How to use Process Monitor to help diagnose publishing issues
In the following article we will show you how to use Process Monitor (procmon) from Sysinternals to collect file system, registry and process events to assist a Patch My PC support engineer with diagnosing publishing issues in both WSUS and ConfigMgr.
Overview
Sometimes we require more details to help diagnose publishing issues in your environment. Process Monitor, from Sysinternals, commonly referred to as Procmon, is an advanced monitoring tool for Windows that captures real-time file system, registry and process activity.
We often see antivirus engines locking files during publishing and a procmon trace is useful to help flag to security teams the correct antivirus configurations and exclusions to put into place.
A procmon trace is also very useful for revealing competing antivirus products installed on the same server, which will exacerbate file locks. We often encounter this when customers perform in-place upgrades on servers from Server 2012 to a higher version. Windows Defender must be explicitly disabled or set to passive mode after an in-place upgrade if you are using a third-party antivirus solution. See the following advice from Microsoft for more information: Microsoft Defender Antivirus on Windows Server | Microsoft Learn
Note: Please see the following KB for the recommended antivirus exclusions when publishing apps and updates to ConfigMgr, WSUS and Intune: Patch My PC – Recommended antivirus exclusions
Download Procmon from Sysinternals
Procmon can either be downloaded as a zip file (1) or as an executable (2) from the Sysinternals website.
Typically, we recommend downloading the zip file and extracting the contents to disk so they can be used for continuous troubleshooting when working with our engineers on a support case.
Download the zip file from the website https://learn.microsoft.com/en-us/sysinternals/downloads/procmon or directly from this link: https://download.sysinternals.com/files/ProcessMonitor.zip. Once downloaded, extract the contents to a folder.
The extracted zip file will reveal the following files which we will use for troubleshooting.
Run a procmon trace to diagnose publishing issues
Unless otherwise instructed, a procmon trace is run from the same computer where the Patch My PC Publishing Service is installed.
1. Run procmon.exe (1) on the same computer where the Patch My PC Publisher Service is installed (2)
2. Agree to the Sysinternals licence terms
3. Procmon will start collecting events straight away. To avoid unnecessarily large capture files, stop the capture until you are ready to reproduce the issue. Stop the trace by clicking the Capture icon on the toolbar.
4. Clear the current trace by clicking the Clear icon on the toolbar.
5. Reproduce the publishing issue by selecting the appropriate products in the Publisher and, from the Sync Schedule (1) tab, clicking Run Publishing Service Sync (2).
6. Immediately, in procmon click the Capture icon on the toolbar to begin capturing the publishing events that occur during the sync.
7. Once publishing has completed, click the Capture icon on the toolbar again (see above) to finish the capture. You can verify the sync has completed by reviewing the following log file and observing the *** Report log line. This log line indicates the sync has completed and will report any successes and failures.
- %PatchMyPCInstallDirectory%\PatchMyPC.log
8. Save the capture by clicking Save from the File menu.
9. Unless instructed to filter captured events, ensure the following options are selected:-
- Events to save = All events
- Format = Native Process Monitor Format (PML)
- Path = Make a note of the path where the .pml file will be saved
By default, the .pml file will save into the same folder that procmon.exe was launched from and will be named LogFile.PML.
10. Finally, the .pml file will compress very well. Please compress the file before sending it to Patch My PC support.
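The same capture can be scripted with Procmon's command-line switches. The script below is an added example, not a Patch My PC or Sysinternals script: it starts the capture before you trigger the sync, waits for a new *** Report line in PatchMyPC.log, stops Procmon and zips the result. The parameter names, working folder, timeout and polling interval are assumptions; supply your own paths for Procmon.exe and PatchMyPC.log.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). All parameter names and defaults are assumptions.
param(
    [Parameter(Mandatory)] [string] $ProcmonExe,    # path to the extracted Procmon.exe
    [Parameter(Mandatory)] [string] $PublisherLog,  # full path to PatchMyPC.log
    [string] $OutDir = "$env:TEMP\ProcmonCapture",  # assumed working folder
    [string] $Customer = 'ContosoLtd',              # sample name used in the article
    [int]    $TimeoutMinutes = 120                  # assumed upper bound for one sync
)

function Get-ReportLineCount {
    # Count "*** Report" lines so that a line left by an earlier sync is not
    # mistaken for the end of this one.
    @(Select-String -LiteralPath $PublisherLog -SimpleMatch '*** Report' `
        -ErrorAction SilentlyContinue).Count
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pml = Join-Path $OutDir 'LogFile.PML'
$zip = Join-Path (Split-Path $OutDir -Parent) "ProcmonCapture-for-PatchMyPC-from-$Customer.zip"
if (Test-Path $zip) { throw "$zip already exists; remove or rename it first." }

$baseline = Get-ReportLineCount

# Capture straight to a backing file, EULA accepted, no filter prompt at startup.
$capture = Start-Process -FilePath $ProcmonExe -PassThru -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`"")
Start-Sleep -Seconds 5
Read-Host 'Capture running. Click "Run Publishing Service Sync" in the Publisher, then press Enter'

# Poll the Publisher log until a new "*** Report" line marks the end of the sync.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while ((Get-ReportLineCount) -le $baseline -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
}
if ((Get-ReportLineCount) -le $baseline) {
    Write-Warning 'No new "*** Report" line was seen before the timeout.'
}

# Stop the running instance so the PML is flushed and closed, then wait for exit.
Start-Process -FilePath $ProcmonExe -ArgumentList '/Terminate' -Wait
$capture | Wait-Process -Timeout 120 -ErrorAction SilentlyContinue

# Zip the whole folder, since a long capture may be split across several PML files.
# Compress-Archive documents a 2 GB file limit, so the .NET ZipFile class is used.
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($OutDir, $zip)
Write-Host "Upload $zip with the requested log files via https://patchmypc.com/share"
```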
Send the capture (pml) file to Patch My PC support
IMPORTANT: As well as sharing the capture with us, we also require the relevant log files to help us match failed publishing events with the captured events. Your support engineer will ask for the relevant log files, as listed in the KB Collecting Log Files to Send to Support for SCCM and Intune – Patch My PC.
Even after compressing the .pml file, it is normally too large to send via email. Please upload the captured events and requested log files in .zip format. We recommend renaming the zip file so it's descriptive and can be easily identified by your support engineer. For example:-
ProcmonCapture-for-PatchMyPC-from-ContosoLtd.zip
Upload the file(s) to support via https://patchmypc.com/share
Note: The following KB has more details on how to share files with support: Share Large Files with Patch My PC for Support Case