Procmon utilities to identify missing dependencies
18/01/2018 Stuart Moore ID: 294965
The uilities and tools included in the attached zip can be used to help analyze Procmon log files, either filter the resulting output files, identify missing dependencies or compare two files to identify dependencies that may be referenced in one file but missing from another. These tools can help identify when processes may be searching many paths but may fail to find the file, or find it eventually. PowerShell scripts are provided that will co-ordinate the collection of data from Procmon.
- Download attached file procmon-analysis-v1.7z, includes Procmon.exe, tools and PowerShell scripts required to analyze Procmon activity.
- Extract the zip
- Recommended tools: Notepad++ and the JSON Viewer Notepad++ plugin to view the resulting output files
Filter Procmon Tool
FilterProcmon.exe can take a CSV of a procmon trace on std in and output the events in the trace in JSON format. The JSON event format is the input for many other tools. You can filter by process name (-p), Result (-r) and Operation (-o) by using the appropriate command line arguments. Required CSV headings:
- Time of Day
- Process Name
FilterProcmon.exe [-p <processname> ... -o <operation> ... -r <result> ...]
MissingDependencies.exe takes a JSON event log on std in and filters the events into the following categories:
- Operations on filenames that never had a successful result
- Operations on registry keys that never had a successful result
- Operations on CLSIDS (joined across HKCU, HKLM & HKCR) that never had a successful result
Identify Missing Dependencies
Included in the zip, are two PowerShell scripts, start-capture.ps1 and end-capture.ps1, these scripts can be used to automate, and simplify the process of collecting the results ensuring the correct data is collected.
- Run .\start-capture.ps1
- Reproduce the problem in the application
- Run .\end-capture.ps1
- Provide a comma seperated list of executables you would like to analyze
- Provide the name of the json output file e.g. appname_missing.json
Missing Dependencies Comparison
This tool takes the output of two traces run through missing dependencies. It displays all items that were missing only in the first.
MissingDependenciesComparison.exe -1 pathtoconfig -2 pathtoconfig
Comparing successful vs unsuccessful runs
If you have an environment where the application works successfully and one that doesn't, it may be helpful to reproduce the steps in each environment and then compare the two dependency files to highlight the problem preventing the application from working.
- Repeat the steps described in 'Identify Missing Dependencies' on a machine where the application works
- Run .\compare-capture.ps1 input_file1.json input_file2.json
- The results are the items that are missing in input file 1 but NOT in input file 2
Sample scripts and utilities are not supported under any Cloudhouse standard support program or service, they are provided for debug and diagnostic purposes only. The sample scripts and utilities are provided AS IS without warranty of any kind. Cloudhouse further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Cloudhouse, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Cloudhouse has been advised of the possibility of such damages.