Solved

How to config process monitor to capture data

Posted on 2014-03-13
2
671 Views
Last Modified: 2014-03-28
I need to capture all read data for mcshield.exe using process monitor. I have a link from mcafee to config process monitor, but it for the older version of process monitor.

So how do config PM to capture all read actions by mcshield.exe and how do view the read actions?

this is the mcafee link for Process monitor. But I'm not sure how to config it and view the read actions. The version of PM it points me to I think is a newer version.

https://kc.mcafee.com/corporate/index?page=content&id=KB50981
0
Comment
Question by:rdefino
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Expert Comment

by:Sivaraj E
ID: 39928305
Did you try the Microsoft SysInternals process monitor tool ? It's a real time monitoring tool and also exporting the configuration is possible through this, please give a try and let me know that is this the one you were looking for ?

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx 

Regards, Shiva
0
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 245 total points
ID: 39928566
For PM 3.10  (Don't use Process Explorer when you mean to use Process Monitor and vice versa)

1) Click Filter then Filter (Ctrl + L)

2) In the Filter you need to set up Boolean searches so first pull out the process you want to examine.
In the first drop down choose ProcessName in the second leave set as "is" then you should find MCSHIELD.exe if it is running the the blank dropdown - finally leave the last dropdown as "Include".

3) When you hit apply you will see your filter appear in the box bewlow and in the main window you should now only see processes that match this.

4) Review the main window (you might find it helpful to run this full screen and adjust column widths).

5) PM can filter two read functions "ReadFile" and "ReadConfig" - if there is still too much data in the main window you can filter those by creating a further filter selecting "Operation" in the first column and choosing the operation you are most interested in from the blank dropdown.  This applies a second filter to the results captured by the first.

As another tip don't over filter if you can see the information needed in one filter quit at that point.  My experience is you often see other issues that need investigation in the higher level filter before you focus down onto the real detail.

I'm not running McAfee so can't send you screenshots but hope that's self explanatory.




- Have just looked at the McAfee KB document you linked to:

They have an error in their instructions - Enable Advanced Output is in the Filter Menu NOT under Options

Otherwise their filter instructions follow mine above:


You need to enable:

Filter 1:
Process Name: "IS" McShield.exe "INCLUDE" <Add>

Filter 2:
Operation: "CONTAINS" IRP_MJ_READ "INCLUDE" <Add>
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question