avinashupadhyay-1971 asked cooldadtx commented

Set up procmon as a background task to run at a specific time and capture a specific process

I want to capture some details around a w3wp process which triggers at a particular time and fails intermittently.
How can I set up procmon with a process filter to run independently (maybe Task Scheduler) at a specific time, capture the log, save it for future review, and then exit?

windows-sysinternals-procmon

1 Answer

cooldadtx answered cooldadtx commented

You can schedule procmon to run via Task Scheduler. The challenge is when. If you have a specific time then you can set that. If you don't know when then it becomes harder as you are limited in startup options.

To stop procmon from running you can either set a run length limit in Task Scheduler or you can tell procmon to stop collecting after a certain interval or event size limit.

Note however that I don't believe using procmon is the correct solution here. The biggest issue is that you're talking about IIS. The process by itself isn't sufficient to identify the site being run. If you are like most other companies then your IIS is hosting more than 1 site. There will be no easy way using procmon to tell it to monitor just 1 site out of all of them. w3wp is the process IIS uses to run all sites and therefore each app pool is going to have its own instance. Within the app pool any related sites are going to be running. Depending upon your IIS configuration you may be monitoring the wrong process or more than just the site you care about.

Personally I think the better option is to use IIS's custom logging directly, your own custom logging within your app, AppInsights for on premise or the older IIS monitoring tools. These will allow you more fine grained control over the site(s) to monitor and they will better integrate with how web apps actually work.


Thank you @cooldadtx. In my case I am hosting a single website; there are multiple w3wp worker processes though, for various app pools. I want to capture a w3wp process (let's say via PID) for a particular app pool running two w3wp worker processes. Let's say I have identified a time to be able to replicate the issue; how can I set up the filter correctly (possibly arguments in Task Scheduler)?

These are asp.net calls which are getting resource (ISAPI module) locked during an API call from another software. From the FRT logs I captured for 500 Internal server errors, I suspect McAfee is messing up with the asp.net calls and intermittently causes the 500 errors.

The application logs are not of much help; I have gone through them.
What additional IIS logging can be enabled, and what specific old IIS monitoring tool are you referring to? Could you please provide a specific tool which may be able to tell me what resource is getting locked?

0 Votes 0 ·
cooldadtx avinashupadhyay-1971 ·

You cannot use the PID as it changes. The only way to identify it in procmon is by process name and as you already noticed there are multiples. Since procmon doesn't understand IIS it won't be able to distinguish between them and there aren't any process data points that would help it tell the difference anyway.

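One possible workaround would be to use PowerShell as the started process. Within PS have it get the running app pool that you care about by name using something like this (not tested).

Import-Module WebAdministration   # provides the IIS: drive used below
# Returns the PID of each worker process currently serving the named app pool
$id = dir 'IIS:\AppPools\<poolname>\WorkerProcesses\' | Select-Object -ExpandProperty processId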


Assuming it was running you now have the PID. Then call procmon although I don't see any cmdline arg that allows a PID so I assume you'll have to dynamically create a filter that you can pass to the program to filter by PID.

But if you're having file locking issues then personally I would just first try excluding the IIS webroot from McAfee. If the problem goes away you know. Alternatively have procmon monitor everything (otherwise it might miss McAfee calls). Just having procmon monitor the site might tell you there is a file lock issue but won't tell you who else has locked it. Monitoring the folder that is having the issue and all processes would narrow down all processes trying to use the files in the folder at the given time.

1 Vote 1 ·
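The approach outlined in the comment above (resolve the pool's worker PIDs at run time, let procmon capture everything for a fixed window, then narrow the log afterwards), as an added example that is not code from the thread. The pool name, paths, duration and task name are assumed placeholders, and the narrowing is done on an exported CSV instead of a generated procmon filter.

```powershell
# Added example (not from the thread). All default values below are assumptions.
param(
    [string]$PoolName = 'MyAppPool',               # assumed app pool name
    [string]$Procmon  = 'C:\Tools\Procmon64.exe',  # assumed procmon location
    [string]$OutDir   = 'C:\ProcmonLogs',          # assumed output folder
    [string]$WebRoot  = 'C:\inetpub\wwwroot',      # assumed site content folder
    [int]$Seconds     = 300                        # capture window
)
Import-Module WebAdministration                    # provides the IIS: drive

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml   = Join-Path $OutDir "w3wp-$stamp.pml"
$csv   = Join-Path $OutDir "w3wp-$stamp.csv"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Worker PIDs change on every recycle, so resolve them at capture time.
# A pool with two workers returns two PIDs; keep them beside the log.
$workerPids = @(Get-ChildItem "IIS:\AppPools\$PoolName\WorkerProcesses" |
                Select-Object -ExpandProperty processId)
$workerPids | Set-Content (Join-Path $OutDir "w3wp-$stamp.pids.txt")

# Unfiltered capture to a backing file; /Runtime makes procmon exit by itself.
# An unfiltered capture on a busy server grows quickly, so keep the window short.
Start-Process $Procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/NoFilter',
    '/BackingFile', "`"$pml`"", '/Runtime', $Seconds)

# Convert the saved log to CSV so it can be filtered without the GUI.
Start-Process $Procmon -Wait -ArgumentList @(
    '/AcceptEula', '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`"")

# Keep events from the pool's workers plus events from ANY process under the
# web root, so whatever else touched the same files shows up next to w3wp.
Import-Csv $csv |
    Where-Object { $workerPids -contains [int]$_.PID -or $_.Path -like "$WebRoot*" } |
    Export-Csv (Join-Path $OutDir "w3wp-$stamp.filtered.csv") -NoTypeInformation

# Scheduling it once, elevated (script path and time are assumptions):
#   $a = New-ScheduledTaskAction -Execute 'powershell.exe' `
#        -Argument '-NoProfile -File C:\Tools\Capture-W3wp.ps1'
#   $t = New-ScheduledTaskTrigger -Once -At '02:00'
#   Register-ScheduledTask -TaskName 'ProcmonW3wp' -Action $a -Trigger $t `
#        -User 'SYSTEM' -RunLevel Highest
```

In the filtered CSV, rows whose Process Name is not w3wp.exe but whose Path sits under the web root are the other processes touching the site's files during the window.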

This is the error that gets registered in the FRT trace for failed 500 errors.
Also please note that the issue is intermittent, where 98% of calls are successful and the rest fail. The only way to get it running is to perform an IISRESET or app pool recycle.

MODULE_SET_RESPONSE_ERROR_STATUS

Warning-

ModuleName="IsapiModule", Notification="EXECUTE_REQUEST_HANDLER", HttpStatus="500", HttpReason="Internal Server Error", HttpSubStatus="0", ErrorCode="The requested resource is in use.
(0x800700aa)", ConfigExceptionInfo=""

Any clues on this? I am unsure how and where to check as to why this error occurs.

0 Votes 0 ·