My name is Susan, and a small group of us have joined together to provide you with documentation on how to view, in Procmon, a kernel filter driver on the stack that is normally obscured. A special thanks to my colleague Becky Burns for documentation collaboration, and a special shout out to Denis Pasos and Ron Stock for creating a leaky kernel filter driver and for documentation collaboration.

Procmon is typically used to figure out what is happening on the machine, but you do not get to see the activity of things such as virus scanners, because they happen at a lower level than the Procmon filter. If you need to get Procmon's filter to run below them in the filter stack, it has a setting for that.

In our case, we have a driver called Leakyflt.sys, but in Procmon it only shows as FLTMGR.sys, and we want to know which driver it is without performing more tracing. From an administrative command prompt, we see the driver LeakyFlt at altitude 372000:

(screenshot)

In the example below, you will see Procmon's altitude at 385200 as well as legacy filter drivers such as vdorctl and dgmaster:

(screenshot)

Changing the "Altitude" that Procmon runs at puts it lower in the filter stack. In doing so, you will be able to see all the activity that you want from most filter drivers.

To change the altitude of Procmon, perform the following steps:

1. Install Procmon (assuming you have not already installed it).
2. From an administrative command prompt, run `FLTMC` to see the altitude of the filter drivers. In the screenshot, the lowest filter driver altitude is 37200.
3. Navigate to the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMONXX\` (in this example PROCMON24; the name may have a different number on your machine).
4. Expand to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMONXX\Instances\Process Monitor XX instance`.
5. Change the Altitude registry value to lower than your lowest filter driver. For this example, change the Altitude value to 40000 (which will show you virtually everything that is happening on the machine). Alternatively, you could set the altitude to 372000 if you suspected a specific driver. For example: right-click on Altitude, change the value to 40000, and click OK.

(screenshot)
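The steps above can be scripted so that the altitude check and the registry change happen together. The following PowerShell script is an added example, not part of the original post or of Procmon itself. It assumes an elevated prompt, that Procmon has been run once (so its `PROCMONxx` service key and `Instances` subkey exist) and is not currently running, that the service key name starts with `PROCMON` (matched by wildcard rather than hard-coding the version number), and that the `Altitude` value is stored as a string (REG_SZ), which is how minifilter instance altitudes are registered. The `$NewAltitude` parameter and the `Get-LowestFilterAltitude` helper are names chosen for this example.

```powershell
# Added example (not from the original post): lower Procmon's filter altitude
# so that activity from filters normally below it becomes visible.
# Run from an elevated PowerShell prompt with Procmon closed.
param(
    [double]$NewAltitude = 40000   # 40000 sits below virtually every loaded filter
)

# Parse 'fltmc filters' output to find the lowest altitude currently loaded.
# Lines look like: "<name>  <instances>  <altitude>  <frame>"; legacy filters may
# omit the instance count, so that column is optional in the pattern.
function Get-LowestFilterAltitude {
    $altitudes = fltmc filters | ForEach-Object {
        if ($_ -match '^(\S+)\s+(?:\d+\s+)?([\d.]+)\s') { [double]$Matches[2] }
    }
    if (-not $altitudes) { throw 'Could not parse any altitudes from fltmc output.' }
    return ($altitudes | Measure-Object -Minimum).Minimum
}

# Step 2: show the filter stack and the lowest altitude on this machine.
fltmc filters
$lowest = Get-LowestFilterAltitude
Write-Host "Lowest loaded filter altitude: $lowest"
if ($NewAltitude -ge $lowest) {
    Write-Warning "Requested altitude $NewAltitude is not below $lowest; filters at or below it stay hidden."
}

# Step 3: locate the Procmon driver service key (e.g. PROCMON24; number varies).
$svc = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
       Where-Object { $_.PSChildName -like 'PROCMON*' } |
       Select-Object -First 1
if (-not $svc) { throw 'No PROCMON* service key found; run Procmon once as administrator first.' }

# Step 4: the Altitude value lives under Instances\<Process Monitor XX Instance>.
$instance = Get-ChildItem "$($svc.PSPath)\Instances" | Select-Object -First 1
$current  = (Get-ItemProperty -Path $instance.PSPath -Name Altitude).Altitude
Write-Host "Current Procmon altitude: $current (key: $($instance.PSChildName))"

# Step 5: write the new altitude. Altitude is REG_SZ, so store it as a string.
Set-ItemProperty -Path $instance.PSPath -Name Altitude -Value ([string]$NewAltitude)
Write-Host "Altitude set to $NewAltitude. Start Procmon again so the driver loads with the new value."
```

To target a single suspect driver instead of everything, pass the altitude just below that driver (for the leaky driver in this post, `.\Set-ProcmonAltitude.ps1 -NewAltitude 372000`, if the script is saved under that name); the warning branch tells you when the chosen value would still leave filters hidden.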