Process Monitor Tool

Experiment-3

Aim:- Perform Registry analysis and obtain a boot-time log using the Process Monitor tool.
About the tool:-

Process Monitor is an advanced monitoring tool for Windows that shows real-time file
system, Registry and process/thread activity. It combines the features of two legacy
Sysinternals utilities, Filemon and Regmon, and adds an extensive list of
enhancements including rich and non-destructive filtering, comprehensive event
properties such as session IDs and user names, reliable process information, full
thread stacks with integrated symbol support for each operation, simultaneous
logging to a file, and much more. Its uniquely powerful features will make Process
Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Overview of Process Monitor Capabilities

Process Monitor includes powerful monitoring and filtering capabilities, including:

- More data captured for operation input and output parameters
- Non-destructive filters allow you to set filters without losing data
- Capture of thread stacks for each operation makes it possible in many cases to
identify the root cause of an operation
- Reliable capture of process details, including image path, command line, user
and session ID
- Configurable and moveable columns for any event property
- Filters can be set for any data field, including fields not configured as columns
- Advanced logging architecture scales to tens of millions of captured events
and gigabytes of log data
- Process tree tool shows the relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor
instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn't fit in the
column
- Cancellable search
- Boot time logging of all operations

Procedure:-

Open the ProcessMonitor folder; it contains five files:

Eula.txt – The license agreement you'll have to accept before running procmon.

procmon.chm – The help file which contains all of the provided documentation.

Procmon.exe – The launcher EXE that starts the procmon binary matching the
machine's architecture (x86, x64 or ARM64).

Procmon64.exe – The x64 procmon binary.

Procmon64a.exe – The ARM64 procmon binary.

Now run Procmon by launching ~\ProcessMonitor\procmon.exe. Run it from an elevated
(administrator) session: Procmon loads a kernel driver to capture events and cannot
capture without that right.

When you fire up Procmon for the first time you may be overwhelmed by the options;
the rest of this experiment walks through the ones you need. (Screenshot: a typical
Procmon capture in progress.)

The moment you run Procmon, it begins capturing many different kinds of Windows
events.

In the Operation column (see the screenshot above) each event carries an icon that
identifies its class. Procmon captures events from five different classes:-

- Registry
- Filesystem
- Network
- Processes
- Profiling events

Each event in all classes is represented in a single list pane of seven columns:-

Time of day – The time the event occurred.

Process name – The name of the process that triggered the event.

PID – The process identifier.

Operation – The type of event like if the process opened a file, changed a registry
key value, etc.

Path – The path to the object the event interacted with like a file path, registry path,
etc.

Result – This column will contain numerous values to indicate the result of the event.
This value can be as simple as SUCCESS or specific to the event like REPARSE,
BUFFER OVERFLOW, NAME NOT FOUND, etc.

Detail – This column contains all of the nitty-gritty detail once you pinpoint an event
you’d like to see.

If you’d rather not see a certain column or would like to see what other columns you
have available, right-click on any column header and choose Select columns. You’ll
be presented with a dialog box where you can customize the viewable columns.

In the event window, double-click on an event. You can find many more details about
the process and the event itself by viewing the event, process and stack tabs.

Enabling and Disabling Captures

You have complete control over the capture process. You can either stop the entire
capture or hide individual event classes from the display.

On the toolbar you'll see a magnifying-glass icon. If the magnifying glass has a red X
over it, capture is stopped; otherwise capture is running (Ctrl+E toggles it). To be
more selective, use the five class buttons on the same toolbar, which carry the same
icons shown in the Operation column; clicking one shows or hides that whole event
class. Note that these buttons are display filters, not capture switches: hidden
classes are still captured and kept in the log (and are still there when you save or
export it) unless Filter > Drop Filtered Events is enabled, in which case events
excluded by the current filter are discarded to save memory.
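Once a capture has been saved (including the boot log that Options > Enable Boot Logging records on the next reboot and offers to save when Procmon is started again), File > Save... can export it as comma-separated values with the seven columns described above. The following Python script is added here as a worked example of the registry analysis this experiment asks for; it is not part of Process Monitor or of the original procedure. It parses such an export, keeps the Registry event class, tallies the Result column, flags successful writes to well-known autostart locations (Run/RunOnce, Image File Execution Options, Winlogon, service ImagePath, AppInit_DLLs), and lists NAME NOT FOUND probes per process. The rows in SAMPLE_CSV are constructed for the demonstration (the processes, PIDs, timestamps and CLSID are made up; the registry paths are real Windows locations), and the function names are this example's own.

```python
"""Registry analysis of a Process Monitor CSV export (example added to this
experiment; not part of Process Monitor). The rows in SAMPLE_CSV are
constructed for the demonstration and are not a real capture."""
import csv
import io
import re
from collections import Counter

# Constructed sample export with the seven default Procmon columns.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:02.1234567 AM","svchost.exe","812","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:15:03.0000000 AM","updater.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 82, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"9:15:03.0100000 AM","updater.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe","NAME NOT FOUND","Desired Access: Read"
"9:15:03.0150000 AM","updater.exe","4120","RegCreateKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"9:15:03.0200000 AM","updater.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger","SUCCESS","Type: REG_SZ, Length: 82, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"9:15:04.0000000 AM","explorer.exe","3344","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:15:04.5000000 AM","notepad.exe","5520","RegQueryValue","HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)","NAME NOT FOUND","Length: 1,024"
"9:15:04.6000000 AM","notepad.exe","5520","CreateFile","C:\Users\lab\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read"
'''

COLUMNS = ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail")

# Successful writes to these locations are classic persistence / hijack points.
AUTOSTART_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\CurrentVersion\\Run(Once)?(Ex)?(\\|$)",                # Run / RunOnce keys
    r"\\Image File Execution Options\\[^\\]+(\\Debugger)?$",   # IFEO debugger hijack
    r"\\Winlogon\\(Shell|Userinit)$",                          # logon shell replacement
    r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$",      # service binary path
    r"\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs$",   # AppInit DLL injection
)]
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}


def parse_procmon_csv(text):
    """Parse an export into dicts keyed by column name; refuse exports that
    were saved without the seven columns this analysis relies on."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export lacks expected Procmon columns: {missing}")
    return list(reader)


def registry_events(events):
    """Keep the Registry event class; Procmon names those operations Reg*."""
    return [e for e in events if e["Operation"].startswith("Reg")]


def result_counts(events):
    """Tally the Result column (SUCCESS, NAME NOT FOUND, BUFFER OVERFLOW, ...)."""
    return Counter(e["Result"] for e in events)


def find_autostart_writes(events):
    """Successful registry writes whose path is a known autostart location."""
    hits = []
    for e in events:
        if e["Operation"] not in WRITE_OPS or e["Result"] != "SUCCESS":
            continue
        if any(p.search(e["Path"]) for p in AUTOSTART_PATTERNS):
            data = re.search(r"Data: (.*)$", e["Detail"])  # value written, if any
            hits.append({"process": e["Process Name"], "pid": int(e["PID"]),
                         "operation": e["Operation"], "path": e["Path"],
                         "data": data.group(1) if data else None})
    return hits


def failed_lookups(events):
    """NAME NOT FOUND results grouped by process: what each process probed
    for but did not find (a missing key is something a hijack could supply)."""
    probes = {}
    for e in events:
        if e["Result"] == "NAME NOT FOUND":
            probes.setdefault(e["Process Name"], []).append(e["Path"])
    return probes


def analyze(text):
    """Run the whole registry analysis over one CSV export and return a report."""
    events = parse_procmon_csv(text)
    reg = registry_events(events)
    return {"total": len(events), "registry": len(reg),
            "results": result_counts(events),
            "autostart_writes": find_autostart_writes(reg),
            "failed_lookups": failed_lookups(reg)}


if __name__ == "__main__":
    report = analyze(SAMPLE_CSV)
    print(f"{report['registry']} of {report['total']} events are registry operations")
    print("results:", dict(report["results"]))
    for h in report["autostart_writes"]:
        print(f"AUTOSTART WRITE {h['process']}({h['pid']}) {h['operation']} {h['path']} -> {h['data']}")
    for proc, paths in report["failed_lookups"].items():
        print(f"{proc}: {len(paths)} NAME NOT FOUND probe(s)")
```

For a real export, read the file with open(path, encoding="utf-8-sig") (this tolerates a byte-order mark whether or not Procmon wrote one) and pass the text to analyze(). The export contains whichever columns were displayed when it was saved, so keep the seven default columns in place before saving. The updater.exe sequence in the sample, a NAME NOT FOUND on an Image File Execution Options subkey followed by RegCreateKey and RegSetValue of Debugger from the same PID, is the kind of probe-then-write pattern to look for in a boot log: it makes every later launch of taskmgr.exe run the attacker's binary instead.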

Conclusion: Hence we can successfully perform Registry analysis and obtain a boot-time
log using the Process Monitor tool.
