Microsoft ported Procmon to Linux

Microsoft loves Linux

Microsoft has ported the popular Sysinternals Procmon utility to Linux so that users can monitor running processes’ activity.

Procmon is a Windows utility that monitors the system calls, Registry access, and file activity for processes running in the operating system.

This monitoring of processes allows users to diagnose problems with programs crashing, heavy resource utilization, and even potential malware infections.

Procmon for Windows

This week Microsoft released a Linux version of the popular Procmon utility so that Linux users can monitor running processes, as shown in the demo below.

Procmon caption

When using Procmon on Linux, you can specify the process IDs that you would like to monitor or specific system calls using the following arguments:

Usage: procmon [OPTIONS]
   OPTIONS
      -h/--help                Prints this help screen
      -p/--pids                Comma separated list of process ids to monitor
      -e/--events              Comma separated list of system calls to monitor
      -c/--collect [FILEPATH]  Option to start Procmon in a headless mode
      -f/--file FILEPATH       Open a Procmon trace file

For example, to monitor the process IDs 738 and 2657, you would run:

sudo procmon -p 738,2657

To monitor PID 738 for all read and write calls, you would use the following command:

sudo procmon -p 738 -e read,write
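The -p and -e flags above take raw PID lists, so a typo or a stale PID silently traces the wrong thing. The following POSIX sh helper is an added example (not part of Procmon or its GitHub repository); the function names procmon_pids, check_pids and procmon_cmd are assumed, and it only composes the procmon command line using the flags documented above.

```shell
#!/bin/sh
# Added example: build a Procmon invocation only for PIDs that really exist.
# Helper names are assumptions; only the -p/-e flags from the usage text are used.

# procmon_pids NAME...  -> comma-separated list of live PIDs whose command
# name exactly matches any NAME (via pgrep -x); returns 1 if none matched.
procmon_pids() {
    list=""
    for name in "$@"; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            list="${list:+$list,}$pid"
        done
    done
    [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# check_pids PIDLIST -> verifies every comma-separated entry is numeric and
# names a running process (kill -0); prints the validated list or returns 1.
check_pids() {
    out=""
    for pid in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pid" in
            ''|*[!0-9]*) echo "bad pid: $pid" >&2; return 1 ;;
        esac
        kill -0 "$pid" 2>/dev/null || { echo "no such process: $pid" >&2; return 1; }
        out="${out:+$out,}$pid"
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# procmon_cmd PIDLIST [EVENTS] -> prints the procmon command line to run,
# with -e appended only when an event list (e.g. read,write) is supplied.
procmon_cmd() {
    pids=$(check_pids "$1") || return 1
    if [ -n "${2:-}" ]; then
        printf 'sudo procmon -p %s -e %s\n' "$pids" "$2"
    else
        printf 'sudo procmon -p %s\n' "$pids"
    fi
}

# Usage (constructed target name): trace read/write syscalls of every running sshd.
# pids=$(procmon_pids sshd) && cmd=$(procmon_cmd "$pids" read,write) && echo "$cmd"
```

Run the printed command yourself once it looks right; the helper deliberately does not start the trace on its own.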

For more information on how to use Procmon in Linux, you can see its GitHub page.

Building Procmon for Linux

Microsoft provides instructions on building Procmon on its GitHub page, which we have slightly modified to include all requirements.

To compile Procmon for Linux, Microsoft states that you will need to be running Ubuntu 18.04 LTS or later, have CMake 3.13 or later, and libsqlite3-dev installed.

To set up the development environment to compile Procmon, you should run the following commands:

sudo apt-get update
sudo apt-get -y install bison build-essential flex git libedit-dev libllvm6.0 llvm-6.0-dev libclang-6.0-dev python zlib1g-dev libelf-dev cmake libsqlite3-dev

Now you need to build BCC using the following commands:

git clone --branch tag_v0.10.0 https://github.com/iovisor/bcc.git
mkdir bcc/build
cd bcc/build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install

Finally, you can build Procmon with these commands:

cd ../..
git clone https://github.com/Microsoft/Procmon-for-Linux
cd Procmon-for-Linux
mkdir build
cd build
cmake ..
make
sudo make install

Once Procmon is compiled, it will be installed to /usr/bin/procmon. Unfortunately, Procmon cannot be compiled under WSL due to the lack of Kernel event tracing.
