Automating Process Monitor Captures on Remote Machines Using PowerShell

July 16, 2018, by Amir Joseph Sayes

Managing thousands of VDIs and servers can be challenging, not to mention troubleshooting odd issues! In many scenarios, when you feel like you are running out of ideas and you log a ticket with the vendor screaming for help, their initial response is likely to be a request for all sorts of logs! Process Monitor is a Windows Sysinternals tool that is a very close friend of End User Computing experts for the insight it gives and its ability to pinpoint and narrow down what's happening behind the scenes.

But, what if the problem is sporadic and you are not sure where to run the tool or for how long?

What if you have very limited time to react when the problem occurs and you simply don't have the luxury of setting up your ProcMon capture and customizing it to capture only the things you need?

What if you are troubleshooting a "logged on" machine and you cannot log the user off, or you do not want them to feel the performance hit of running the tool?

For all of the above, I have written a tool in PowerShell that uses "ProcMon.exe", relies on another Sysinternals tool, "PsExec.exe", and ships with pre-configured capture configurations, giving you a quick and easy way to capture what you need.

Assumptions

WinRM and WMI services are enabled on the remote machines, and firewall rules allow communication to those services.

Pre-requisites

  1. PowerShell v3+
  2. Admin rights on the remote machine

Features

  1. The tool can run from anywhere – it copies the supporting files to your local machine and to the remote machine.
  2. Capture indefinitely (until the machine dies – relevant in some VDI troubleshooting scenarios) or for a limited number of captures.
  3. Stop capturing when the capture file size hits a pre-defined limit that you set. The script copies the capture from the remote machine to your local machine before starting a new capture.
  4. You can stop capturing by pressing and holding F12.
  5. Capture only what you are looking for: pre-configured capture configs give you the option to capture either
    1. Reads/writes to disk
    2. Registry keys
    3. Everything
  6. Live monitoring of the remote machine's disk space while capturing (optional).

How it works

  1. Download the zip file ProcMon_Remote_v1.1 and extract it to a share or a local folder of your choice.
  2. Run PowerShell on your local machine with an account that has admin rights on the remote machines.
  3. Run the script – for example: & c:\temp\ProcMon_Remote_v1\Automated_ProcMon_v1.ps1
  4. Follow the instructions on the screen.
  5. A temporary folder is created under "c:\temp\ProcMon_Remote\" on both your local machine and the remote (target) machine.
  6. Captures are saved locally in C:\Temp\ProcMon_Remote\<Remote_machine_name>

Example

  1. Enter the FQDN of the target machine that you want to monitor.
  2. Choose between capturing indefinitely ("0") or between 1 and 50 captures – here I chose 0.
  3. Choose the threshold at which capturing will stop and a new capture will start – here I chose 10 MB.
  4. Choose whether to monitor disk space or not – here I am choosing Yes (Y).

The tool then copies the necessary files to the target machine, starts PsExec.exe and begins capturing.

  1. In step 5, I pressed and held F12 to stop capturing; the tool then gracefully stops the capture and makes sure nothing is left running on the machine.
  2. In step 6, the tool copies the capture down to your machine for analysis.
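To make the stage/launch/poll/terminate/copy-back cycle concrete, here is an added PowerShell example of one size-bounded capture, written for this post and not taken from Automated_ProcMon_v1.ps1. It assumes, like the tool, that WinRM and the C$ admin share are reachable and that you are an admin on the target; the folder names, the choice to run ProcMon as SYSTEM and the polling interval are my assumptions.

```powershell
# Added example, not the author's Automated_ProcMon_v1.ps1: one size-bounded
# ProcMon capture cycle driven from the local machine. Assumes (as in the post)
# WinRM and the C$ admin share are reachable, the caller has admin rights on the
# target, and procmon.exe/psexec.exe sit in $ToolDir locally.
function Start-RemoteProcMonCapture {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$ToolDir   = 'C:\temp\ProcMon_Remote',   # local folder holding procmon.exe and psexec.exe
        [string]$RemoteDir = 'C:\temp\ProcMon_Remote',   # working folder created on the target
        [int]$ThresholdMB  = 10,                         # stop when the backing file reaches this size
        [int]$PollSeconds  = 5
    )
    $toUnc     = { param($p) "\\$ComputerName\$($p -replace ':', '$')" }   # C:\x -> \\host\C$\x
    $psexec    = Join-Path $ToolDir 'psexec.exe'
    $remoteExe = Join-Path $RemoteDir 'procmon.exe'

    # 1. Stage ProcMon on the target over the admin share.
    New-Item -ItemType Directory -Path (& $toUnc $RemoteDir) -Force | Out-Null
    Copy-Item (Join-Path $ToolDir 'procmon.exe') (& $toUnc $RemoteDir) -Force

    # 2. Launch ProcMon as SYSTEM, detached (-d), logging straight to a backing file.
    $backing = Join-Path $RemoteDir ("capture_{0:yyyyMMdd_HHmmss}.pml" -f (Get-Date))
    & $psexec "\\$ComputerName" -accepteula -s -d $remoteExe `
        /AcceptEula /Quiet /Minimized /BackingFile $backing

    # 3. Poll the backing file size over the share until it crosses the threshold.
    $backingUnc = & $toUnc $backing
    do {
        Start-Sleep -Seconds $PollSeconds
        $sizeMB = (Get-Item $backingUnc -ErrorAction SilentlyContinue).Length / 1MB
    } while ($sizeMB -lt $ThresholdMB)

    # 4. Ask the running instance to stop and flush, then verify nothing is left behind.
    & $psexec "\\$ComputerName" -accepteula -s $remoteExe /Terminate
    Start-Sleep -Seconds 5
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-Process -Name 'procmon*' -ErrorAction SilentlyContinue | Stop-Process -Force
    }

    # 5. Pull the capture down to <ToolDir>\<target> and remove it from the target.
    $localDir = Join-Path $ToolDir $ComputerName
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null
    Move-Item $backingUnc $localDir -Force
    Join-Path $localDir (Split-Path $backing -Leaf)   # returns the local path of the capture
}

# Usage (constructed host name):
# Start-RemoteProcMonCapture -ComputerName 'vdi-001.corp.example' -ThresholdMB 10
```

Looping this function for a fixed number of iterations gives the "N captures" mode; wrapping it in a loop that also checks for F12 between iterations gives the indefinite mode the tool offers.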

Happy capturing!