Summary
Procmon may not work or it may cause an unexpected slowdown. Use electrifymon to log agent-side file operations; it is lightweight.
Solution
An instance occurred where procmon always disappeared after a short period of time. Even when procmon worked, it slowed down the agent machine considerably and resulted in a large amount of data. You can use electrifymon to inject a dll into the agent and its child process to log the file operations.
To activate it, add a registry string value under key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ElectricAgent\Parameters,
name: prefix value: c:\ECloud\i686_win32\bin\electrifymon.exe --electrify-log=c:\electrify.log --electrify-localfile=y
On 64-bit Windows, it is c:\ECloud\i686_win32\64\bin\electrifymon.exe.
Then c:\electrify.log will contain the file operations, file name, and the process command line that did the operations.