ShaneCreamer
Excellent article, but is there a way to script that out for all of the configuration & permissions work to be performed in a script such as PowerShell? Customer Support teams like ours ideally need a script that performs those steps to make this process faster and to avoid customer mistakes trying to follow a fairly complex set of instructions above.
If you can provide a PS script for enabling those permissions, we could use this instead of having to perform ETL traces that collect the Mini-Filter driver provider to see which security tool in kernel is hooking process stacks.
Here you are:
$Altitude = 40000 # default 385200
$ProcMonSvcRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\"
# The Process Monitor driver service is named PROCMON<nn>, where <nn> changes between versions
$IsRegKeyPresent = Get-ChildItem -Path $ProcMonSvcRegKey | Where-Object {$_.PSChildName -like "PROCMON*"}
if($IsRegKeyPresent){
    # Take the version number from the service name (e.g. PROCMON24 -> 24); only valid once the key is known to exist
    $Number = ($IsRegKeyPresent.PSChildName).Split("N")[1]
    $FullPathToProperty = $ProcMonSvcRegKey + "$($IsRegKeyPresent.PSChildName)" + "\" + "Instances\Process Monitor $Number Instance"
    # Write the new mini-filter altitude for the Process Monitor instance
    Set-ItemProperty -Path $FullPathToProperty -Name Altitude -Value $Altitude
    # Show the current ACL before it is changed
    (Get-Acl -Path $FullPathToProperty).Access
    $SID = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
    # Use Translate to resolve the well-known SID to the (localized) name of the Everyone group
    $objUser = $SID.Translate([System.Security.Principal.NTAccount])
    $EveryoneGroupName = $objUser.Value
    $NewAcl = Get-Acl -Path $FullPathToProperty
    $identity = [System.Security.Principal.NTAccount]("$EveryoneGroupName")
    $regKeyRights = "SetValue,Delete"
    $actype = [System.Security.AccessControl.AccessControlType]::Deny
    $inhFlags = 'ContainerInherit, ObjectInherit'
    $prFlags = [System.Security.AccessControl.PropagationFlags]::None
    # Deny Everyone SetValue and Delete on the instance key so the Altitude value cannot be changed or removed
    $regKeyAccessRule = New-Object System.Security.AccessControl.RegistryAccessRule ($identity, $regKeyRights, $inhFlags, $prFlags, $actype)
    $NewAcl.SetAccessRule($regKeyAccessRule)
    $NewAcl.SetAccessRuleProtection( $true, $false ) # (True, True) converts inherited permissions into explicit ones on this object | (True, False) removes all inherited permissions from this object
    Set-Acl -Path $FullPathToProperty -AclObject $NewAcl
}
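A companion check, added here as an example and not part of the reply above: it reads back the Altitude value, confirms that a Deny ACE for Everyone covering SetValue and Delete is present with inheritance disabled, and then lists the loaded mini-filters with fltmc so you can see where the PROCMON<nn> filter now sits relative to the other drivers. It assumes the same PROCMON<nn> service key layout and the 40000 altitude used by the script above, and that it runs from an elevated prompt while Process Monitor is running (the filter only shows up in fltmc while the driver is loaded).

```powershell
# Added verification script (not from the original thread). Assumes the PROCMON<nn> service key
# layout and the 40000 altitude written by the script above; run elevated with Process Monitor open.
$ServicesKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\"
$ExpectedAltitude = "40000"   # the value the configuration script writes

$svc = Get-ChildItem -Path $ServicesKey | Where-Object { $_.PSChildName -like "PROCMON*" } | Select-Object -First 1
if (-not $svc) {
    Write-Warning "No PROCMON* service key found; Process Monitor has not been run on this host."
    return
}

$number      = $svc.PSChildName.Split("N")[1]
$instanceKey = $ServicesKey + $svc.PSChildName + "\Instances\Process Monitor $number Instance"

# 1. The Altitude value must be the one we set
$altitude = (Get-ItemProperty -Path $instanceKey -Name Altitude).Altitude
if ("$altitude" -eq $ExpectedAltitude) {
    "Altitude OK: $altitude"
} else {
    Write-Warning "Altitude is '$altitude', expected $ExpectedAltitude"
}

# 2. A Deny ACE for Everyone (S-1-1-0) must cover both SetValue and Delete
$acl      = Get-Acl -Path $instanceKey
$everyone = (New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")).Translate([System.Security.Principal.NTAccount]).Value
$denyAce  = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq $everyone -and
    $_.RegistryRights.HasFlag([System.Security.AccessControl.RegistryRights]::SetValue) -and
    $_.RegistryRights.HasFlag([System.Security.AccessControl.RegistryRights]::Delete)
}
if ($denyAce) {
    "Deny ACE present for $everyone : $($denyAce.RegistryRights)"
} else {
    Write-Warning "No Deny ACE for $everyone covering SetValue and Delete on $instanceKey"
}

# 3. Inheritance must be disabled, otherwise an inherited Allow from the parent key could be re-applied
if ($acl.AreAccessRulesProtected) {
    "Inheritance disabled on instance key"
} else {
    Write-Warning "Inheritance is still enabled on $instanceKey"
}

# 4. Show the loaded mini-filters with their altitudes; PROCMON$number should appear at the new altitude
fltmc filters
```

If the first two checks pass but the filter is missing from the fltmc output, Process Monitor was not running when the check ran; start it and run the check again.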