For this example, we will be monitoring the following Registry Key and values.
Next, in the Regedit window go to the path you wish to monitor, highlight the desired path in the address bar and copy the text.
Back in ProcMon, click on the filter icon and select the values “Path” and “is” as shown in the screenshot below, then paste in the registry path you saved to your clipboard in step 4 above. Edit the path to correct for HKCU or HKLM (see the note directly below), click “Add”, and then click “Ok” to save and apply the filter.
NOTE: Edit the reg path and replace the text “Computer\HKEY_CURRENT_USER” with “HKCU”, or “Computer\HKEY_LOCAL_MACHINE” with “HKLM” as needed. See screenshots below for examples.
Next, and most importantly, enable the “Drop Filtered Events” option on the Filter menu so that ProcMon discards everything except the registry path you filtered on and the log stays small.
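The path edit from the note above can be done from PowerShell instead of by hand. This is an added helper, not part of the original article or of PolicyPak’s tooling: it takes the text copied from the Regedit address bar, swaps the long hive name for the short form ProcMon shows in its Path column (HKCU and HKLM as in the note, plus HKCR, HKU and HKCC, which follow ProcMon’s same display convention), and optionally confirms the key actually exists before you paste the result into the “Path is” filter. The sample path is constructed for illustration.

```powershell
function Convert-RegeditPathToProcMon {
    <#
      Convert a path copied from Regedit, e.g.
        Computer\HKEY_CURRENT_USER\Software\Example
      into the form ProcMon expects in a "Path is" filter, e.g.
        HKCU\Software\Example
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RegeditPath,
        [switch]$VerifyExists   # also check the key is present on this machine
    )

    # Long hive name -> short name as displayed by ProcMon
    $hiveMap = @{
        'HKEY_CURRENT_USER'   = 'HKCU'
        'HKEY_LOCAL_MACHINE'  = 'HKLM'
        'HKEY_CLASSES_ROOT'   = 'HKCR'
        'HKEY_USERS'          = 'HKU'
        'HKEY_CURRENT_CONFIG' = 'HKCC'
    }

    # Regedit prefixes the copied text with "Computer\"; strip it and any stray whitespace
    $path = $RegeditPath.Trim() -replace '^Computer\\', ''

    $hive, $rest = $path -split '\\', 2
    if (-not $hiveMap.ContainsKey($hive)) {
        throw "Unrecognised registry hive '$hive' in path '$RegeditPath'"
    }

    if ($VerifyExists) {
        # The Registry:: provider path lets Test-Path check any hive without a mapped drive
        if (-not (Test-Path -LiteralPath "Registry::$path")) {
            Write-Warning "Key '$path' does not exist on this machine; ProcMon will show no events for it"
        }
    }

    if ($rest) { "$($hiveMap[$hive])\$rest" } else { $hiveMap[$hive] }
}

# Constructed example: paste this into the ProcMon "Path is" filter
Convert-RegeditPathToProcMon -RegeditPath 'Computer\HKEY_CURRENT_USER\Software\Example' -VerifyExists
```

Run it with the text from your clipboard (`Get-Clipboard`) in place of the constructed path, then paste the returned value into the ProcMon filter dialog.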
GATHER PPLOGS: You’re going to run PPLOGS from CMD TWICE, once as USER and once as ADMIN. Give the files descriptive names, e.g. pplogs_as_user.zip and pplogs_as_admin.zip. Example screenshot: https://www.screencast.com/t/Y988r1u7P5B
PLACE LOGS (and anything else gathered) into a SINGLE ZIP and upload it as SRXxxxx.ZIP to the SUPPORT INBOX on SHAREFILE: https://policypak.sharefile.com/share/getinfo/rc857a57f16b4d4b9
And remember to click the UPLOAD button!!
Video KB: https://kb.policypak.com/kb/article/506-gathering-and-uploading-logs/