
The Process Monitor (also known as procmon) is part of Microsoft's Sysinternals Suite and a well-known tool for troubleshooting a Windows system. In this blog post, I present how to reduce the altitude of procmon in the filter driver stack. You may ask yourself: What is this altitude you are speaking about and why should I want to reduce it? Well, after you have downloaded and successfully started procmon, you can run fltmc instances in an elevated cmd or PowerShell. The output of this command lists the minifilter drivers that are active on your operating system.

You can see that by starting the procmon executable, the PROCMON24 minifilter driver was loaded. This minifilter driver is required so that procmon is able to intercept IO operations and log them. However, other applications may use filter drivers for different purposes. For example, anti-virus software can use minifilter drivers to intercept and prevent IO operations. This is where the altitude of a minifilter driver comes into play. Filter drivers are assigned unique altitude values that describe their relative order towards the file system. The lower the altitude of a filter driver, the nearer it is to the file system. The Microsoft documentation defines different load order groups for filter drivers and also lists the unique altitude values that have been assigned to filter drivers. You can see that, in general, the altitude of anti-virus filter drivers is lower than the altitude of our PROCMON24 minifilter. The idea behind reducing the altitude of the PROCMON24 minifilter is that additional information may become available that is otherwise invisible to procmon, because the corresponding filter driver is below PROCMON24 in the filter stack. The altitude of procmon can be set in the registry.

Therefore, open regedit.exe and navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\Instances\Process Monitor 24 Instance and reduce the Altitude value from the default 385200 to, for example, 40000. Restart procmon and check whether the altitude of its minifilter driver has been adjusted by running fltmc instances in an elevated PowerShell. In older versions of procmon you may have to prevent procmon from overwriting this manually set altitude when it starts. To do so, right-click on Instances, select Permissions and click on the Advanced button. Then add a new permission entry and select Everyone as Principal. Use Type: Deny and check Set Value as well as Delete. This permission entry will prevent procmon from resetting the altitude to its default.

Demo: Process Monitor Trace With Reduced Altitude

Let's dive into an example where our disp+work.exe process opens an instrumented file such that Windows Defender gets active. This will be the setup that we want to monitor with procmon, comparing how the altitude affects the trace.
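As an added example (not from the original post), this PowerShell script parses the output of fltmc filters, the sibling of the fltmc instances command used above, ranks the loaded minifilters by altitude and shows which ones sit between PROCMON24 and the file system; it also reads the Altitude value from the registry key edited above. The sample output and the function names are constructed for this example; on a real host run it from an elevated PowerShell.

```powershell
function ConvertFrom-FltmcFilters {
    param([string[]]$Lines)
    # Data rows look like "WdFilter   4   328010   0"; the two header lines do not match.
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>\d+(\.\d+)?)\s+(?<frame>\d+)\s*$') {
            [pscustomobject]@{
                Filter   = $Matches.name
                Altitude = [double]$Matches.alt
                Frame    = [int]$Matches.frame
            }
        }
    }
}

function Get-FiltersBelow {
    param([object[]]$Filters, [string]$Name = 'PROCMON24')
    $me = $Filters | Where-Object Filter -eq $Name
    if (-not $me) { throw "$Name is not loaded; start procmon first." }
    # A lower altitude means closer to the file system, i.e. below $Name in the stack.
    $Filters | Where-Object { $_.Altitude -lt $me.Altitude } | Sort-Object Altitude -Descending
}

function Get-ProcmonRegistryAltitude {
    # The key the post edits; Altitude is stored as a REG_SZ string.
    $key = 'HKLM:\SYSTEM\ControlSet001\Services\PROCMON24\Instances\Process Monitor 24 Instance'
    [double](Get-ItemProperty -Path $key -Name Altitude -ErrorAction Stop).Altitude
}

# Constructed sample of 'fltmc filters' output so the parser can be exercised offline.
$sample = @(
    'Filter Name                     Num Instances    Altitude    Frame',
    '------------------------------  -------------  ------------  -----',
    'PROCMON24                               4         385200         0',
    'WdFilter                                4         328010         0',
    'storqosflt                              1         244000         0',
    'FileInfo                                4          45000         0'
)
$filters = ConvertFrom-FltmcFilters -Lines $sample
'Filters between PROCMON24 and the file system at the default altitude:'
Get-FiltersBelow -Filters $filters | Format-Table Filter, Altitude -AutoSize

# On a live host, parse the real output and compare against the registry value:
# $filters = ConvertFrom-FltmcFilters -Lines (fltmc filters)
# "PROCMON24 altitude in registry: $(Get-ProcmonRegistryAltitude)"
```

After lowering the Altitude value and restarting procmon, the list of filters below PROCMON24 should shrink to those with an altitude under the new value.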
