Process monitor logging

I'm not aware of a regular way to permanently enable boot logging, but it seems that boot logging is controlled by two registry values in the Procmon driver configuration. Something like this (with a startup script) will do what you want:

    if not exist %SystemRoot%\System32\Drivers\PROCMON23.sys copy PROCMON23.sys %SystemRoot%\System32\Drivers\
    Reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v ImagePath /t REG_SZ /d "System32\Drivers\PROCMON23.sys" /f
    Reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Start /t REG_DWORD /d 0x0 /f
    Reg add HKLM\SYSTEM\CurrentControlSet\services\PROCMON23 /v Type /t REG_DWORD /d 0x1 /f

However, before trying something like that, I'd first try "regular" monitoring (without boot logging). Start Process Monitor once and configure it to monitor only access to the hosts file (Filter → Filter...). Export that configuration to the file C:\hosts.pmc (File → Export Configuration...). Then run something like this in a startup script:

    procmon /LoadConfig C:\hosts.pmc /BackingFile C:\hosts_%DATE:/=-%.pml /Quiet > C:\hosts.log 2>&1
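The same two procedures as one PowerShell startup script, added here as an example and not part of the original answer. It assumes (none of this is stated on the page) that the Procmon driver is PROCMON23.sys (the driver name changes between Process Monitor versions, so check the one you deploy), that procmon.exe and the driver sit next to the script, that C:\hosts.pmc already holds the exported filter, and that logs go to a directory C:\ProcmonLogs of my choosing. It adds the checks the cmd version lacks: it reads the service values back after writing them, builds the backing-file name with Get-Date instead of the locale-dependent %DATE:/=-% substitution, and restricts the log directory to SYSTEM and Administrators, since the .pml files record every process that touched the hosts file.

```powershell
# Added example, not code from the original answer. Assumed names: PROCMON23
# (version-specific driver name), C:\hosts.pmc, C:\ProcmonLogs.
param([switch]$BootLogging)

$ErrorActionPreference = 'Stop'
$DriverName = 'PROCMON23'
$ScriptDir  = $PSScriptRoot
$ConfigFile = 'C:\hosts.pmc'
$LogDir     = 'C:\ProcmonLogs'

function Enable-ProcmonBootDriver {
    # The undocumented route from the answer: stage the driver once and register it
    # as a boot-start kernel driver. Start=0 is SERVICE_BOOT_START, Type=1 is
    # SERVICE_KERNEL_DRIVER, and ImagePath is relative to %SystemRoot%.
    $src = Join-Path $ScriptDir "$DriverName.sys"
    $dst = Join-Path $env:SystemRoot "System32\Drivers\$DriverName.sys"
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"

    if (-not (Test-Path $dst)) { Copy-Item -Path $src -Destination $dst }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    New-ItemProperty -Path $key -Name ImagePath -Value "System32\Drivers\$DriverName.sys" -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name Start -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name Type  -Value 1 -PropertyType DWord -Force | Out-Null

    # Read back what was written: a wrong value here silently leaves you without a boot log.
    $svc = Get-ItemProperty -Path $key
    if ($svc.Start -ne 0 -or $svc.Type -ne 1) {
        throw "Service $DriverName is not configured as a boot-start kernel driver"
    }
}

function Start-HostsMonitor {
    # "Regular" monitoring from the answer: run Procmon with the exported filter and
    # a fresh backing file per boot. Get-Date replaces %DATE:/=-%, whose output
    # (and hence the validity of the file name) depends on the system locale.
    if (-not (Test-Path $ConfigFile)) { throw "Missing Procmon configuration $ConfigFile" }

    if (-not (Test-Path $LogDir)) {
        New-Item -ItemType Directory -Path $LogDir | Out-Null
        # Drop inherited ACEs; only SYSTEM and Administrators may read or write the logs.
        icacls $LogDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
    }

    $stamp   = Get-Date -Format 'yyyy-MM-dd_HHmmss'
    $backing = Join-Path $LogDir "hosts_$stamp.pml"

    Start-Process -FilePath (Join-Path $ScriptDir 'procmon.exe') `
        -ArgumentList @('/AcceptEula', '/Quiet', '/Minimized',
                        '/LoadConfig', $ConfigFile, '/BackingFile', $backing) `
        -RedirectStandardOutput (Join-Path $LogDir 'hosts.log') `
        -RedirectStandardError  (Join-Path $LogDir 'hosts.err')
}

# As the answer suggests, start with regular monitoring; only register the
# boot-start driver (-BootLogging) if the hosts file is being changed before
# this script gets to run.
if ($BootLogging) { Enable-ProcmonBootDriver } else { Start-HostsMonitor }
```

Both paths write under HKLM and System32, so the script has to run elevated; a Group Policy startup script (which runs as SYSTEM) or a scheduled task at startup with highest privileges are the usual places for it. Call it with `-BootLogging` only after confirming the driver file name shipped with your Process Monitor build, and keep in mind that registering the driver this way is, as the answer says, not a documented feature: after a Procmon update the staged driver and the one the new procmon.exe expects may no longer match.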