VMware Horizon Community
mpral
Contributor

Monitor activities in Virtual Environment using ProcMon

Hi,

Is there a way to use ProcMon to monitor activities (file/registry/process) within a virtual environment (in a ThinApp app)?

Below are the steps tried:

1. Copied the ProcMon file as part of a virtual package (into the Program Files\AppName folder).

2. Launched regedit (the virtual one, used as a troubleshooting entry point).

3. Launched ProcMon from within the virtual environment and monitored activity.

4. Created a registry entry within the virtual environment.

5. No activity was logged by ProcMon for "RegCreateKey".

Please let me know if there is any way to use ProcMon to monitor activities in the virtual world.

Thanks,

Charan

5 Replies
shrivastavaa
Enthusiast

Charan,

For the record, ProcMon should definitely capture registry APIs; I have used it many times, but honestly you are better off using Log Monitor.

Now, I do not think copying ProcMon into the package will do any good; in fact it may not run at all if it depends on a driver. So if you really want to proceed with ProcMon, run it outside the bubble and monitor from there.

Now, if you intend to see the ThinApp behaviour for creating/opening registry files, you are out of luck. I may be able to help you if you tell me what exactly you are trying to do.

Phil_Helmling
VMware Employee

Charan, you don't need to put procmon.exe into the package, but you will need to run it from an entry point. The easiest way to do this is to enable the CMD.EXE entry point, then navigate to the directory that has procmon.exe and run it. Be aware that you will need to run it once natively first to initialise it. You will then see what the package is doing. I also set up a standard filter when running natively, basically removing all standard processes.

HTH

Phil

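Phil's suggestion above pairs a ProcMon capture with a filter that drops the standard background processes. As an added example, not code from this thread or from VMware, here is a small Python script that applies that kind of filter offline to a ProcMon CSV export: it keeps registry operations from one process of interest (regedit.exe here, matching the original question) and discards the usual noise processes, so the RegCreateKey/RegSetValue calls the poster is looking for stand out. The CSV rows are constructed for this example; only the column names follow ProcMon's default CSV export, and the noise-process list is an assumption you would tune to your own machine.

```python
import csv
import io
from collections import Counter

# Constructed sample of a ProcMon CSV export (File > Save, CSV format).
# The column names match ProcMon's default export; the rows are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","regedit.exe","4120","RegCreateKey","HKCU\\Software\\TestApp","SUCCESS","Desired Access: All Access"
"10:01:02.1300000 AM","regedit.exe","4120","RegSetValue","HKCU\\Software\\TestApp\\Installed","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.1400000 AM","svchost.exe","912","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp","SUCCESS","Type: REG_SZ"
"10:01:02.1500000 AM","explorer.exe","3004","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 4096"
"10:01:02.1600000 AM","regedit.exe","4120","CreateFile","C:\\Users\\charan\\AppData\\Local\\Temp\\x.tmp","NAME NOT FOUND","Desired Access: Read"
"10:01:02.1700000 AM","Procmon.exe","5520","RegOpenKey","HKLM\\SOFTWARE\\Sysinternals\\Process Monitor","SUCCESS","Desired Access: Read"
"""

# Assumed "standard processes" to drop, in the spirit of the filter Phil
# describes; extend this set for the machine you are troubleshooting on.
NOISE_PROCESSES = {
    "svchost.exe", "explorer.exe", "procmon.exe", "procmon64.exe",
    "csrss.exe", "lsass.exe", "system",
}


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(rows, process_name=None, operation_prefix=None,
                  exclude=NOISE_PROCESSES):
    """Keep rows that survive the filter.

    process_name     -- if given, keep only events from this process (case-insensitive)
    operation_prefix -- if given, keep only operations starting with it, e.g. "Reg"
    exclude          -- process names dropped unconditionally (the noise filter)
    """
    excluded = {p.lower() for p in exclude}
    kept = []
    for row in rows:
        name = row["Process Name"].lower()
        if name in excluded:
            continue
        if process_name and name != process_name.lower():
            continue
        if operation_prefix and not row["Operation"].startswith(operation_prefix):
            continue
        kept.append(row)
    return kept


def summarize(rows):
    """Count events per (process, operation) pair, handy for spotting what a package touches."""
    return Counter((r["Process Name"], r["Operation"]) for r in rows)


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    registry_events = filter_events(events, process_name="regedit.exe",
                                    operation_prefix="Reg")
    for ev in registry_events:
        print(ev["Operation"], ev["Path"], ev["Result"])
    print(summarize(filter_events(events)))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the same filter can be reproduced in ProcMon's own filter dialog, but doing it offline makes it easy to compare a capture taken from the native regedit with one taken from the entry-point regedit, which is exactly the comparison the original post is trying to make.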
shrivastavaa
Enthusiast

Phil,

I still do not see the point of running ProcMon virtually. It will just make ThinApp launch ProcMon, which means ThinApp intercepts the call (generated by the procmon application) before procmon itself. Regarding monitoring other virtual processes, it should act the same as running it natively.

What additional benefits did you see when you ran it inside the bubble?

mpral
Contributor

Hi Phil / Sri,

Thanks for your response!

Agreed, I need not put procmon.exe into the package. I also tried to run ProcMon from an entry point (cmd.exe), but it still does not seem to monitor activities within the bubble (virtual environment).

PFA images, which show activity for registry changes when regedit is launched from the machine's start menu but not from Regedit.exe (entry point shortcut).

ProcMon.jpg

RegActivity.jpg

Sri,

What I am trying to achieve here is to monitor registry activity using the regedit entry point and ProcMon (launched using the cmd.exe entry point). The objective of doing this is that it would help a great deal in monitoring file/registry/process activity as and when an issue occurs, which helps a great deal in troubleshooting (rather than relying only on Log Monitor, which gives a dump of the entire activity of the launch).

I'm sure I've used this in App-V for troubleshooting and monitoring activities within the bubble.

Please let me know if you have any method to do so in ThinApp.

Thanks,

Charan

shrivastavaa
Enthusiast

As I said, you are better off doing this with Log Monitor. First, it will help you eliminate all the calls made by the ThinApp runtime, which will not add any value to the logs. Next, if you do want to use ProcMon, try it outside the bubble (you will hardly see any change while running it inside the bubble).

As for App-V, it intercepts things at the kernel (unlike ThinApp, which does it in user mode); the architecture is quite different as well.

Aditya
