
I know process monitor has the "enable boot logging" function.

but that only takes effect for next boot.

is there a way to enable boot logging for every boot in the future?

SparedWhisle
  • Boot logging is intended for troubleshooting and should not be enabled by default. Even more since the logging will continue until the program is started the next time (i.e. you would be logging everything from boot to shutdown). What problem are you trying to solve by this? – Ansgar Wiechers Nov 08 '12 at 09:42
  • every several days I find the entry containing "www.google.com" gone from my hosts file, which is very annoying. I need to monitor the file for several days (probably a week) to find out which program did it. – SparedWhisle Nov 08 '12 at 10:02
  • @DavidDai why not set "read only" attribute on the hosts file? – Moab Nov 08 '12 at 15:16
  • of course I can do that. but I just want to find out the black hand behind this. :( – SparedWhisle Nov 09 '12 at 01:59
  • @ansgarwiechers if you configured ProcMon to drop filtered events, wouldn't boot time logging be relatively non-invasive? – Justin Dearing Dec 23 '14 at 22:59
  • @JustinDearing It would still need to hook into the boot sequence, and would still consume CPU cycles for matching and selecting events. And writing events to a log. Boot logging is a kind of debug logging. Don't enable it unless you have something you need to debug. – Ansgar Wiechers Dec 25 '14 at 21:57

2 Answers

I'm not aware of a regular way to permanently enable boot logging, but it seems that boot logging is controlled by two registry values in the Procmon driver configuration. Perhaps (re-)creating these values (e.g. with a startup script) will do what you want:

if not exist %SystemRoot%\System32\Drivers\PROCMON23.sys copy PROCMON23.sys %SystemRoot%\System32\Drivers\
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v ImagePath /t REG_SZ /d "System32\Drivers\PROCMON23.sys" /f
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Start /t REG_DWORD /d 0x0 /f
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Type /t REG_DWORD /d 0x1 /f

However, before trying something like that, I'd first try "regular" monitoring (without boot logging). Start Process Monitor once and configure it to monitor only access to the hosts file (Filter → Filter...). Export that configuration to the file C:\hosts.pmc (File → Export Configuration...). Then run something like this in a startup script:

procmon /LoadConfig C:\hosts.pmc /BackingFile C:\hosts_%DATE:/=-%.pml /Quiet > C:\hosts.log 2>&1

That will start Process Monitor with the exported configuration (/LoadConfig C:\hosts.pmc), start monitoring without prompting for confirmation of filter settings (/Quiet), and log the recorded events to a log file with the current date (/BackingFile C:\hosts_%DATE:/=-%.pml). The expression %DATE:/=-% produces the current date with forward slashes / replaced by hyphens -. If your date format is not MM/DD/YYYY you'll have to modify this expression accordingly.

Startup scripts can be configured in various ways (Run keys in the registry, scheduled tasks, group policies, ...). See the answers to this question on StackOverflow for an overview.

Ansgar Wiechers
  • other than the registry keys, boot logging requires a file PROCMON23.sys in C:\Windows\System32\Drivers\. if I enable boot logging by using the menu, it does that. but I cannot move the file from Drivers to anywhere else. – SparedWhisle Nov 08 '12 at 13:27
  • With admin privileges you should be able to copy the file. Perhaps you could copy the backup copy back to the drivers directory if it doesn't exist, and then set the registry keys. But again, I recommend against trying this before you have tried everything else. – Ansgar Wiechers Nov 08 '12 at 14:05
  • I couldn't back up PROCMON23.sys even with administrator. I left procmon running during last night and I have found the processes that ruin my hosts file. they are "system" and "svchost.exe", that is another question. Thanks anyway. – SparedWhisle Nov 09 '12 at 02:04
  • Make sure to copy PROCMON23.SYS into system32/drivers before manually adding the reg values. When using the procmon GUI option it copies it into this directory and applies the reg values. when unchecking this option it deletes it. If you want to do it manually, copy the sys file to this directory and apply the reg values yourself. works ok. –  Feb 05 '13 at 11:23
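As an added example (not code from either answer or from Sysinternals), a PowerShell version of the first answer's startup-script approach: it checks whether the driver-level boot logging described above is currently armed (driver service present, Start=0, Type=1, .sys file in System32\Drivers) and otherwise launches Process Monitor with the exported filter and a date-stamped backing file. The paths C:\Tools\procmon.exe and C:\ProcmonLogs and the function names are assumptions; the driver name PROCMON23 and the C:\hosts.pmc config come from the answer.

```powershell
# Added example, not from the answers above. Assumed paths (not on the page):
$Procmon   = 'C:\Tools\procmon.exe'      # assumption: where procmon.exe lives
$Config    = 'C:\hosts.pmc'              # filter exported via File -> Export Configuration
$LogDir    = 'C:\ProcmonLogs'            # assumption: where .pml backing files go
$DriverSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\PROCMON23'  # driver name from the answer

# True when boot logging is armed: the driver service key exists with the values the
# first answer sets (Start=0 boot start, Type=1 kernel driver) and the image file exists.
function Test-ProcmonBootLogging {
    if (-not (Test-Path $DriverSvc)) { return $false }
    $svc = Get-ItemProperty -Path $DriverSvc
    if ($svc.ImagePath -like '*:\*') {
        $image = $svc.ImagePath
    } else {
        # ImagePath is relative to SystemRoot ("System32\Drivers\PROCMON23.sys").
        $image = Join-Path $env:SystemRoot ($svc.ImagePath -replace '^\\SystemRoot\\', '')
    }
    return ($svc.Start -eq 0 -and $svc.Type -eq 1 -and (Test-Path $image))
}

# Start Process Monitor non-interactively with the exported filter and a
# date-stamped backing file. Get-Date -Format sidesteps the locale-dependent
# %DATE:/=-% expansion used in the batch version. Returns the backing file path.
function Start-HostsMonitor {
    if (-not (Test-Path $Config)) {
        throw "Filter config $Config not found; export it from Process Monitor first."
    }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyy-MM-dd_HHmmss'
    $backing = Join-Path $LogDir "hosts_$stamp.pml"
    $procArgs = @('/LoadConfig', $Config, '/BackingFile', $backing, '/Quiet', '/AcceptEula')
    Start-Process -FilePath $Procmon -ArgumentList $procArgs -WindowStyle Hidden
    return $backing
}

if (Test-ProcmonBootLogging) {
    Write-Host 'Boot logging is armed; the driver is already capturing from boot.'
} else {
    $file = Start-HostsMonitor
    Write-Host "Started Process Monitor with $Config, logging to $file"
}
```

Run it from a startup scheduled task with administrative rights, since both the registry check and Process Monitor itself need them.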
Adam Collett/adjman666 wrote a VBScript to do it and posted it to the Sysinternals forums. For this to work the \\server\procmon share will need to have sharing and file permissions set so that "Domain Computers" can read from that location, otherwise the script will error with an "Access Denied" message.

'Script to enable boot logging in Process Monitor at every shutdown to ensure we capture all activity, every time.

'Declare the objects used in the script
Dim objFSO, objShell, objRegistry

'Declare the variables used in the script
Dim strProcmon20KeyPath, strInstancesKeyPath, strPMIKeyPath, strStartValueName, strGroupValueName, strTypeValueName, strImagePathValueName
Dim strDefInstanceValueName, strAltitudeValueName, strFlagsValueName, strComputer

'Declare the constants used in the script
Const HKEY_LOCAL_MACHINE = &H80000002

'Create our FileSystem, Shell and Registry objects
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objShell=WScript.CreateObject("WScript.Shell")
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

'Set all variables ready for use

strProcmon20KeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\"
strInstancesKeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\Instances\"
strPMIKeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\Instances\Process Monitor Instance\"

strStartValueName = "Start"
strGroupValueName = "Group"
strTypeValueName = "Type"
strImagePathValueName = "ImagePath"
strDefInstanceValueName = "DefaultInstance"
strAltitudeValueName = "Altitude"
strFlagsValueName = "Flags"

'Check for the Process Monitor Executable, copy it in if not already on the system.
If not objFSO.FileExists("C:\Windows\System32\procmon.exe") Then
  objFSO.CopyFile "\\server\procmon\procmon.exe", "C:\Windows\System32\", true
End If

'Now import the registry settings, one at a time
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strStartValueName, "0", "REG_DWORD"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strGroupValueName, "FSFilter Activity Monitor", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strTypeValueName, "1", "REG_DWORD"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strImagePathValueName, "System32\Drivers\PROCMON20.SYS", "REG_EXPAND_SZ"

objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strInstancesKeyPath & strDefInstanceValueName, "Process Monitor Instance", "REG_SZ"

objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strPMIKeyPath & strAltitudeValueName, "385200", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strPMIKeyPath & strFlagsValueName, "0", "REG_DWORD"

'Now copy over the PROCMON20.SYS file to the C:\Windows\System32\Drivers folder

If not objFSO.FileExists("C:\Windows\System32\Drivers\PROCMON20.SYS") Then
  objFSO.CopyFile "\\server\procmon\PROCMON20.SYS", "C:\Windows\System32\Drivers\", true
End If

'End of Script
Journeyman Geek
Justin Dearing