我知道进程监视器有“启用启动日志记录”功能。
但这只在下次启动时生效。
有没有办法可以在将来每次启动时启用启动日志记录?
答案1
我不知道永久启用启动日志的常规方法,但似乎启动日志由Procmon驱动程序配置中的两个注册表值控制。也许(重新)创建这些值(例如使用启动脚本)可以实现您想要的效果:
if not exist %SystemRoot%\System32\Drivers\PROCMON23.sys copy PROCMON23.sys %SystemRoot%\System32\Drivers\
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v ImagePath /t REG_SZ /d "System32\Drivers\PROCMON23.sys" /f
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Start /t REG_DWORD /d 0x0 /f
reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Type /t REG_DWORD /d 0x1 /f
但是,在尝试类似操作之前,我会先尝试“常规”监控(不记录启动日志)。启动一次 Process Monitor,并将其配置为仅监控对文件的访问hosts(过滤器 → 过滤器...将该配置导出到文件C:\hosts.pmc(文件 → 导出配置...)然后在启动脚本中运行如下内容:
procmon /LoadConfig C:\hosts.pmc /BackingFile C:\hosts_%DATE:/=-%.pml /Quiet > C:\hosts.log 2>&1
这将使用导出的配置 ( /LoadConfig C:\hosts.pmc) 启动 Process Monitor,在不提示确认过滤器设置的情况下启动监控 ( /Quiet),并将记录的事件记录到包含当前日期的日志文件中 ( /BackingFile C:\hosts_%DATE:/=-%.pml)。表达式%DATE:/=-%生成当前日期,其中正斜杠/被连字符 替换-。如果您的日期格式不是,MM/DD/YYYY则必须相应地修改此表达式。
启动脚本可以通过多种方式配置(Run注册表中的项、计划任务、组策略等)。请参阅以下答案这个问题在 StackOverflow 上查看概述。
答案2
Adam Collett/adjman666 编写了一个 vbscript 来实现这一点,并将其发布到 sysinternals 论坛。为了使其正常工作,\server\procmon 共享需要设置共享和文件权限,以便“域计算机”可以从该位置读取,否则脚本将出现错误并显示“拒绝访问”消息。
'Script to enable boot logging in Process Monitor at every shutdown to ensure we capture all activity, every time.
'Declare the objects used in the script
Dim objFSO, objShell, objRegistry
'Declare the variables used in the script
Dim strProcmon20KeyPath, strInstancesKeyPath, strPMIKeyPath, strStartValueName, strGroupValueName, strTypeValueName, strImagePathValueName
Dim strDefInstanceValueName, strAltitudeValueName, strFlagsValueName, strComputer
'Declare the constants used in the script
Const HKEY_LOCAL_MACHINE = &H80000002
'Create our FileSystem, Shell and Registry objects
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objShell=WScript.CreateObject("WScript.Shell")
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
'Set all variables ready for use
strProcmon20KeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\"
strInstancesKeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\Instances\"
strPMIKeyPath = "SYSTEM\CurrentControlSet\Services\PROCMON20\Instances\Process Monitor Instance\"
strStartValueName = "Start"
strGroupValueName = "Group"
strTypeValueName = "Type"
strImagePathValueName = "ImagePath"
strDefInstanceValueName = "DefaultInstance"
strAltitudeValueName = "Altitude"
strFlagsValueName = "Flags"
'Check for the Process Monitor Executable, copy it in if not already on the system.
If not objFSO.FileExists("C:\Windows\System32\procmon.exe") Then
objFSO.CopyFile "\\server\procmon\procmon.exe", "C:\Windows\System32\", true
End If
'Now import the registry settings, one at a time
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strStartValueName, "0", "REG_DWORD"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strGroupValueName, "FSFilter Activity Monitor", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strTypeValueName, "1", "REG_DWORD"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strProcmon20KeyPath & strImagePathValueName, "System32\Drivers\PROCMON20.SYS", "REG_EXPAND_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strInstancesKeyPath & strDefInstanceValueName, "Process Monitor Instance", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strPMIKeyPath & strAltitudeValueName, "385200", "REG_SZ"
objShell.RegWrite "HKEY_LOCAL_MACHINE\" & strPMIKeyPath & strFlagsValueName, "0", "REG_DWORD"
'Now copy over the PROCMON20.SYS file to the C:\Windows\System32\Drivers folder
If not objFSO.FileExists("C:\Windows\System32\Drivers\PROCMON20.SYS") Then
objFSO.CopyFile "\\server\procmon\PROCMON20.SYS", "C:\Windows\System32\Drivers\", true
End If
'End of Script