VaultGuy

procmon window can't be hidden

8 posts in this topic

Hi guys,

I'm trying to run procmon (https://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx) hidden, so I tried the following:

Run("procmon.exe /Nofilter /accepteula /Quiet /Minimized /BackingFile ProcmonTrace.PML", "", @SW_HIDE)

@SW_HIDE doesn't work and procmon always runs in a minimized window.

Procmon in general doesn't seem to respond to "hide" commands. I just started procmon and then this code to test it:

; Wait up to 3 seconds for the Procmon main window, identified by its window class
$ProcMonWindowHandle = WinWait("[CLASS:PROCMON_WINDOW_CLASS]", "", 3)
If $ProcMonWindowHandle = 0 Then MsgBox(1, "Error", "Error")
WinActivate($ProcMonWindowHandle)
Sleep(2000)
WinSetState($ProcMonWindowHandle, "", @SW_HIDE)

WinActivate works, but WinSetState not. WinClose and WinKill also don't work.

Has anyone experienced this before and maybe has a solution for it :bye: ?




Here's a thought.  Since procmon.exe is a high-value target for virus coders, perhaps the operating system is preventing what you wish?


Lofting the cyberwinds on teknoleather wings, I am...The Blue Drache


Hi JohnOne,

thanks for your reply.

Procmon indeed asks for admin.

In this small example #RequireAdmin fixed the issue:

#RequireAdmin   ; run the script elevated, matching Procmon's own elevation
$ProcMonWindowHandle = WinWait("[CLASS:PROCMON_WINDOW_CLASS]", "", 3)
If $ProcMonWindowHandle = 0 Then MsgBox(1, "Error", "Error")
WinActivate($ProcMonWindowHandle)
Sleep(1000)
WinSetState($ProcMonWindowHandle, "", @SW_HIDE)   ; hide the window
Sleep(2000)
WinSetState($ProcMonWindowHandle, "", @SW_SHOW)   ; and show it again

My initial script which runs procmon had the following wrapper directive:

#AutoIt3Wrapper_Res_requestedExecutionLevel=requireAdministrator

I thought this was enough to carry the permission level to the procmon child process.

When I add #RequireAdmin, I'm able to use WinSetState correctly.

But the initial @SW_HIDE command still doesn't work:

Run("procmon.exe /Nofilter /accepteula /Quiet /Minimized /BackingFile ProcmonTrace.PML", "", @SW_HIDE)


JohnOne, thanks for your feedback. It helped a lot to get me on the right track :)

Yes, some windows are simply like that and refuse to start hidden; Firefox or Chrome is another, I think.

I kind of worked around it:

Opt('WinWaitDelay', 10)   ; poll for the window every 10 ms instead of the 250 ms default
Run("procmon.exe /Nofilter /accepteula /Quiet /Minimized /BackingFile ProcmonTrace.PML", "", @SW_HIDE)
$ProcMonWindowHandle = WinWait("[CLASS:PROCMON_WINDOW_CLASS]")
WinSetState($ProcMonWindowHandle, "", @SW_HIDE)   ; hide it as soon as it appears

@SW_HIDE from the run command doesn't work, but "Opt('WinWaitDelay', 10)" hides the window immediately. There's only a minimal flicker of the script in the task bar and that's it.

Good enough for me ... Thanks for the help.

It works for me by just removing the /Minimized parameter:

#RequireAdmin
Run("procmon.exe /Nofilter /accepteula /Quiet /BackingFile ProcmonTrace.PML", "", @SW_HIDE)

Hey thanks, works for me, too :)

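Putting the thread's findings together in one script, as an added example that is not code from any of the posters: #RequireAdmin so WinSetState can touch the elevated Procmon window, no /Minimized so @SW_HIDE is honoured, a tight WinWaitDelay fallback that hides the window if it still appears, and Procmon's own /Terminate switch to end the capture so the backing file is flushed. The tool path, trace path and capture length are placeholders.

```autoit
#RequireAdmin                      ; Procmon is elevated; an unelevated script cannot hide its window
#include <MsgBoxConstants.au3>

; Constructed example values; adjust to your environment.
Global Const $sProcmonExe = "C:\Tools\procmon.exe"
Global Const $sBackingFile = "C:\Traces\ProcmonTrace.PML"
Global Const $iCaptureSeconds = 30

Opt("WinWaitDelay", 10)   ; poll for the window every 10 ms so it is hidden as soon as it shows up

If Not FileExists($sProcmonExe) Then
    MsgBox($MB_ICONERROR, "Procmon", "procmon.exe not found: " & $sProcmonExe)
    Exit 1
EndIf

; Start the capture. No /Minimized: Procmon ignores @SW_HIDE when /Minimized is given.
Global $iPid = Run('"' & $sProcmonExe & '" /NoFilter /AcceptEula /Quiet /BackingFile "' & $sBackingFile & '"', "", @SW_HIDE)
If $iPid = 0 Then
    MsgBox($MB_ICONERROR, "Procmon", "Run failed, @error = " & @error)
    Exit 1
EndIf

; Fallback: if the main window still appears, hide it by its window class.
Global $hWnd = WinWait("[CLASS:PROCMON_WINDOW_CLASS]", "", 5)
If $hWnd <> 0 Then WinSetState($hWnd, "", @SW_HIDE)

Sleep($iCaptureSeconds * 1000)

; Stop cleanly via Procmon's /Terminate switch so buffered events reach the PML file;
; ProcessClose() on the PID would drop whatever has not been written yet.
RunWait('"' & $sProcmonExe & '" /Terminate', "", @SW_HIDE)
ProcessWaitClose($iPid, 15)

If FileExists($sBackingFile) Then
    ConsoleWrite("Trace written: " & $sBackingFile & " (" & FileGetSize($sBackingFile) & " bytes)" & @CRLF)
Else
    ConsoleWrite("No trace file was produced." & @CRLF)
EndIf
```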