How to enable boot logging in Windows 10?

Boot logging is one of my favorite features in Procmon. But after upgrading to Windows 10, I found this function does not always work out.


Unable to write PROCMON23.sys.

Make sure that you have permission to write to the %SystemRoot%\System32\Drivers directory.


To work around this, we need to:

1. Delete %SystemRoot%\System32\Drivers\PROCMON23.sys. You may not be able to delete this file from the currently running OS, but you can do so from WinPE.

2. Important! Start Procmon with the following command:

 C:\procmon\Procmon /BackingFile C:\procmon\log.pml /AcceptEula /Quiet /noconnect

3. Now, it works!
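The two steps above as an added PowerShell script (not from the original post): it tries to remove the stale driver, falls back to telling you to re-run it from WinPE against the offline Windows directory if the file is locked, and then launches Procmon with the post's command line. The Procmon directory C:\procmon, the executable name Procmon.exe and the driver name PROCMON23.sys are assumptions taken from the post.

```powershell
# Added example, not the original post's code. Assumes Procmon is installed
# in C:\procmon and that the stale driver is PROCMON23.sys as in the error text.
param(
    # Windows directory of the installation to clean. From the running OS this
    # is $env:SystemRoot; from WinPE pass the offline system, e.g. D:\Windows.
    [string]$WindowsRoot = $env:SystemRoot,
    [string]$ProcmonDir  = 'C:\procmon'
)

$driver = Join-Path $WindowsRoot 'System32\Drivers\PROCMON23.sys'

if (Test-Path -LiteralPath $driver) {
    try {
        Remove-Item -LiteralPath $driver -Force -ErrorAction Stop
        Write-Host "Removed stale driver: $driver"
    } catch {
        # The running OS usually holds this file open. The post's workaround is
        # to delete it from WinPE; there, re-run this script and point
        # -WindowsRoot at the offline installation (not at X:\Windows).
        Write-Warning "Could not delete $driver ($($_.Exception.Message))."
        Write-Warning "Boot into WinPE and re-run with -WindowsRoot <offline>\Windows."
        return
    }
} else {
    Write-Host "No stale driver found at $driver"
}

# Only launch Procmon when running inside the target OS, not from WinPE.
if ($WindowsRoot -ne $env:SystemRoot) { return }

$procmon = Join-Path $ProcmonDir 'Procmon.exe'
$procmonArgs = @(
    '/BackingFile', (Join-Path $ProcmonDir 'log.pml'),
    '/AcceptEula', '/Quiet', '/noconnect'
)
# Writing the driver into System32\Drivers needs an elevated Procmon.
Start-Process -FilePath $procmon -ArgumentList $procmonArgs -Verb RunAs
```

Run it once from the live system; if it reports the file is locked, run it again from WinPE with -WindowsRoot set to the offline installation, then reboot and run it a third time to start Procmon.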