Share via

PROCMON 4.1.0.0 deletes backing files

Bauer Matthias KBL CDYF13 0 Reputation points
2025-03-27T08:55:14.9466667+00:00

I start procmon over powershell. It starts creating output.pml, output-1.pml up to output-22.pml. In the background the file output.pml up to output-5.pml are deleted. I'm not using the ring buffer. If I analyze the backing files entries from the beginning are missing. Why is procmon deleteing the backing files? I have 600GByte of free disk sapce. 

Start-Process -FilePath "procmon.exe" -ArgumentList "/Quiet /Minimized /Backingfile output.pml /LoadConfig ProcessMonitorPmcFile.pmc" -Verbose -PassThru

Start-Process -FilePath "procmon.exe" -ArgumentList "/OpenLog output.pml /SaveApplyFilter /SaveAs temp_output.csv" -Wait -Verbose -PassThru
Sysinternals
Sysinternals

Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bauer Matthias KBL CDYF13 0 Reputation points
    2025-03-31T13:09:07.3566667+00:00

    with the python script I can enable the ring buffer and set it to 255 minutes which solves my problem. Procmon creates 1 large file (arround 100 GByte) with all captures I'm locking for.

    User's image

    file_name = "ProcessMonitorPmcFile.pmc"
from procmon_parser import load_configuration, dump_configuration, Rule
with open(file_name, "rb") as f:
     config = load_configuration(f)

# Print the entire dictionary
print(config)
config["Columns"] = [600]  # Example widths in pixels
config["ColumnCount"] = len(config['Columns'])
config["ColumnMap"] = [40071]  # Example column types (adjust as needed)

new_rules = [ 
            Rule('EVENT_CLASS', 'is', 'Registry', 'exclude'), 
            Rule('EVENT_CLASS', 'is', 'Network', 'exclude'), 
            Rule('EVENT_CLASS', 'is', 'Process', 'exclude'), 
            Rule('EVENT_CLASS', 'is', 'Profiling', 'exclude'), 
            Rule('PATH', 'BEGINS_WITH', 'D:\\SW\\2025\\mma\\S005_SB\\', 'include'), 
            Rule('OPERATION', 'is', 'CreateFile',  'include')]
config["FilterRules"] = new_rules
config["DestructiveFilter"] = 1
config["FlightRecorder"] = b'\x01\x00\x00\x00'
config["RingBufferMin"] = b'\xFF\x00\x00\x00'
print(config)

with open(file_name, "wb") as f:
     dump_configuration(config, f)


from procmon_parser import load_configuration, dump_configuration, Rule
with open(file_name, "rb") as f:
     config = load_configuration(f)


print(config["FilterRules"])
print(config["Columns"])
print(config["ColumnCount"])
print(config["ColumnMap"])
    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.