Work with Process & Service Monitors
Syncro's native Process & Service Monitors make monitoring the processes and services on your devices easy.
Using the Process & Service Monitors policy modules, you can have Syncro:
- notify you if there is an issue (e.g., if a Process or Service reaches a CPU and/or memory threshold),
- automatically attempt to resolve that issue (e.g., by starting/stopping the Process or Service, through automated remediations, etc.), and
- reduce false alerts through optional custom settings (such as requiring a logged-in User).
Since Process and Service monitors have their own settings and policies, you can easily add/remove monitors as you see fit and apply some/all/none to your devices on a per-policy level. If you're unfamiliar with Syncro's Policies feature, see the Related Docs for more information.
Note: Although Monitors can kill a Process or stop a Service shortly after it starts, they can't prevent it from starting in the first place.
Create a New Process or Service Monitor Policy
To create a new Process & Service Monitor, follow these steps:
- Navigate to the Policies tab/module.
- In the upper-right, select Process & Service Monitoring from the Policy Modules dropdown button.
Syncro displays the Process & Service Monitors Policies page:
Tip: The Policy Modules dropdown button is available on any policy-related page in Syncro.
- Click +New Monitor, then select either New Process Monitor or New Service Monitor. Syncro displays the new Process or Service Monitor screen.
- Complete the fields for your Process or Service Monitoring policy. See Process & Service Monitor Fields Reference for details.
- Click Create Process/Service Monitor Policy. Syncro displays your new monitor policy in the Process & Service Monitor Policies table.
Tip: You can click Save and Generate Remediation instead. If you decide to do that later, it's available from the Process & Service Monitor Policies table's ellipses (. . .) icon.
See Automate Alert Responses with Automated Remediation for more information.
Process & Service Monitor Fields Reference
Process/Service Monitor Name: Enter a descriptive Name you'll use to identify this Process or Service Monitor policy later. You can make this Name longer, such as “Notepad is not running” or “Print Spooler Service is not running.”
PROCESSES Section
Note: These fields only apply to new Process Monitors.
- Require Logged-In User: Check this box to require a logged-in user to be alerted on user processes but not system processes.
- User processes are those that run in user mode, with limited access to system resources. This includes applications like web browsers, word processors, media players, etc. that are initiated and controlled by the user. (Example: The word processor application itself that allows you to type and save the file.)
- System processes are those that run in kernel mode, with direct access to system resources. They are responsible for managing memory allocation, file system operations, network connections, and other critical functions. These are usually not directly visible to the user. (Example: The process that handles disk access when you save a file in a user application.)
- Delay Monitoring Until: Enter the number of minutes that monitoring should be delayed after process startup.
- Alert If Any Processes Are: Select from Running/Not Running and enter the number of minutes.
If Not Running is selected above, each Process row Syncro displays includes:
- Process Name: Enter a name of the process you want to monitor (e.g., notepad.exe).
- Process Names are case insensitive, so it doesn't matter whether you use Notepad.exe or notepad.exe.
- You can use wildcards in Process names, but be careful: Syncro will monitor everything that matches the wildcard.
- Start Process: Check this box to start the process.
- Run As System: If the Start Process box is checked, you can check this box to run the process as System.
- Process Path (32/64bit): Syncro prefills these paths for you based on the architecture, but you can change them. If you do, be sure to use Task Manager to confirm the correct path: open Task Manager on your Windows machine and click the "Details" side tab. You'll see a list of processes on your machine. Right-click a process, then click “Properties” to see the name and path of the process.
Tip: You can also use the environmental variable "%windir%" instead of "C:\Windows" to support Windows directories installed on different drives. See Scripting Overview for more information about supported Environmental Variables.
If Running is selected above, each Process row Syncro displays includes:
- Process Name: same as described in the “Not Running” case, above.
- Kill Process: Check this box to kill the process.
Tips: Click +Add Process to add another Process row. Click the red X to delete a Process row.
SERVICES Section
Note: These fields only apply to new Service Monitors.
- Consider “Disabled” as “Stopped”: Check this box to treat any Service that's disabled the same as one that is Stopped.
- Delay Monitoring Until: Enter the number of minutes that monitoring should be delayed after service startup.
- Alert If Any Processes Are: Select from Stopped/Running and enter the number of minutes.
For each Service row:
- Service Name: Enter a name of the service you want to monitor (e.g., spooler).
- Service Names are case insensitive, so it doesn't matter whether you use Spooler or spooler. However, be sure to open the service properties and get the ACTUAL service name (i.e., use Spooler instead of Print Spooler).
- You can use wildcards in Service names, but be careful: Syncro will monitor everything that matches the wildcard.
- Start/Stop Service: Check this box to start or stop the service.
Tips: Click +Add Service to add another Service row. Click the red X to delete a Service row.
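As an added example (not part of Syncro's documentation or tooling), the PowerShell function below previews which running processes or installed services a name pattern would match on a device, along with executable paths and actual service names, before you enter it in a monitor with Kill Process or Start/Stop Service checked. It assumes Syncro's wildcards behave like PowerShell's -like operator; Get-MonitorMatchPreview and the sample patterns are hypothetical names.

```powershell
# Added example: preview what a monitor name pattern would match on this machine.
# Assumption: Syncro wildcards behave like PowerShell's -like operator (* and ?).
function Get-MonitorMatchPreview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [ValidateSet('Process', 'Service')][string]$Kind = 'Process'
    )

    if ($Kind -eq 'Process') {
        # Win32_Process.Name includes the extension (notepad.exe), unlike Get-Process.
        Get-CimInstance -ClassName Win32_Process |
            Where-Object { $_.Name -like $Pattern } |   # -like is case insensitive
            Group-Object -Property Name |
            ForEach-Object {
                [pscustomobject]@{
                    Name      = $_.Name
                    # Several instances can share one name; all of them match.
                    Instances = $_.Count
                    # ExecutablePath can be empty for protected processes.
                    Paths     = ($_.Group.ExecutablePath |
                                 Where-Object { $_ } |
                                 Sort-Object -Unique) -join '; '
                }
            }
    }
    else {
        # Name is the actual service name; DisplayName is what services.msc lists.
        # StartMode shows 'Disabled' for services the "Consider Disabled" box affects.
        Get-CimInstance -ClassName Win32_Service |
            Where-Object { $_.Name -like $Pattern } |
            Select-Object Name, DisplayName, State, StartMode
    }
}

# Sample patterns (constructed for illustration).
Get-MonitorMatchPreview -Pattern 'note*'
Get-MonitorMatchPreview -Pattern 'spool*' -Kind Service

# Resolve a display name to the actual service name to enter in the monitor.
Get-Service -DisplayName 'Print Spooler' | Select-Object Name, DisplayName, Status
```

A pattern that returns more rows than expected here would also be acted on more broadly than expected by the monitor.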
RESOURCE USAGE Section
Note: This section only displays when Processes are Not Running or when Services are Stopped.
- Monitor CPU Usage: Check this box to enable the CPU Usage fields below.
- Alert When CPU Usage Is Above: Enter a number for the threshold CPU usage percentage, and another for the number of minutes CPU usage must be at that percentage. Once these conditions are met, Syncro triggers the defined Response Action.
- Monitor Memory Usage: Check this box to enable the Memory Usage fields below.
- Alert When Memory Usage Is Above: Enter a number for the threshold Memory usage percentage, and another for the number of minutes Memory usage must be at that percentage. Once these conditions are met, Syncro takes the Response Action.
RESPONSE Section
- Response Action: Select from Create Alert and Log Activity, Log Activity Only, or None.
- Auto-resolve Alert: Check this box to have Syncro clear the alert when the Process or Service is restarted OR if the CPU or Memory Usage is no longer past the thresholds defined in the monitor.
Tip: The None option allows you to create separate monitor rules for the same process. For example, the first one could simply restart the process if it hasn't been running for 2 mins (without triggering an alert), but a second monitor for the same process could trigger an alert if it remained stopped for 10 mins.
Apply a Process or Service Monitor Policy to your Assets
To apply your Process or Service Monitor Policy module to your Assets, follow these steps:
- Navigate to the Policies tab.
- Create a new Policy or edit an existing Policy.
- Select Monitors from the left side of Syncro's Policy Builder.
- From the Add a Monitor dropdown menu, select Processes & Services. Syncro displays a Processes & Services section.
- Click +Add Monitor, then use the dropdown menu to select the Process or Service Monitor policy you previously created.
- Repeat Step 5 to add as many Processes & Services monitor policies as you want.
- Click Save Policy.
Syncro will now monitor any devices under this Policy according to your Process and Service Monitoring Policies.
Edit a Process or Service Monitor Policy
To edit an existing Process or Service Monitor Policy:
- Navigate to the Policies tab.
- In the upper-right, select Process & Service Monitoring from the Policy Modules dropdown button.
Syncro displays the Process & Service Monitors Policies page.
Tip: The Policy Modules dropdown button is available on any policy-related page in Syncro.
- Click a hyperlinked policy Name to edit it. (Or, click the ellipses (. . .) icon and select Edit.) Follow the instructions in Create a New Process or Service Monitor Policy to make any changes.
- Be sure to click Save Changes when finished.
Clone or Delete a Process or Service Monitor Policy
To clone or delete an existing Process or Service Monitor Policy:
- Navigate to the Policies tab.
- In the upper-right, select Process & Service Monitoring from the Policy Modules dropdown button.
Syncro displays the Process & Service Monitors Policies page.
Tip: The Policy Modules dropdown button is available on any policy-related page in Syncro.
- For the Process or Service Monitor Policy you want to clone or remove, click the ellipses (. . .) icon, then select Clone or Delete.
- Clone puts you in edit mode for the Monitor Policy that has the word “Copy” prepended to the original name. Enter a useful name and make any other changes. Be sure to click Save Changes when finished.
- Selecting Delete will ask you to confirm; click OK.
Monitor Resource Usage Example
Both Process and Service Monitors support alerting on resource usage. Here's an example for Notepad:
Notes:
- Enabling CPU/Memory usage monitoring generates an RMM alert. This is independent of the "Response Action" you configure.
- The Automated Remediation "Trigger Category" for the RMM alert is “Process or Service Resource Monitor.” (Once selected, this may appear simply as the abbreviated “resource_monitor,” which can be useful for scripting.) See also Automate Alert Responses with Automated Remediation.
- Only one process/service listed under the monitoring policy needs to reach the threshold to generate the RMM alert.
- If there is an open RMM alert for the Monitor Policy and a new process/service meets the alert threshold, Syncro will update the currently open alert (rather than create a new RMM alert.)
- For the alert to close and remain closed, all processes/services under the Monitor Policy must be under both the CPU and Memory thresholds. Otherwise, a new alert will be created.
- If a process has multiple PIDs or processes running concurrently, the Monitor Policy calculates the percent usage based on the sum of all processes with the same name. (I.e., if you have multiple Notepad.exe processes running on multiple windows, the resource threshold will alert based on ALL processes named Notepad.exe, and not each individual process/window.)
- Resource usage monitoring respects the "Delay Monitoring Until after Startup" setting.
Automate Alert Responses with Automated Remediation
When you click Save and Generate Remediation on a Monitor Policy instead of Create Process/Service Monitor Policy, Syncro creates a new automated remediation with the Monitoring Policy already specified as a condition:
Syncro provides two automated remediation Trigger Categories for process and service monitors:
- Process or Service Monitor: to monitor that a process/service is running only. After you've selected this Trigger Category, it will appear as “ps_monitor.”
- Process or Service Resource Monitor: to alert on a process/service's CPU/Memory Usage. After you've selected this Trigger Category, it will appear as “resource_monitor.”
See also: Create Automations for Alerts and Automated Remediations Reference.
Troubleshooting
If "Auto-resolve Alert" is not closing open alerts, note that the auto-resolve feature will only close an RMM alert if ALL processes/services meet the conditions. So if you are monitoring two processes for “Not running,” both processes need to be "Running" for the alert to clear.
If "Start Process" is not starting your process, verify that your process path is correct.