'Process Monitor' has a max history depth of 199 million events. I need to record about 10 times this. I don't mind if the data is split, e.g. a new data set for every hour. Anyone know how to do it? I'm guessing a batch file, with backing files going to sequentially named folders. Is there a way of detecting once Process Monitor has filled its history depth to kill it, or do I just need to sleep?
-
You need to record about 2 billion events? From one server? Really? This makes me think that whatever you're trying to do, you're doing it wrong. – HopelessN00b Mar 26 '13 at 18:33
-
I need to analyze an event that only happens once a night on a server under load – Sam Mar 27 '13 at 10:04
-
For the record, here's what I used:

@echo off
set PM=C:\ProcessMonitor\Procmon.exe
:loop
rem create dir name
set T=%time:~0,5%
set dir=%date:/=-% %T::=-%
rem create dir
mkdir "z:\%dir%\"
rem start recording to dir
start %PM% /backingfile "z:\%dir%\procmon" /Quiet /Minimized
rem sleep 10 minutes
sleep 600
rem kill procmon
%PM% /terminate
rem repeat
goto loop

– Sam Mar 27 '13 at 10:05
1 Answer
Yes, you're going to have to script it. I've done some similar work with Procmon like this before, but my aim was nothing like capturing billions of events. Nevertheless, this should help you, unless you needed someone to write the script for you:
Create a VBscript that runs every 5 minutes. Task Scheduler can help you with that.
If this is the first time the script has run, then start Procmon like so:
objShell.Run "Cmd /C " & PRM_ProcMonExe & " /quiet /minimized /AcceptEula /backingfile " & PRM_PMLDir & "Procmon" & subDir & ".pml"
Then on subsequent runs of the script, measure the total size of all the *.pml files in the subDir.
' Only check while this script started Procmon and has not yet stopped it
If ProcMonTriggered = True And ProcMonTerminated = False Then
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFolder = objFSO.GetFolder(PRM_PMLDir)
    Set objFiles = objFolder.Files
    ' Add up the size of every *.pml backing file in the directory
    For Each objItem In objFiles
        If UCase(objFSO.GetExtensionName(objItem.Name)) = "PML" Then
            totalPMLSize = totalPMLSize + objItem.Size
        End If
    Next
    ' PRM_PMLMaxSize is in GB; 1073741824 bytes = 1 GiB
    If totalPMLSize > (PRM_PMLMaxSize * 1073741824) Then
        ' NQExt.CreateEvent is the alerting object of the environment this was written for
        NQExt.CreateEvent PRM_TriggeredSev, "ProcMon Terminated", "AKP_NULL", gstrEventTarget, 0.0, "Process Monitor was terminated because the PML file reached the limit of " & PRM_PMLMaxSize & "GB." & vbCrlf & "Process Monitor cannot be triggered again until this script is re-deployed." & vbCrlf & "Please see KB " & PRM_KBArticle, "", 0, 0
        Set objShell = CreateObject("WScript.Shell")
        ' Stop gracefully with /terminate so the log is flushed, never kill the process
        objShell.Run "Cmd /C " & PRM_ProcMonExe & " /AcceptEula /terminate"
        ' Record the stop only when Procmon was actually terminated
        ProcMonTerminated = True
    End If
    If isObject(objFiles) Then Set objFiles = Nothing
    If isObject(objFolder) Then Set objFolder = Nothing
    If isObject(objShell) Then Set objShell = Nothing
    If isObject(objFSO) Then Set objFSO = Nothing
End If
That isn't specifically tailored to your situation. You'll have to tweak it. That's something I wrote a long time ago for a slightly different purpose. What you want to do is if the size of all the *.pml files in the subdirectory added together has not increased since the last time the script ran... then you know it's time to terminate Procmon and start a new instance.
The point is that you have to terminate Procmon gracefully with the /terminate parameter, not just kill the process, or else the log will be corrupt and unreadable.
Then start a new instance of procmon in a new subDir. Creativity will have you creating subdirectories with incremental names like subdir1, subdir2, subdir3, etc.
Edit: Also, I've never run Procmon to 200 million events before, so I don't know if it just sits there and does nothing after reaching 199 million, or if it completely shuts down. If the latter is the case, then your job is easier. Just check if Procmon.exe is still running. If it's not, then you know it's time to fire it up again under a new subdirectory.
Edit: Yeah I think it just starts rolling once it hits the history depth... so do the file size thing.
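The rotation loop the answer describes (start Procmon with a backing file in a numbered subdirectory, poll the combined *.pml size, stop gracefully with /Terminate when the size stops growing or passes a cap, then start again in the next subdirectory), as an added example that is not part of the original answer or of Process Monitor itself. The install path, capture root, poll interval and size cap are assumptions; the Procmon switches used are the ones already named on this page.

```python
"""Rotate Process Monitor captures across numbered subdirectories.

Added example, not code from the original answer: it polls the combined
size of the *.pml backing files and, when that size stops growing
(Procmon has reached its history depth and is rolling) or passes a cap,
stops Procmon gracefully with /Terminate and starts a fresh instance in
the next subdirectory. Paths, interval and cap below are assumptions.
"""
import subprocess
import time
from pathlib import Path

PROCMON_EXE = r"C:\ProcessMonitor\Procmon.exe"  # assumed install path
CAPTURE_ROOT = Path(r"Z:\procmon")              # assumed capture root
POLL_SECONDS = 300                              # 5-minute poll, as in the answer
MAX_BYTES = 20 * 1024 ** 3                      # assumed 20 GiB cap per capture


def pml_total_size(folder: Path) -> int:
    """Sum the sizes of every *.pml file directly inside folder."""
    return sum(p.stat().st_size for p in folder.iterdir()
               if p.is_file() and p.suffix.lower() == ".pml")


def should_rotate(previous: int, current: int, max_bytes: int) -> bool:
    """Decide whether the running capture should be rotated.

    previous and current are the *.pml totals from the last two polls.
    A flat size means Procmon is no longer writing new events to disk;
    the cap guards the volume if the size never flattens. The first
    poll (previous == 0) never rotates, so a slow start is not mistaken
    for a stall.
    """
    if current >= max_bytes:
        return True
    return previous > 0 and current == previous


def next_subdir_name(existing: set) -> str:
    """Return the first unused name in the subdir1, subdir2, ... series."""
    n = 1
    while f"subdir{n}" in existing:
        n += 1
    return f"subdir{n}"


def start_procmon(folder: Path) -> subprocess.Popen:
    """Launch a capture whose backing file lives in folder."""
    folder.mkdir(parents=True, exist_ok=True)
    return subprocess.Popen([
        PROCMON_EXE, "/AcceptEula", "/Quiet", "/Minimized",
        "/BackingFile", str(folder / "procmon.pml"),
    ])


def stop_procmon() -> None:
    """Ask Procmon to flush and exit; killing the process corrupts the log."""
    subprocess.run([PROCMON_EXE, "/AcceptEula", "/Terminate"], check=False)


def run_forever() -> None:
    """Capture loop: start, poll, rotate, repeat."""
    while True:
        existing = set()
        if CAPTURE_ROOT.exists():
            existing = {p.name for p in CAPTURE_ROOT.iterdir() if p.is_dir()}
        folder = CAPTURE_ROOT / next_subdir_name(existing)
        proc = start_procmon(folder)
        previous = 0
        while True:
            time.sleep(POLL_SECONDS)
            current = pml_total_size(folder)
            if should_rotate(previous, current, MAX_BYTES):
                stop_procmon()
                try:
                    proc.wait(timeout=120)   # give Procmon time to flush the log
                except subprocess.TimeoutExpired:
                    pass                     # launcher may outlive the capture; carry on
                break
            previous = current


if __name__ == "__main__":
    run_forever()
```

Run it as a scheduled task or from an elevated prompt on the capture host; each rotation leaves a complete, loadable backing file in its own subdirN folder. The stall check compares two consecutive polls only, so a burst-free server at night would also trigger a rotation; lengthen POLL_SECONDS or require two flat polls in a row if that matters for the workload.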
