How to enable boot logging in Windows 10?

Boot logging is one of my favorite features in Procmon. But after upgrading to Windows 10, I found that this function does not always work. Procmon fails with the following error:


    Unable to write PROCMON23.sys.

    Make sure that you have permission to write to the %SystemRoot%\System32\Drivers directory.


To work around this, we need to:

1. Delete %SystemRoot%\System32\Drivers\PROCMON23.sys. You may not be able to delete this file from the currently running OS, but you can do it from WinPE.

2. Important! Start Procmon with the following command:

 C:\procmon\Procmon /BackingFile C:\procmon\log.pml /AcceptEula /Quiet /noconnect

3. Now, it works!
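The two steps above, put together as an added PowerShell script (not part of the original post): it checks for a stale PROCMON23.sys, tries the unhide-and-rename workaround reported in the comments, and then launches Procmon with the flags from step 2. It assumes Procmon.exe lives in C:\procmon and the log goes to C:\procmon\log.pml; run it from an elevated prompt.

```powershell
# Added example, not code from the original post. Assumptions: Procmon.exe is in
# C:\procmon and the backing file is C:\procmon\log.pml.
$driver  = Join-Path $env:SystemRoot 'System32\Drivers\PROCMON23.sys'
$procmon = 'C:\procmon\Procmon.exe'
$backing = 'C:\procmon\log.pml'

# -Force is required: the stale driver may carry the Hidden and System attributes,
# which is why it does not show up in a plain directory listing.
$stale = Get-Item -LiteralPath $driver -Force -ErrorAction SilentlyContinue
if ($stale) {
    Write-Host "Found stale driver: $($stale.FullName) [$($stale.Attributes)]"
    try {
        # Clear the attributes, then rename the file out of the way (the workaround
        # from the comments). If the running OS still holds the driver, this throws
        # and the file has to be removed from WinPE instead (step 1).
        $stale.Attributes = [System.IO.FileAttributes]::Normal
        Rename-Item -LiteralPath $driver -NewName 'PROCMON23.sys.old' -ErrorAction Stop
        Write-Host 'Stale driver renamed.'
    } catch {
        Write-Warning "Could not rename $driver ($($_.Exception.Message)). Delete it from WinPE, then rerun this script."
        exit 1
    }
}

# Step 2: start Procmon exactly as in the post, with a backing file on disk.
$procmonArgs = @('/BackingFile', $backing, '/AcceptEula', '/Quiet', '/noconnect')
Start-Process -FilePath $procmon -ArgumentList $procmonArgs
Write-Host "Procmon started with backing file $backing. Enable boot logging from the Options menu."
```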

Comments

  • Anonymous
    December 09, 2015
    I unhid it and then renamed procmon23.sys. I could then run: C:\procmon\Procmon /BackingFile C:\procmon\log.pml /AcceptEula /Quiet /noconnect and enable logging.