I was working through some nasty Windows automation problems buried deep in a CloudFormation template.
Something appeared to be overwriting a certificate private key that we were placing on the system.
The block of automation code that might contain the offending lines is a complex Salt configuration.
Being able to automatically enable a Procmon trace for just that segment of code would be very handy, since I can't manually trace the automation, and it would save me from having to trace the entire setup from start to end.
The first one-liner downloads Procmon if it is not already present and launches it to start a trace.
The second one-liner terminates the trace.
The examples below are coded as CloudFormation cfn-init "commands" that use PowerShell, but you can use them anywhere you can kick off PowerShell.
Happy bug hunting!
Oneliner to Download Procmon and Start a Trace
The following one-liner is shown as a cfn-init command because that can be the most syntactically challenging to devise; it can be used anywhere PowerShell runs. cfn-init executes commands in alphabetical order of their keys, which is why the start command gets a key that sorts before the step under suspicion and the stop command a key that sorts after it. This one-liner is NOT reboot resilient: the capture ends when the machine restarts. For a trace to start during a boot, add the parameter /EnableBootLogging and reboot; /EnableBootLogging applies to the next boot only and does NOT persist through multiple reboots. Two caveats are worth keeping in mind. The binary is fetched over the network and then executed with the privileges of cfn-init (normally LocalSystem), so verify its Authenticode signature before launching it on anything you care about. And the resulting .pml records process command lines, file paths and registry values for everything on the box, so treat it as sensitive and delete it once you have your answer.
# cfn-init runs commands in alphabetical key order, so give the start command a key
# that sorts before the suspect step and the stop command one that sorts after it.
# The download is skipped when procmon.exe is already present; TLS 1.2 is forced
# because older PowerShell builds default to TLS 1.0, and -UseBasicParsing avoids the
# Internet Explorer first-run dependency on a fresh server.
2-download-and-start-procmon:
  command: |
    powershell.exe -ExecutionPolicy Unrestricted -command if (-not (Test-Path c:\windows\temp\procmon.exe)) { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest -Uri https://live.sysinternals.com/Procmon.exe -OutFile c:\windows\temp\procmon.exe -UseBasicParsing } ; Start-Process -FilePath c:\windows\temp\procmon.exe -ArgumentList '/Quiet /AcceptEula /Minimized /BackingFile c:\windows\temp\ProcmonCapture.pml' ; Start-Sleep 10 ; Write-Output "STARTED: Procmon Trace: c:\windows\temp\ProcmonCapture.pml"
Oneliner to Stop a Trace
As above, this one-liner is shown as a cfn-init command, but it can be used anywhere PowerShell runs. /Terminate signals the capturing instance to stop, flush the backing file and unload its driver; the -Wait keeps cfn-init from moving on to the next command before the /Terminate instance has returned.
5-stop-procmon:
  command: |
    powershell.exe -ExecutionPolicy Unrestricted -command Start-Process -FilePath c:\windows\temp\procmon.exe -ArgumentList '/Terminate' -Wait ; Write-Output "COMPLETED: Procmon Trace: c:\windows\temp\ProcmonCapture.pml"
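The two one-liners above are the start and stop halves of one procedure. The script below is an added example, not code from the original post or from the DebugDeepPSHExecution repository, that wraps a suspect block of automation between them in a single PowerShell file: it downloads Procmon only when it is missing, refuses to run it unless the Authenticode signature is valid and Microsoft-signed, starts the capture, runs the block, and stops the trace in a finally so the Procmon driver never stays resident if the block throws. The paths, the function names, the signer check and the stand-in block that touches a placeholder key file are assumptions for illustration; the fixed Start-Sleep of the original is replaced with Procmon's /WaitForIdle switch, which is my choice rather than the post's.

```powershell
# Added example (not from the original post or the DebugDeepPSHExecution repo).
# Paths, function names, the signer check and the stand-in block are assumptions.

$ProcmonUrl  = 'https://live.sysinternals.com/Procmon.exe'
$ProcmonExe  = 'C:\Windows\Temp\procmon.exe'
$BackingFile = 'C:\Windows\Temp\ProcmonCapture.pml'

function Get-Procmon {
    param([string]$Url, [string]$Path)
    if (-not (Test-Path -Path $Path)) {
        # Older PowerShell builds default to TLS 1.0, which the download host rejects.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        # -UseBasicParsing avoids the Internet Explorer first-run dependency on fresh servers.
        Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing
    }
    # Refuse to run an unverified binary as SYSTEM: require a valid Microsoft signature.
    # Pin the certificate thumbprint instead of matching the subject if you want it stricter.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to run $Path : status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }
    return $Path
}

function Start-ProcmonTrace {
    param([string]$Exe, [string]$Pml)
    # Start from an empty backing file so the capture is not mixed with a stale one.
    if (Test-Path -Path $Pml) { Remove-Item -Path $Pml -Force }
    Start-Process -FilePath $Exe -ArgumentList "/Quiet /AcceptEula /Minimized /BackingFile $Pml"
    # Block until the capturing instance reports it is ready, instead of a fixed sleep.
    Start-Process -FilePath $Exe -ArgumentList '/WaitForIdle' -Wait
    Write-Output "STARTED: Procmon trace: $Pml"
}

function Stop-ProcmonTrace {
    param([string]$Exe, [string]$Pml)
    # /Terminate tells the running instance to stop capturing, flush the PML and unload
    # its driver; -Wait keeps the caller from moving on before that instance returns.
    Start-Process -FilePath $Exe -ArgumentList '/Terminate' -Wait
    Write-Output "COMPLETED: Procmon trace: $Pml"
}

function Invoke-TracedBlock {
    param([string]$Exe, [string]$Pml, [scriptblock]$Block)
    Start-ProcmonTrace -Exe $Exe -Pml $Pml
    try {
        & $Block
    }
    finally {
        # Runs even if the suspect block throws, so the trace is always closed.
        Stop-ProcmonTrace -Exe $Exe -Pml $Pml
    }
}

$exe = Get-Procmon -Url $ProcmonUrl -Path $ProcmonExe

# Stand-in for the suspect Salt step (constructed): write a placeholder key file so the
# capture contains a WriteFile on the path you would later filter for in Procmon.
Invoke-TracedBlock -Exe $exe -Pml $BackingFile -Block {
    Set-Content -Path 'C:\Windows\Temp\example-private-key.pem' -Value 'placeholder'
}
```

In a template you would lay this down with a cfn-init files: entry and run it from the command that wraps the suspect step, or keep the two one-liners and lift only Get-Procmon into the start command. Either way, open the .pml afterwards with a Path filter on the key file, look at the Process Name and Command Line of the writer, and then delete the .pml: it holds command lines and paths for every process that ran while the trace was active.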
This code is also part of the PSHDeepExecutionDebugging repository: https://github.com/DarwinJS/DebugDeepPSHExecution