// MCP TOOL REFERENCE

PROCMON TOOLS

18 tools from the Procmon MCP Server, categorised by risk level.

View the Procmon policy →
// ALL 18 PROCMON TOOLS
READ 14 tools
Read analyze_pe Parse a PE file with pefile: imports, exports, category summary. Read capture_snapshot Point-in-time snapshot of matching processes: processes, modules, network connections. Read check_elevation Whether the server is elevated plus a capability matrix for all tools. Read find_pe_files Recursively discover PE files under a directory. Read get_minifilters Run fltmc filters and instances and return raw parsed lines. Read get_network_connections TCP and/or UDP endpoints with owning process. protocol: tcp, udp, both, all. Read get_process_details Deep process details: modules, handle count, threads, command line, Read get_security_events Security log convenience: IDs 4688, 4624, 4672, 4648 (requires elevation). Read get_system_info OS build, architecture, hostname, SecurityCenter2 AV products, PowerShell version. Read list_drivers Enumerate kernel drivers via Win32_SystemDriver. Read list_etw_providers Parse logman query providers with optional keyword filter. Read list_processes List processes with optional name or PID filter. Read list_services Enumerate services via Win32_Service (name, state, start mode, display name, path). Read query_event_log Query a Windows event log via Get-WinEvent FilterHashtable.
EXECUTE 4 tools
Execute request_elevation Launch a cmd script via UAC (Start-Process -Verb RunAs) to run the given command. Execute start_etw_trace Start a kernel ETW trace via logman (requires elevation). Execute stop_etw_trace Stop ETW trace, run tracerpt to CSV and summary, return parsed preview (requires elevation). Execute timed_capture Repeated snapshots over a duration with optional shell trigger command launched at start.

Route Procmon through PolicyLayer and every one of its 18 tools is checked against your policy before it runs.

GOVERN PROCMON →

Enforced before the call runs. Nothing to install.

// FAQ
How many tools does the Procmon MCP server have? +

The Procmon MCP server exposes 18 tools across 2 categories: Read, Execute.

How do I enforce policies on Procmon tools? +

Route the Procmon server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do Procmon tools fall into? +

Procmon tools are categorised as Read (14), Execute (4). Each category has a recommended default policy.

Enforce policy on every Procmon tool call.

Deterministic rules across all 18 Procmon tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

GOVERN PROCMON →

Free to start. No card required.

42,500+ MCP servers and 110,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.