Hello, my name is Curt. I am a Senior Principal Engineer working with the GSE team. This video is dedicated to looking at how we can set up the Sysinternals tool Process Monitor to run without user intervention. We'll discuss why and when running Process Monitor as an automated task can be helpful in gathering system information when troubleshooting certain types of server, program and system failure events.
Now, for general information, Process Monitor is a Microsoft Sysinternals tool showing real-time file system, registry and process activity. We can set this up as a scheduled task within Windows in order to capture information and avoid actually having to manually start the program to get the information. Now, in order to make this work we have to run a command, and we're going to be calling on the procmon64 program.
We've located that in a PM folder on the C drive - the name of the folder is ‘PM’ - and we've also added some arguments to create a log so we can actually view the activity of the trace. We've specified that we want to run this for 60 seconds with the runtime switch, and we want to make sure that we put in ‘/quiet’ so that procmon will actually start and run on its own, versus having a user approve the filters that are being presented for the trace. Now, when this is all said and done we'll do a test, and we'll also export this to an XML file.
So we want to move into the environment that we're working with here at the server level. Now, once again, we want to create a task, so we'll just jump right into that, and each task that is created requires a name. Keep it simple: ‘Procmon_Trace’. Now, we're going to be running this under the credentials of a domain administrator account.
We want to specify - very important - that this is run whether the user is logged in or not, and I want to try to avoid as many permissions issues as possible, so I want to go ahead and check off ‘Run with highest privileges’. We've got that taken care of there. Okay, so as far as our triggers go, we want to run this on a schedule. I'm troubleshooting a backup issue, the backups are not starting as expected, so I'm going to do this on a daily basis, because that's when the backup runs. Each and every day the backup runs at one in the morning, so I'm going to go ahead and set that up as my start time for my particular procmon trace. We also want to make sure that the ‘Enabled’ box is checked as well in the trigger section of the task setup.
Now, for actions, this is where we include our command, so I have that available once again: we're calling on the procmon executable to run our trace, and we have to add those additional arguments to ensure that our activity log is being created. We also ensure that procmon doesn't run continuously, and we add that ‘/quiet’ switch to ensure that it starts on its own without user intervention.
So go ahead and click OK on that. For the conditions I have no changes here; for the settings I want to go ahead and specify that this will stop after an hour. Also, by default you'll see that we have ‘Allow task to run on demand’. Starting a task is generally fairly easy; stopping one sometimes seems to be a little bit more complicated. I've specified that this task is only going to run for an hour. Once again, my trace is only going to last 60 seconds, but there aren't a whole lot of easy ways to stop tasks in the world of Windows scheduling, so I want to go ahead and just allow this thing to be active for an hour.
It's not going to cause any problems on the server I'm running, so I'm gonna go ahead and click ‘OK’. Now, it's also going to want you to verify credentials for the logged-in user creating the task, and it's that administrator account that I'm using. So this is our task, and it's in a ready state, so what I want to do at this point is go ahead and run it, and we're going to allow this to run the entire 60 seconds. So we've allowed that trace to complete, so let's go and take a look. We do have a created log. Now, the command that I put in wasn't exactly what I wanted to put in.
I can go back and make changes to it to make sure that it puts the log in the log directory next time around, but let's go ahead and click on it and verify that it ran successfully and collected information. All right, so I have a bucket of information on that particular trace with that procmon run. It's about 90 MB, so keep in mind that these particular procmon traces will gather a lot of information and they will build very large logs.
All right, so as I mentioned before, I have an interest in running this on another system. So in this particular case this task has served its purpose; I'm going to right-click, I'm going to end the task, and I'm going to go ahead and do an export of this. So all I have to do is right-click the task itself, select export, and I'm going to use ‘Procmon_Trace.xml’. I have a previously created log here; I'm going to go ahead and save this version, since this is the one I want to use, so there we go. We've created the task and we've run it successfully, and we have also exported it for use on other systems.
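As an added example (not code from the video), here is the same Procmon_Trace task built with the Windows ScheduledTasks PowerShell cmdlets instead of the Task Scheduler GUI, including the test run and the XML export. The C:\PM paths, the CONTOSO account name and the /BackingFile and /AcceptEula switches are assumptions; only the 60-second runtime, the /quiet switch, the 1 AM daily trigger and the one-hour limit come from the walkthrough.

```powershell
# Added example: unattended Process Monitor trace as a scheduled task.
# Paths and account are assumptions, not taken from the video.
$ProcmonExe = 'C:\PM\Procmon64.exe'           # assumed location of the 'PM' folder copy
$LogFile    = 'C:\PM\Logs\Procmon_Trace.pml'  # assumed backing file for the trace
$TaskName   = 'Procmon_Trace'
$RunAs      = 'CONTOSO\procmon-admin'         # placeholder domain administrator account

# The task runs this binary with highest privileges, so keep C:\PM writable by
# Administrators only; a replaced Procmon64.exe would run with those rights.
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

# /Quiet suppresses the filter-confirmation dialog, /AcceptEula the first-run EULA
# prompt, /Runtime bounds the capture to 60 seconds, /BackingFile names the log.
$ProcArgs = "/AcceptEula /Quiet /Minimized /BackingFile `"$LogFile`" /Runtime 60"
$Action   = New-ScheduledTaskAction -Execute $ProcmonExe -Argument $ProcArgs

# Daily at 01:00, the time the backup job is expected to start.
$Trigger  = New-ScheduledTaskTrigger -Daily -At '1:00AM'

# Hard stop after one hour so a stuck procmon cannot keep growing the log on disk.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)

# Passing -User and -Password registers the task to run whether the user is logged
# on or not; -RunLevel Highest is the 'Run with highest privileges' checkbox.
$Cred = Get-Credential -UserName $RunAs -Message 'Password for the task account'
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Settings $Settings -User $RunAs `
    -Password $Cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null

# Test run: start on demand, wait for the 60-second trace, then confirm the result.
Start-ScheduledTask -TaskName $TaskName
do { Start-Sleep -Seconds 5 } while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running')
$Info = Get-ScheduledTaskInfo -TaskName $TaskName
'Last result: 0x{0:X} at {1}' -f $Info.LastTaskResult, $Info.LastRunTime
if (Test-Path $LogFile) {
    # Traces grow quickly; check the size before copying it anywhere.
    'Trace written: {0} ({1:N1} MB)' -f $LogFile, ((Get-Item $LogFile).Length / 1MB)
}

# Export the definition for reuse on other servers. The XML carries no password,
# so credentials are re-entered when the task is imported elsewhere.
Export-ScheduledTask -TaskName $TaskName | Out-File "C:\PM\$TaskName.xml" -Encoding Unicode
```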
This concludes our video on setting up Process Monitor to run as an automated task, and how it can be beneficial in troubleshooting server failure events. I hope this video helped you understand the value of using Process Monitor and how it can run as a scheduled task.
Thank you for watching.