Process Monitor (procmon), part of Microsoft's Sysinternals suite, is an essential tool for dynamic malware analysis on Windows. It records real-time file system, registry, and process/thread activity, so you can see exactly which files and registry keys each running process touches. I thought I had gotten lucky finding the software online. In a quick Google search I found the link to download the entire Sysinternals suite right from the Microsoft website. Unfortunately for me, the download was only compatible with Windows 10 or newer and would not work on my Windows 7 ISO.
At this point, I began my typical rabbit-hole search for solutions to Windows problems. I happened upon forums and eventually found a few different .zip files that contained procmon, and I installed them in my environment. Of course, none of them worked. I received numerous errors, including “incompatible driver.” Some versions would trick me: the app would run for a moment, then the Windows “procmon.exe stopped responding” dialog would appear and the whole thing would close.
I had heard that procmon would crash if it tried to render too much information, and that the filters should be adjusted to show only the desired processes. Unfortunately, I could not keep the application running long enough to tinker with the filters. I had also heard from a group mate that it may be necessary to allocate more memory to the virtual machine to prevent the application from crashing. This didn’t work either.
A quick message to my group mate and a Discord link later, I had procmon working on Windows 7. Apparently he had the same luck I did: tinkering with settings and filters and trying out a bunch of versions of procmon until he found just the right one. It is a shame that Microsoft doesn’t have a more accessible archive of these legacy applications, and that, unless you’re a real computer wizard, you have to download various versions of the software and plug and (try to) play.
Despite this trouble with the software, I did find it useful for my project. It was particularly useful with Lab07-03.exe, a piece of malware that opens every executable file on the system for modification. Without procmon, it is very difficult to evaluate malware. Other applications like Process Explorer or Task Manager don’t quite provide the same insight.
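Once a trace has been captured, the same filtering that keeps procmon from being flooded can be applied offline: save the trace as CSV (File > Save..., CSV format) and narrow it to the one process and the one behaviour you care about, here a sample opening or writing .exe files with write access. The script below is an added example, not code from the original post or from the Sysinternals suite; the CSV rows are constructed for illustration and follow Procmon's default column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) rather than coming from a real run of Lab07-03.exe. The `WRITE_ACCESS_MARKERS` strings are the access names Procmon prints in the Detail column for CreateFile events.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of a Process Monitor CSV export. These rows are made up for this
# example and are not from the author's analysis; the column headers match Procmon's
# default columns, and the Detail text mirrors Procmon's formatting for CreateFile/WriteFile.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1000000 PM","Lab07-03.exe","1234","CreateFile","C:\Windows\System32\calc.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened"
"1:02:03.1100000 PM","Lab07-03.exe","1234","WriteFile","C:\Windows\System32\calc.exe","SUCCESS","Offset: 0, Length: 4,096"
"1:02:03.1200000 PM","Lab07-03.exe","1234","CreateFile","C:\Windows\System32\notepad.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened"
"1:02:03.1300000 PM","Lab07-03.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"1:02:03.1400000 PM","explorer.exe","900","CreateFile","C:\Users\analyst\Desktop\notes.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"1:02:03.1500000 PM","Lab07-03.exe","1234","CreateFile","C:\Program Files\app\app.exe","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a"
'''

# Access names Procmon prints in the Detail column of a CreateFile event when the caller
# asked for write access. Matched case-insensitively.
WRITE_ACCESS_MARKERS = ("generic write", "generic all", "write data")


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    """Parse a Procmon CSV export into one dict per event, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_executable_write(row: Dict[str, str], process_name: str) -> bool:
    """True if this event is the named process opening or writing a .exe with write access.

    A WriteFile on a .exe counts directly; a CreateFile counts only if the requested
    access includes a write right, so plain reads (e.g. loading a DLL) are ignored.
    """
    if row["Process Name"].lower() != process_name.lower():
        return False
    if not row["Path"].lower().endswith(".exe"):
        return False
    if row["Operation"] == "WriteFile":
        return True
    if row["Operation"] == "CreateFile":
        detail = row["Detail"].lower()
        return any(marker in detail for marker in WRITE_ACCESS_MARKERS)
    return False


def executable_writes(rows: List[Dict[str, str]], process_name: str) -> List[Dict[str, str]]:
    """Filter a parsed trace down to the events that modify (or try to modify) executables."""
    return [row for row in rows if is_executable_write(row, process_name)]


def summarize_executable_writes(rows: List[Dict[str, str]], process_name: str) -> Dict[str, object]:
    """Report which executables the process targeted and which attempts were refused."""
    hits = executable_writes(rows, process_name)
    return {
        "events": len(hits),
        "executables": sorted({row["Path"] for row in hits}),
        "denied": sorted({row["Path"] for row in hits if row["Result"] != "SUCCESS"}),
    }


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    report = summarize_executable_writes(events, "Lab07-03.exe")
    print(f"{report['events']} write events against executables")
    for path in report["executables"]:
        flag = " (ACCESS DENIED)" if path in report["denied"] else ""
        print(f"  {path}{flag}")
```

The same three conditions (process name, path suffix, write access in Detail) map directly onto procmon's own Filter dialog (Filter > Filter...), so once a sample's behaviour is understood from the export, the live view can be restricted the same way and the trace stays small enough to keep the tool responsive.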