Procmon commandline many pml files and not terminating all processes - Windows 11 Multisession

Question

Windows 11 Multisession

Using procmon at commandline it appears to be creating lots of proc-1.pml , proc-2.pml , etc files every 30secs or so. And not a single file. Why is this?

Also when running procmon -terminate , it is not terminating all processes , some are left behind?

Note procmon seems to create a number ie 6+ process in the device, could this be because it is a multisession device?

Answer 1

Running procmon with an invalid command line argument generates a message box that "procmon -terminate" will not kill.

What command line arguments are you running procmon with? If you are launching procmon with a "/loadconfig <file>" switch, what are the contents of the config file?

Answer 2

Here's how I tested. My goal was to automate procmon tracing all file I/O to C:\Scripts.

Start by removing all current procmon settings.

reg delete "HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor" /f

Then run procmon and configure it to "Drop filtered events" and set a filter for "Path contains C:\scripts".

Export configuration to C:\temp\ProcmonConfiguration.pmc

Delete any old backing files and launch procmon.

del C:\Temp\proc.pml
procmon -accepteula -backingfile c:\temp\proc.pml -quiet -loadconfig C:\temp\ProcmonConfiguration.pmc

Do some file I/O.

dir c:\scripts /s 

Stop procmon, rename the pml file, and open procmon so I can see the results.

procmon -terminate 
ren C:\Temp\proc.pml   procsave.pml
procmon -accepteula /openlog C:\Temp\procsave.pml /quiet 

As to your multiuser question... I would recommend that you only run one instance of procmon at a time. If you have orphan processes from whatever testing you were doing, then use task manager or taskkill.exe to end them. If they won't go away, then reboot.

taskkill /im procmon.exe /f
taskkill /im procmon64.exe /f