Procmon (Process Monitor) is a free Sysinternals tool for Windows that shows real-time file system, registry, and process/thread activity. Every captured event records the process that issued it, the operation, the target path, the result and the time it took, so the tool can be used to see what a process is doing, to find slow operations and bottlenecks, and to troubleshoot deadlocks.
A deadlock is a situation in which two or more processes each wait for the other to finish an action, so neither makes progress and the system appears to lock up. Procmon can be used to identify the processes involved in a deadlock and the resources (files, registry keys) they are waiting for. With that information the deadlock can be resolved by breaking the dependency between the processes.
Procmon is an essential tool for system administrators and developers who need to monitor and troubleshoot performance issues, and a valuable one for anyone who wants to learn how Windows works under the hood.
You can download Procmon from the Sysinternals site (https://learn.microsoft.com/sysinternals/downloads/procmon), as in the image below. It is a portable program that runs without installation.
As soon as you run Procmon, it starts capturing events immediately.
1- This button starts and stops capturing (Ctrl+E).
2- This button saves the captured events to a file (Procmon's native PML format, or CSV/XML for processing with other tools).
3- This button opens the filter dialog (Ctrl+L), where we can hide the events that are of no interest to us and show only the ones we are looking for.
4- This column (Process Name) shows the name of the process that issued each captured event.
5- This column (PID) shows the id of that process.
6- The Operation column shows the operation the process performed, e.g. CreateFile, ReadFile, RegOpenKey.
7- The Path column shows the file or registry path the operation was performed on.
8- The Result column shows the outcome of the operation on that path, e.g. SUCCESS, NAME NOT FOUND, ACCESS DENIED.
9- The status bar shows how many of the captured events are currently displayed. (Note: Procmon ships with a default filter that already excludes its own activity and some rarely useful system noise, which is why the picture shows something like 137,xxx of 353,xxx events rather than all of them.)
Now, let's examine the deadlock problem between two security products through a real scenario.
Deadlock: A deadlock is a situation in which two or more processes are blocked, each waiting for a resource that is held by the other. This can happen in a variety of situations, such as when two processes try to access the same file or the same device. In the case below the two products are each inspecting the other's files and registry keys on every access, so both stall; whether or not that meets the textbook definition, the effect on the user is the same.
The owner of the computer from which the Procmon output was taken told us that the computer locked up intermittently and was generally running very slowly. On asking, we learned that FireEye's EDR product and McAfee's AV product were both installed on the PC.
Let’s examine.
At this point, it is important to know which paths a security product should not scan or otherwise operate on. Since I know the important paths of FireEye HX, I will start with those.
In the case of HX, a security product should not touch:
- any path that contains FireEye,
- any path that contains FeKern,
- any path that contains Mindexer.sys.
So we can start writing our filter accordingly.
The filter we wrote here means: show me every event whose Path contains the word "FireEye".
Next we add an exclude rule for events whose Process Name is "xagt.exe" (the main process of FireEye HX). We do not want to see the events that xagt.exe, HX's own process, generates when it writes to its own database; we are only interested in other products touching FireEye's paths.
Then click Apply.
As we can see, all operations on paths containing the word FireEye, together with the processes that issued them, are listed. In fact, not only McAfee but also Symantec's DLP process edpa.exe performs operations on these paths.
Let's write the filters the other way around as well, to make sure FireEye does not interfere with McAfee either.
First, include events whose Path contains the word McAfee.
But do not show all of them: add a second include rule, Process Name is xagt.exe (the main process of FireEye HX). Include rules on different columns are combined with AND, so only HX's own activity against McAfee paths remains.
Likewise, HX performs RegOpenKey operations on several registry paths containing McAfee.
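The two filter sets above (Path contains FireEye, exclude xagt.exe; Path contains McAfee, only xagt.exe) can be applied offline to a saved capture, which is handy when the Procmon session was taken on someone else's machine. The script below is an added example, not code from the original post or from either vendor: it reads the CSV that Procmon writes with File > Save (or with `Procmon.exe /OpenLog capture.pml /SaveAs capture.csv`), applies both rule sets in one pass, and reports which product is touching which of the other's paths. The FireEye markers and xagt.exe are the ones given above; mcshield.exe as McAfee's scanner process, the McAfee path marker and the sample events are assumptions constructed for the example.

```python
"""Triage a Procmon CSV export for security products touching each other's paths.

Added example, not code from the original post or from any vendor. Reads the CSV
that Procmon writes with File > Save (or Procmon.exe /OpenLog capture.pml /SaveAs
capture.csv); the default columns are "Time of Day","Process Name","PID",
"Operation","Path","Result","Detail".
"""
import csv
import io
from collections import Counter, defaultdict

# For each product: its own process(es) and the path markers the other side must
# not touch. The FireEye entries are the ones listed in the post; the McAfee
# process name (mcshield.exe) and path marker are assumptions for this example.
PRODUCTS = {
    "FireEye": {
        "own_processes": {"xagt.exe"},
        "markers": ("fireeye", "fekern", "mindexer.sys"),
    },
    "McAfee": {
        "own_processes": {"mcshield.exe"},  # assumption, not from the post
        "markers": ("mcafee",),
    },
}

# Constructed sample in Procmon's CSV layout (not a real capture).
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","xagt.exe","1234","WriteFile","C:\ProgramData\FireEye\xagt\db.sqlite","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.1234890 AM","mcshield.exe","2345","CreateFile","C:\ProgramData\FireEye\xagt\db.sqlite","SUCCESS","Desired Access: Generic Read"
"10:01:02.1235100 AM","mcshield.exe","2345","ReadFile","C:\ProgramData\FireEye\xagt\db.sqlite","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.1236000 AM","edpa.exe","3456","CreateFile","C:\Windows\System32\drivers\FeKern.sys","SUCCESS","Desired Access: Read Attributes"
"10:01:03.0001000 AM","xagt.exe","1234","RegOpenKey","HKLM\SOFTWARE\McAfee\Agent","SUCCESS","Desired Access: Read"
"10:01:03.0002000 AM","xagt.exe","1234","RegOpenKey","HKLM\SOFTWARE\WOW6432Node\McAfee\DesktopProtection","NAME NOT FOUND","Desired Access: Read"
"10:01:04.0000000 AM","explorer.exe","4567","CreateFile","C:\Users\user\Documents\report.docx","SUCCESS","Desired Access: Generic Read"
'''.strip()


def parse_procmon_csv(text):
    """Parse Procmon CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def load_procmon_csv(path):
    """Load a saved export from disk (utf-8-sig tolerates a BOM if one is present)."""
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return list(csv.DictReader(fh))


def cross_product_events(events, products=PRODUCTS):
    """Yield (owner, process, operation, path, result) for every event in which a
    process that is not `owner`'s own touches one of `owner`'s paths.

    This is the post's pair of Procmon rules, applied once per product:
      Path contains <marker>          -> Include
      Process Name is <own process>   -> Exclude
    """
    for ev in events:
        proc = ev["Process Name"]
        path_l = ev["Path"].lower()
        for owner, spec in products.items():
            if proc.lower() in spec["own_processes"]:
                continue  # the product writing to its own files is expected
            if any(marker in path_l for marker in spec["markers"]):
                yield owner, proc, ev["Operation"], ev["Path"], ev["Result"]


def summarize(events, products=PRODUCTS):
    """Count (owner, offending process, operation) triples."""
    counts = Counter()
    for owner, proc, op, _path, _result in cross_product_events(events, products):
        counts[(owner, proc, op)] += 1
    return counts


def missing_exclusions(events, products=PRODUCTS):
    """Map each offending process to the sorted distinct paths it touched: the list
    to hand to that product's administrator, who will normally exclude the
    enclosing directory or key as the vendor documents rather than each file."""
    paths = defaultdict(set)
    for _owner, proc, _op, path, _result in cross_product_events(events, products):
        paths[proc].add(path)
    return {proc: sorted(p) for proc, p in paths.items()}


if __name__ == "__main__":
    evs = parse_procmon_csv(SAMPLE_CSV)
    for (owner, proc, op), n in sorted(summarize(evs).items()):
        print(f"{owner:8} <- {proc:14} {op:12} x{n}")
    for proc, paths in missing_exclusions(evs).items():
        print(f"{proc} needs exclusions for:")
        for p in paths:
            print("   ", p)
```

On the sample data the summary shows mcshield.exe and edpa.exe reading FireEye's files and xagt.exe opening McAfee registry keys, while xagt.exe writing to its own database and unrelated explorer.exe activity are filtered out, exactly as the GUI filters do. Replace `SAMPLE_CSV` with `load_procmon_csv("capture.csv")` to run it on a real export, and take a fresh capture after the exclusions are configured to confirm the cross-product events are gone.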
As a result, to avoid these deadlocks and the slowness they cause, every path that FireEye and McAfee publish as exclusions for their products should be properly excluded in the other product, using the vendors' published lists rather than guesses, and a fresh Procmon capture afterwards should confirm that the cross-product operations have disappeared.