Circular Logging with Process Monitor

Process Monitor (ProcMon) is the go-to utility for capturing system events such as file system or registry access. It is very useful when you need to collect information from your system for troubleshooting. More often than not, vendors like Microsoft or Citrix ask you to upload a trace file created with ProcMon so that they can assist you with troubleshooting.

However, some problems are not easy to reproduce and are therefore difficult to capture with Process Monitor. ProcMon can capture a lot of data, but in the process it creates large log files. Leaving ProcMon running for an extended period of time will fill up your disk quickly, especially when it runs in a XenApp environment with dozens of users working on the same machine.

One thing Process Monitor does not do is circular tracing. Circular tracing (or circular logging) works by overwriting old events with new events, keeping the log file at a fixed size.

I have written a script that adds this functionality to Process Monitor. It allows you to specify how many log files you would like to keep and how many seconds you want to capture in each log file. For example, 6 log files each containing 5 minutes (300 seconds) of past events keep the required disk space to a minimum while giving you 30 minutes to react and stop the trace once the error appears.

ProcMon files grow big pretty fast, but they can be compressed easily. My script automatically compresses past log files to further limit the disk space required before they are rolled over.

$LogPath = "C:\ProcMon"   # folder holding procmon.exe and the trace files
$MaxLogs = 5              # number of log files (slots) to keep before rolling over
$Seconds = 300            # capture time per log file (5 minutes)
$Counter = 0

do
{
  $Counter = $Counter + 1

  # Reset counter if $MaxLogs is reached
  If ($Counter -gt $MaxLogs)
  {
    $Counter = 1
  }

  $Logfile = "$LogPath\Logfile_$Counter.pml"
  $Zipfile = "$LogPath\Logfile_$Counter.zip"
  $ProcMonParameters = "/Backingfile $Logfile /AcceptEula /Minimized /Quiet"

  # Remove old compressed log files to enable roll over
  If (Test-Path $Zipfile)
  {
    Remove-Item $Zipfile
  }

  # Start ProcMon and let it capture for $Seconds seconds
  Start-Process "$LogPath\procmon.exe" $ProcMonParameters
  Start-Sleep -Seconds $Seconds

  # Terminate ProcMon and give it a moment to flush the backing file
  & "$LogPath\procmon.exe" /Terminate
  Start-Sleep -Seconds 3

  # Compress the trace(s) of this slot (ProcMon may split the backing file into
  # Logfile_1.pml, Logfile_1-1.pml, ...) and remove the uncompressed trace files
  Compress-Archive -Path "$LogPath\Logfile_$Counter*.pml" -DestinationPath $Zipfile
  Remove-Item "$LogPath\*.pml"
}
while ($Counter -le $MaxLogs)   # always true after the reset above: runs until the script is stopped

One thought on “Circular Logging with Process Monitor”

  1. Hey kind sir – Do you have a way to do this part on PS 4.0?
    Compress-Archive -path $LogPath\"Logfile_"$counter*".pml" -DestinationPath $Zipfile

    I can’t install 5 on the production server or reboot it but really want this function.

    Thank you!!

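The comment above asks how to do the compression step without Compress-Archive, which only ships with PowerShell 5.0. As an added example (not the post author's code), the helper below zips the trace files of one rotation slot with the .NET ZipFile class instead; it assumes .NET Framework 4.5 or later is installed, and the function name Compress-ProcMonSlot is my own.

```powershell
# Added example: replace the Compress-Archive / Remove-Item lines of the loop on
# PowerShell 4.0 by using System.IO.Compression.ZipFile (needs .NET 4.5+).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Compress-ProcMonSlot {
    param(
        [Parameter(Mandatory)][string]$LogPath,   # folder with the .pml traces
        [Parameter(Mandatory)][int]$Counter       # rotation slot number
    )
    $Zipfile = Join-Path $LogPath ("Logfile_{0}.zip" -f $Counter)

    # Same roll-over behaviour as the original script: drop this slot's old archive
    if (Test-Path $Zipfile) { Remove-Item $Zipfile }

    # ProcMon may split a backing file into Logfile_1.pml, Logfile_1-1.pml, ...
    $Traces = Get-ChildItem -Path $LogPath -Filter ("Logfile_{0}*.pml" -f $Counter)
    if (-not $Traces) { return $null }

    $Zip = [System.IO.Compression.ZipFile]::Open(
        $Zipfile, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($Trace in $Traces) {
            [System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile(
                $Zip, $Trace.FullName, $Trace.Name,
                [System.IO.Compression.CompressionLevel]::Optimal) | Out-Null
        }
    }
    finally {
        $Zip.Dispose()   # flush and close the archive before the traces are deleted
    }

    # Only remove the traces that were actually archived
    Remove-Item $Traces.FullName
    return $Zipfile
}

# Drop-in use inside the rotation loop:
# Compress-ProcMonSlot -LogPath $LogPath -Counter $Counter
```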
