The other day I needed to capture a Process Monitor trace on a machine to troubleshoot a problem where the entire OS GUI was “broken” after the resume from screensaver; with “GUI broken” I mean that clicking on any icon on the desktop has no effect, the right click menu does not work etc…, but we are still able to access the Task Manager and run tasks (command line etc…) from the File > New Task (Run…) menu. This suggests the user’s registry is for some reason unloaded during when the screensaver is running, but the point is: if I run Procmon before the screensaver starts and wait for the problem to reproduce (to have a complete trace) then I’m unable to save the trace because I cannot access any running task which a GUI unless I start a new one or reboot the machine. Either way the trace is lost.
Coincidentally also my colleague Stefano had a similar problem and we (he, actually) found a couple of command line switches that can be used to control Procmon for such situations, in particular “/BackingFile” and “/Terminate”: /backingfile tells Procmon where to automatically save the trace, while /terminate actually starts a new instance of Procmon, terminates all other Procmon instances and exits.
So now I can start Procmon like:
procmon /quiet /minimized /backingfile c:\temp\trace.pml
before the screensaver starts, wait for the problem to reproduce, resume the OS and even without access to the GUI and from the Task Manager run:
procmon /terminate
Now I can safely reboot the machine and have my trace to analyze; of course you can also use those (and other) command line switches in a batch file or scripts if you need to automate the tool.
Carlo
PingBack from http://mstechnews.info/2008/10/how-to-automate-process-monitor/