Solved

How to config process monitor to capture data

Posted on 2014-03-13
2
630 Views
Last Modified: 2014-03-28
I need to capture all read data for mcshield.exe using Process Monitor. I have a link from McAfee on how to config Process Monitor, but it is for the older version of Process Monitor.

So how do I config PM to capture all read actions by mcshield.exe, and how do I view the read actions?

This is the McAfee link for Process Monitor. But I'm not sure how to config it and view the read actions. The version of PM it points me to is, I think, a newer version.

https://kc.mcafee.com/corporate/index?page=content&id=KB50981
Question by:rdefino
2 Comments
 
LVL 7

Expert Comment

by:Sivaraj E
ID: 39928305
Did you try the Microsoft Sysinternals Process Monitor tool? It's a real-time monitoring tool, and exporting the configuration is also possible through it. Please give it a try and let me know whether this is the one you were looking for.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx 

Regards, Shiva
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 245 total points
ID: 39928566
For PM 3.10  (Don't use Process Explorer when you mean to use Process Monitor and vice versa)

1) Click Filter then Filter (Ctrl + L)

2) In the Filter you need to set up Boolean searches so first pull out the process you want to examine.
In the first dropdown choose ProcessName, in the second leave it set as "is", then you should find MCSHIELD.exe (if it is running) in the blank dropdown - finally leave the last dropdown as "Include".

3) When you hit Apply you will see your filter appear in the box below, and in the main window you should now only see processes that match this.

4) Review the main window (you might find it helpful to run this full screen and adjust column widths).

5) PM can filter two read functions "ReadFile" and "ReadConfig" - if there is still too much data in the main window you can filter those by creating a further filter selecting "Operation" in the first column and choosing the operation you are most interested in from the blank dropdown.  This applies a second filter to the results captured by the first.

As another tip, don't over-filter: if you can see the information needed in one filter, quit at that point.  My experience is you often see other issues that need investigation in the higher-level filter before you focus down onto the real detail.

I'm not running McAfee so can't send you screenshots, but hope that's self-explanatory.

- Have just looked at the McAfee KB document you linked to:

They have an error in their instructions - Enable Advanced Output is in the Filter Menu NOT under Options

Otherwise their filter instructions follow mine above:


You need to enable:

Filter 1:
Process Name: "IS" McShield.exe "INCLUDE" <Add>

Filter 2:
Operation: "CONTAINS" IRP_MJ_READ "INCLUDE" <Add>
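Once the two filters above are applied, Process Monitor can save the filtered events as a CSV file (File > Save, CSV format). The script below is an added example, not part of the accepted answer or of the McAfee KB article: it applies the same two filters offline to such an export (Process Name is mcshield.exe AND the operation is a file read), matching both the friendly operation name "ReadFile" and the "IRP_MJ_READ" name that Process Monitor displays once Enable Advanced Output is on, and then totals the bytes read per path from the Detail column. The CSV rows are constructed for illustration, and the column header assumes Process Monitor's default column set.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of a Process Monitor CSV export with the default columns.
# These rows are made up for illustration; they are not real capture data.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1234567 AM","mcshield.exe","1234","CreateFile","C:\\Users\\alice\\Downloads\\setup.exe","SUCCESS","Desired Access: Generic Read"
"10:15:01.1234890 AM","mcshield.exe","1234","ReadFile","C:\\Users\\alice\\Downloads\\setup.exe","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"10:15:01.1235012 AM","mcshield.exe","1234","ReadFile","C:\\Users\\alice\\Downloads\\setup.exe","SUCCESS","Offset: 4,096, Length: 65,536"
"10:15:01.1235200 AM","explorer.exe","2048","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:15:01.1235400 AM","mcshield.exe","1234","IRP_MJ_READ","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Offset: 0, Length: 4,096"
"10:15:01.1235600 AM","mcshield.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\McAfee\\Example","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"""

# The Detail column of a read event carries "Length: 4,096" with thousands separators.
LENGTH_RE = re.compile(r"Length:\s*([\d,]+)")


def is_read_operation(operation):
    """Filter 2: match both display modes of a file read.

    'ReadFile' is the friendly name shown by default; 'IRP_MJ_READ' is what the
    Operation column shows once Filter > Enable Advanced Output is ticked.
    """
    return operation == "ReadFile" or "IRP_MJ_READ" in operation


def read_events(csv_text, process_name="mcshield.exe"):
    """Filter 1 AND Filter 2 applied to an exported capture.

    Process Name comparison is case-insensitive because the GUI shows the name
    as MCSHIELD.exe while the McAfee article writes McShield.exe.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        row
        for row in reader
        if row["Process Name"].lower() == process_name.lower()
        and is_read_operation(row["Operation"])
    ]


def bytes_read_per_path(events):
    """Sum the 'Length:' value of each read event per file path."""
    totals = Counter()
    for row in events:
        match = LENGTH_RE.search(row["Detail"])
        length = int(match.group(1).replace(",", "")) if match else 0
        totals[row["Path"]] += length
    return dict(totals)


if __name__ == "__main__":
    events = read_events(SAMPLE_CSV)
    print(f"{len(events)} read events for mcshield.exe")
    for path, total in sorted(bytes_read_per_path(events).items(), key=lambda kv: -kv[1]):
        print(f"{total:>10} bytes  {path}")
```

To use it on a real export, read the saved CSV into a string and pass it to read_events; the registry and CreateFile rows in the sample show that the operation filter, not the process filter alone, is what narrows the list to actual file reads.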
