Feb 15 2017

HOWTO: Run Process Monitor on a Remote Machine from the Command Line

I have a treat for you today.  I have finally solved something that has been a pain in my side for years now.  Have you ever been in the following situation?

You are reviewing log files and discover that a remote computer (perhaps a virtual machine running on shared storage) is running wild and hammering on the disk.  You need to figure out exactly which processes and files are causing that disk I/O.  However, perhaps that computer is always in use and you simply can’t log in locally to launch Resource Monitor or Process Monitor.  Ultimately, you need to run Process Monitor remotely.  Unfortunately, you google this and discover that it’s not possible because Process Monitor generates too much data to pass over the wire.  So what do you do?

I found myself in this exact situation yet again today and finally decided to sit down and solve it once and for all.  My googling revealed a suggestion in some forum to use psexec to run procmon.exe on the remote machine and then copy over the PML file to your machine for analysis.  I’m afraid I couldn’t find that blog post so I can’t give credit to the original author of the idea.  But there is a world of difference between an idea and a practical implementation and that’s what I have to share with you today.

Below is a PowerShell script that includes a function called Get-ProcMonData.  It accepts just two parameters: -ComputerName, the name of the remote computer you wish to connect to, and -Duration, how long Procmon will run on the remote system.  Note that the script is hardcoded to limit you to a maximum of 100 seconds, as I discovered the hard way that Procmon generates an enormous amount of data and you can easily fill the remote drive if you’re not careful.

To run this script, I recommend opening it in the PowerShell ISE and editing the variables around line 34 to point to the path where you keep your psexec and procmon executables.  Once that’s done, go to the last line of the script and change “remotecomputerhere” to the computer you wish to collect data from and specify the duration anywhere from 10 to 100 seconds.

Note: This script was only tested in my environment and assumes you have full permissions to the target system.  In my case, I ran the script under a domain admin account.

Run the script.  Here’s what it’ll do:

  • Tests that the remote system responds to ping and that PowerShell can see procmon.exe and psexec.exe
  • Verifies that both the source and target system have at least 500MB free
  • Copies procmon.exe to the c:\windows\temp folder on the remote system
  • Launches procmon.exe on the remote system (uses a separate process so we can stop it later in the script)
  • Displays a progress bar for the duration specified while we wait for the data collection to complete
  • Stops procmon.exe on the remote system properly such that the generated PML file is valid
  • Copies the PML file to your local machine for analysis
  • Removes procmon.exe and the PML file from the remote machine (always clean up after yourself)
  • Displays the size of the PML file and reminds you to delete it when you’re done (they can get very large!)
  • Launches Process Monitor on your machine and opens the PML file for your analysis
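
The steps listed above, sketched as an added example; this is not the author's Get-ProcMonData script. The function name, the tool paths under C:\Tools, the use of the C$ admin share, running as SYSTEM with PsExec -s, and WinRM access for Get-CimInstance are all assumptions.

```powershell
# Added example, not the author's script. Names and paths below are assumptions.
function Invoke-RemoteProcmonCapture {                      # hypothetical name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [ValidateRange(10, 100)] [int] $Duration = 30,      # seconds; capped at 100 as on the page
        [string] $PsExec  = 'C:\Tools\PsExec.exe',          # assumed local path
        [string] $Procmon = 'C:\Tools\Procmon.exe',         # assumed local path
        [string] $OutDir  = $env:TEMP                       # assumed to be on a local drive
    )
    $minFree   = 500MB
    $remoteDir = "\\$ComputerName\C$\Windows\Temp"          # assumes the C$ admin share is reachable
    $pmlName   = "procmon_$ComputerName.pml"

    # Pre-flight: tools present, host answers ping, both disks have room for the trace.
    foreach ($tool in $PsExec, $Procmon) {
        if (-not (Test-Path $tool)) { throw "Missing tool: $tool" }
    }
    if (-not (Test-Connection $ComputerName -Count 1 -Quiet)) { throw "$ComputerName does not respond to ping" }
    $localFree  = (Resolve-Path $OutDir).Drive.Free
    $remoteFree = (Get-CimInstance Win32_LogicalDisk -ComputerName $ComputerName `
                    -Filter "DeviceID='C:'" -ErrorAction Stop).FreeSpace
    if ($localFree -lt $minFree -or $remoteFree -lt $minFree) { throw 'Less than 500MB free on source or target' }

    Copy-Item $Procmon "$remoteDir\procmon.exe" -ErrorAction Stop
    try {
        # -d returns immediately so this session can stop the capture later; -s runs as SYSTEM.
        & $PsExec "\\$ComputerName" -accepteula -s -d 'C:\Windows\Temp\procmon.exe' `
            /AcceptEula /Quiet /Minimized /BackingFile "C:\Windows\Temp\$pmlName"
        for ($i = 1; $i -le $Duration; $i++) {
            Write-Progress -Activity "Capturing on $ComputerName" -PercentComplete (100 * $i / $Duration)
            Start-Sleep -Seconds 1
        }
        # /Terminate asks the running instance to exit cleanly, leaving a valid PML file.
        & $PsExec "\\$ComputerName" -accepteula -s 'C:\Windows\Temp\procmon.exe' /Terminate
        Start-Sleep -Seconds 5                              # precaution: let the trace finish flushing
        Copy-Item "$remoteDir\$pmlName" $OutDir -ErrorAction Stop
    }
    finally {
        # Always remove the binary and the trace from the remote machine, even on failure.
        Remove-Item "$remoteDir\procmon.exe", "$remoteDir\$pmlName" -Force -ErrorAction SilentlyContinue
    }
    $pml = Get-Item (Join-Path $OutDir $pmlName)
    Write-Host ("{0} is {1:N0} MB; delete it when finished." -f $pml.FullName, ($pml.Length / 1MB))
    & $Procmon /OpenLog $pml.FullName
}
# Usage: Invoke-RemoteProcmonCapture -ComputerName remotecomputerhere -Duration 30
```

The `finally` block runs even if the capture or copy fails, so the Procmon binary and trace file are not left behind in the remote temp folder.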


There is still a lot I can do to clean this up and make it a more robust advanced function but at this point it’s working for me reliably so I’m going to call it.  I hope you find this useful!



