The Power of Procmon (Process Monitor)

-

 

Procmon (Process Monitor) is "an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity." This accurately describes what Procmon does, but it doesn't come close to describing the power that it provides to monitor, investigate, and troubleshoot on a Windows system. 

Let explore it (download from Microsoft to follow along).

Activity Options

Procmon had a hard time adjusting to my display resolution, but you can see here and in the screenshot at the top the Activity display options. These will enable / disable various types of activities from being displayed. Deselecting one of these options doesn't erase any existing logs, but just narrows down the output to the types of events you want to see. These include registry, file system, network, and process/thread activity. 

These are helpful for narrowing focus when troubleshooting an issue, but you can still be left with thousands of entries. This is where filters come in. 

Filters

Filters allow you to narrow the results in Procmon down to just those entries you care about and is where Procmon really starts to shine. For example, to see all of what chrome.exe is doing, we can apply the filter "Process Name is chrome.exe". 

We can also select a Process ID, User, Path, and several other options. One of the most useful when troubleshooting an issue can be the Result filter. With the Result filter you can show all activity that was not successful -- failed or otherwise. This can be helpful in cases where an application is looking for a particular file or registry entry that is missing, or if a suspicious process is attempting to access directories it shouldn't.

Process Tree

Procmon also gives you the ability to see a live process tree and include specific processes or whole subtrees in the full Procmon view. 

Alternatively, you can select Go To Event and the chosen process will be jumped to and highlighted in the full Procmon view.

Event Properties - Process and Stack

Event Process

Event Stack

Two areas I use less often but that provide interesting detail are the Event Process and Event Stack tabs. These tabs provide the associated modules and the thread stack of a process, respectively. 

Boot Logging

Finally, enabling Boot Logging allows Procmon to record Windows startup activity for events such as loaded drivers that can aid in troubleshooting (requires a restart and starting Procmon again upon entering Windows).

Conclusion

If you're ever troubleshooting an issue with a piece of software, investigating what a particular script touches, or just curious to learn more about what processes are doing on your system, Procmon is a great tool for the job. 

Comments

Post a Comment

Popular Posts

Hashcat - Cracking MD5 and NTLM Hashes

-
Image
Today we'll be exploring Hashcat -- "the world’s fastest and most advanced password recovery utility". This, along with similar tools, should be used only for password recovery, pentest engagements, CTFs, etc and never for illegal purposes. I could write an entire series about the capabilities Hashcat provides, but we will cover a few basic examples for now ( besides, Hashcat does a pretty good job of that themselves ): Crack MD5 hashes using the rockyou.txt wordlist. Crack NTLM hashes using the rockyou.txt wordlist. Crack NTLM hashes using a mask attack (modified brute force). I'll be using Kali Linux as Hashcat comes pre-installed, but Hashcat can run on Windows, macOS, and other Linux distributions as well. As you'll see, I'll be using some lists of hashes I made previously. Tools to generate hashes using dozens of algorithms are available online -- just save the output as a text file if you want to follow along. Cracking MD5 Hashes Using rockyou.txt Wordl
Read more

Configuring Secure Ciphers Suites and TLS

-
Image
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post . There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry. IIS Crypto My favorite way of editing TLS versions and cipher suites is using IIS Crypto . IIS Crypto allows you to select your desired TLS/SSL version, cipher suites, and backup the registry, all with a few mouse clicks. Only downside is that it's Windows only (even the command line version). This is what IIS Crypto will look like on an unmodified Windows 10 system. Note the separate  Server Protocols  and  Client Protocols  sections. These are important to keep straight depending on what system is listening for connections and what system is
Read more

Configuring SSH Key Based Authentication

-
Image
Overview Most personal computers and many organizations running Linux servers utilize password-based authentication. This is what most of us are used to -- you enter a username and password in order to authenticate your account and gain access to a system. While straightforward and commonplace, this isn't the best solution in most cases. Today I'll be explaining why key based authentication is more convenient, more secure, and allows for automation of tasks without saving credentials in plain-text in a text file. Key based authentication involves the use of private and public keys ( public-key cryptography ). The private key is stored on the client and the public key is stored on the server in a special file ( ~/.ssh/authorized_keys ). This allows any system with the corresponding private key to login to the server where we just stored the public key. Our steps are: Generate key pair (public / private key). Transfer public key and add it to the authorized_keys file on the remot
Read more