Automating Process Monitor Captures on Remote Machines Using PowerShell

Managing thousands of VDIs and servers is challenging enough, and troubleshooting odd issues on them even more so. In many scenarios, when you feel like you are running out of ideas and you log a ticket with the vendor asking for help, their first response is likely to be a request for all sorts of logs. Process Monitor is a Windows Sysinternals tool that is a very close friend to End User Computing experts for the insight it gives and the ability to pinpoint and narrow down your search for what is happening behind the scenes.

But, what if the problem is sporadic and you are not sure where to run the tool or for how long?

What if you have very limited time to react when the problem occurs and you do not have the luxury of setting up your ProcMon capture and customizing it to capture only the things you need?

What if you are troubleshooting a “logged on” machine and you cannot log the user off, or you do not want them to feel the performance hit of running the tool?

For all of the above, I have written a PowerShell tool that drives “ProcMon.exe”, relies on another Sysinternals tool, “PsExec.exe”, and ships with pre-configured capture configurations, giving you a quick and easy way to capture what you need.

Assumptions

WinRM and WMI services are enabled on the remote machines and Firewall rules allow communication to those services

Pre-requisites

  1. PowerShell v3+
  2. Admin rights on the remote machine

Features

  1. The tool can run from anywhere – it copies the supporting files to your local machine and to the remote machine.
  2. Capture indefinitely (until the machine dies – relevant in some VDI troubleshooting scenarios) or for a limited number of captures.
  3. Stop capturing when the capture file size hits a pre-defined limit that you set. The script copies the capture from the remote machine to your local machine before starting a new capture.
  4. You can stop capturing by pressing and holding F12.
  5. Capture only what you are looking for: pre-configured capture configs give you the option to capture
    1. Read/Writes to disk
    2. Registry Keys
    3. Everything
  6. Live monitoring of the remote machine disk space while capturing (optional).

How it works

  1. Download the zip file ProcMon_Remote_v1.1 and extract it to a share or a local folder of your choice.
  2. Run PowerShell on your local machine with an account that has admin rights on the remote machines.
  3. Run the script – for example: & c:\temp\ProcMon_Remote_v1\Automated_ProcMon_v1.ps1
  4. Follow the instructions on the screen
  5. A temporary folder is created under “c:\temp\ProcMon_Remote\” on both your local machine and the remote (target) machine.
  6. Captures are saved on your local machine under C:\Temp\ProcMon_Remote\<Remote_machine_name>

Example

  1. Enter the FQDN of the target machine that you want to monitor
  2. Choose between capturing indefinitely “0” or between 1 and 50 captures – In here I chose 0
  3. Choose the threshold at which capturing will stop and a new capture will start – In here I chose 10 MB
  4. Choose whether to monitor Disk Space or not – In here I am choosing Yes (Y)

Then the tool copies the necessary files to the target machine, launches ProcMon through PsExec.exe and starts capturing.

  1. In step 5, I pressed and held F12 to stop capturing. The tool then gracefully stops the capture and makes sure nothing is left running on the machine.
  2. In step 6, the tool copies the capture down to your machine for analysis.
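The workflow described above (stage the files on the target, run ProcMon through PsExec outside the user's session, rotate the capture at a size threshold, stop on F12, copy the captures back and clean up), written as one self-contained PowerShell function. This is an added example and not the script the post links to; it assumes PsExec.exe, Procmon.exe and the .pmc filter files sit in the local tool folder, that the target's C$ admin share and WMI are reachable (the post's own assumptions), that it runs in a console host (F12 detection uses [Console]::KeyAvailable), and the file name Registry.pmc is a hypothetical stand-in for one of the provided filter configs.

```powershell
# Added example, not the script from the post. Reproduces the workflow the post
# describes as a single function. Assumptions: PsExec.exe, Procmon.exe and the
# .pmc filter files are in $ToolDir locally; the target's C$ share and WMI are
# reachable; this runs in a console host (F12 detection uses [Console]::KeyAvailable).
function Start-RemoteProcMonCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,     # FQDN of the target
        [string] $ToolDir     = 'C:\temp\ProcMon_Remote',  # local staging folder (path from the post)
        [string] $ConfigName  = 'Registry.pmc',            # hypothetical name for the "Registry Keys" filter
        [int]    $MaxSizeMB   = 10,                        # rotate when the backing file reaches this size
        [int]    $MaxCaptures = 0,                         # 0 = capture indefinitely
        [switch] $MonitorDisk                              # optionally report free space on the remote C:
    )

    $remoteDir = 'C:\temp\ProcMon_Remote'                  # same folder on the target (path from the post)
    $remoteUnc = "\\$ComputerName\C$\temp\ProcMon_Remote"
    $localOut  = Join-Path $ToolDir $ComputerName          # captures land in <ToolDir>\<Remote_machine_name>
    $psexec    = Join-Path $ToolDir 'PsExec.exe'

    New-Item -ItemType Directory -Force -Path $remoteUnc, $localOut | Out-Null
    # Stage only what the target needs: the binary and the chosen filter config.
    Copy-Item (Join-Path $ToolDir 'Procmon.exe'), (Join-Path $ToolDir $ConfigName) -Destination $remoteUnc -Force

    $capture = 0
    $stopRequested = $false
    try {
        while (-not $stopRequested -and ($MaxCaptures -eq 0 -or $capture -lt $MaxCaptures)) {
            $capture++
            $pml = "capture_$capture.pml"
            # -s runs ProcMon as SYSTEM outside the user's session, -d returns without waiting;
            # /Quiet /Minimized keep it off the user's screen, /LoadConfig applies the filter so
            # only the chosen event classes are written to the backing file.
            & $psexec "\\$ComputerName" -accepteula -d -s "$remoteDir\Procmon.exe" `
                /AcceptEula /Quiet /Minimized /LoadConfig "$remoteDir\$ConfigName" `
                /BackingFile "$remoteDir\$pml" | Out-Null

            # Poll the backing file over the admin share until it hits the threshold
            # or the operator presses F12.
            do {
                Start-Sleep -Seconds 2
                $file   = Get-Item "$remoteUnc\$pml" -ErrorAction SilentlyContinue
                $sizeMB = if ($file) { $file.Length / 1MB } else { 0 }
                $status = 'capture {0}: {1:N1} MB' -f $capture, $sizeMB
                if ($MonitorDisk) {
                    $disk = Get-CimInstance -ComputerName $ComputerName -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
                    $status += ', remote C: free {0:N0} MB' -f ($disk.FreeSpace / 1MB)
                }
                Write-Host $status
                if ([Console]::KeyAvailable -and [Console]::ReadKey($true).Key -eq 'F12') { $stopRequested = $true }
            } until ($stopRequested -or $sizeMB -ge $MaxSizeMB)

            # /Terminate asks the running instance to flush and exit so the .pml is closed
            # cleanly; it is sent the same way the capture was started.
            & $psexec "\\$ComputerName" -accepteula -s "$remoteDir\Procmon.exe" /AcceptEula /Terminate | Out-Null
            Start-Sleep -Seconds 3
            Move-Item "$remoteUnc\$pml" -Destination $localOut -Force
        }
    }
    finally {
        # Leave nothing running on the target: terminate any ProcMon process that survived
        # /Terminate (the 64-bit build runs as Procmon64.exe), then remove the staged files.
        Get-CimInstance -ComputerName $ComputerName -ClassName Win32_Process -Filter "Name LIKE 'Procmon%'" |
            ForEach-Object { $null = Invoke-CimMethod -InputObject $_ -MethodName Terminate }
        Remove-Item $remoteUnc -Recurse -Force -ErrorAction SilentlyContinue
    }
    Get-ChildItem $localOut -Filter '*.pml'
}

# Usage matching the walkthrough above: capture indefinitely, rotate at 10 MB, watch disk space.
# Start-RemoteProcMonCapture -ComputerName 'vdi01.example.local' -MaxSizeMB 10 -MonitorDisk
```

Two choices worth noting: the capture is started under SYSTEM with -s so the logged-on user's session is never touched, and the cleanup lives in finally so a Ctrl+C or an error mid-capture still terminates ProcMon on the target and removes the staged binary, rather than leaving a capturing process behind on a production machine.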

Happy capturing!


6 thoughts on “Automating Process Monitor Captures on Remote Machines Using PowerShell”

  • October 11, 2018 at 2:30 pm

    I’m getting this error when running your script. Any idea why it’s looking for plist.exe?

    WARNING: System.Management.Automation.ItemNotFoundException: Cannot find path ‘C:\temp\ProcMon_Remote\pslist.exe’ because it does not exist.
    at System.Management.Automation.LocationGlobber.ExpandMshGlobPath(String path, Boolean allowNonexistingPaths, PSDriveInfo drive, ContainerCmdletProvider provider, CmdletProviderContext context)
    at System.Management.Automation.LocationGlobber.ResolveDriveQualifiedPath(String path, CmdletProviderContext context, Boolean allowNonexistingPaths, CmdletProvider& providerInstance)
    at System.Management.Automation.LocationGlobber.GetGlobbedMonadPathsFromMonadPath(String path, Boolean allowNonexistingPaths, CmdletProviderContext context, CmdletProvider& providerInstance)
    at System.Management.Automation.LocationGlobber.GetGlobbedProviderPathsFromMonadPath(String path, Boolean allowNonexistingPaths, CmdletProviderContext context, ProviderInfo& provider, CmdletProvider& providerInstance)
    at System.Management.Automation.SessionStateInternal.CopyItem(String[] paths, String copyPath, Boolean recurse, CopyContainers copyContainers, CmdletProviderContext context)
    at Microsoft.PowerShell.Commands.CopyItemCommand.ProcessRecord()

    • October 12, 2018 at 5:51 am

      Hi Joseph, that’s a good catch. I have updated the version so you may re-download the script or you may just want to delete line 304 of the script. Thanks,

  • October 31, 2019 at 1:59 pm

    Hi Amir the script is not provided for download. Are you still sharing the script?

    • October 31, 2019 at 2:05 pm

      Hey Andrew, yes, it’s still available to download from the link above (How it works section, Step 1). Just tested the download and it’s working OK.

  • April 3, 2020 at 11:24 am

    Hey Amir, what if I want to use my own configuration pmc file?

    • April 3, 2020 at 12:36 pm

      Hi Srivatsa, you may create your own PMC and edit the script to add it as an additional option. If you don’t want to edit the script, just make sure your PMC file name replaces one of the existing PMCs I provided with the script, and then choose it when you run the script.
