Saw this today on the vmware communites page, DEMDev wrote a short explanation on how to use psexec.exe and procmon.exe, to capture things by running procmon as the system user and logging in as another user.
The steps are
* Log on to the console with an admin account
* Copy PSExec.exe and ProcMon.exe to folder C:\X
* Run C:\X\PSExec.exe -accepteula -sd C:\X\ProcMon.exe -accepteula -quiet -backingfile C:\X\Log.PML
* Log off
* Log on “the normal way”, with your test user
* From an elevated prompt, run C:\X\PSExec.exe -accepteula -s C:\X\ProcMon.exe -accepteula -quiet -terminate