{"id":9226,"date":"2023-04-10T22:42:33","date_gmt":"2023-04-10T20:42:33","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=9226"},"modified":"2024-07-23T23:02:11","modified_gmt":"2024-07-23T21:02:11","slug":"windows-inject-procmon-in-an-existing-windows-installation-by-windows-pe","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/windows-inject-procmon-in-an-existing-windows-installation-by-windows-pe\/","title":{"rendered":"Windows: Inject Process Monitor in an existing Windows installation by Windows PE"},"content":{"rendered":"<p>Hi,<\/p>\n<p>for debugging purposes it&#8217;s sometimes necessary to enable the boot logging feature of Sysinternals <strong>procmon<\/strong>.<\/p>\n<p>But boot logging can only be enabled from the GUI, and it logs only one boot. If the system boots multiple times, the other boots are not captured by procmon.<\/p>\n<p>So you need to inject procmon just before the boot you want to log.<\/p>\n<p>Required files are Procmon.exe and the related procmon24.sys driver. You can get procmon24.sys by starting Procmon on another machine and copying it from the C:\\Windows\\System32\\drivers folder. Note that procmon24.sys is a hidden file, so copy it with xcopy \/h:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nC:\\&gt; xcopy \/h C:\\Windows\\System32\\drivers\\PROCMON24.SYS C:\\temp\r\n<\/pre>\n<p>To automate the process, copy all files to a network share:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nC:\\myShare &gt; dir \r\n26.10.2022  19:50         5.216.168 Procmon.exe\r\n11.04.2023  04:36            80.264 PROCMON24.SYS\r\n26.10.2022  19:50         2.691.488 Procmon64.exe\r\n<\/pre>\n<p>To inject the procmon driver, the registry of the target installation must get a driver service entry and the driver file must be copied to C:\\Windows\\System32\\drivers. The procmon executables should also be copied, so that you can stop the boot logging afterwards and save the events to a file.<\/p>\n<p>Create a registry file <strong>Procmon_boot_winpe_insert.reg<\/strong> within C:\\myShare. 
The __temp__hive__ key is where the SYSTEM hive of the Windows installation will be loaded. \"Start\"=0 registers PROCMON24 as a boot-start kernel driver (\"Type\"=1), and the hex(2) ImagePath is the REG_EXPAND_SZ string System32\\Drivers\\PROCMON24.SYS.<br \/>\n<code><br \/>\nWindows Registry Editor Version 5.00<\/p>\n<p>[HKEY_LOCAL_MACHINE\\__temp__hive__\\ControlSet001\\Services\\PROCMON24]<br \/>\n\"SupportedFeatures\"=dword:0009c26c<br \/>\n\"Start\"=dword:00000000<br \/>\n\"Group\"=\"FSFilter Activity Monitor\"<br \/>\n\"Type\"=dword:00000001<br \/>\n\"ImagePath\"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\\<br \/>\n  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,50,00,52,00,4f,00,43,00,4d,00,4f,\\<br \/>\n  00,4e,00,32,00,34,00,2e,00,53,00,59,00,53,00,00,00<\/p>\n<p>[HKEY_LOCAL_MACHINE\\__temp__hive__\\ControlSet001\\Services\\PROCMON24\\Instances]<br \/>\n\"DefaultInstance\"=\"Process Monitor 24 Instance\"<\/p>\n<p>[HKEY_LOCAL_MACHINE\\__temp__hive__\\ControlSet001\\Services\\PROCMON24\\Instances\\Process Monitor 24 Instance]<br \/>\n\"Altitude\"=\"385200\"<br \/>\n\"Flags\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\__temp__hive__\\ControlSet001\\Services\\PROCMON24\\Parameters]<br \/>\n\"ThreadProfiling\"=dword:00989680<br \/>\n\"RuntimeSeconds\"=dword:ff676980<br \/>\n<\/code><br \/>\nand a simple batch file install_procmon.cmd to do all the tasks :-). Adjust the WINDOWS_INSTALLATION_DRIVE variable to the drive where Windows is installed. This depends on the order in which Windows PE enumerates the partitions (when multiple disks are installed). 
Usually it&#8217;s C: or D:<\/p>\n<p>The batch file copies the files, loads the SYSTEM hive of the Windows installation to HKLM\\__temp__hive__, applies the registry file and unloads the hive again.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n@echo off\r\nset WINDOWS_INSTALLATION_DRIVE=C:\r\nrem Copy the procmon binaries and the driver into the offline installation\r\nmkdir &quot;%WINDOWS_INSTALLATION_DRIVE%\\Program Files\\procmon&quot;\r\ncopy \/y %~dp0procmon* &quot;%WINDOWS_INSTALLATION_DRIVE%\\Program Files\\procmon&quot;\r\necho Copy driver\r\ncopy \/y &quot;%WINDOWS_INSTALLATION_DRIVE%\\Program Files\\procmon\\PROCMON24.SYS&quot; &quot;%WINDOWS_INSTALLATION_DRIVE%\\Windows\\System32\\drivers&quot;\r\n\r\nrem Load the offline SYSTEM hive, add the PROCMON24 service entry, unload the hive again\r\nreg load HKLM\\__temp__hive__ %WINDOWS_INSTALLATION_DRIVE%\\Windows\\System32\\config\\SYSTEM\r\n\r\nregedit \/s \/u %~dp0Procmon_boot_winpe_insert.reg\r\n\r\nreg unload HKLM\\__temp__hive__\r\n<\/pre>\n<p>Boot Windows PE, mount the network share and execute the batch file:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nX:\\&gt; net use \\\\myComputer\\myShare \/user:myDomain\\myUser\r\nX:\\&gt; \\\\myComputer\\myShare\\install_procmon.cmd\r\n\\\\myComputer\\myShare\\Procmon.exe\r\n\\\\myComputer\\myShare\\PROCMON24.SYS\r\n\\\\myComputer\\myShare\\Procmon64.exe\r\n\\\\myComputer\\myShare\\Procmon_boot_winpe_insert.reg\r\n...\r\n<\/pre>\n<p>and reboot the system. 
After you log on to the system, call<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nC:\\&gt; &quot;C:\\Program Files\\procmon\\Procmon.exe&quot;\r\n<\/pre>\n<p>to stop logging and save the procmon log file.<\/p>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, for debugging purposes it&#8217;s sometimes necessary to enable the boot logging feature of sysinternals procmon.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[1958,1960,1959,20,300,599],"class_list":["post-9226","post","type-post","status-publish","format-standard","hentry","category-windowsknowhow","tag-inject","tag-process-monitor","tag-procmon","tag-windows-2","tag-windows-pe","tag-winpe"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=9226"}],"version-history":[{"count":9,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9226\/revisions"}],"predecessor-version":[{"id":9819,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9226\/revisions\/9819"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=9226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=9226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=9226"}],"cu
ries":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}