Introduction
As a System Administrator, you may want to obtain detailed logs using Process Monitor (procmon.exe) to determine whether the FireAMP connector experiences hangs during the computer startup process. Cisco TAC will also request these logs in order to troubleshoot such issues. Process Monitor is a free utility that can help here; it can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
This document describes the steps to collect ProcMon logs and a memory dump when the problem occurs during the system boot process (that is, the machine generates BSODs at boot). These logs are required to capture the system events that take place during boot.
Procedure:
1. Set up the test machine in such a way that the issue can be reproduced easily.
2. Download and run the ProcMon tool as administrator. Go to File -> Process Monitor Backing Files and select a path.
3. In the Procmon tool, go to Options -> Enable Boot Logging.
4. Select Generate thread profiling events and Every second.
5. Make sure all of the relevant filters are selected in Procmon and that data is being collected.
6. If you are unable to replicate the crash, you can force a Windows crash using the utility NotMyFault64.exe, which is available from https://live.sysinternals.com/files/
The instructions on how to run it are here: https://docs.microsoft.com/en-us/windows/client-management/generate-kernel-or-complete-crash-dump
7. Crash the machine.
8. Boot the machine into Safe Mode and manually collect Procmon.pmb and MEMORY.DMP; both files are in the C:\Windows folder. Share these files with Cisco TAC.
9. Optionally, if you are able to boot into normal mode and the PMB file has been generated in the C:\Windows folder, launch ProcMon again and it will display the captured boot events. From there you can re-save the events by clicking the Save button.
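As an added example for step 8 (not part of the Cisco document), the PowerShell below, run from an elevated prompt after the crash, reports the configured crash-dump type, looks up the last recorded bugcheck, and copies Procmon.pmb and MEMORY.DMP to a staging folder together with their SHA256 hashes. C:\TAC_Upload is a placeholder path.

```powershell
# Added example (not from the Cisco document): verify and stage the boot-log
# artifacts described in step 8. Run from an elevated PowerShell prompt.
$Destination = "C:\TAC_Upload"          # placeholder folder, change as needed
$Artifacts   = @(
    "$env:SystemRoot\Procmon.pmb",      # Procmon boot-logging backing file
    "$env:SystemRoot\MEMORY.DMP"        # memory dump written from the crash
)

# The dump type decides whether MEMORY.DMP is useful to TAC: 0 = none,
# 1 = complete, 2 = kernel, 3 = small (minidump only), 7 = automatic.
$crashCtl  = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl"
$dumpTypes = @{ 0 = "None"; 1 = "Complete"; 2 = "Kernel"; 3 = "Small"; 7 = "Automatic" }
$dumpType  = $dumpTypes[[int]$crashCtl.CrashDumpEnabled]
Write-Host "CrashDumpEnabled = $($crashCtl.CrashDumpEnabled) ($dumpType), DumpFile = $($crashCtl.DumpFile)"
if ([int]$crashCtl.CrashDumpEnabled -in 0, 3) {
    Write-Warning "Only a minidump (or no dump) is configured; set a kernel or complete dump and reproduce again."
}

# Time of the last recorded bugcheck, to compare with the file timestamps below
# so that files left over from an older crash are not sent by mistake.
$bugcheck = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001;
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting' } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($bugcheck) { Write-Host "Last bugcheck recorded at $($bugcheck.TimeCreated)" }

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$sumFile = Join-Path $Destination "SHA256SUMS.txt"

foreach ($path in $Artifacts) {
    if (-not (Test-Path $path)) {
        Write-Warning "$path is missing: boot logging may not have been enabled, or the dump was not written."
        continue
    }
    $item = Get-Item $path
    Write-Host ("{0}: {1:N0} MB, last written {2}" -f $item.Name, ($item.Length / 1MB), $item.LastWriteTime)
    Copy-Item -Path $path -Destination $Destination -Force
    # Hash the staged copy so TAC can confirm the upload arrived intact.
    $hash = Get-FileHash -Path (Join-Path $Destination $item.Name) -Algorithm SHA256
    "$($hash.Hash)  $($item.Name)" | Add-Content -Path $sumFile
}
Write-Host "Files staged in $Destination; share the folder contents with Cisco TAC."
```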