Occasionally GES or R&D will ask for a Process Monitor log of an issue, captured with ProcMon attached at a different altitude.
This article explains the steps required to achieve that.
Applies to the following Sophos products and versions
Not product specific
We want to change the altitude that ProcMon runs at, which means placing it lower in the filter stack. The resulting log will then contain a lot of additional information that is usually left out. To change the altitude of ProcMon, follow the steps below (after installing ProcMon, which usually means nothing more than putting it on the machine and running it once).
The default altitude is 385200. To troubleshoot issues related to SafeGuard's mini filter driver, the altitude required to attach directly below it is 140000, so that is the value you have to save in the Altitude key.
The steps are:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance
This time you should see that the Procmon24 altitude has changed to the value you defined, and you are now ready to capture another PML.
Once this is captured, zip it and upload.
When running on the default level, the result will be similar to this (filters shown depend on what you have installed):
After successfully changing ProcMon's altitude it will look like this:
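A read-only way to confirm the change, added here as an example and not part of the original article: it reads the Altitude value under the key named above and uses the built-in `fltmc filters` command (elevated prompt required) to show which filters sit directly above and below PROCMON24. The filter names in the sample text other than PROCMON24 are constructed placeholders, and the helper function names are hypothetical.

```powershell
# Read-only check: configured vs. loaded altitude of ProcMon's minifilter.
$UseSample  = $false    # set to $true to parse the constructed sample below
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance'
$FilterName = 'PROCMON24'
$Known      = @{ '385200' = 'default'; '140000' = 'target from the article' }

function ConvertFrom-FltmcFilters {
    # Turn "fltmc filters" text rows into objects; header and other lines are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+\d+\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Instances = [int]$Matches[2]; Altitude = [decimal]$Matches[3] }
        }
    }
}

function Get-FilterNeighbours {
    # Nearest filters directly above and below $Name, ordered by altitude.
    param([object[]]$Filters, [string]$Name)
    $me = $Filters | Where-Object Name -eq $Name | Select-Object -First 1
    if (-not $me) { return $null }
    $above = $Filters | Where-Object { $_.Altitude -gt $me.Altitude } | Sort-Object Altitude | Select-Object -First 1
    $below = $Filters | Where-Object { $_.Altitude -lt $me.Altitude } | Sort-Object Altitude -Descending | Select-Object -First 1
    [pscustomobject]@{ Altitude = $me.Altitude; Instances = $me.Instances; Above = $above.Name; Below = $below.Name }
}

# Constructed sample output; every filter name except PROCMON24 is a placeholder.
$sample = @(
    'Filter Name                     Num Instances    Altitude    Frame'
    '------------------------------  -------------  ------------  -----'
    'ExampleAvFilter                         4        320000         0'
    'ExampleEncryptionFilter                 4        140100         0'
    'PROCMON24                               1        140000         0'
    'ExampleLowFilter                        4        40500.5        0'
)

$lines = if ($UseSample) { $sample } else { & fltmc.exe filters }
$state = Get-FilterNeighbours -Filters @(ConvertFrom-FltmcFilters $lines) -Name $FilterName
$value = (Get-ItemProperty -LiteralPath $KeyPath -Name Altitude -ErrorAction SilentlyContinue).Altitude
$label = if ($Known.ContainsKey("$value")) { $Known["$value"] } else { 'not a value named in the article' }

if ($null -eq $value) { "Registry: no Altitude value found (has ProcMon been run once?)" }
else { "Registry: Altitude = $value ($label)" }
if (-not $state) { "Loaded:   $FilterName not in the filter list (is ProcMon running and the prompt elevated?)" }
else {
    "Loaded:   $FilterName at $($state.Altitude) with $($state.Instances) instance(s)"
    "          directly above: $($state.Above)   directly below: $($state.Below)"
    if ("$value" -and [decimal]$value -ne $state.Altitude) { "WARNING:  loaded altitude differs from the registry value" }
}
```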