Procmon may not work or it may cause an unexpected slowdown. Use electrifymon to log agent-side file operations; it is lightweight.
An instance occurred where procmon always disappeared after a short period of time. Even when procmon worked, it slowed down the agent machine considerably and resulted in a large amount of data. You can use electrifymon to inject a dll into the agent and its child process to log the file operations.
To activate it, add a registry string value under key:
name: prefix value: c:\ECloud\i686_win32\bin\electrifymon.exe –electrify-log=c:\electrify.log –electrify-localfile=y
On 64-bit Windows, it is c:\ECloud\i686_win32\64\bin\electrifymon.exe.
Then c:\electrify.log will contain the file operations, file name, and the process command line that did the operations.
- Product versions: 5.4.2 and later
- OS versions: Windows