question

0 Votes
BobK-5529 asked BobK-5529 commented

Procmon: how to inject debug messages and have them included in the output?

Here is the problem: I found the help topic "Injecting Application Debug Messages".

This is great! I can write a debug message, send it to the procmon device and it will be in the procmon log.

Unfortunately, this seems nearly useless. I'm hoping I misunderstand something.

It appears that the only way to include the debug messages is to add a Filter clause:

Operation Is Debug Output Profiling then Include.

If I add that to the filter, I see the debug messages. The problem is I also need other filters, such as:

Path Begins with "c:\dir1\dir1\" then Include.

When I add any other clause to the filter, it clears the screen because both clauses are ANDed together, which will never result in any events since the debug events have no path.

Can debug messages be used when using filters?

Thanks.

windows-sysinternals-procmon

1 Answer

1 Vote
RLWA32-6355 answered BobK-5529 commented

After building the NativeTest.exe application for use with ProcMon debug messages I set up the following filter.

[Image: procmonfilter.png]

and the capture results were -

[Image: procmondisplay.png]




Ah ha! It didn't occur to me to create a Path filter that matches NOTHING. That PATH clause will OR into any additional PATH clause, so my non-empty will still work. Not very intuitive, but it will work.
Thanks!

0 Votes
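The filter behaviour discussed in this thread, as an added example that is not part of the original posts and is not Procmon code: a simplified Python model in which Include clauses on the same column are ORed and clauses on different columns are ANDed. The event records are constructed, the `Path is ""` clause is an assumed reading of the screenshot-only answer, and case-insensitive matching is an assumption of the model.

```python
# Simplified model of Procmon Include-filter evaluation (illustration only).
from collections import defaultdict

# Relations used in the thread; case-insensitive comparison is assumed here.
RELATIONS = {
    "is": lambda value, arg: value.lower() == arg.lower(),
    "begins with": lambda value, arg: value.lower().startswith(arg.lower()),
}

def visible(event, include_clauses):
    """Same-column clauses are ORed; groups for different columns are ANDed."""
    by_column = defaultdict(list)
    for column, relation, arg in include_clauses:
        by_column[column].append((relation, arg))
    return all(
        any(RELATIONS[rel](event.get(col, ""), arg) for rel, arg in clauses)
        for col, clauses in by_column.items()
    )

def apply_filter(events, include_clauses):
    """Return the Ids of the events that remain on screen."""
    return [e["Id"] for e in events if visible(e, include_clauses)]

# Constructed sample events; the debug event carries no Path.
EVENTS = [
    {"Id": 1, "Operation": "Debug Output Profiling", "Path": ""},
    {"Id": 2, "Operation": "CreateFile", "Path": r"C:\dir1\dir1\a.txt"},
    {"Id": 3, "Operation": "ReadFile", "Path": r"C:\other\b.txt"},
]

# The filter from the question: Operation AND Path can never both match.
QUESTION_FILTER = [
    ("Operation", "is", "Debug Output Profiling"),
    ("Path", "begins with", "c:\\dir1\\dir1\\"),
]

# Assumed form of the workaround: a second Path clause that matches the
# empty path, so it ORs with the directory clause in the same column.
EMPTY_PATH_FILTER = [
    ("Path", "is", ""),
    ("Path", "begins with", "c:\\dir1\\dir1\\"),
]

if __name__ == "__main__":
    print("question filter  :", apply_filter(EVENTS, QUESTION_FILTER))
    print("empty-path filter:", apply_filter(EVENTS, EMPTY_PATH_FILTER))
```

In this model any other event with an empty Path would also pass the second filter, so a capture may show more than the debug messages and the chosen directory.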