Is it possible for you to make it so that you're able to change the name and extension of the procmon configuration file? We're analyzing malware and would like to be able to change the filename and extension. The malware is encrypting the configuration file and procmon is failing. We can do that now on the command-line, but it doesn't recognize it. We validated the filename of the configuration file does match what we specify on the command-line.
IMO this would be great functionality as it appears that the pmc extension is now on the files to encrypt list of certain malware.
Thanks
Robert
I've kept the ProcmonConfiguration.PMC name because that's what SysInternals has always referred to it as. I don't want people to think that this is using an entirely new file format when they may already have PMCs lying around.
However, this should be doable with the --filter (-f) option and pointing it to another filename. It could even be something remotely shared (SMB) if ransomware is corrupting it.
This is equivalent to running: procmon.exe /BackingFile "Noriben.pml" /Quiet /Minimized /LoadConfig "A.DAT", where I have ProcmonConfiguration.PMC named A.DAT.