Native Process and Service Monitoring makes monitoring processes and services on your devices easy. You can create custom settings to notify you if there is an issue, and automatically attempt to resolve that issue. Process and Service Monitoring have their own settings and policies, so you can easily add/remove monitors as you see fit and apply some/all/none to your devices on a per policy level.
What it Does
- Notifies you if a Process or Service is not running
- Notifies you if a Process or Service is running
- Automatically starts a Process or Service if it is not running
- Automatically stops a Process or Service if it is running
- Notifies you if a Process or Service reaches a custom CPU and/or Memory Threshold
- Facilitates automation through Automated Remediation
- Facilitates customization for multiple Processes and Services through Policies
- Reduces false alerts through optional custom settings (like requiring a logged in user)
What it Doesn't Do
- Prevent a process/service from starting outright. It CAN kill/stop the process/service shortly after it starts, however.
Table of Contents
Getting Started
- Creating your first Process Monitoring Policy
- Creating your first Service Monitoring Policy
- Applying your Process/Service Monitoring Policy to your Assets
Advanced Usage
- Starting Stopped Processes
- Monitoring Resource Usage
- Automating Alert Responses with Automated Remediation
Troubleshooting
FAQ
Getting Started
To get started using Process and Service Monitoring, you will need to make your way to "Process & Service Monitor Policies". This is where you will create, edit, and delete your custom Process and Service Monitor settings through the use of Monitor Policies.
First, head to "Policies" in your Syncro account. Next, select "Policy Modules" and click "Process & Service Monitoring" from the drop-down. (If you are unfamiliar with "Policies", you can learn more about them HERE)
After selecting "Process & Service Monitoring" from the drop-down, you should be ready to create your first Monitoring Policy!
1) Creating your first Process Monitoring Policy
From "Process & Service Monitor Policies", select "New Monitor" in the top-right corner, and click "New Process Monitor" from the drop-down. This will allow you to create a brand new Process Monitoring Policy.
Here, you will see all the settings you can configure for your Process Monitoring Policy. As a test to see this feature in action, let's imagine you want an alert if Notepad is not running for two or more minutes.
For this example, you will want to add the "Process Name" (notepad.exe) to the list of Processes like this:
Process and Service Names are case insensitive, so you can use "Notepad.exe", or "notepad.exe", or even "nOtepAD.ExE" if you feel so inclined. If you are unsure how to format the name, check out HERE.
We will not need to adjust the alerting just yet, since we are looking to only alert us if Notepad is not running for 2 minutes. If you wanted to adjust this setting, you can do so next to "Alert if any processes are" marked in the screenshot above inside the blue box.
Don't forget to give your Process Monitor Policy a name, and click "Create Process Monitor Policy" at the bottom of the page to save your changes! For now, don't worry about the other settings, since we will address them in more detail below. If you would like to set-up Notepad to also automatically start when it is not running, you can skip ahead to HERE.
Now that you have your first Process Monitoring Policy created, let's apply it to your devices HERE!
2) Creating your first Service Monitoring Policy
From "Process & Service Monitor Policies", select "New Monitor" in the top-right corner, and click "New Service Monitor" from the drop-down. This will allow you to create a brand new Service Monitoring Policy.
Here, you will see all the settings you can configure for your Service Monitoring Policy. As a test to see this feature in action, let's imagine you want an alert if the Print Spooler is two minutes for two or more minutes, and you would like the Print Spooler to start.
For this example, you will want to add the "Service Name" (spooler) to the list of Services like this:
Keep in mind, you should be using the service's name instead of its display name. Make sure to open the service properties and get the service name. For example, "Spooler" would be used instead of "Print Spooler":
Process and Service Names are case insensitive, so you can use "Spooler", or "spooler", or even "spOoLer" if you feel so inclined.
We will not need to adjust the alerting just yet, since we are looking to only alert us if the Print Spooler is not running for 2 minutes. If you wanted to adjust this setting, you can do so next to "Alert if any services are" marked in the screenshot above inside the blue box.
Don't forget to give your Service Monitor Policy a name, and click "Create Service Monitor Policy" at the bottom of the page to save your changes! For now, don't worry about the other settings, since we will address them in more detail below.
Now that you have saved your Service Monitor Policy, you are ready to apply it to your devices!
