Monitoring processes on remote Windows machines with Procmon

[Figure: Process Monitor capture]

I do a fair bit of work with VMs some days, using them for a variety of purposes, including integration tests for Windows installers and building components for different platforms. Much of this work runs headless, without a GUI and without manual intervention.

Sometimes things can go awry with a process, such as not shutting down as expected and keeping a handle open to a file that should be deleted, or spawning other processes and threads unexpectedly. When this happens on a Windows VM, it's useful to run Process Monitor (a.k.a. Procmon) on the remote VM to capture process activity for further investigation. This is the topic of today's post.

I've put together a small PowerShell script module to make the process of running Procmon on a remote Windows VM easier, and will walk through how to use it.
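To make the remote-capture idea concrete before looking at the module, here is an added example of the basic workflow in plain PowerShell. This is not the author's module and not part of the original post; it is a stand-alone function that starts Procmon headless on a remote VM over PowerShell Remoting, lets it record for a fixed window, terminates it so the log is flushed, and copies the resulting PML file back for offline analysis. It assumes WinRM is enabled on the VM, that Procmon.exe is already present at the assumed path `C:\Tools\Procmon.exe`, that the credential has local administrator rights there (Procmon needs them to load its driver), and that both ends run PowerShell 5.0 or later (required for `Copy-Item -FromSession`). The function name, parameter names and file paths are all placeholders chosen for this example.

```powershell
# Added example (not the author's module): headless Procmon capture on a remote VM.
# Assumptions: WinRM enabled, Procmon.exe already at $RemoteProcmon, admin credential,
# PowerShell 5.0+ on both sides. Paths and names below are placeholders.

function Start-RemoteProcmonCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $RemoteProcmon = 'C:\Tools\Procmon.exe',   # assumed location of Procmon on the VM
        [string] $RemoteLog     = 'C:\Temp\capture.pml',    # assumed backing-file path on the VM
        [int]    $Seconds       = 60,                       # how long to record
        [string] $LocalDir      = (Join-Path $PWD 'procmon-logs')
    )

    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential
    try {
        # Start Procmon with no GUI interaction: /AcceptEula prevents the licence dialog
        # from blocking a headless session, /Quiet suppresses the filter prompt,
        # /Minimized keeps the window out of the way, and /BackingFile writes events
        # straight to disk instead of the page file so nothing is lost on a long run.
        Invoke-Command -Session $session -ScriptBlock {
            param($exe, $log)
            if (-not (Test-Path $exe)) { throw "Procmon not found at $exe" }
            New-Item -ItemType Directory -Force -Path (Split-Path $log) | Out-Null
            Start-Process -FilePath $exe -ArgumentList @(
                '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $log
            )
        } -ArgumentList $RemoteProcmon, $RemoteLog

        # Let the workload under investigation run while Procmon records.
        Start-Sleep -Seconds $Seconds

        # /Terminate asks the running Procmon instance to stop, flush the backing
        # file and exit; -Wait makes sure the PML is closed before we copy it.
        Invoke-Command -Session $session -ScriptBlock {
            param($exe)
            Start-Process -FilePath $exe -ArgumentList '/Terminate' -Wait
        } -ArgumentList $RemoteProcmon

        # Pull the capture back to the local machine, timestamped per VM, for
        # opening in the Procmon GUI (File > Open) or Procmon /OpenLog.
        New-Item -ItemType Directory -Force -Path $LocalDir | Out-Null
        $localPml = Join-Path $LocalDir ('{0}-{1:yyyyMMdd-HHmmss}.pml' -f $ComputerName, (Get-Date))
        Copy-Item -FromSession $session -Path $RemoteLog -Destination $localPml
        return $localPml
    }
    finally {
        Remove-PSSession $session
    }
}

# Usage (placeholder host name):
# $cred = Get-Credential
# $pml  = Start-RemoteProcmonCapture -ComputerName 'build-vm-01' -Credential $cred -Seconds 120
# "Capture saved to $pml"
```

The fixed `Start-Sleep` window is the simplest way to bracket the capture; in a real test harness you would replace it with the installer or build step you are investigating, so the PML covers exactly that activity. Copying the log off the VM before analysing it also keeps the (often large) backing file out of the VM's snapshot and lets you apply Procmon filters locally, for example to find which process still holds a handle on a file that failed to delete.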