Process Monitor is a great tool when it comes to troubleshooting applications. But what does ProcMon actually show you? Process Monitor displays all the activity that happens on the system. That activity is composed of file system changes, registry changes and process/thread events.
However, there might be cases where Process Monitor cannot show all the threads, or the information shown might be misleading. Let’s understand why and how you can change this.
First of all, let’s understand what happens when you open up Process Monitor. For a normal user, the window appears and it starts to record everything that happens on the system.
As you can see, the PROCMON24 filter driver is almost at the top, with an altitude of 385200. But before we get to the altitude, let’s try to understand what filter drivers are.
A filter driver is a kernel-mode component which runs as part of the Windows executive. For example, a file system filter driver can filter the I/O operations for the file system volumes, and depending on how that filter is designed it can either log the operations, observe the operations or completely block file operations.
So if you think of it, this is how most antivirus utilities work. When you double click a file and you have an Antivirus installed, the filter driver of the antivirus loads the file, reads it, checks for any malicious code and then releases it for execution. These operations must be performed by the antivirus software before the file is executed, otherwise it doesn’t make sense to let a virus run and then tell the user “heeeeey uhhhmmm yeah soooo it’s kinda bad you have a virus in your system now”.
Now, this doesn’t mean that you can go, create a virus, give its filter driver a higher altitude and TADA, you have a potent virus. Each filter driver must have a unique altitude identifier, and the altitude allocation is managed by Microsoft. So if you want a different altitude, you must ask Microsoft for it.
Now that we know what filter drivers are, let’s understand what the altitude is. As previously mentioned, every filter driver must have a unique altitude identifier, and Windows uses a dedicated set of load order groups that are loaded at system startup.
Now, there is a whole list of load order groups and altitude ranges on Microsoft’s website, but what you need to understand is that the higher the altitude of your filter driver, the more operations you can catch: a filter with a higher altitude sits higher in the filter stack and sees each I/O request before the filters below it, so it also sees operations that never reach a lower filter. So if an antivirus has a high-altitude filter driver, it will catch more of the operations that are happening than what you see with Process Monitor at the default altitude.
There are many scenarios where you need to debug higher-altitude operations, and for this, Process Monitor (ProcMon) does offer a way to increase its altitude.
As previously mentioned, when you open up Process Monitor, it loads a filter driver, but it also creates some additional registry keys. These registry keys can be found in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance.
If we navigate to that key and look a bit, we can see a REG_SZ value called Altitude, which is set to 385200, the same number fltmc shows in PowerShell.
However, here comes a problem. If we only change that registry key and assign a higher altitude, close and open up ProcMon again, the changes will not be applied. The problem is with the filter driver, because when you close ProcMon, the filter driver doesn’t get unloaded. Technically you could try to unload it from PowerShell with the following command:
fltmc unload PROCMON24
However, when you try this, the following error appears:
Unfortunately, the only way to unload the PROCMON24 filter driver is to completely restart the machine. But when you restart the machine, the registry keys get deleted, so even if you modified them, the changes will be gone. So the steps to correctly modify the ProcMon altitude are:
- Open Procmon
- Run regedit as an administrator and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance
- Change the Altitude value (make it higher according to the list mentioned earlier)
- Right-click on the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance and select Permissions
- Click Advanced > Add
- Click on Select A Principal
- Type Everyone in the box and click on Check Names
- Everyone should now be underlined. Click on OK.
- Change the Type to Deny
- Click on Show Advanced Permissions
- Check Set Value and Delete, leave other boxes unchecked
- Click OK until everything is closed, if you have any permission requests allow them
- Reboot the machine
- Start Process Monitor again
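The same registry steps as a script, added here as an example that is not part of the original post. It assumes Process Monitor has been started once (so the instance key exists), an elevated PowerShell session, and that the placeholder value in $newAltitude is replaced with a free altitude from Microsoft’s list.

```powershell
# Added example: automates steps 2-12 above. Not from the original post.
# Assumes: elevated PowerShell, ProcMon started once so the key exists, and a
# placeholder altitude that must be replaced with a free value from Microsoft's list.
$subKey      = 'SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance'
$newAltitude = '400000'   # placeholder, take a real value from Microsoft's published ranges

# Open the key with just the rights this script needs.
$rights = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
          [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    $subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
if ($null -eq $key) { throw "Instance key not found; start Process Monitor once first." }

# Step 3: raise the altitude. The value is a REG_SZ, so write it as a string.
$current = $key.GetValue('Altitude')
Write-Host "Altitude before: $current"
$key.SetValue('Altitude', $newAltitude, [Microsoft.Win32.RegistryValueKind]::String)

# Steps 4-12: add a Deny ACE for Everyone (S-1-1-0) on Set Value and Delete, so
# ProcMon cannot write its default back and the key survives the reboot.
# The ACE is added only after the value is written, because the Deny also
# applies to the account running this script.
$everyone   = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$denyRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::Delete
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone, $denyRights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

# Read and write only the DACL, so the key's owner and audit settings are untouched.
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
$acl.AddAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

Write-Host "Altitude set to $newAltitude and Deny ACE applied."
Write-Host "Reboot, start Process Monitor, then run 'fltmc' to confirm the new altitude."
```

To undo the change later, the Deny ACE has to be removed from the key first, since it blocks every account, including administrators, from editing or deleting the value.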
When you start Process Monitor again, it won’t have permission to modify the registry value that you previously changed, and if you open up PowerShell again and type fltmc, it will show the altitude that you set for ProcMon.