How to set procmon to capture cyvrfsfd's IO

Created On 07/09/23 13:19 PM - Last Modified 12/25/24 13:03 PM


Objective


  • This article explains how to configure Procmon so that it captures the IO of cyvrfsfd, the Cortex XDR file system filter driver


Environment


  • Cortex XDR/XSIAM
  • Windows


Procedure


  1. Run Procmon as an Administrator once, then close it; this creates the registry entries used in the following steps
  2. Open Regedit.exe and navigate to "HKLM\System\CurrentControlSet\Services\Procmon23\Instances\Process Monitor 23 Instance"
  3. Set "Altitude" to "321200". Filter-initiated IO is visible only to minifilters attached at a lower altitude than the filter that issued it, so Procmon must sit below cyvrfsfd to record that IO
  4. Procmon rewrites this value when it starts. To keep the change from being reset, right-click the "Process Monitor 23 Instance" key and select Permissions...
  5. Select Advanced
  6. Under the Permissions tab, select "Add"
    • Click "Select a principal", type "Everyone", click "Check Names", then OK
    • Type: Deny
    • Applies to: This key and subkeys
    • Click "Show advanced permissions"
    • Select only "Set Value" and "Delete"
  7. Click Apply in both "Advanced Security Settings for Process Monitor 23 Instance" and "Permissions for Process Monitor 23 Instance" so the change takes effect
  8. Reboot the machine
  9. While a capture is running, confirm that the altitude did not revert by running "fltmc" from an elevated command prompt and checking the Altitude column of the Procmon filter

Note:
  • Procmon23 is the version installed in this example. You may see a different value in your environment depending on the Procmon version installed
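The registry and verification steps above, scripted as an added PowerShell example (not code from the article or from Palo Alto Networks). It assumes the Procmon 23 key path from step 2 and the well-known "Everyone" SID S-1-1-0; the function and variable names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Palo Alto Networks article: scripts steps 3-7 and
# the step 9 check. Assumes Procmon 23 (key and filter name "Procmon23"), as in
# the article; change $KeyPath and the filter name for another version.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Procmon23\Instances\Process Monitor 23 Instance'
$TargetAltitude = '321200'

function Set-ProcmonAltitude {
    # Step 1 must already be done: the instance key exists only after Procmon
    # has been run as Administrator and closed once.
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Instance key not found: $KeyPath (run Procmon as Administrator once, then close it)"
    }
    # Step 3: Altitude is a REG_SZ value.
    Set-ItemProperty -Path $KeyPath -Name 'Altitude' -Value $TargetAltitude -Type String

    # Steps 4-7: deny Everyone "Set Value" and "Delete" on this key and subkeys so
    # Procmon cannot rewrite the altitude at its next start. The deny also binds
    # administrators: remove this rule before changing the altitude again.
    $acl      = Get-Acl -Path $KeyPath
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')  # "Everyone"
    $rights   = [System.Security.AccessControl.RegistryRights]'SetValue, Delete'
    $ace      = [System.Security.AccessControl.RegistryAccessRule]::new(
        $everyone,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # this key and subkeys
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $KeyPath -AclObject $acl
    Write-Output "Altitude set to $TargetAltitude and protected; reboot (step 8) to apply."
}

function Test-ProcmonAltitude {
    # Step 9: with a capture running, the loaded-filter list from fltmc shows the
    # Procmon filter with the altitude it actually attached at.
    $row = fltmc filters | Where-Object { $_ -match '^\s*Procmon23\b' }
    if (-not $row) { Write-Output 'Procmon filter is not loaded; start a capture first'; return $false }
    if ($row -match "\b$TargetAltitude\b") { Write-Output "OK: $row"; return $true }
    Write-Output "Altitude reverted: $row"
    return $false
}
```

Dot-source the file in an elevated PowerShell session, call Set-ProcmonAltitude, reboot, then start a capture and call Test-ProcmonAltitude.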

