Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 750
  • Last Modified:

How to config process monitor to capture data

I need to capture all read data for mcshield.exe using process monitor. I have a link from mcafee to config process monitor, but it for the older version of process monitor.

So how do config PM to capture all read actions by mcshield.exe and how do view the read actions?

this is the mcafee link for Process monitor. But I'm not sure how to config it and view the read actions. The version of PM it points me to I think is a newer version.

https://kc.mcafee.com/corporate/index?page=content&id=KB50981
0
rdefino
Asked:
rdefino
1 Solution
 
Sivaraj ELead – IT InfrastructuresCommented:
Did you try the Microsoft SysInternals process monitor tool ? It's a real time monitoring tool and also exporting the configuration is possible through this, please give a try and let me know that is this the one you were looking for ?

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx 

Regards, Shiva
0
 
☠ MASQ ☠Commented:
For PM 3.10  (Don't use Process Explorer when you mean to use Process Monitor and vice versa)

1) Click Filter then Filter (Ctrl + L)

2) In the Filter you need to set up Boolean searches so first pull out the process you want to examine.
In the first drop down choose ProcessName in the second leave set as "is" then you should find MCSHIELD.exe if it is running the the blank dropdown - finally leave the last dropdown as "Include".

3) When you hit apply you will see your filter appear in the box bewlow and in the main window you should now only see processes that match this.

4) Review the main window (you might find it helpful to run this full screen and adjust column widths).

5) PM can filter two read functions "ReadFile" and "ReadConfig" - if there is still too much data in the main window you can filter those by creating a further filter selecting "Operation" in the first column and choosing the operation you are most interested in from the blank dropdown.  This applies a second filter to the results captured by the first.

As another tip don't over filter if you can see the information needed in one filter quit at that point.  My experience is you often see other issues that need investigation in the higher level filter before you focus down onto the real detail.

I'm not running McAfee so can't send you screenshots but hope that's self explanatory.




- Have just looked at the McAfee KB document you linked to:

They have an error in their instructions - Enable Advanced Output is in the Filter Menu NOT under Options

Otherwise their filter instructions follow mine above:


You need to enable:

Filter 1:
Process Name: "IS" McShield.exe "INCLUDE" <Add>

Filter 2:
Operation: "CONTAINS" IRP_MJ_READ "INCLUDE" <Add>
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now