IRPMon icon indicating copy to clipboard operation
IRPMon copied to clipboard

Published 20 hours ago verified publisher icon MartinDrab

IRPMon: not connected

Open romanholidaypancakes opened this issue 4 years ago • 11 comments

how can I use it to make it work

image

version: v1.0-rc2 os: win10 x64 18363

romanholidaypancakes avatar Mar 12 '21 08:03 romanholidaypancakes

Hello,

did you run the program as administrator?

Checking the Monitoring | Capture events should connect to the driver.

Also, you may look at this tutorial Keyboard Monitoring

I hope to release new version during this weekend.

MartinDrab avatar Mar 12 '21 10:03 MartinDrab

i follow this steps:

  1. (run it on administrator)none - ok image

  2. gui image

romanholidaypancakes avatar Mar 12 '21 11:03 romanholidaypancakes

It seems the driver is not loaded.

Do you have Secure Boot disabled? Unfortunately, I am currently not able to make the driver load when the Secure Boot is enabled (I do not own necessary EV certificate yet).

MartinDrab avatar Mar 12 '21 11:03 MartinDrab

i run it on virtual machine. It should not have a secure boot by default.

image

romanholidaypancakes avatar Mar 12 '21 11:03 romanholidaypancakes

i wanna monitor all driver irp code then i need know who(application) connected it.

romanholidaypancakes avatar Mar 12 '21 11:03 romanholidaypancakes

Well, I tried to connect to the driver and all seems to be OK. I did the following:

  • I downloaded the v1.0 RC2 release, the installer,
  • I installed the program (with Run IRPMon server on startup unchecked),
  • I run the program as administrator,
  • in the Connect to the driver window, I selected Device and pressed Ok,
  • now, I can connect to the driver via Monitoring | Capture events.

Since I have 64-bit version of Windows, I run 64-bit version of IRPMon (be careful with that since both versions are installed).

MartinDrab avatar Mar 12 '21 11:03 MartinDrab

  • step 1 image

  • step 2 image

  • step 3 image

  • step 4: (run IRPMon 64-Bit on administrator)none - ok

  • still can't work

  • new vmos: winx64 10.0.17763.737

romanholidaypancakes avatar Mar 12 '21 11:03 romanholidaypancakes

Do not start the IRPMon server service (although it is strange because it seems it is not running anyway). The IRPMon application connects directly to the driver, not the server. The server may be used if you wish to have the GUI on machine other than the driver is... and it is quite unreliable.

MartinDrab avatar Mar 12 '21 16:03 MartinDrab

I changed step 3 to this, still not work image

romanholidaypancakes avatar Mar 15 '21 01:03 romanholidaypancakes

Well, that all seems very strange. Can you provide me with a log from Sysinternals DbgView?

Run DbgView as administrator. You may do it before running the IRPMon installer. The following items need to be checked in the Capture menu:

  • Capture Win32,
  • Capture Global Win32,
  • Capture Kernel,
  • Enable verbose kernel output,
  • Capture kernel.

Before installing IRPMon, uninstall it first (it should have its entry in the Control Panel).

After you run the IRPMon 64-bit application as administrator and see the main window (where you should see the list view for displaying individual requests), you may save the debug log to a file and upload it either here, or send it to me via email ([email protected]).

Alternatively, if the VM is not too big nad your internet connection is strong enough, you may upload it somewhere and I will attemt to reproduce your problem.

MartinDrab avatar Mar 15 '21 20:03 MartinDrab

DESKTOP-VUKB1AQ.LOG

romanholidaypancakes avatar Mar 16 '21 02:03 romanholidaypancakes