mrboyd asked

Procmon visibility into Kernel activities

Hi Guys,
Today I had a developer tell me that Procmon could not 'see' actions that occur in kernel mode because they don't cross the system call boundary between user mode and kernel mode, and the filter driver can only see those transactions and not the ones before it. Is this accurate? If it is, is there a way (other than windbg) to catch transactions that happen in kernel mode?

0 Answers