Auditing Sessions: Windows Process Monitoring
The Process Monitoring feature provides detailed monitoring and recording of Windows process activity during brokered PAM sessions, without the use of an agent. When enabled, it captures each process that starts on the target asset, including the process name, timestamp, and, where available, the application or window title. For example, if a user launches Microsoft SQL Server Management Studio (ssms.exe), opens a browser, runs PowerShell, or starts a background utility, these events are recorded as part of the user's session events.
Process Monitoring provides enhanced visibility into Windows process activity for PAM sessions while maintaining its agentless, non-intrusive operation. It is fully integrated into the session recording and Session Intelligence framework, allowing administrators to monitor, audit, and respond to process activity in real time.
How Process Monitoring Works
Enabling Process Monitoring creates an auto-start command on the remote managed host to capture and record Windows processes. Key characteristics of this implementation include:
- Runs in the user context, not as a system service
- Agentless operation
- Requires no additional network ports
- Operates transparently, without interfering with normal session operations
During an active Windows RDP session (web or proxy), the auto-execution command maintains a persistent connection with the PAM server through a secure, session-bound channel. This channel allows the command to communicate process events to the PAM server in real time. Each new process is recorded as a session event, associated with the active session.
If the auto-execution command is manually terminated by the user, the PAM server detects the loss of its keep-alive connection and records this as a Process Monitor Terminated event. Session Intelligence can use this event to trigger automated responses, such as terminating the session or aborting the associated workflow. The auto-execution command will restart automatically upon the next session initiation.
Deployment Considerations
The Process Monitoring auto-execution command can be deployed using one of the following methods:
- Remote deployment via 12Port PAM Tasks, using the standard task execution mechanism
- Administrator distribution, for example via Group Policy Objects (GPO)
Because the command is non-intrusive, it does not affect normal session or native endpoint functionality.
Configuring Process Monitoring
Process Monitoring configuration consists of two primary steps:
- Enabling the feature at the asset configuration level
- Deploying the Windows auto-start monitoring command on the target host
Process Monitoring is configured per asset (server), not per individual user. Once enabled and deployed, it applies to all brokered sessions on that asset.
1. Enable Process Monitoring in Asset Configuration
By default, the Process Monitoring field of the Windows Host asset type may be hidden in the asset type configuration. Unhide the field there first, then set it on the asset itself to one of the following values:
- Disabled
- Enabled
- Enforced
The parameter will be applied to the next session started.
Disabled
When set to Disabled, process monitoring is off for brokered sessions on this asset, so no process events are recorded. All other session and recording capabilities operate as configured.
Enabled
When set to Enabled, process monitoring is active for brokered sessions. If the monitoring command is unavailable or stops responding, the session continues without input restriction, but process events will not be recorded during the outage.
Enforced
When set to Enforced, session interactivity becomes dependent on the monitoring command:
- User input is blocked until the auto-start monitoring command successfully starts.
- The command must maintain periodic keep-alive communication with the PAM server.
- If keep-alive messages are not received for 30 seconds, the session is considered non-compliant.
- Input blocking is enforced approximately 40–50 seconds after the command stops responding.
In Enforced mode, session access is conditional upon an active and responsive monitoring process.
2. Deploy the Monitoring Command on the Windows Asset
After enabling the Process Monitoring field at the asset level, deploy the monitoring command to the target Windows asset.
Task Name
Windows Enable Process Monitoring
Execute this task against the asset using the standard remote task execution mechanism (Execute > Windows Enable Process Monitoring). The task creates the auto-start command on the managed Windows server. It only needs to be run once per asset, but running it again has no negative side effects.
Tip
This task must complete successfully for the Process Monitoring command to be deployed. Use the Reports > Jobs report to confirm the result.

If any account is currently connected to the host, or is in a disconnected state on it, that account must sign out for the deployment to complete. Alternatively, the host can be restarted.
Note
The Windows Enable Process Monitoring task must be executed using an asset account with local Administrator privileges on the target asset. Administrative permissions are required to create the auto-start command.
3. Command Lifecycle and Session Behavior
Startup Behavior
Once installed:
- The command starts automatically at each user logon.
- Initialization typically completes within a few seconds.
- The command terminates automatically when the user logs off.
If a user disconnects from the session (without logging off the managed host):
- The command continues running in the user context.
- It loses its active connection to the PAM server.
- Communication is re-established upon reconnection.
If the Process Monitoring task is executed while a user session is already active, the user must log off and log back on to the host for the command to start.
4. Command Initialization and Enforcement Handshake
When the command starts, or when a disconnected session is reconnected:
- The command reports its version to the internal PAM server logs using the Info level.
- The log message format is:
TENANT:<TenantName>; Remote Process Monitor Version: 0.1.<datestamp>
This message confirms successful initialization.
For assets configured with Enforced monitoring:
- User input remains blocked until the PAM server receives this version message.
- After successful validation and keep-alive confirmation, user input is enabled.
5. Process Event Reporting
Once active, the command monitors the Windows operating system's process creation events.
For each new process, the following information is captured by the PAM server:
- Process name
- Process ID (PID)
- Process Owner
- Executable path
- Command line
- Window title (if available)
Each reported process is recorded as a Process type session event and becomes available in the Session Events report.
Figure: Sample Session Events report highlighting the Process recording.
6. Monitoring Integrity and Failure Handling
If the monitoring command:
- Terminates unexpectedly, or
- Is manually stopped by the user
then the PAM server detects the loss of keep-alive communication.
The resulting behavior is as follows:
- After approximately 30 seconds without keep-alive messages, the command is considered non-responsive.
- After approximately 40–50 seconds:
  - An Alert-level event is recorded.
  - If the asset is configured in Enforced mode, user input is blocked.
This mechanism ensures monitoring integrity and prevents unmonitored interactive activity in Enforced sessions.
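The keep-alive watchdog described above (command handshake, the 30-second non-compliance threshold, the later Alert event, and input blocking in Enforced mode) can be modelled as a small server-side state machine. The following is an added illustration written for this page, not 12Port's own code: the `SessionWatchdog` class, the 45-second enforcement point (an assumed midpoint of the "approximately 40–50 seconds" the page gives), the event wording and the tenant, version, process and timestamp values in the scenario are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Timings from the page: 30 s without keep-alive = non-compliant; enforcement
# "approximately 40-50 s" after the command stops, modelled with an assumed 45 s.
NON_COMPLIANT_AFTER = 30.0
ENFORCE_AFTER = 45.0


@dataclass
class SessionWatchdog:
    """Hypothetical server-side view of one brokered RDP session."""
    mode: str                               # "Disabled", "Enabled" or "Enforced"
    last_keepalive: Optional[float] = None  # None until the version handshake completes
    non_compliant: bool = False
    alerted: bool = False
    input_blocked: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Enforced sessions start with input blocked until the version message arrives.
        if self.mode == "Enforced":
            self.input_blocked = True

    def on_version_message(self, t: float, tenant: str, version: str) -> None:
        """The command reported its version: the initialization handshake succeeded."""
        self.events.append(f"{t:6.1f} INFO  TENANT:{tenant}; Remote Process Monitor Version: {version}")
        self.on_keepalive(t)

    def on_keepalive(self, t: float) -> None:
        """A keep-alive arrived; clear any outage state and unblock Enforced input."""
        self.last_keepalive = t
        if self.non_compliant or self.alerted:
            self.events.append(f"{t:6.1f} INFO  keep-alive restored")
        self.non_compliant = self.alerted = False
        if self.mode == "Enforced" and self.input_blocked:
            self.input_blocked = False
            self.events.append(f"{t:6.1f} INFO  user input enabled")

    def on_process(self, t: float, name: str, pid: int) -> None:
        """A process-start report from the command; ignored when monitoring is Disabled."""
        if self.mode != "Disabled":
            self.events.append(f"{t:6.1f} PROC  {name} (PID {pid})")

    def tick(self, t: float) -> None:
        """Periodic server check; t is the current time in seconds since session start."""
        if self.mode == "Disabled" or self.last_keepalive is None:
            return  # nothing to check before the handshake (Enforced input stays blocked)
        silence = t - self.last_keepalive
        if silence >= NON_COMPLIANT_AFTER and not self.non_compliant:
            self.non_compliant = True
            self.events.append(f"{t:6.1f} WARN  no keep-alive for {silence:.0f}s: session non-compliant")
        if silence >= ENFORCE_AFTER and not self.alerted:
            self.alerted = True
            self.events.append(f"{t:6.1f} ALERT Process Monitor Terminated")
            if self.mode == "Enforced":
                self.input_blocked = True
                self.events.append(f"{t:6.1f} ALERT user input blocked")


def run_scenario(mode: str) -> SessionWatchdog:
    """Constructed timeline: handshake, two processes, the command is killed after
    its keep-alive at t=20, and a reconnect at t=90 restarts the handshake."""
    w = SessionWatchdog(mode)
    w.on_version_message(2.0, "ExampleTenant", "0.1.20240101")
    w.on_process(5.0, "ssms.exe", 4120)
    w.on_keepalive(10.0)
    w.on_process(15.0, "powershell.exe", 4388)
    w.on_keepalive(20.0)                 # last message before the command is killed
    for t in range(21, 120):             # the server ticks once per second
        if t == 90:
            w.on_version_message(90.0, "ExampleTenant", "0.1.20240101")
        w.tick(float(t))
    return w


if __name__ == "__main__":
    for line in run_scenario("Enforced").events:
        print(line)
```

Running the Enforced scenario shows input enabled at the handshake, the WARN entry at t=50, the Alert and input block at t=65, and input re-enabled when the reconnect handshake arrives at t=90; the same timeline in Enabled mode produces the WARN and Alert entries but never blocks input.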
Verifying Process Monitoring Status
To determine whether Process Monitoring is currently enabled on a Windows host, execute the following task:
Windows Status
This task inspects the asset configuration and returns the current state of the monitoring auto-start command on the managed Windows Server, along with other useful host information.
Note
The Windows Status task must be executed using an account with local Administrator privileges on the target asset. Administrative permissions are required to query the relevant auto-start command and return the monitoring configuration details.
Interpreting the Task Result
When the task completes, the Job's Result field includes the current status of the monitoring auto-start command.
Possible results:
- Disabled
The auto-start command is not present, or is not configured to start at user logon.
- Enabled (Version=x.x.<datestamp>)
The auto-start command is present. The reported version reflects the version of the embedded monitoring command currently configured on the asset.
The version number corresponds to the command and allows administrators to verify that the expected command version is deployed.
Figure: Windows Status result example highlighting an Enabled Process Monitoring feature.
Figure: Windows Status result example highlighting a Disabled Process Monitoring feature.
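Because the feature is only effective when the asset's Process Monitoring field and the deployed auto-start command agree, a practitioner reviewing many hosts will want to cross-check the two. The following is an added example, not 12Port's code: it parses the Job Result format of the Windows Status task and the command's initialization log line exactly as the page gives them, then flags assets where the field and the deployment disagree or where the deployed version is not the expected one. The asset names, field values and version strings are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Result formats as documented on the page; the sample data further down is constructed.
STATUS_RE = re.compile(r"^\s*(Disabled|Enabled)(?:\s*\(Version=([\w.]+)\))?\s*$")
LOG_RE = re.compile(r"TENANT:(?P<tenant>[^;]+);\s*Remote Process Monitor Version:\s*(?P<version>[\w.]+)")


def parse_status_result(result: str) -> Dict[str, Optional[str]]:
    """Parse the Job Result of the Windows Status task into state and version."""
    m = STATUS_RE.match(result)
    if not m:
        raise ValueError(f"unrecognised Windows Status result: {result!r}")
    return {"state": m.group(1), "version": m.group(2)}


def parse_version_log(line: str) -> Optional[Dict[str, str]]:
    """Parse the Info-level initialization message the command writes on startup."""
    m = LOG_RE.search(line)
    return {"tenant": m.group("tenant").strip(), "version": m.group("version")} if m else None


def audit_fleet(fields: Dict[str, str], results: Dict[str, str], expected_version: str) -> List[str]:
    """Cross-check each asset's Process Monitoring field against the deployed command.

    fields  -- asset name -> Process Monitoring field value (Disabled/Enabled/Enforced)
    results -- asset name -> Job Result text from the Windows Status task
    """
    findings: List[str] = []
    for asset, field_value in fields.items():
        if asset not in results:
            findings.append(f"{asset}: no Windows Status result available")
            continue
        status = parse_status_result(results[asset])
        deployed = status["state"] == "Enabled"
        if field_value in ("Enabled", "Enforced") and not deployed:
            # Page behaviour: Enforced blocks input until the command starts; Enabled just stops recording.
            effect = "user input will stay blocked" if field_value == "Enforced" else "process events will not be recorded"
            findings.append(f"{asset}: field={field_value} but command not deployed; {effect}")
        elif field_value == "Disabled" and deployed:
            # The command keeps starting at logon until the removal task is run.
            findings.append(f"{asset}: field=Disabled but command still present (version {status['version']}); run Windows Disable Process Monitoring")
        elif deployed and status["version"] != expected_version:
            findings.append(f"{asset}: version {status['version']} deployed, expected {expected_version}")
    return findings


# Constructed sample data.
SAMPLE_FIELDS = {"SQL01": "Enforced", "WEB02": "Enabled", "FS03": "Disabled", "APP04": "Enforced"}
SAMPLE_RESULTS = {
    "SQL01": "Enabled (Version=0.1.20240101)",
    "WEB02": "Disabled",
    "FS03": "Enabled (Version=0.1.20231201)",
    "APP04": "Enabled (Version=0.1.20231201)",
}
SAMPLE_LOG = "TENANT:ExampleTenant; Remote Process Monitor Version: 0.1.20240101"

if __name__ == "__main__":
    print(parse_version_log(SAMPLE_LOG))
    for finding in audit_fleet(SAMPLE_FIELDS, SAMPLE_RESULTS, "0.1.20240101"):
        print(finding)
```

With the sample data, SQL01 passes, WEB02 is flagged as configured but not deployed, FS03 as a leftover command on a Disabled asset, and APP04 as an outdated version.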
Disabling Process Monitoring
To fully disable Process Monitoring on a Windows host, both the configuration setting and the auto-start command must be removed.
Disabling the feature consists of two steps:
- Set the Process Monitoring field on the asset to Disabled.
- Execute the command removal task Windows Disable Process Monitoring on the target asset.
Process Monitoring is considered fully disabled only after both steps are completed.
1. Disable the Field in Asset Configuration
On the Edit Asset page:
- Locate the Process Monitoring field.
- Set the value to Disabled.
- Save the configuration.
This stops the recording logic at the PAM server level:
- No input blocking will occur.
- No monitoring integrity checks will be performed.
- No new sessions will expect the monitoring command to connect.
However, if the monitoring command is still present on the asset, it may continue to start on user logon until removed.
2. Remove the Monitoring Command from the Asset
Execute the following task against the asset:
Windows Disable Process Monitoring
This task removes the auto-start command that was originally created on the host. If any account is currently connected to the host, or is in a disconnected state on it, that account must sign out for the removal to complete. Alternatively, the host can be restarted.
After it is removed:
- The process monitoring command no longer starts automatically at user logon.
- No further process monitoring events will be generated, even if the Process Monitoring field is set back to Enabled or Enforced.
- Existing running instances of the command will terminate when the user logs off from the host.
Note
The Windows Disable Process Monitoring task must be executed using an account with local Administrator privileges on the target asset. Administrative permissions are required to remove the auto-start command.
Active Session Considerations
If a monitored session is currently active:
- Disabling the configuration field takes effect on the next new session.
- The running command will continue operating until the user logs off from the host.
- To ensure complete removal, the user must log off from the host after the disable task is executed successfully.