Running Process Monitor

Run the Process Monitor application and include the processes whose activity you want to track. For this example, include Notepad.exe in the Include filters: click Add, then click OK.

Process Monitor (SNMP): this type of SAM component monitor uses SNMP to connect to a Linux/Unix server and test whether a specified process is running. It then reports the CPU and physical memory used by the process in the Orion Web Console. Note the following details about this monitor.

Process Monitor is a monitoring tool for Windows that shows live file, Registry and process/thread activity. It is a combination of two older Sysinternals utilities, Filemon and Regmon. Process Monitor is part of Windows Sysinternals, a set of utilities to manage, diagnose, troubleshoot, and monitor Windows.

  1. Download Process Monitor.
  2. Extract the .zip file, and run Procmon.exe.
  3. Click Agree on the EULA screen.
  4. Process Monitor will start logging automatically.

Now that you have Process Monitor up and running, let's quickly point out a couple of features on the interface: in the main toolbar, you'll see this set of buttons.

Remote Process Explorer by Lizardsystems is a well known free application to view and manipulate the running processes on a remote computer. It is completely free for home and non-commercial use. You do need a free registration code to use the free version though: visit the Registration page and enter your name, e-mail, city and country.

Recently I needed to investigate why SSAS synchronisation commands were intermittently failing and the errors pointed to a file lock on a SSAS data file. To identify the file lock I needed to run process monitor for as long as it takes to capture the problem, even if it takes weeks or months for it to occur. This presents the following problems:

  • How to prevent the process monitor capture from consuming all available disk space.
  • How to ensure we do not overwrite the data we are looking for.
  • How to ensure the capture stops once we have the data we are looking for.

The solution I created for this is implemented using the following logic.

  1. Run a scheduled task every x minutes that does the following:
    1. Stop any process monitor sessions already running.
    2. Move the current log file to a history folder and clean out any old logs.
    3. Start a new instance of process monitor logging.
  2. Create a scheduled task that is fired on a Windows event and does the following:
    1. Stops any running process monitor session.
    2. Prevents the scheduled task that was running process monitor from running any more.

Following this logic I now have a rolling process monitor solution that can run for months by running two simple batch files from scheduled tasks.

The rest of this blog will now cover the detailed steps to set up the rolling process monitor.
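The rollover logic above, written out as a single PowerShell script that serves both tasks (the periodic task calls it without arguments, the event task calls it with -Stop). This is an added example and not the author's Run_Procmon.bat / Stop_Procmon.bat; the folder layout under $Root (exe\, current\, history\), the retention count and the scheduled task name are assumptions. The Procmon switches used (/Terminate, /AcceptEula, /Quiet, /Minimized, /LoadConfig, /BackingFile) are documented Process Monitor command-line options.

```powershell
# Roll-Procmon.ps1: rolling Process Monitor capture (added example, not the
# author's batch files). Folder layout under $Root, retention and the task
# name are assumptions; adjust them to your server.
param(
    [string]$Root      = 'C:\Logging',       # assumed base folder
    [int]   $KeepFiles = 12,                 # assumed number of rolled logs to keep
    [switch]$Stop                            # -Stop: end the capture and disable the rollover task
)

$ErrorActionPreference = 'Stop'
$ProcmonExe       = Join-Path $Root 'exe\Procmon.exe'
$ConfigFile       = Join-Path $Root 'exe\ProcmonConfiguration.pmc'   # saved via File - Export Configuration
$CurrentDir       = Join-Path $Root 'current'
$HistoryDir       = Join-Path $Root 'history'
$BackingFile      = Join-Path $CurrentDir 'procmon.pml'
$RolloverTaskName = 'Procmon Rollover'                                # assumed scheduled task name

foreach ($dir in $CurrentDir, $HistoryDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# Step 1: stop any capture that is already running. /Terminate asks the running
# instance to flush and close its backing file so the PML stays readable;
# killing the process would leave a corrupt file. Wait for it to actually exit
# before touching the log.
if (Get-Process -Name Procmon, Procmon64 -ErrorAction SilentlyContinue) {
    Start-Process -FilePath $ProcmonExe -ArgumentList '/Terminate' -Wait
    $deadline = (Get-Date).AddSeconds(60)
    while ((Get-Process -Name Procmon, Procmon64 -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 1
    }
}

if ($Stop) {
    # Event-triggered path: keep the log that caught the event and make sure the
    # periodic task does not start another capture on top of it.
    Disable-ScheduledTask -TaskName $RolloverTaskName | Out-Null
    return
}

# Step 2: move the current log(s) into history with a timestamp, then prune.
# Procmon splits a large backing file into procmon.pml, procmon-1.pml, ...,
# so move everything with the prefix rather than one fixed name.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-ChildItem -Path $CurrentDir -Filter 'procmon*.pml' | ForEach-Object {
    Move-Item -Path $_.FullName -Destination (Join-Path $HistoryDir "$stamp-$($_.Name)")
}
Get-ChildItem -Path $HistoryDir -Filter '*.pml' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $KeepFiles |
    Remove-Item -Force

# Step 3: start a fresh capture with the exported filters. /AcceptEula, /Quiet
# and /Minimized stop it prompting under the task account; /BackingFile writes
# events to disk instead of the page file. The script returns immediately and
# Procmon keeps running until the next rollover or the stop task.
$procmonArgs = @(
    '/AcceptEula', '/Quiet', '/Minimized',
    '/LoadConfig', "`"$ConfigFile`"",
    '/BackingFile', "`"$BackingFile`""
)
Start-Process -FilePath $ProcmonExe -ArgumentList $procmonArgs
```

Disk usage is bounded by the rollover interval times the event rate your filters let through, multiplied by $KeepFiles, so tighten the filters in the exported .pmc before tuning the retention. Because the script returns as soon as Procmon is started, it does not itself need the task's "Run a new instance in parallel" setting, but leaving that setting as the post describes does no harm.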

Preparing the solution

  1. First of all you need to download the logging.zip file that contains the batch files and folder structures from my Dropbox here.
  2. Extract the folder structure and files onto your server.
  3. Download process monitor from here.
  4. Copy the process monitor executable into the exe directory in the logging folder structure.
  5. Run process monitor and define any filters you require. Once done, go to File – Export Configuration and save it as ProcmonConfiguration.pmc in the same directory as the executable.
  6. Open each batch file and if necessary update the paths at the top of the files.
  7. Now all you need to do is create the tasks to run the batch files as detailed below.

Task scheduling

First of all you need a task that will run the process monitor and perform the rollover, the steps to create this are shown below.

  1. Pull up the task scheduler and create a new task. The first screen should be set up as shown below, noting the 2 points in red. The account you use to run the task needs local admin rights.
  2. Next move to the triggers tab and create a schedule to run the task every x minutes, where x is the length of time you wish to elapse before you roll over the log file.
  3. Next move to the actions tab and create a new action to start a program, populating it as shown below. You are pointing it at the Run_Procmon.bat that you downloaded earlier.
  4. Move to the settings tab and ensure you select “Run a new instance in parallel”; this allows a second instance of the batch file to run, which shuts down the currently running instances and performs the rollover.

With the process monitor rollover task in place you now need a second task that will fire on a predetermined condition and stop process monitor from running any more.

  1. Repeat step 1 as before to start creating the task, this time giving it a different name.
  2. Move to the triggers tab and this time, rather than creating a schedule, choose “On an event” and select the appropriate Windows event that you want to use as a trigger. Below is an example showing a trigger configured to fire when SSAS logs event ID 33 to the Application log. If required you can define multiple events.
  3. Next move to the actions tab and create a new action to start a program, populating it as shown below. You are pointing it at the Stop_Procmon.bat that you downloaded earlier. Note that you can also add an additional action to send you an e-mail notifying you that the event fired and process monitor has been stopped, so you can review the logs.
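Both tasks can also be created from PowerShell instead of clicking through Task Scheduler. The following is an added example, not part of the original post: it registers the rollover task (repeating every x minutes, with parallel instances allowed as step 4 above requires) and the event-triggered stop task. The script path, the interval, the task names and the SSAS event provider name are assumptions; check the actual Source shown for event ID 33 in Event Viewer before using it, since the XPath query must match that name exactly. The stop task assumes the rollover script accepts a -Stop switch.

```powershell
# Register-ProcmonTasks.ps1: added example, not part of the original post.
# Assumptions: the rollover logic is a script taking a -Stop switch at
# $ScriptPath, and SSAS event ID 33 is written by the provider in $EventProvider.
$ScriptPath      = 'C:\Logging\Roll-Procmon.ps1'   # assumed
$IntervalMinutes = 30                               # the "x minutes" between rollovers (assumed)
$EventLog        = 'Application'
$EventProvider   = 'MSSQLServerOLAPService'         # assumed SSAS source name; verify in Event Viewer
$EventId         = 33

# Task account: needs local admin, because Procmon loads a kernel driver.
$cred = Get-Credential -Message 'Account that will run Process Monitor'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

# --- Task 1: periodic rollover ----------------------------------------------
$rollAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -File `"$ScriptPath`""
# A once-trigger with a repetition interval is how the module expresses
# "every x minutes"; an explicit duration keeps older Windows builds happy.
$rollTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval (New-TimeSpan -Minutes $IntervalMinutes) `
    -RepetitionDuration (New-TimeSpan -Days 366)
# "Run a new instance in parallel" from the settings tab (step 4 above).
$rollSettings = New-ScheduledTaskSettingsSet -MultipleInstances Parallel -StartWhenAvailable

Register-ScheduledTask -TaskName 'Procmon Rollover' -Action $rollAction -Trigger $rollTrigger `
    -Settings $rollSettings -User $user -Password $pass -RunLevel Highest -Force | Out-Null

# --- Task 2: stop on event ---------------------------------------------------
# New-ScheduledTaskTrigger has no "On an event" option, so build the trigger
# from the MSFT_TaskEventTrigger CIM class with the same XPath subscription
# the Task Scheduler UI generates for Log / Source / Event ID.
$subscription = @"
<QueryList>
  <Query Id="0" Path="$EventLog">
    <Select Path="$EventLog">*[System[Provider[@Name='$EventProvider'] and EventID=$EventId]]</Select>
  </Query>
</QueryList>
"@
$eventClass   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$eventTrigger = New-CimInstance -CimClass $eventClass -ClientOnly
$eventTrigger.Enabled      = $true
$eventTrigger.Subscription = $subscription

$stopAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -File `"$ScriptPath`" -Stop"

Register-ScheduledTask -TaskName 'Procmon Stop' -Action $stopAction -Trigger $eventTrigger `
    -User $user -Password $pass -RunLevel Highest -Force | Out-Null

# Show both tasks so you can confirm they registered and are Ready.
Get-ScheduledTask -TaskName 'Procmon Rollover', 'Procmon Stop' | Format-Table TaskName, State
```

To test the stop task without waiting for a real failure, raise a matching event yourself (for example with Write-EventLog against a test source and the same ID, after pointing $EventProvider at that source) and confirm that Procmon exits and the rollover task shows as Disabled. Because the tasks run with highest privileges under a stored credential, keep that account's rights limited to the server being diagnosed.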

You should now have 2 tasks configured and all you have to do is wait for the condition to be met and then review the logs to identify the culprit!

I have a treat for you today. I have finally solved something that has been a pain in my side for years now. Have you ever been in the following situation?

You are reviewing log files and discover that a remote computer (perhaps a virtual machine running on shared storage) is running wild and hammering on the disk. You need to figure out exactly what processes and files are causing that disk IO. However, perhaps that computer is always in use and you simply can’t log in locally to launch Resource Monitor or Process Monitor. Ultimately you need to run Process Monitor remotely. Unfortunately you google this and discover that it’s not possible: Process Monitor generates so much data that it can’t all be passed over the wire. So what do you do?

I found myself in this exact situation yet again today and finally decided to sit down and solve it once and for all. My googling revealed a suggestion in some forum to use psexec to run procmon.exe on the remote machine and then copy over the PML file to your machine for analysis. I’m afraid I couldn’t find that blog post so I can’t give credit to the original author of the idea. But there is a world of difference between an idea and a practical implementation and that’s what I have to share with you today.

Below is a PowerShell script that includes a function called Get-ProcMonData. It accepts just two parameters, a -ComputerName for the name of the remote computer you wish to connect to and -Duration for how long procmon will run for on the remote system. Note that the script is hardcoded to limit you to a maximum of 100 seconds as I discovered the hard way that Procmon generates an enormous amount of data and you can easily fill the remote drive if you’re not careful.

To run this script, I recommend opening it in the PowerShell ISE and editing the variables around line 34 to point to the path where you keep your psexec and procmon executables. Once that’s done, go to the last line of the script and change “remotecomputerhere” to the computer you wish to collect data from and specify the duration anywhere from 10 to 100 seconds.

Note: This script was only tested in my environment and assumes you have full permissions to the target system. In my case, I ran the script under a domain admin account.

Run the script. Here’s what it’ll do:

  • Test to verify that the remote system responds to ping and that PowerShell can see procmon.exe and psexec.exe
  • Verify that both the source and target system have at least 500MB free
  • Copies procmon.exe to the C:\Windows\Temp folder on the remote system
  • Launches procmon.exe on the remote system (uses a separate process so we can stop it later in the script)
  • Displays a progress bar for the duration specified while we wait for the data collection to complete
  • Stops procmon.exe on the remote system properly such that the generated PML file is valid
  • Copies the PML file to your local machine for analysis
  • Removes procmon.exe and the PML file from the remote machine (always clean up after yourself)
  • Displays the size of the PML file and reminds you to delete it when you’re done (They can get very large!)
  • Launches process monitor on your machine and opens the PML file for your analysis
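A Get-ProcMonData that walks through the steps in that list, written here as an added example and not the author's script (which is not reproduced on this page). Tool paths, the remote staging folder, the use of the C$ admin share and the WinRM-based free-space check are assumptions; the psexec switches (-accepteula, -s, -d) and Procmon switches (/AcceptEula, /Quiet, /Minimized, /Runtime, /BackingFile, /Terminate, /OpenLog) are documented options of those tools. It goes one step beyond the list by passing /Runtime, so that the remote capture ends by itself even if the collecting script is interrupted, which addresses the disk-filling risk the post warns about.

```powershell
# Get-ProcMonData: added example reconstructing the behaviour listed above.
# Not the author's script. Paths, the staging folder and the admin-share
# access (requires admin on the target) are assumptions.
function Get-ProcMonData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateRange(10, 100)][int]$Duration = 30,          # seconds; hard cap of 100 as in the post
        [string]$PsExec  = 'C:\Tools\PsExec.exe',             # assumed local path
        [string]$Procmon = 'C:\Tools\Procmon.exe',            # assumed local path
        [string]$OutDir  = $env:TEMP
    )
    $ErrorActionPreference = 'Stop'
    $remoteShare = "\\$ComputerName\C$\Windows\Temp"          # assumed staging folder
    $remoteExe   = 'C:\Windows\Temp\Procmon.exe'
    $remotePml   = 'C:\Windows\Temp\capture.pml'
    $localPml    = Join-Path $OutDir ('{0}-{1}.pml' -f $ComputerName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $minFree     = 500MB

    # Pre-flight: target answers ping, both tools exist, 500 MB free on both ends.
    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
        throw "$ComputerName does not respond to ping"
    }
    foreach ($tool in $PsExec, $Procmon) {
        if (-not (Test-Path $tool)) { throw "Cannot find $tool" }
    }
    $localFree  = (Get-PSDrive -Name ($OutDir.Substring(0, 1))).Free
    $remoteFree = (Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $ComputerName `
                   -Filter "DeviceID='C:'").FreeSpace          # assumes WinRM is reachable on the target
    if ($localFree -lt $minFree -or $remoteFree -lt $minFree) {
        throw 'Need at least 500 MB free on both the local and the remote system'
    }

    # Stage Procmon and launch it detached (psexec -d) so it can be stopped later.
    # /Runtime is the safety net: even if this script dies, the capture ends itself.
    Copy-Item -Path $Procmon -Destination $remoteShare
    & $PsExec "\\$ComputerName" -accepteula -s -d $remoteExe `
        /AcceptEula /Quiet /Minimized /Runtime $Duration /BackingFile $remotePml

    for ($sec = 1; $sec -le $Duration; $sec++) {
        Write-Progress -Activity "Collecting Process Monitor data on $ComputerName" `
            -Status "$sec / $Duration s" -PercentComplete (100 * $sec / $Duration)
        Start-Sleep -Seconds 1
    }

    # /Terminate makes Procmon flush and close the PML; killing it would corrupt the file.
    & $PsExec "\\$ComputerName" -accepteula -s $remoteExe /Terminate
    Start-Sleep -Seconds 3                                    # give the backing file time to close

    # Fetch the log, then clean up the target (Procmon extracts Procmon64.exe beside itself).
    Move-Item -Path (Join-Path $remoteShare 'capture.pml') -Destination $localPml
    Remove-Item -Path (Join-Path $remoteShare 'Procmon*.exe'), (Join-Path $remoteShare 'capture*.pml') `
        -ErrorAction SilentlyContinue

    $sizeMB = [math]::Round((Get-Item $localPml).Length / 1MB, 1)
    Write-Host "Saved $localPml ($sizeMB MB). Delete it when you are done; these files get very large."
    Start-Process -FilePath $Procmon -ArgumentList "/OpenLog `"$localPml`""
    return $localPml
}

Get-ProcMonData -ComputerName 'remotecomputerhere' -Duration 60
```

Run it from an account that is a local administrator on the target, as the post notes. If the capture is too large to be useful, export a filter set from a local Procmon session (File – Export Configuration) and pass it to the remote instance with /LoadConfig alongside /BackingFile, which cuts the PML size far more than a shorter duration does.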

There is still a lot I can do to clean this up and make it a more robust advanced function but at this point it’s working for me reliably so I’m going to call it. I hope you find this useful!