Using Process Explorer for Troubleshooting a Policy

This topic describes how to troubleshoot a policy with Process Explorer. Use Process Explorer to examine policies that grant administrative privileges but don't seem to work when:

  • an application is accessed, or
  • actions are supposed to run.

In the example below, the policy allows Resource Monitor to run, but the application is blank because it does not have sufficient Windows Privileges. You can use Process Explorer to determine the correct Windows Privileges to add to the policy in order to use the Resource Monitor application.

Detailed Troubleshooting Steps

  1. Download Process Explorer from the Microsoft website and extract the downloaded ProcessExplorer.zip file locally on your system.

  2. Open Process Explorer.

  3. Next, open Resource Monitor as the Administrator.

  4. Navigate back to the Process Explorer Window and find the Resource Monitor application (perfmon.exe).

  5. Right-click and select Properties.

  6. Select the Security tab.

  7. Under the Privilege section, you can see all the flags that are enabled in order to use the application.

  8. Launch Privilege Manager and navigate to Admin | Application Policies.

  9. Select the policy that elevates privileges to run Resource Monitor.

  10. Under Adjust Process Rights, modify settings.

    1. Select Add Administrative Rights or the elevation action you are using.
  11. Under Windows Privileges, click Edit. (For this step, you will have to determine which flags are enabled in Process Explorer in order to add the additional Windows Privileges to the action.)

  12. In another window, navigate to the Microsoft Privilege Constants page at https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants. The page lists the name of each Windows Privilege, along with the user right information that needs to be added to the action in Privilege Manager.

    For example: the privileges listed on the Security tab of the Properties dialog show SeCreateGlobalPrivilege as enabled. On the Microsoft Privilege Constants page at https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants, the user right for the SeCreateGlobalPrivilege privilege is: Create global objects.

  13. Enter the user right into the search box and then select it from the returned list. In this example, enter Create Global Objects.

  14. Click Add.

  15. Remove any actions you don't need.

  16. Click Update.

  17. Click Save Changes.

Once the agent has received the updated policy, the additional Windows Privileges will be applied to the application the next time it is launched.
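
The lookup in steps 11 through 13 can be scripted when a process shows many privileges. The following is an added example, not part of Privilege Manager or Process Explorer: it takes privilege rows copied from the Security tab, keeps only the enabled ones, and returns the user-right names still missing from the action, so that only those are added. The row layout, the sample rows, the function names and the partial `USER_RIGHTS` table (a subset of Microsoft's Privilege Constants page) are assumptions.

```python
# Added example: translate enabled privileges seen in Process Explorer into the
# user-right names to search for under Windows Privileges in the policy action.
# USER_RIGHTS is a partial copy of Microsoft's Privilege Constants table.
USER_RIGHTS = {
    "SeCreateGlobalPrivilege": "Create global objects",
    "SeDebugPrivilege": "Debug programs",
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeSystemProfilePrivilege": "Profile system performance",
    "SeProfileSingleProcessPrivilege": "Profile single process",
    "SeIncreaseBasePriorityPrivilege": "Increase scheduling priority",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeShutdownPrivilege": "Shut down the system",
}

# Constructed sample rows (assumed layout: privilege name, whitespace, flags).
SAMPLE = """\
Privilege                      Flags
SeChangeNotifyPrivilege        Default Enabled
SeCreateGlobalPrivilege        Default Enabled
SeDebugPrivilege               Enabled
SeShutdownPrivilege            Disabled
SeTimeZonePrivilege            Enabled
"""

def parse_security_tab(text):
    """Return {privilege: flags}; header and blank lines are skipped."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            rows[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return rows

def rights_to_add(security_tab_text, already_in_policy):
    """Return (rights, unknown) for the enabled privileges only.

    rights:  user-right names not yet on the action, sorted.
    unknown: privilege constants absent from USER_RIGHTS; look these up
             on the Privilege Constants page by hand.
    """
    rows = parse_security_tab(security_tab_text)
    enabled = [p for p, flags in rows.items() if "enabled" in flags.lower()]
    rights = sorted({USER_RIGHTS[p] for p in enabled if p in USER_RIGHTS}
                    - set(already_in_policy))
    unknown = sorted(p for p in enabled if p not in USER_RIGHTS)
    return rights, unknown

if __name__ == "__main__":
    print(rights_to_add(SAMPLE, {"Bypass traverse checking"}))
```

Privileges shown as Disabled are left out, which keeps the action limited to what the working process actually has enabled.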