3) Applying your Process/Service Monitoring Policy to your Assets
Have your first Process or Service Monitor Policy ready? If so, let's apply it to an Asset RMM Policy and see it in action!
First, head to "Policies" in your Syncro account (if Policies are unfamiliar, please check out our Policies article HERE).
Next, select a Policy to edit it, and scroll down to the "PROCESS & SERVICE MONITORS" section underneath "ALERTS". It should look something like this:
Here, you can click "Add Monitor" to attach your Process or Service Monitoring Policy. Any devices under this "Asset RMM Policy" will now monitor your new Process and Service Monitoring Policies (once you save your changes to the Asset RMM Policy of course).
Advanced Usage
4) Starting Stopped Processes
Unlike Services, starting Processes requires the Processes' Path in order to start. Syncro has the option to supply a 32bit and 64bit path to use, and will automatically detect the System's architecture to use the correct path.
To locate a Process Path, you can use Task Manager. If you open Task Manager on your Windows Machine, and head to "Details", you will see a list of processes on your machine. If you right-click a process in this list, and click "Properties", you can see the name and path of the process.
Here is an example from a Windows 10 Pro:
Now that you have the Process name and the Process path, you can apply it to you Process Monitoring Policy like this:
In this example, I used the environmental variable "%windir%" instead of "C:\Windows" to support Windows directories installed on different drives, so you can do the same. You can read more about supported Environmental Variables HERE.
Once you save the Process Monitor, you should now see Notepad open up under the logged-in user after 2 minutes of it being closed! Try it out!
5) Monitoring Resource Usage
Both Process and Service Monitoring support Alerting on Resource Usage. When enabling Resource Usage on a Monitoring Policy, any listed processes/services will trigger an RMM alert. Here is an example for Notepad:
Important notes:
- Enabling CPU/Memory usage monitoring will generate an RMM alert. This is independent of the "Response Action" you can configure.
- The Automated Remediation "Trigger Category" for the RMM alert is "resource_monitor".
- Only one process/service listed under the monitoring policy needs to reach the threshold in order for the RMM alert to generate
- If there is an open RMM alert for this monitoring policy, and a new process/service meets the threshold to alert, it will update the current open alert. It will not create a new RMM alert.
- For the alert to close and remain closed, all processes/services under the policy must be under both the CPU and Memory thresholds. Otherwise, a new alert will be created.
- If a process has multiple PIDs or processes running concurrently, the resource monitor will calculate the percent usage based on the sum of all processes with the same name.
- So if you have multiple Notepad.exe processes running on multiple windows, the resource threshold will alert based on ALL process named "Notepad.exe", and not each individual process/window.
- Resource usage monitoring respects the setting "Delay Monitoring Until after startup".
6) Automating Alert Responses with Automated Remediation
You may have seem that "Save and Generate Remediation" button at the bottom of your Process and Service Monitoring Policies, and wondered what it did. Or you may have heard you can automate actions based on alerts generated by your Monitoring Policies. Either way, you came to the right place!
When you are on a Monitoring Policy, you can click "Save and Generate Remediation" to save your changes, and start creating an Automated Remediation!
This button will begin creating a new Automated Remediation with the Monitoring Policy already specified as a condition. In the screenshot below, it will be in the red box:
This example AR will run a reboot script whenever Notepad.exe is not running for 2 minutes. It will not run on any other alerts from other Process or Service Monitoring Policies, and will not fire for Resource Usage. If you want to fire for Resource Usage, you will want to use the "Trigger Category" is "resource_monitor" instead of "ps_monitor" (currently shown in blue above).
You can also learn more about using Automated Remediation HERE.
Troubleshooting
1) "Auto-resolve Alert" is not closing open alerts.
- The Auto-resolve will only close an RMM alert if ALL processes/services meet the conditions.
- So if you are monitoring two processes for "not running", both processes will need to be "running" in order for the alert to clear.
2) "Start Process" is not starting my process.
- Make sure your process path is correct. More information on getting this right can be found HERE
FAQ
Q: Can I use wildcards in Process/Service names?
A: Yes, you can! Be careful, however, as it will monitor everything that matches the wildcard.
- For example, you can use "*.exe" to monitor ALL processes with a name ending in ".exe" (NOT RECOMMENDED)