Team: Huntress EDR
Product: EDR/RIO
Environment: Windows
Summary: This guide covers how to use Process Monitor (Procmon) to gather additional information on conflicts or unexpected behavior between EDR/RIO and other applications. Process conflicts can arise when multiple applications or processes attempt to access the same system resources, such as files, registry keys, or network ports, causing issues like crashes, freezing, or unexpected behavior. A Procmon capture records which process touched which resource, and with what result, so our Engineering team can see the interaction directly.
Using Procmon to gather additional information for our Engineering team.
Please read the entire guide before starting to become familiar with the process. Procmon records every file, registry, network, and process event on the host from the moment it starts, so some of these steps must be followed quickly to keep the capture small and limited to the behavior you are reporting.
Step 1: Download and Extract Procmon
- Download Procmon: If you haven't already, download Procmon from the official Microsoft Sysinternals site (https://learn.microsoft.com/sysinternals/downloads/procmon). Only use the Microsoft download; do not run a copy of Procmon obtained from a third-party site.
- Extract Procmon: Locate the downloaded ZIP file (ProcessMonitor.zip), then right-click it and choose "Extract All..." to extract it to your preferred location.
Step 2: Verify that RIO is running on the target host
- Open Task Manager on the host (Ctrl+Shift+Esc).
- On the Processes tab, scroll down to confirm that Huntress Rio Agent is listed and running. If it is not, the capture will not show the interaction you are reporting.
Step 3: Start Procmon to gather additional information
- Navigate to the location where you previously extracted the ProcessMonitor folder.
- Open the folder, then double-click Procmon (Procmon.exe launches the build that matches your Windows version).
- You may encounter a pop-up box asking, "Do you want to allow this program to make changes to your device?" If so, select YES. Procmon needs administrator rights to load its monitoring driver; without them it cannot capture anything.
- As soon as Procmon starts running, it automatically starts gathering information into memory. By default, in the top bar, Show Registry Activity, Show File System Activity, Show Network Activity, and Show Process and Thread Activity are enabled. Show Profiling Events is disabled; leave it disabled, as we do not need profiling information.
- Move on to Step 4 right away so the capture stays focused on the behavior you are reporting.
Step 4: Open the application that you previously encountered unexpected behavior with.
- Navigate to and open the application or program where the unexpected behavior was encountered, and repeat the action that triggers it.
Step 5: Pause, Save, and Send us the information
- Stop the capture: In the top bar of Procmon, select the magnifying-glass icon (Capture, also Ctrl+E) as soon as the unexpected behavior has occurred. The icon shows a red X when capturing is stopped.
- Save: Select "File" then "Save" from the Process Monitor menu at the top. In the Save dialog, choose "All events" and the "Native Process Monitor Format (PML)" format, then save the file to a location that you can easily locate. PML preserves every event detail; CSV and XML exports lose information our Engineering team needs.
- Send: Attach the saved file to your next reply with Support on the ticket.
Please use the Carbon Copy (CC) field and enter the Support representative's email address. This ensures that our technician receives the attachment regardless of file size.
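The same five steps can be run from an elevated PowerShell prompt using Procmon's documented command-line switches. The script below is an added example and is not part of the Huntress guide or the Procmon documentation. It assumes the ZIP from Step 1 is already in the Downloads folder, writes the capture to C:\Temp\ProcmonCapture, and identifies the Rio agent by matching "Rio" in the executable's file description, since this guide does not give the process's executable name (all three are assumptions, marked in the comments). Capturing straight to a backing file rather than to memory means the events survive even if the host freezes during the reproduction.

```powershell
# Added example, not Huntress or Sysinternals code. Scripted version of Steps 1-5.
# Assumptions: $ZipPath and $OutDir below, and the "*Rio*" match for the agent.
#Requires -RunAsAdministrator
param(
    [string]$ZipPath = "$env:USERPROFILE\Downloads\ProcessMonitor.zip",   # assumed location
    [string]$OutDir  = 'C:\Temp\ProcmonCapture'                             # assumed location
)
$ErrorActionPreference = 'Stop'

# Step 1: extract Procmon next to where the capture will be written.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Expand-Archive -Path $ZipPath -DestinationPath (Join-Path $OutDir 'ProcessMonitor') -Force
$Procmon = Join-Path $OutDir 'ProcessMonitor\Procmon64.exe'

# Check: only run a binary that still carries a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $Procmon
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to run $Procmon, signature status is '$($sig.Status)'"
}

# Step 2: confirm the Rio agent is running. Matching on "*Rio*" is an assumption;
# replace it with the exact process name once Support confirms it.
$rio = Get-Process | Where-Object { $_.Description -like '*Rio*' -or $_.Name -like '*Rio*' }
if (-not $rio) { throw 'Huntress Rio Agent does not appear to be running; start it before capturing.' }
"Rio agent running as PID(s): $($rio.Id -join ', ')"

# Step 3: start capturing. /BackingFile writes events to disk instead of memory,
# /Quiet suppresses the filter dialog, /Minimized keeps the window out of the way,
# /AcceptEula skips the licence prompt. Profiling events stay off (the default).
$Pml = Join-Path $OutDir ('procmon-{0:yyyyMMdd-HHmmss}.pml' -f (Get-Date))
Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Pml`""

# Step 4: reproduce the problem while the capture is running.
Read-Host 'Procmon is capturing. Reproduce the unexpected behavior now, then press Enter'

# Step 5: stop the capture. /Terminate flushes the backing file and closes every
# running Procmon instance, the scripted equivalent of toggling Capture and saving.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# Report what to attach to the ticket, with a hash so Support can confirm the upload is intact.
$file = Get-Item -Path $Pml
"Capture saved: $($file.FullName) ($([math]::Round($file.Length / 1MB, 1)) MB)"
"SHA256: $((Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash)"
```

Run the script from a PowerShell window opened with "Run as administrator"; the `#Requires` line stops it otherwise, because Procmon cannot load its driver without elevation. The resulting .pml file is the same native format the Save dialog produces in Step 5 and can be attached to the ticket as described above.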