
Procmon command line does not save filtered output


I am using procmon command line.

    procmon.exe /Quiet /Minimized /Openlog C:\Python27\code2\logs.pml /LoadConfig C:\Python27\code2\pmc.pmc /SaveAs C:\Python27\code2\output.csv

After running the above command, the procmon UI shows filtered events, but the saved file, output.csv, contains all the events.

Is there an option to save the filtered output via cmd? If not, is there a way to copy the output to cmd?


Solution

  • I figured it out. I was missing the /SaveApplyFilter option. It's strange I did not find a quick reference on forums either. So adding

    /SaveApplyFilter /SaveAs C:\code2\testing2.csv
    

    achieved the desired result.

    Also, since I was using an existing log file, there is no need to use "Drop Filtered Events" while saving the configuration file.

    In case you are capturing logs and want to save them with filters applied, you could enable "Drop Filtered Events" to capture only the required events.
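
The full conversion with the filter applied, followed by a check of what was exported, as an added PowerShell example that is not part of the original answer. The Procmon.exe location is an assumption, and the `Process Name` column assumes the export uses Procmon's default column set.

```powershell
# Added example, not from the original post.
$procmon = 'C:\Tools\Procmon.exe'          # assumed install location
$pml     = 'C:\Python27\code2\logs.pml'    # existing capture (path from the question)
$pmc     = 'C:\Python27\code2\pmc.pmc'     # exported filter configuration (path from the question)
$csv     = 'C:\Python27\code2\output.csv'  # filtered export to produce

# Fail early if an input is missing; Procmon runs with /Quiet and would not tell us.
foreach ($p in $procmon, $pml, $pmc) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing input: $p" }
}

# Remove a stale export so a leftover file cannot be mistaken for a fresh one.
if (Test-Path -LiteralPath $csv) { Remove-Item -LiteralPath $csv }

# /SaveApplyFilter is what makes /SaveAs honour the filter loaded by /LoadConfig.
# Paths are quoted so the command line survives directories containing spaces.
$argLine = "/Quiet /Minimized /OpenLog `"$pml`" /LoadConfig `"$pmc`" " +
           "/SaveApplyFilter /SaveAs `"$csv`""

# Procmon is a GUI program, so wait explicitly for the conversion to finish.
Start-Process -FilePath $procmon -ArgumentList $argLine -Wait

if (-not (Test-Path -LiteralPath $csv)) { throw "Procmon did not write $csv" }

# Load the export and summarise it. If the filter was not applied, processes
# the filter should have excluded will appear in this summary.
$events = @(Import-Csv -LiteralPath $csv)
"{0} events exported to {1}" -f $events.Count, $csv

if ($events.Count -gt 0) {
    $columns = $events[0].PSObject.Properties.Name
    if ($columns -contains 'Process Name') {
        $events |
            Group-Object -Property 'Process Name' |
            Sort-Object -Property Count -Descending |
            Select-Object -First 10 -Property Count, Name
    } else {
        # Column selection is stored in the configuration, so it can differ.
        "No 'Process Name' column; columns present: $($columns -join ', ')"
    }
}
```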