procmon window can't be hidden

[VaultGuy]

Hi guys,

I'm trying to run procmon ( https://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx ) hidden, so I tried the following:

Run("procmon.exe /Nofilter /accepteula /Quiet /Minimized /BackingFile ProcmonTrace.PML", "", @SW_HIDE)

@SW_HIDE doesn't work and procmon always runs in a minimized window.

Procmon in general doesn't seem to respond to "hide" commands. I just started procmon and then this code to test it:

$ProcMonWindowHandle = WinWait("[CLASS:PROCMON_WINDOW_CLASS]","",3)
If $ProcMonWindowHandle = 0 Then MsgBox(1, "Error", "Error")
WinActivate ($ProcMonWindowHandle)
Sleep (2000)
WinSetState ( $ProcMonWindowHandle, "",  @SW_HIDE )

WinActivate works, but WinSetState not. WinClose and WinKill also don't work.

Has anyone experienced this before and maybe has a solution for it ?

[JohnOne]

Does this "procmon" ask for admin?

[Blue_Drache]

Here's a thought.  Since procmon.exe is a high-value target for virus coders, perhaps the operating system is preventing what you wish?

[VaultGuy]

Hi JohnOne,

thanks for your reply.

Procmon indeed asks for admin.

In this small example #RequireAdmin fixed the issue:

#RequireAdmin
$ProcMonWindowHandle = WinWait("[CLASS:PROCMON_WINDOW_CLASS]","",3)
If $ProcMonWindowHandle = 0 Then MsgBox(1, "Error", "Error")
WinActivate ($ProcMonWindowHandle)
Sleep (1000)
WinSetState ( $ProcMonWindowHandle, "",  @SW_HIDE )
Sleep (2000)
WinSetState ( $ProcMonWindowHandle, "",  @SW_SHOW )

My initial script which runs procmon had the following wrapper directive:

#AutoIt3Wrapper_Res_requestedExecutionLevel=requireAdministrator

I thought this was enough to carry the permission level to the procmon child process.

When I add #RequireAdmin, I'm able to use WinSetState correctly.

But the initial @SW_HIDE command still doesn't work:

Run("procmon.exe /Nofilter /accepteula /Quiet /Minimized /BackingFile ProcmonTrace.PML", "", @SW_HIDE)

[JohnOne]

Yes, some windows are simply like that, and refuse to start hidden, firefox or chrome is another I think.

[VaultGuy]

JohnOne thanks for your feedback. It helped much to get me on the right track

Yes, some windows are simply like that, and refuse to start hidden, firefox or chrome is another I think.

 

I kind of worked around it:

Opt('WinWaitDelay', 10)
Run("procmon.exe /Nofilter /accepteula /Quiet /Minimized /BackingFile ProcmonTrace.PML", "", @SW_HIDE)
$ProcMonWindowHandle = WinWait("[CLASS:PROCMON_WINDOW_CLASS]")
WinSetState ( $ProcMonWindowHandle, "", @SW_HIDE )

@SW_HIDE from the run command doesn't work, but "Opt('WinWaitDelay', 10)" hides the window immediately. There's only a minimal flicker of the script in the task bar and that's it.

Good enough for me ... Thanks for the help.

[jguinch]

It works for me, with just removing the /Minimized parameter :

#RequireAdmin
Run("procmon.exe /Nofilter /accepteula /Quiet /BackingFile ProcmonTrace.PML", "", @SW_HIDE)

[VaultGuy]

 

It works for me, with just removing the /Minimized parameter :

#RequireAdmin
Run("procmon.exe /Nofilter /accepteula /Quiet /BackingFile ProcmonTrace.PML", "", @SW_HIDE)

Hey thanks, works for me, too