
@MyITGuy
Last active April 2, 2024 18:11
Registry settings to adjust ProcMon driver altitude

Common

Column Relation Value Action
Operation contains CREATE Include
Operation contains READ Include
Operation contains QUERY Include
Operation contains WRITE Include
Event Class is File System Include
Result is IS DIRECTORY Exclude
Detail contains Directory Exclude

Uncommon

Determine what Symantec Endpoint Protection (SEP) is interacting with

Column Relation Value Action
Process Name is ccSvcHst.exe Include
Path contains \Symantec\Symantec Endpoint Protection Exclude

Determine what is interacting with the Flexera App Portal Web Extension

Column Relation Value Action
Process Name is FlexeraAppPortalClient.exe 1 Exclude
Process Name is cmd.exe 1 Exclude
Process Name is msedge.exe 1 2 Exclude
Process Name is System 1 Exclude
Process Name is csrss.exe 1 Exclude
Process Name is lsass.exe 1 Exclude
Process Name is svchost.exe 1 Exclude
Process Name begins with Sysmon 1 Exclude
Process Name begins with Procmon 1 Exclude
Path contains FlexeraAppPortalClient.exe Include

Determine what Ivanti/AppSense Application Manager is interacting with

Column Relation Value Action
Process Name begins with AMAgent Include
Path contains \AppSense Exclude

Determine what Ivanti/AppSense Environment Manager is interacting with

Column Relation Value Action
Process Name begins with EmCore Include
Process Name begins with EmSystem Include
Process Name begins with EmUser Include
Path contains \AppSense Exclude

Determine what Ivanti/AppSense Deployment Agent is interacting with

Column Relation Value Action
Process Name is Cca.exe Include
Path contains \AppSense Exclude

Determine what Ivanti/AppSense Watchdog Agent is interacting with

Column Relation Value Action
Process Name begins with WatchdogAgent Include
Path contains \AppSense Exclude

Footnotes

  1. Process interaction allowed, so the process's own events are excluded from the capture.

  2. Replace with the executable name for whichever web browser is used.

#region Set-ProcMonAltitude
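function Set-ProcMonAltitude {
    <#
    .SYNOPSIS
        Pre-seeds the Process Monitor (ProcMon) filter-driver service keys with a fixed
        minifilter altitude and pins the instance key with a Deny ACE.
    .DESCRIPTION
        For every version in -Version the function writes
        HKLM\SYSTEM\CurrentControlSet\services\PROCMON<ver>  (SupportedFeatures),
        ...\Instances                                         (DefaultInstance),
        ...\Instances\Process Monitor <ver> Instance          (Altitude, Flags) and
        ...\Instances\Process Monitor <ver> Instance\Enum     (0, Count, NextInstance),
        then adds a "Deny Everyone: Delete, SetValue" rule on the instance key so the
        altitude is not rewritten afterwards. An already present Deny rule is lifted
        first, because it would block this function's own value writes.
    .PARAMETER Version
        ProcMon driver version numbers (the N in PROCMONN). Defaults to 23 and 24.
    .PARAMETER Altitude
        Value written to the instance key's Altitude (stored as REG_SZ). Declared
        [int32[]] for compatibility with existing callers: a scalar binds as a
        one-element array and is stored in its string form. Passing several values is
        presumably not intended and would end up as a single string — TODO confirm.
    .NOTES
        Writes under HKLM and takes ownership of the instance key, so administrative
        rights are required. The Deny rule is for Everyone, i.e. every principal: after
        this runs, values under the instance key cannot be set or deleted until the rule
        is removed again (Remove-ProcMonAltitude does that). The default altitude 20003
        is low in the minifilter stack; presumably chosen so ProcMon attaches below other
        filters such as endpoint-protection drivers — verify against the altitude
        allocation list before changing it. Errors are rethrown unchanged.
    #>
    [CmdletBinding()]
    PARAM(
        [Parameter(Mandatory = $false, Position = 0)]
        [int32[]]
        $Version = @(23, 24)
        ,
        [Parameter(Mandatory = $false, Position = 1)]
        [int32[]]
        $Altitude = 20003
    )
    begin {
        Write-Verbose $MyInvocation.MyCommand

        # Registry path (relative to HKLM) of the driver's service key for one version.
        function Get-ProcMonServiceKeyPath {
            param([int32] $InstanceVersion)
            return "SYSTEM\CurrentControlSet\services\PROCMON$($InstanceVersion)"
        }

        # Registry path (relative to HKLM) of the filter instance key for one version.
        function Get-ProcMonInstanceKeyPath {
            param([int32] $InstanceVersion)
            $serviceKey = Get-ProcMonServiceKeyPath -InstanceVersion $InstanceVersion
            return "$serviceKey\Instances\Process Monitor $($InstanceVersion) Instance"
        }

        # The ACE managed by this function: Deny Everyone Delete + SetValue.
        function New-DenyEveryoneRule {
            $rights = [System.Security.AccessControl.RegistryRights]::Delete -bor [System.Security.AccessControl.RegistryRights]::SetValue
            return New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @('Everyone', $rights, [System.Security.AccessControl.AccessControlType]::Deny)
        }

        # True when the key's DACL holds an ACE equal to $Rule on the compared properties.
        # A missing or unreadable key (Get-Acl returns nothing) counts as "not present".
        function Test-DenyRulePresent {
            param(
                [string] $KeyPath,
                [System.Security.AccessControl.RegistryAccessRule] $Rule
            )
            $security = Get-Acl -Path "HKLM:$KeyPath" -ErrorAction SilentlyContinue
            if ($security -isnot [System.Security.AccessControl.RegistrySecurity]) {
                return $false
            }
            $compared = 'RegistryRights', 'AccessControlType', 'IdentityReference', 'IsInherited', 'InheritanceFlags', 'PropagationFlags'
            $hits = @($security.Access | Where-Object {
                (Compare-Object -ReferenceObject $_ -DifferenceObject $Rule -Property $compared -IncludeEqual).SideIndicator -eq '=='
            })
            # Count-based so that duplicate matching ACEs still report "present".
            return $hits.Count -gt 0
        }

        # Adds (default) or removes (-Remove) $Rule on the key's DACL; the handle is closed
        # on every exit path. The key is opened with TakeOwnership only, as in the original
        # script; whether that access mask alone is enough for GetAccessControl /
        # SetAccessControl on a hardened key is not verified here — TODO confirm.
        function Set-DenyRule {
            param(
                [string] $KeyPath,
                [System.Security.AccessControl.RegistryAccessRule] $Rule,
                [switch] $Remove
            )
            $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
                $KeyPath,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                [System.Security.AccessControl.RegistryRights]::TakeOwnership)
            if ($null -eq $key) {
                throw "Registry key not found: HKLM\$KeyPath"
            }
            try {
                $security = $key.GetAccessControl()
                if ($Remove) {
                    $security.RemoveAccessRuleAll($Rule)
                }
                else {
                    $security.SetAccessRule($Rule)
                }
                $key.SetAccessControl($security)
            }
            finally {
                $key.Close()
            }
        }
    }
    process {
        try {
            $denyRule = New-DenyEveryoneRule
            foreach ($InstanceVersion In $Version) {
                $serviceKey = Get-ProcMonServiceKeyPath -InstanceVersion $InstanceVersion
                $instanceKey = Get-ProcMonInstanceKeyPath -InstanceVersion $InstanceVersion

                # Lift an existing pin first: the Deny ACE would block the value writes below.
                $pinned = Test-DenyRulePresent -KeyPath $instanceKey -Rule $denyRule
                if ($pinned) {
                    Set-DenyRule -KeyPath $instanceKey -Rule $denyRule -Remove
                    # Re-check rather than assume: if the removal did not take, the rule is
                    # still there and must not be added a second time at the end.
                    $pinned = Test-DenyRulePresent -KeyPath $instanceKey -Rule $denyRule
                }

                $regSz = [Microsoft.Win32.RegistryValueKind]::String
                $regDword = [Microsoft.Win32.RegistryValueKind]::DWord
                # The original relies on -Force creating the intermediate keys here, so the
                # service and Instances keys exist before their values are written.
                $null = New-Item -Path "HKLM:$instanceKey\Enum" -ItemType Directory -Force
                $null = New-ItemProperty -Path "HKLM:$serviceKey" -Name 'SupportedFeatures' -Value 3 -PropertyType $regDword -Force
                $null = New-ItemProperty -Path "HKLM:$serviceKey\Instances" -Name 'DefaultInstance' -Value "Process Monitor $($InstanceVersion) Instance" -PropertyType $regSz -Force
                $null = New-ItemProperty -Path "HKLM:$instanceKey" -Name 'Altitude' -Value $Altitude -PropertyType $regSz -Force
                $null = New-ItemProperty -Path "HKLM:$instanceKey" -Name 'Flags' -Value 0 -PropertyType $regDword -Force
                $null = New-ItemProperty -Path "HKLM:$instanceKey\Enum" -Name '0' -Value "Root\\LEGACY_PROCMON$($InstanceVersion)\\0000" -PropertyType $regSz -Force
                $null = New-ItemProperty -Path "HKLM:$instanceKey\Enum" -Name 'Count' -Value 1 -PropertyType $regDword -Force
                $null = New-ItemProperty -Path "HKLM:$instanceKey\Enum" -Name 'NextInstance' -Value 1 -PropertyType $regDword -Force

                # Pin the instance key unless the rule is (still) in place.
                if (-not $pinned) {
                    Set-DenyRule -KeyPath $instanceKey -Rule $denyRule
                }
            }
        }
        catch {
            Throw $_
        }
    }
    end {
    }
}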
#endregion Set-ProcMonAltitude
#region Remove-ProcMonAltitude
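function Remove-ProcMonAltitude {
    <#
    .SYNOPSIS
        Removes the pinned ProcMon filter-driver service keys created by Set-ProcMonAltitude.
    .DESCRIPTION
        For every version in -Version: if the instance key carries the
        "Deny Everyone: Delete, SetValue" rule, that rule is removed first (it would
        otherwise block the deletion); then the whole
        HKLM\SYSTEM\CurrentControlSet\services\PROCMON<ver> key is deleted recursively.
        A version whose service key does not exist is skipped silently.
    .PARAMETER Version
        ProcMon driver version numbers (the N in PROCMONN). Defaults to 23 and 24.
    .NOTES
        Deletes under HKLM and takes ownership of the instance key, so administrative
        rights are required. Errors are rethrown unchanged.
    #>
    [CmdletBinding()]
    PARAM(
        [Parameter(Mandatory = $false, Position = 0)]
        [int32[]]
        $Version = @(23,24)
    )
    begin {
        Write-Verbose $MyInvocation.MyCommand

        # The ACE managed by Set-ProcMonAltitude: Deny Everyone Delete + SetValue.
        function New-DenyEveryoneRule {
            $rights = [System.Security.AccessControl.RegistryRights]::Delete -bor [System.Security.AccessControl.RegistryRights]::SetValue
            return New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @('Everyone', $rights, [System.Security.AccessControl.AccessControlType]::Deny)
        }

        # True when the key's DACL holds an ACE equal to $Rule on the compared properties.
        # A missing or unreadable key (Get-Acl returns nothing) counts as "not present".
        function Test-DenyRulePresent {
            param(
                [string] $KeyPath,
                [System.Security.AccessControl.RegistryAccessRule] $Rule
            )
            $security = Get-Acl -Path "HKLM:$KeyPath" -ErrorAction SilentlyContinue
            if ($security -isnot [System.Security.AccessControl.RegistrySecurity]) {
                return $false
            }
            $compared = 'RegistryRights', 'AccessControlType', 'IdentityReference', 'IsInherited', 'InheritanceFlags', 'PropagationFlags'
            $hits = @($security.Access | Where-Object {
                (Compare-Object -ReferenceObject $_ -DifferenceObject $Rule -Property $compared -IncludeEqual).SideIndicator -eq '=='
            })
            # Count-based so that duplicate matching ACEs still report "present".
            return $hits.Count -gt 0
        }

        # Removes every ACE matching $Rule from the key's DACL; the handle is closed on
        # every exit path. The key is opened with TakeOwnership only, as in the original
        # script; whether that access mask alone is enough for GetAccessControl /
        # SetAccessControl on a hardened key is not verified here — TODO confirm.
        function Remove-DenyRule {
            param(
                [string] $KeyPath,
                [System.Security.AccessControl.RegistryAccessRule] $Rule
            )
            $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
                $KeyPath,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                [System.Security.AccessControl.RegistryRights]::TakeOwnership)
            if ($null -eq $key) {
                throw "Registry key not found: HKLM\$KeyPath"
            }
            try {
                $security = $key.GetAccessControl()
                $security.RemoveAccessRuleAll($Rule)
                $key.SetAccessControl($security)
            }
            finally {
                $key.Close()
            }
        }
    }
    process {
        try {
            $denyRule = New-DenyEveryoneRule
            foreach ($InstanceVersion In $Version) {
                $serviceKey = "SYSTEM\CurrentControlSet\services\PROCMON$($InstanceVersion)"
                $instanceKey = "$serviceKey\Instances\Process Monitor $($InstanceVersion) Instance"

                # The Deny rule forbids Delete, so it has to go before the key tree can.
                if (Test-DenyRulePresent -KeyPath $instanceKey -Rule $denyRule) {
                    Remove-DenyRule -KeyPath $instanceKey -Rule $denyRule
                }

                if (Test-Path -Path "HKLM:$serviceKey") {
                    Remove-Item -Path "HKLM:$serviceKey" -Recurse -Force
                }
            }
        }
        catch {
            Throw $_
        }
    }
    end {
    }
}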
#endregion Remove-ProcMonAltitude
#region Get-ProcMonAltitude
function Get-ProcMonAltitude {
    <#
    .SYNOPSIS
        Reads the Altitude value of each requested ProcMon filter instance key.
    .PARAMETER Version
        ProcMon driver version numbers (the N in PROCMONN). Defaults to 23 and 24.
    .OUTPUTS
        One object per version with two properties: 'Version', which carries the
        instance key's PSChildName (the key's leaf name, not the bare number), and
        'Altitude', the key's Altitude value.
    .NOTES
        Errors raised inside the loop are rethrown unchanged. A missing key surfaces
        through Get-ItemProperty's own error handling.
    #>
    [CmdletBinding()]
    PARAM(
        [Parameter(Mandatory = $false, Position = 0)]
        [int32[]]
        $Version = @(23, 24)
    )
    begin {
        Write-Verbose $MyInvocation.MyCommand
    }
    process {
        try {
            # Output shape: calculated 'Version' column plus the raw Altitude value.
            $columns = @(
                @{Name="Version";Expression={$_.PSChildName}}
                "Altitude"
            )
            foreach ($InstanceVersion In $Version) {
                $instanceKey = "HKLM:SYSTEM\CurrentControlSet\services\PROCMON$($InstanceVersion)\Instances\Process Monitor $($InstanceVersion) Instance"
                Get-ItemProperty -Path $instanceKey | Select-Object -Property $columns
            }
        }
        catch {
            Throw $_
        }
    }
    end {
    }
}
#endregion Get-ProcMonAltitude
# Fetch the module body from a third-party raw endpoint and execute it in this session.
# NOTE(review): this is eval on downloaded data. Whatever that URL serves runs with the
# caller's rights (typically administrative here, since Set-/Remove- write under HKLM)
# and presumably redefines the three functions declared earlier in this file. A reviewed
# local copy (e.g. Import-Module .\ProcMonAltitude.psm1) or a content hash checked
# before Invoke-Expression would make the executed code auditable; left as-is here.
$Content = (Invoke-WebRequest -Uri 'https://api.cacher.io/raw/2e9398a2efc000c057f3/4f060c539995b4b64202/ProcMonAltitude.psm1').Content
Invoke-Expression -Command $Content
# The pinning call is disabled; only the current altitude is reported.
# Set-ProcMonAltitude
Get-ProcMonAltitude
@AGSPhoenix

What is this for? Preventing modification of the procmon driver config?
