Microsoft ProcMon - Process Monitor for Linux

Windows and Linux logos, ProcMon

Microsoft has wanted to sell the idea that it has a certain love for Linux; in fact, it has contributed to the development of the kernel, for example to integrate its Hyper-V. Also, as you well know, it is a member of the Linux Foundation, and it has bought the famous open source platform GitHub. To this we must add that some programs such as Edge, PowerShell, ProcMon, etc. are also being brought to GNU/Linux, and that a Linux subsystem has been integrated into Windows 10...

But beware, do not confuse love with interest: what drives Microsoft is pure interest. Despite all the gestures it has made, it is still a company that seeks profit, and it always will. If that means moving closer to Linux it will, and if that means moving away, it will do that too. Make no mistake.

Background

windows 95 logo

I don't know if you know that Microsoft has been testing some of its mythical Windows 95 features in Windows 10. The latest Redmond operating system has become a kind of rolling release with which they are doing experiments like these, which their users may like more or less.

Some of the Windows 95 programs have been rescued today, as they are regaining importance. For example, Image Resizer, which is very practical for images that are to be posted on social networks, etc. In short, Microsoft intends to bring a series of its PowerToys to its modern system with some improvements and adaptations to the new times.

Among the latest PowerToys utilities are:

  • Fancy Zones
  • Image Resizer
  • Keyboard Manager
  • Power Rename
  • etc.

Well, besides that, there are some other open source tools that Microsoft has on GitHub, some of them also for GNU/Linux.

ProcMon or Process Monitor

Windows ProcessMonitor

Another tool whose source code Microsoft has released, and which you can find on GitHub, is Process Monitor or ProcMon. It is a much more modern utility for Windows used to monitor and display the activity of a Microsoft Windows operating system in real time, specifically by reading activity from the Windows registry.

It is especially interesting for sysadmins, forensics and debugging, for tasks ranging from simply knowing the activity of the system, to spotting failed access attempts (read/write) on registry keys to detect problems, filtering by keys, processes, IDs or specific values to locate what you are looking for, learning which dynamic DLL libraries are used by software applications, detecting file system (FS) errors, etc.

This utility was the result of merging two older tools that Microsoft used previously, called:

  • FileMon: created by Mark Russinovich and Bryce Cogswell, two NuMega Technologies employees. This later became Sysinternals, which was bought by Microsoft in 2006. Its name is a contraction of File + Monitor, and as the name suggests it is dedicated to monitoring file system activity.
  • RegMon: its twin sibling shares the same origin. In this case, it was aimed at forensic analysis using data from the Windows registry. Its name comes from the contraction of Registry + Monitor.

After being merged into one, ProcMon was first released for Windows 2000 and then for Windows XP SP2, and it kept being updated for subsequent versions. But despite being freeware, it was not open source until now.

ProcMon for Linux

You may wonder why I am telling you all this, thinking that it has nothing to do with Linux even though it has been open-sourced. But the truth is that this is not the case, since there is also a version of ProcMon available for Linux. So, if you like this tool and want to try it on your GNU/Linux distro too, from now on you can.

ProcMon for Linux is a new adaptation of the classic Sysinternals ProcMon. Its goal is to provide developers with an efficient way to monitor or trace system call (syscall) activity. But of course, in Linux there is no Windows-style registry, so it is not a simple port; that is why it makes use of BCC (BPF Compiler Collection), a toolkit for the manipulation and tracing of programs for the Linux kernel.

Additionally, Microsoft has released the code on GitHub under the MIT license. By the way, the source code is written in the C++ programming language.

Install ProcMon

To begin, the first thing is to install ProcMon in your favorite distro. You should know that it has a series of dependencies that you have to satisfy beforehand. Also, although the project page only talks about Ubuntu, it might work on other distros as well.

The first thing to do is satisfy the dependencies, which are basically three:

  • BCC (BPF Compiler Collection)
  • cmake (to build the code)
  • libsqlite3-dev (SQL database engine)

For this, you can run the following commands:

sudo apt-get -y install bison build-essential flex git libedit-dev libllvm6.0 llvm-6.0-dev libclang-6.0-dev python zlib1g-dev libelf-dev

git clone --branch tag_v0.10.0 https://github.com/iovisor/bcc.git
mkdir bcc/build
cd bcc/build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install

With that we would already have the dependencies; the next step is to go for ProcMon itself:

git clone https://github.com/Microsoft/Procmon-for-Linux
cd Procmon-for-Linux
mkdir build
cd build
cmake ..
make

If you want, you could also build the ProcMon DEB package on Ubuntu in a simple way:

cd build
cpack ..

Use ProcMon

Once you have it installed, the next step is to start enjoying this tool. Its use is quite simple, since it does not have an immense number of options. You also have to keep in mind that it needs privileges, so you should run it as root or, better, with sudo in front of it.

The ProcMon syntax to use it from the terminal is:

procmon [options]

Where [options] will be some of these:

  • -h or --help: show the program's help.
  • -p or --pids: to indicate the comma-separated processes you want to monitor; you can also give just one. They are specified by their ID, that is, a number.
  • -e or --events: comma-separated list of system calls you want to monitor; you can also give just one. You have to specify them by name.
  • -c or --collect /path/file: start procmon in headless mode, that is, without the features of its interface that you can see in the previous GIF. A very practical mode for some tests or scripted automations. The path specifies the file where all the activity captured by the command will be recorded so that you can review it later.
  • -f or --file /path/file: run ProcMon to map a specific file.
  • No options: ProcMon starts and shows all running processes and syscalls on the system.
  • Combined: several options can be combined without problem.

If you want some practical examples, here are a few executions:

sudo procmon

sudo procmon -p 44

sudo procmon -p 44,800

sudo procmon -c /home/registro.db

sudo procmon -p 4 -e read,write,open

sudo procmon -f /home/usuario/programas/prueba
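To tie the headless mode (-c) and the PID and syscall filters (-p, -e) together in a repeatable way, here is an added helper script; it is not from the article or from the Procmon-for-Linux project. It assumes procmon is in PATH and that pgrep from procps is available, and it validates its inputs before anything runs as root.

```shell
#!/bin/sh
# Added example, not from the article or the Procmon-for-Linux project:
# wrap headless collection (-c) of selected PIDs (-p) and syscalls (-e)
# with input validation, so the trace file can be reviewed later.
# Assumes procmon is in PATH and pgrep (procps) is available.

# A comma-separated list of positive integers, e.g. "44,800".
valid_pid_list() {
    printf '%s' "$1" | grep -Eq '^[1-9][0-9]*(,[1-9][0-9]*)*$'
}

# A comma-separated list of syscall names, e.g. "read,write,open".
valid_event_list() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_]*(,[a-z_][a-z0-9_]*)*$'
}

# Validate inputs and print the procmon command line that would run.
# Returns 1 (and prints nothing) when any argument is malformed.
build_procmon_cmd() {
    pids=$1 events=$2 out=$3
    valid_pid_list "$pids" || { echo "bad pid list: $pids" >&2; return 1; }
    valid_event_list "$events" || { echo "bad event list: $events" >&2; return 1; }
    case $out in
        /*) ;;
        *) echo "output path must be absolute: $out" >&2; return 1 ;;
    esac
    printf 'procmon -p %s -e %s -c %s\n' "$pids" "$events" "$out"
}

# Resolve a process name to its PIDs as a comma-separated list (via pgrep).
pids_of() {
    pgrep -d ',' -x "$1"
}

# Usage: sh procmon-trace.sh <process-name> [syscalls] [/abs/path/out.db]
run_trace() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: procmon needs privileges" >&2; return 1; }
    command -v procmon >/dev/null 2>&1 || { echo "procmon not found in PATH" >&2; return 1; }
    pids=$(pids_of "$1") || { echo "no process named $1" >&2; return 1; }
    events=${2:-open,read,write}
    out=${3:-/var/tmp/procmon-trace.db}
    build_procmon_cmd "$pids" "$events" "$out" >/dev/null || return 1
    procmon -p "$pids" -e "$events" -c "$out"
}

# Only start tracing when a process name is given on the command line.
if [ $# -gt 0 ]; then
    run_trace "$@"
fi
```

Run it as root with a process name, e.g. `sudo sh procmon-trace.sh sshd open,read,write /var/tmp/sshd-trace.db`; the resulting file is what you later inspect instead of watching the live interface.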


      Fernando said

    I've been using it on Windows since it came out. And that, years ago there were many similar tools.
    But this was a simple executable file, simple and practical.

    Let's see how it goes on Linux.