when running using procmon /terminate log is corrupted

Miguel Gomes 1 Reputation point
2020-12-31T12:37:44.237+00:00

Hello Guys,

I'm configuring procmon to run as a scheduled task and then also using another scheduled task to terminate it.
Both tasks are configured to run with System.

Start task has the following arguments: /AcceptEula /LoadConfig C:\Users\cmiguel\Downloads\ProcessMonitor\ProcmonConfiguration.pmc /Quiet /BackingFile c:\temp\log.pml
End task has the following argument: /terminate

The issue is, when I run the task to end procmon, it closes but the log file is corrupted and I cannot analyze it.
Any idea on how to solve this? I believe it's due to the terminate not stopping the capture but not sure on what needs to be done.

I followed this article to set up:
https://kb.acronis.com/procmon


3 answers

  1. mariora 376 Reputation points
    2021-01-01T09:24:08.237+00:00

    These are the cmd I use to start and terminate procmon:

    REM *****startpmon.cmd*****
    set PMExe="C:\temp\Procmon.exe"
    REM Run silently, minimized, and skip the EULA prompt (no interactive session under System)
    set PMHide=/Quiet /Minimized /AcceptEula
    REM Filter/config exported from the Procmon GUI
    set PMCfg=/LoadConfig C:\TEMP\application.pmc
    REM Write events to a backing file instead of the paging file
    set PMFile=/BackingFile C:\temp\application.pml
    start "" %PMExe% %PMFile% %PMCfg% %PMHide%
    REM Block until the running instance reports that capture has started
    %PMExe% /WaitForIdle

    REM *****Stop.cmd*****
    set PMExe="C:\temp\Procmon.exe"
    REM Stop the running instance so the backing file is closed cleanly
    %PMExe% /Terminate
    REM *****Reset Using Paging File for next usage…
    start "" %PMExe% /PagingFile /NoConnect /minimized /quiet
    %PMExe% /waitforidle
    %PMExe% /Terminate

    Try with these in your scheduled task..

    HTH
    -mario
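The two-task setup from the question, wired up with mario's start/stop sequence above, as an added example that is not part of the original thread. It registers both tasks under the SYSTEM account and adds a post-stop check that the capture actually ended and left a non-empty .pml behind; the task names, paths and the Test-ProcmonCapture helper are assumptions for illustration.

```powershell
# Added example, not from the original post. Paths are placeholders; adjust them.
$Procmon = 'C:\temp\Procmon.exe'
$Config  = 'C:\TEMP\application.pmc'
$Backing = 'C:\temp\application.pml'

# Both tasks run as SYSTEM, elevated, with no logged-on user (matches the question).
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Start task: launch the capture detached, then /WaitForIdle so the task only
# reports success once Procmon has actually begun capturing.
$startCmd = "start `"`" `"$Procmon`" /AcceptEula /Quiet /Minimized " +
            "/LoadConfig `"$Config`" /BackingFile `"$Backing`" && `"$Procmon`" /WaitForIdle"
$startAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c $startCmd"
Register-ScheduledTask -TaskName 'Procmon-Start' -Action $startAction -Principal $principal -Force

# Stop task: /Terminate the running instance, then (as in mario's Stop.cmd) start
# and terminate a paging-file instance so the next run does not reuse the backing file.
$stopCmd = "`"$Procmon`" /Terminate && start `"`" `"$Procmon`" /PagingFile /NoConnect /Minimized /Quiet " +
           "&& `"$Procmon`" /WaitForIdle && `"$Procmon`" /Terminate"
$stopAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c $stopCmd"
Register-ScheduledTask -TaskName 'Procmon-Stop' -Action $stopAction -Principal $principal -Force

# Hypothetical helper: run after Procmon-Stop to confirm the capture closed cleanly.
# It checks that no procmon/procmon64 process survived (the thread notes procmon64.exe
# is spawned separately) and that the backing file exists and is non-empty.
function Test-ProcmonCapture {
    param([string]$Path = $Backing)
    $leftover = Get-Process -Name 'procmon', 'procmon64' -ErrorAction SilentlyContinue
    if ($leftover) {
        Write-Warning "Procmon still running (PIDs: $($leftover.Id -join ', ')); /Terminate did not take effect."
        return $false
    }
    if (-not (Test-Path $Path) -or (Get-Item $Path).Length -eq 0) {
        Write-Warning "Backing file $Path is missing or empty."
        return $false
    }
    return $true
}

Start-ScheduledTask -TaskName 'Procmon-Start'
Start-Sleep -Seconds 30            # capture window; lengthen as needed
Start-ScheduledTask -TaskName 'Procmon-Stop'
Start-Sleep -Seconds 10            # give /Terminate time to finish
Test-ProcmonCapture
```

A $false result from Test-ProcmonCapture is the symptom described in the thread: an instance that ignored /Terminate and a .pml that was never closed properly.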


  2. Plichta, Mike 81 Reputation points
    2022-04-05T21:24:42.647+00:00

    I'm seeing that too. Procmon.exe runs procmon64.exe from c:\windows\temp when you start it using the system account through task scheduler. It ignores the /terminate command and then you get a corrupted pml file. I'll try a different account other than System or see if there is an updated version. This is procmon v3.50.0.0.


  3. Plichta, Mike 81 Reputation points
    2022-04-05T21:47:49.377+00:00

    Version 3.89 seems to have the same issue.

    I tried a domain account with local admin rights running in an elevated PowerShell.
    I also tried running the command in a PowerShell instance running as the system account using this command.

    • psexec /i /s powershell

    However, running /terminate from a scheduled task under the system account worked and the file is readable.
