Solved

How to config process monitor to capture data

Posted on 2014-03-13
2
700 Views
Last Modified: 2014-03-28
I need to capture all read data for mcshield.exe using process monitor. I have a link from mcafee to config process monitor, but it for the older version of process monitor.

So how do config PM to capture all read actions by mcshield.exe and how do view the read actions?

this is the mcafee link for Process monitor. But I'm not sure how to config it and view the read actions. The version of PM it points me to I think is a newer version.

https://kc.mcafee.com/corporate/index?page=content&id=KB50981
0
Comment
Question by:rdefino
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Expert Comment

by:Sivaraj E
ID: 39928305
Did you try the Microsoft SysInternals process monitor tool ? It's a real time monitoring tool and also exporting the configuration is possible through this, please give a try and let me know that is this the one you were looking for ?

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx 

Regards, Shiva
0
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 245 total points
ID: 39928566
For PM 3.10  (Don't use Process Explorer when you mean to use Process Monitor and vice versa)

1) Click Filter then Filter (Ctrl + L)

2) In the Filter you need to set up Boolean searches so first pull out the process you want to examine.
In the first drop down choose ProcessName in the second leave set as "is" then you should find MCSHIELD.exe if it is running the the blank dropdown - finally leave the last dropdown as "Include".

3) When you hit apply you will see your filter appear in the box bewlow and in the main window you should now only see processes that match this.

4) Review the main window (you might find it helpful to run this full screen and adjust column widths).

5) PM can filter two read functions "ReadFile" and "ReadConfig" - if there is still too much data in the main window you can filter those by creating a further filter selecting "Operation" in the first column and choosing the operation you are most interested in from the blank dropdown.  This applies a second filter to the results captured by the first.

As another tip don't over filter if you can see the information needed in one filter quit at that point.  My experience is you often see other issues that need investigation in the higher level filter before you focus down onto the real detail.

I'm not running McAfee so can't send you screenshots but hope that's self explanatory.




- Have just looked at the McAfee KB document you linked to:

They have an error in their instructions - Enable Advanced Output is in the Filter Menu NOT under Options

Otherwise their filter instructions follow mine above:


You need to enable:

Filter 1:
Process Name: "IS" McShield.exe "INCLUDE" <Add>

Filter 2:
Operation: "CONTAINS" IRP_MJ_READ "INCLUDE" <Add>
0

Featured Post

How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Assume you have an outside contractor who comes in seasonally or once a week to do some work in your office, but you only want to give him access to the programs and files he needs and keep all other documents and programs private. Can you do this o…
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question