While troubleshooting an issue for a client of mine, I needed some further debugging information. To look into what processes are doing in the background, I turn to Sysinternals’ Process Monitor – one of the tools I recommend every IT consultant master. What was troublesome, however, is that the issue I was looking into only occurred at night, and I didn’t feel much like staying up late to fire off Process Monitor. To complicate matters, the systems themselves were in the production environment, and since Process Monitor does have a (hefty) impact on system performance (and the logs it creates grow very large very quickly), I couldn’t just start it before leaving for home and leave it running until I came back to work the next morning.
So it would be cool if it were possible to run Process Monitor as a scheduled task, let it run for a few minutes (when the issue occurs) and retrieve the log the next morning to analyze it.
So, what options do we have when running Process Monitor?
Looks like we have enough arguments to choose from to get this to work. So, let’s put the scheduled task together.
Create the scheduled task to run Process Monitor
- First, download Process Monitor if you haven’t already done that, and save it on the machine you want to monitor.
- On the machine, go to the Administrative Tools and open the Task Scheduler console.
- In the left pane, click on Task Scheduler Library
- On the right pane, click on Create Basic Task…
- Enter the name of the task (e.g. Start Process Monitor) and click on Next
- Choose the frequency. Since I only want to run it once, I chose “One Time”. Click on Next
- Enter the time when you want the task to be run (before the issue occurs of course) and click on Next
- For the action choose “Start a program” and click on Next
- Browse for the Process Monitor executable (procmon.exe), and add /accepteula /quiet and /BackingFile <log path> (e.g. C:\temp\log.pml) as arguments. Make sure you have enough disk space where you’re saving the log file.
- Check “Open the Properties dialog…” and click on Finish
- The properties dialog is shown. On the bottom, click on “Change User or Group”, select SYSTEM and click OK. Click on OK again to close the properties window.
Great! We’ve set up the scheduled task! However, if we do nothing else, Process Monitor will run forever, and we don’t want that to happen… Unfortunately, there’s no argument to run PM for a certain amount of time. You could, using the options of the scheduled task, kill the task after a certain amount of time. However, if you just kill the process without shutting it down properly, the log will get corrupted, so we can’t use that. Fortunately, we can run Process Monitor with the /terminate option, which terminates all running instances of PM (running in the executing user’s context). So, we’ll set up a second scheduled task to terminate PM after a set amount of time.
Create the second scheduled task to stop Process Monitor
- Open the Task Scheduler console again.
- Create a new Basic Task
- Enter an appropriate name (e.g. End Process Monitor)
- Choose the frequency.
- Enter the time to end Process Monitor. This should be after the issue occurs (and therefore later than the time when starting PM).
- For the action, choose “Start a program” again.
- Select the executable again, but enter /terminate as the argument.
- Check “Open the Properties dialog…” again and click on Finish
- In the properties window, change the user to SYSTEM again in the security options.
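The two tasks built by hand above, as an added PowerShell example that is not from the original article: it registers them with the ScheduledTasks module cmdlets, runs both as SYSTEM (since /terminate only reaches instances in the executing user’s context) and checks the disk space the article warns about. The executable path, log path, times and the 10 GB threshold are assumptions.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt
# on the machine to be monitored (ScheduledTasks module: Windows 8 / Server 2012 or later).
$ProcmonPath = 'C:\Tools\Procmon.exe'   # assumed: wherever you saved the downloaded executable
$LogPath     = 'C:\temp\log.pml'        # backing file from the article
$StartAt     = Get-Date '02:00'         # assumed: shortly before the nightly issue
$StopAt      = Get-Date '02:15'         # assumed: after the issue has occurred

# A -Once trigger in the past never fires, so roll both times to the next night if needed.
if ($StartAt -lt (Get-Date)) { $StartAt = $StartAt.AddDays(1); $StopAt = $StopAt.AddDays(1) }
if ($StopAt -le $StartAt)    { throw 'The stop time must be later than the start time.' }

# The article warns about disk usage: make sure the log folder exists and has room.
$LogDir = Split-Path -Path $LogPath -Parent
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$FreeGB = [math]::Round((Get-PSDrive -Name $LogDir.Substring(0, 1)).Free / 1GB, 1)
if ($FreeGB -lt 10) { throw "Only $FreeGB GB free on $LogDir; Procmon logs grow quickly." }  # 10 GB is an assumed threshold

# /terminate only stops instances running in the executing user's context, so both tasks
# must run under the same account. The article uses SYSTEM.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Keep the default execution time limit: letting the scheduler kill Procmon corrupts the log.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable

$StartAction = New-ScheduledTaskAction -Execute $ProcmonPath `
    -Argument "/accepteula /quiet /BackingFile `"$LogPath`""
$StopAction  = New-ScheduledTaskAction -Execute $ProcmonPath -Argument '/terminate'

Register-ScheduledTask -TaskName 'Start Process Monitor' -Action $StartAction `
    -Trigger (New-ScheduledTaskTrigger -Once -At $StartAt) -Principal $Principal -Settings $Settings -Force | Out-Null
Register-ScheduledTask -TaskName 'End Process Monitor' -Action $StopAction `
    -Trigger (New-ScheduledTaskTrigger -Once -At $StopAt) -Principal $Principal -Settings $Settings -Force | Out-Null

# Verify both tasks are registered, ready, running as SYSTEM, and scheduled for the expected night.
Get-ScheduledTask -TaskName 'Start Process Monitor', 'End Process Monitor' |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } },
        @{ n = 'NextRun'; e = { ($_ | Get-ScheduledTaskInfo).NextRunTime } }
```

Newer Procmon builds also accept the /runtime switch mentioned in the comments below, which removes the need for the second task; the two-task approach still works where that switch is not available.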
And there you have it! The next morning (after grabbing a cup of coffee) you’ll be able to open up the log file and analyze the issue.
Hope this was helpful!
Exactly what I was looking for!! Fantastic article, thank you so much!
Excellent article. Very helpful
Awesome post. Thanks very much for sharing.
Does anyone here know how best to use ProcMon to capture a ‘phantom’ task scheduler process? i.e. how best to set the filter to catch it. Thanks
ProcMon now has a /runtime option to run for a specific number of seconds