Procmon freezes in windowsservercore

  • Question

  • Hello there,

    I'm working on deploying some software to a windowsservercore container. It's giving me some errors, so I copied procmon into the container to track it down, but procmon also doesn't work. I used the following command for procmon:

    procmon.exe /Quiet /AcceptEula /BackingFile C:\Temp\foo.pml

    If I then do a dir on C:\Temp I get that foo.pml has been created and is 4,194,304 bytes in size.

    The file NEVER goes above this size (on my actual computer it does, and if you've ever used procmon before you'd expect it would). I tried the same thing on a co-worker's computer and the exact same thing happens, down to the byte. If I do:

    procmon.exe /Terminate
    The file size changes to 900-some bytes and reads as corrupted. I don't see anything in the event logs that indicates the cause of the crash.

    These types of debugging tools are really essential to troubleshooting problems on "remote" machines. Does anyone have any suggestions of alternatives that they know work, or how to get procmon to work? I'm specifically interested in what DLLs are being accessed by my process.

    Thank you!

    Thursday, December 29, 2016 9:53 PM

All replies

  • You probably need to ask this question in the Sysinternals forum. I assume it's due to the fact that the servercore OS which Microsoft ships is not the same "servercore" which you can install on bare metal. The "container" version is a stripped-down version of server core; Microsoft should never have called it that. At the very minimum, the "server" service is not startable, and a lot of tools rely on that service.
    Sunday, January 22, 2017 4:21 PM
  • Matt, I hit exactly the same issue for the same reason (I need to check what is going on in a container to be able to fix it). Did you find any workaround?

    • Edited by Bart van Kleef Sunday, January 21, 2018 1:01 AM Reference to procmon form
    Sunday, January 21, 2018 12:52 AM
  • Hey Matt,

    Are you trying to do this in a container using Hyper-V isolation or is this a Windows Server container? I'd expect this to work in the former scenario (where a separate kernel exists) but not the latter. In the latter scenario, you can instead monitor process details running Procmon on the host machine.

    • Proposed as answer by WithinRafaelMVP Wednesday, February 21, 2018 9:01 AM
    Wednesday, January 24, 2018 2:28 AM
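
The host-side capture suggested in the last reply, sketched as an added example that is not part of the original thread. It assumes a container named `myapp`, Procmon at `C:\Tools\Procmon.exe`, the Docker CLI on the host, an elevated prompt, and Procmon's default CSV columns; all of those names are placeholders.

```powershell
# Added example: run on the container HOST, elevated. All names below are assumed placeholders.
param(
    [string]$Container = 'myapp',
    [string]$Procmon   = 'C:\Tools\Procmon.exe',
    [string]$OutDir    = 'C:\Temp',
    [int]$Seconds      = 30
)

# 1. Check the isolation mode. 'process' (or 'default' on a daemon whose default is
#    process isolation) shares the host kernel; 'hyperv' runs its own kernel.
$isolation = docker inspect --format '{{.HostConfig.Isolation}}' $Container
Write-Host "Isolation mode reported by Docker: $isolation"
if ($isolation -eq 'hyperv') {
    throw 'Hyper-V isolation: container processes are not visible to a host-side capture.'
}

# 2. Collect the container's process IDs.
#    Assumption: 'docker top' on Windows prints Name, PID, CPU, Private Working Set.
$containerPids = docker top $Container | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match '^(?<name>.+?)\s+(?<id>\d+)\s') { $Matches.id }
}
if (-not $containerPids) { throw "No processes found for container '$Container'." }

# 3. Capture on the host with the same switches used in the question.
$pml = Join-Path $OutDir 'host.pml'
$csv = Join-Path $OutDir 'host.csv'
$capture = Start-Process $Procmon -PassThru -ArgumentList `
    '/Quiet', '/AcceptEula', '/Minimized', '/BackingFile', $pml
Start-Sleep -Seconds $Seconds      # reproduce the failing operation in the container now
Start-Process $Procmon -Wait -ArgumentList '/Terminate'
$capture.WaitForExit()             # let the capturing instance flush the backing file

# 4. Export the log to CSV, then keep only the container's DLL activity:
#    successful image loads, plus failed lookups of *.dll paths.
Start-Process $Procmon -Wait -ArgumentList '/AcceptEula', '/OpenLog', $pml, '/SaveAs', $csv
Import-Csv $csv |
    Where-Object {
        $_.PID -in $containerPids -and (
            $_.Operation -eq 'Load Image' -or
            ($_.Path -like '*.dll' -and $_.Result -ne 'SUCCESS')
        )
    } |
    Select-Object 'Process Name', PID, Operation, Path, Result -Unique |
    Sort-Object 'Process Name', Path |
    Format-Table -AutoSize
```

Processes started in the container after step 2 are not in `$containerPids`; rerun `docker top` after the capture if the failing process is short-lived.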