- Sep 17, 2013
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Overview of Process Monitor Capabilities
Process Monitor includes powerful monitoring and filtering capabilities, including:
- More data captured for operation input and output parameters
- Non-destructive filters allow you to set filters without losing data
- Capture of thread stacks for each operation makes it possible in many cases to identify the root cause of an operation
- Reliable capture of process details, including image path, command line, user and session ID
- Configurable and moveable columns for any event property
- Filters can be set for any data field, including fields not configured as columns
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
- Process tree tool shows relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn't fit in the column
- Cancellable search
- Boot time logging of all operations
Official link : https://technet.microsoft.com/en-us/library/bb896645.aspx
Online ebook : https://books.google.co.in/books?id=0KZCAwAAQBAJ&printsec=frontcover
Video tutorial :
- http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor
- http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor
- http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL304
- http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WCL301
- http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/WCA-B306
- http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B354
Because it loads a kernel driver, Procmon requires administrative rights to capture events, including the Load and Unload Device Drivers privilege. When you launch Process Monitor it immediately starts monitoring three classes of operation: file system, Registry and process.
It is a very powerful tool that is very useful for logging process activity. Logging the file, process, registry and network events of an application can reveal detailed information about what the process is doing in the system.
The logged events can be used to troubleshoot an application that is showing signs of:
- Not working properly
- Hanging
- Crashing
- Running sluggishly
- Conflicting with other processes
- Using too much CPU, hard disk or other resources
The saved data can be sent to someone else who can analyze it to detect the problem with that application.
Even if the applications on your system seem to run normally, logging their activity and checking the logged data can reveal problems that you would not otherwise notice.
Process Monitor is one of the many tools provided by Sysinternals. You can use the other Sysinternals tools along with Process Monitor to monitor the processes running in the system.
Sysinternals Suite : https://technet.microsoft.com/en-us/sysinternals/bb842062
Capturing events
Click the "Capture" icon to start or stop capturing events. Capture data for a few minutes, then stop the capture to analyze it.
The data Process Monitor logs in just a few minutes can become huge, so never let it capture for a long period of time; otherwise it will eat up all the RAM.
Click "Clear" to discard all the captured data.
Saving the captured trace files
- To save all the events that have been captured, select "All events"
- Set the path and select the format
- Click "OK"
- To save only the filtered events, select "Events displayed using current filter"
- Set the path and select the format
- Click "OK"
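The capture and save steps above can also be scripted, so that an unattended capture is bounded in time and written to a backing file on disk instead of RAM. The following Python script is an added example, not code from the original post or from Sysinternals; it only assembles and runs procmon.exe's own command-line switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /LoadConfig, /Terminate, /OpenLog, /SaveAs) and assumes procmon.exe sits at the PROCMON path shown and is started from an elevated prompt:

```python
"""Bounded, unattended Process Monitor capture written to a backing file.

Added example; this is not code from the original post. It drives
procmon.exe through its command-line switches so that the capture goes
to a .pml backing file on disk instead of RAM, stops after a fixed
number of seconds, and is then converted to CSV for offline analysis.
Assumptions: procmon.exe lives at PROCMON (adjust to your install) and
the script runs from an elevated prompt, because Procmon loads a kernel
driver.
"""
import subprocess
import sys
import time

PROCMON = r"C:\Tools\Procmon.exe"  # assumed location; adjust to your install


def capture_command(backing_file, config=None):
    """Command line that starts a capture writing into a .pml backing file.

    /AcceptEula  suppress the licence dialog on first run
    /Quiet       do not prompt to confirm filter settings
    /Minimized   start minimized so the run is unattended
    /BackingFile write events to this file rather than the paging file,
                 which is what keeps a long capture from eating all the RAM
    /LoadConfig  optional saved filter/column configuration (.pmc)
    """
    cmd = [PROCMON, "/AcceptEula", "/Quiet", "/Minimized",
           "/BackingFile", backing_file]
    if config:
        cmd += ["/LoadConfig", config]
    return cmd


def terminate_command():
    """Command line that tells the running instance to stop and exit."""
    return [PROCMON, "/Terminate"]


def export_command(pml_file, csv_file):
    """Command line that opens a saved .pml log and saves it as CSV.

    /SaveAs picks the output format from the target file's extension
    (.csv, .xml or .pml), the same choice offered by the File -> Save dialog.
    """
    return [PROCMON, "/AcceptEula", "/OpenLog", pml_file, "/SaveAs", csv_file]


def run_bounded_capture(backing_file, seconds, csv_file, config=None):
    """Capture for `seconds`, stop, export to CSV and return the CSV path.

    The fixed time limit is the practical answer to the warning in the
    post: a capture left running for hours is not analysable anyway.
    """
    if not sys.platform.startswith("win"):
        raise RuntimeError("Process Monitor only runs on Windows")
    subprocess.Popen(capture_command(backing_file, config))
    time.sleep(seconds)
    subprocess.run(terminate_command(), check=True)
    time.sleep(5)  # give the capturing instance time to flush and exit
    subprocess.run(export_command(backing_file, csv_file), check=True)
    return csv_file


if __name__ == "__main__":
    out = run_bounded_capture(r"C:\Traces\capture.pml", 120,
                              r"C:\Traces\capture.csv")
    print("trace exported to", out)
```

The command-building functions are kept separate from the runner so they can be checked on any machine; run_bounded_capture itself only works on a Windows host with Procmon installed. A filter loaded with /LoadConfig is the same non-destructive filter you would set in the Filter dialog, so the backing file still holds every event and you can change the filter later when you open the .pml.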
Columns
You can select the columns that will be shown by Process Monitor.
- One way is through the menu: Options -> Select Columns
- Another way is to right-click a column header and select "Select Columns", as shown below
- Tick a column name to show it in the Process Monitor window
Various types of columns
Application Details
- Process Name : The name of the process in which an event occurred.
- Image Path : The full path of the image running in a process.
- Command Line : The command line used to launch a process.
- Company Name : The text of the company name version string embedded in a process image file. This text is optionally defined by the application developer.
- Description : The text of the product description string embedded in a process image file. This text is optionally defined by the application developer.
- Version : The product version number embedded in a process image file. This information is optionally specified by the application developer.
- Sequence Number : The relative position of the operation with respect to all events included in the current filter.
- Event Class : The class (File, Registry, Process) of the event.
- Operation : The specific event operation (e.g. Read, RegQueryValue, etc.).
- Date & Time : Both the date and the time of an operation.
- Time of Day : Only the time of an operation.
- Path : The path of the resource that an event references.
- Detail : Additional information specific to an event.
- Result : The status code of a completed operation.
- Relative Time : The time of the operation relative to Process Monitor's start time or the last time that the Process Monitor display was cleared.
- Duration : The duration of an operation that has completed.
- User Name : The name of the user account in which the process that performed an operation is executing.
- Session ID : The Windows session in which the process that executed an operation is executing.
- Authentication ID : The logon session in which the process that executed an operation is executing.
- Process ID : The Process ID (PID) of the process that executed an operation.
- Thread ID : The Thread ID (TID) of the thread that executed an operation.
- Integrity Level : The integrity level at which the process that executed an operation is running (Windows Vista only).
- Virtualized : The virtualization status of the process that executed an operation (Windows Vista only).
Types of events Procmon captures
Registry : Registry operations, such as creating, enumerating, querying, and deleting keys and values.
File System : Operations on local storage and remote file systems, including file systems or devices added while Procmon was running.
Network : UDP and TCP network activity, including source and destination addresses (but not the actual data that was transmitted or received). Procmon can be configured to resolve network addresses to network names, or just show the IP addresses. The option to Show Resolved Network Addresses is on the Options menu. You can also toggle it by pressing Ctrl+N.
Process : Process and thread events such as process creation by a parent process, process start, thread create, thread exit, process exit, and the loading of executable images and data files into the process’ address space. (Note that Procmon does not log the unloading of these images.)
Profiling : Generates and logs an event for every process and thread on the system, capturing the kernel and user time charged, memory use, and context switches since the previous profiling event. Process profiling events are always captured. By default, thread profiling events are not captured. Debug output profiling, described later, also falls under this event type.
Operations column
The Operation column shows what type of operation the process performed on the specified path.
Refer to the online documentation for what each operation means; the names in the Operation column will not match the wording of the online reference exactly.
Process & thread operations : https://msdn.microsoft.com/en-us/library/windows/desktop/ms684847(v=vs.85).aspx
File operations : https://msdn.microsoft.com/en-us/library/windows/desktop/aa364232(v=vs.85).aspx
Registry operations : https://msdn.microsoft.com/en-us/library/windows/desktop/ms724875(v=vs.85).aspx
Network operations : https://msdn.microsoft.com/en-us/library/windows/desktop/ms741394(v=vs.85).aspx
Types of results
The Result column shows the status code of a completed operation.
Full list of NTSTATUS return values/codes : https://msdn.microsoft.com/en-in/library/cc704588.aspx
Common result value/code
SUCCESS
The operation succeeded.
BUFFER OVERFLOW
Occurs when a program requests variable-length information, such as data from a registry value, but doesn’t provide a large enough buffer to receive the information because it doesn’t know the actual data size in advance. The system will tell the program how large a buffer is required and might copy as much data as it can into the buffer, but it will not actually overflow the buffer. One typical coding pattern is that after a BUFFER OVERFLOW result is received, the program then allocates a large enough buffer and requests the same data again, this time resulting in SUCCESS.
ACCESS DENIED
The operation failed because the security descriptor on the object does not grant the rights to the caller that the caller requested. The failure might also be the result of a file being marked as read-only. This result code is frequently a red flag when troubleshooting.
SHARING VIOLATION
The operation failed because the object is already opened and does not allow the sharing mode that the caller requested.
NAME COLLISION
The caller tried to create an object that already exists.
NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE
The caller tried to open an object that doesn’t exist. One scenario in which these result codes can arise is when a DLL load routine looks in various directories as part of the DLL search process.
NAME INVALID
The caller requested an object with an invalid name—for example, C:\Windows\”regedit.exe”.
NO MORE ENTRIES, NO MORE FILES
The caller has finished enumerating the contents of a folder or registry key.
END OF FILE
The caller has read to the end of a file.
BUFFER TOO SMALL
Essentially the same as BUFFER OVERFLOW. It’s rarely significant when troubleshooting.
REPARSE
The caller has requested an object that links to another object. For example, HKLM\System\CurrentControlSet might redirect to HKLM\System\ControlSet001.
NOT REPARSE POINT
The requested object does not link to another object.
FAST IO DISALLOWED
Indicates that a low-level optimized mechanism is not available for the requested file system object. It’s rarely significant in troubleshooting.
FILE LOCKED WITH ONLY READERS
Indicates that a file or file mapping was locked and that all users of the file can only read from it.
FILE LOCKED WITH WRITERS
Indicates that a file or file mapping was locked and that at least one user of the file can write to it.
IS DIRECTORY
The requested object is a file system folder.
INVALID DEVICE REQUEST
The specified request is not a valid operation for the target device.
INVALID PARAMETER
An invalid parameter was passed to a service or function.
NOT GRANTED
A requested file lock cannot be granted because of other existing locks.
CANCELLED
An I/O request was canceled—for example, the monitoring of a file system folder for changes.
BAD NETWORK PATH
The network path cannot be located.
BAD NETWORK NAME
The specified share name cannot be found on the remote server.
MEDIA WRITE PROTECTED
The disk cannot be written to because it is write-protected.
KEY DELETED
Illegal operation attempted on a registry key that has been marked for deletion.
NOT IMPLEMENTED
The requested operation is not implemented.
Event Properties
You can access the properties for an individual event by double-clicking on the event, or by selecting the Properties menu item from the Event menu or the context menu when you right-click on an event. The Event Properties dialog consists of the Event, Process and Stack pages. You can move to the next or preceding displayed or highlighted event with the arrow buttons at the bottom of the Event Properties dialog.
Process Activity summary
The Process Activity Summary dialog box displays a table listing every process for which data was captured with the current filter applied. Each row in the table shows the process name and PID, a CPU usage graph, the numbers of file, registry and network events, the commit peak and the working set peak, and graphs showing these and other numbers changing over the timeline of the process. You can save all the text information to a CSV file by clicking the Save button.
File summary
The File Summary dialog box aggregates information about every file and folder operation displayed by the current filter, and it groups the results on separate tabs by path, by folder, and by file extension. For each unique file system path, the dialog box displays how much total time was spent performing I/O to the file; the number of opens, closes, reads, writes, Get ACL, Set ACL and other operations; the total number of operations performed; and the number of bytes read from and written to the file.
Registry summary
The Registry Summary dialog box lists every registry path referenced by registry operations in a table, along with how much total time was spent performing I/O to the key; the number of opens, closes, reads, writes, and other operations; and the sum total of these. Clicking on a column header sorts by the data in that column, and columns can be reordered by dragging the column headers. Double-clicking a row adds a Path rule for the registry path in that row to the current filter. The Filter dialog box can be displayed by clicking the Filter button, and you can save the data to a CSV file.
- As you can see, the highest number of registry events has occurred on the path "HKCU\software\FolderProtect\Pwdprompt". Again, the software "Folder Protect" is causing too many registry events, which is not expected from it. Uninstalling this software will free system resources for other software.
Stack Summary
The Stack Summary dialog box takes all the stack traces for each Procmon-traceable event, identifies the commonalities and divergences in them, and renders them as expandable trees. For each frame within a call stack, you can see how many times its execution resulted in a Procmon-traceable event, the cumulative amount of time spent in the Procmon-captured operations, the name and path of the module, and the absolute offset within it. The Stack Summary also shows function names and the path to and line number within source files for each stack frame if symbolic information is available.
Network Summary
The Network Summary dialog box lists every TCP and UDP endpoint and port present in the filtered trace, along with the corresponding number of connects, disconnects, sends, and receives; the total number of these events; and the numbers of bytes sent and received. Clicking a column header sorts by the data in that column, and columns can be reordered by dragging the column headers. Double-clicking a row sets a Path rule in the filter for that endpoint and port. The Filter dialog box can be displayed by clicking the Filter button, and you can save the data to a CSV file.
The Cross Reference Summary
The Cross Reference Summary dialog box lists all paths displayed by the current filter that have been accessed by more than one process. Each row shows the path, the processes that have written to it, and the processes that have read from it. The columns can be sorted or reordered, and you can save the data to a CSV file. Double-clicking a row, or selecting the row and clicking the Filter On Row button, adds the selected path to the filter.
Process Tree
Pressing Ctrl+T or clicking the Process Tree toolbar button displays the Process Tree dialog box. The Process Tree dialog box displays all the processes that are referenced in the loaded trace in a hierarchy that reflects their parent-child relationships. You can collapse or expand portions of the tree by clicking the plus (+) and minus (–) icons to the left of parent processes in the tree, or selecting those nodes and pressing the left and right arrow keys. Processes that are aligned along the left side of the window have parent processes that have not generated any events in the trace.
The Life Time column shows the timeline of the process relative to the trace or to the boot session, depending on whether the Timelines Cover Displayed Events Only option is selected. With the option selected, a green bar going from edge to edge indicates that the process was running at the time the trace started and was still running when the trace ended. A green bar that begins further to the right indicates the process’ relative start time after the trace had begun. A darker green bar indicates a process that exited during the trace, with its extent indicating when during the trace it exited. If the Timelines Cover Displayed Events Only option is not selected, the graphs indicate the process’ lifetimes relative to the boot session: a green bar closer to the left edge of the column indicates a process that has been running since system startup or that began shortly after.
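The parent/child hierarchy the Process Tree dialog draws can also be rebuilt from a trace saved as CSV, which is handy when the trace was taken on another machine or you want to script the check. The script below is an added example (not code from the original post or from Sysinternals); it assumes the Detail column of a "Process Create" event reads "PID: <n>, Command line: ...", and its sample rows are constructed for the example rather than captured:

```python
"""Rebuilding the Process Tree from a Process Monitor CSV export.

Added example; not code from the original post. The Process Tree dialog
draws parent/child relationships for every process referenced in a trace.
The same lineage can be recovered from a saved trace because each
"Process Create" event is logged in the context of the parent (its PID
column) and names the new child in its Detail column. Assumption: the
Detail text has the form "PID: <n>, Command line: ..."; the rows in
SAMPLE_CSV are constructed for this example, not taken from a real trace.
"""
import csv
import io
import ntpath
import re

# Constructed sample export (not a real trace); backslashes are literal.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:00:01.0","explorer.exe","1588","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2200, Command line: C:\Windows\System32\cmd.exe"
"09:00:02.0","cmd.exe","2200","Process Create","C:\Windows\System32\ping.exe","SUCCESS","PID: 2404, Command line: ping -n 1 fileserver"
"09:00:03.0","services.exe","640","Process Create","C:\Windows\System32\svchost.exe","SUCCESS","PID: 912, Command line: svchost.exe -k netsvcs"
"09:00:04.0","ping.exe","2404","Process Exit","","SUCCESS","Exit Status: 0"
'''

# Assumed layout of the Detail column for Process Create events
DETAIL_PID = re.compile(r"PID:\s*(\d+)")


def load_events(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def build_tree(events):
    """Return (children, names).

    children maps a parent PID to the PIDs it created, in trace order;
    names maps every PID seen in the trace to its image name.
    """
    children, names = {}, {}
    for e in events:
        names.setdefault(e["PID"], e["Process Name"])
        if e["Operation"] != "Process Create":
            continue
        match = DETAIL_PID.search(e["Detail"])
        if not match:
            continue
        child = match.group(1)
        names[child] = ntpath.basename(e["Path"])  # Path is the child's image
        children.setdefault(e["PID"], []).append(child)
    return children, names


def roots(children):
    """Parents that were never created inside the trace.

    These are the processes the dialog aligns along the left edge: their
    own parent generated no events in the trace.
    """
    created = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in created]


def render(children, names, pid, depth=0, lines=None):
    """Indented text rendering of the subtree under pid, one line per process."""
    lines = [] if lines is None else lines
    lines.append("  " * depth + f"{names.get(pid, '?')} ({pid})")
    for child in children.get(pid, []):
        render(children, names, child, depth + 1, lines)
    return lines


def ancestry(children, pid):
    """PIDs from the trace root down to pid, the chain you would read off the tree."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


EVENTS = load_events(SAMPLE_CSV)

if __name__ == "__main__":
    children, names = build_tree(EVENTS)
    for root in roots(children):
        print("\n".join(render(children, names, root)))
    print(" -> ".join(names[p] for p in ancestry(children, "2404")))
```

roots() reproduces the rule stated above: a process drawn at the left edge is one whose parent generated no events in the trace. ancestry() gives the same chain you would read by walking up the tree, which is the usual first check when a process name in a trace looks out of place for its parent.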
Counting occurrences
It displays the unique values seen in a trace for the attribute type you specify along with the number of times in the trace an event contained the value.
Counting occurrences is a very useful feature for creating filters.
It can be accessed from the Tools menu as shown below
Select the column name whose values you want to count
Click Count
- The total number of occurrences of each "Result" value will be shown
- Select any one and double-click it to create a filter for it. In this case I double-clicked the value "ACCESS DENIED"
- Now only events with the result "ACCESS DENIED" will be shown
- Similarly you can count values and create filters quickly using "Count Occurrences", which can be used to trace the cause of a problem in the system
- Counting the Company column can be used to quickly see which company's processes are generating the most events.
- Counting the Event Class column shows which type of event has occurred most, and you can create a filter based on any event class.
- Counting Process Name and creating a filter based on it is very helpful for seeing what that process did during the logging period
- Counting Result and creating a filter based on it is very helpful in troubleshooting
- Creating a filter based on the Result value can be helpful in troubleshooting ACCESS DENIED, SHARING VIOLATION, NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE, INVALID DEVICE REQUEST, NOT GRANTED, BAD NETWORK PATH and BAD NETWORK NAME results
- These result values waste system resources when they occur in huge numbers: BUFFER OVERFLOW, NAME COLLISION, BUFFER TOO SMALL, CANCELLED, NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE
Boot time activity logging
You can configure Procmon to begin logging system activity from a point very early in the boot process. This is the feature you need if you’re diagnosing issues that occur before, during, or in the absence of user logon, such as those involving boot-start device drivers, autostart services, the logon sequence itself, or shell initialization.
Process Monitor can log activity from a point very early in the boot process during the initialization of boot-start device drivers. Configure Process Monitor to log the next boot by selecting Enable Boot Logging from the Options menu. Process Monitor's driver will log activity at the next boot into a file in the %Windir% directory and will continue logging through the shutdown or until you run Process Monitor again. Thus, if you don't run Process Monitor during a boot session you will capture a trace of the entire boot to shutdown cycle.
- To do so, tick "Enable Boot Logging".
- Select as shown below.
- Click "OK".
- Reboot the system.
- Process Monitor will log all the activity of the boot process and continue to log activity after bootup.
- So the first thing you need to do after the reboot completes is to start Process Monitor. Starting Process Monitor will cause it to stop logging process activity.
- This message box will be shown. Click "Yes" and save the collected data to a file.
- After the file has been saved, Process Monitor will automatically open the saved data. This will show all the events that were logged during boot.
- You can analyse the collected data to find any problem that may be occurring during bootup.
One useful tool for analyzing the boot process is the Process Tree.
- The Process Tree will show you how the processes were started during boot.
- You can see that some processes started, ran for some time and then exited during the boot process.
- Some processes started and are still running in memory.
- The tree structure shows which parent process started each child process.
- You need to check whether there is any process which should not be running during the boot process. If you find one, you can stop it from starting using the Sysinternals Autoruns tool.
- The File Summary shows all of the files that were accessed during boot.
- See all the folders that were accessed during the boot process.
- The Registry Summary shows all the registry paths that were accessed during the boot process.
- See which paths were accessed most.
- The Network Summary shows the network events that occurred during the boot process.
Filtering Events
Include and Exclude Filters
You can specify event attributes such that Process Monitor will only display or exclude events with matching attribute values. All filters are non-destructive, meaning that they affect only which events Process Monitor displays, not the underlying event data.
When an event is selected the Include and Exclude sub-menus in the Event menu allows you to easily add one of the event's attributes to the configured Include or Exclude filters. For example, to only show events executed by a particular process name choose the Process Name entry from the Include submenu. You can also select multiple events and simultaneously configure an attribute filter for all of the unique values contained in the selected events. Process Monitor ORs together all the filters that are related to a particular attribute type and ANDs together filters of different attribute types. For example, if you specified process name include filters for Notepad.exe and Cmd.exe and a path include filter for C:\Windows, Process Monitor would only display events originating in either Notepad.exe or Cmd.exe that specify the C:\Windows directory.
More complex filtering options are available in the Filter dialog, which you open by selecting Filter from the Filter menu or by clicking on the Filter toolbar button. A filter entry consists of an attribute field (e.g. Authentication ID, Process Name, etc.), a comparison operation, an attribute value, and a filter type of either Include or Exclude. For convenience, Process Monitor will automatically populate the attribute value drop-down with values that are present in the loaded trace data, but you can enter arbitrary values. Checkboxes allow you to easily disable specific filter entries without having to delete them.
- "Reset Filter" will undo all the changes made by the user to the filter.
- These are the columns that you can see in Process Monitor.
- A filter can be created based on any column name.
Creating a filter which shows activity only by the process "QHWatchdog.exe"
- Click the "Filter" icon to create the filter.
- Select "Process Name".
- Select the logic operator.
- Enter the name of the process, "qhwatchdog.exe".
- Click "Add" to add the new filter. Click "Apply" to apply the filters.
- Now only activity by the process "qhwatchdog.exe" will be shown.
- You can create a filter quickly by right-clicking the process name and selecting "Include QHWatchdog.exe".
Removing a filter
- To remove the newly created filter, open the filter settings.
- Select and remove the filter you created.
Creating a filter based on the Operation column
- Right-click on the Operation of a process event.
- Click Include or Exclude to create the desired filter. Here I selected "Include RegQueryKey".
- Now only process activity with the operation "RegQueryKey" will be shown.
Creating a filter based on the Path column
- Right-click on the Path of a process event.
- Select "Edit Filter...".
- You may edit the filter before adding it.
- Filter edited.
- Click "Add" and "Apply".
- Now only those process events are shown which occurred on the path "D:\SOFTWARE".
Similarly you can create a filter based on any column name.
Logging all the activity of a process
You can log all the file, process, registry and network events of an application.
The logged events of any application can be saved in a file.
- Start Process Monitor.
- Run an application and do whatever you want to monitor.
- Stop capturing events (Ctrl+E).
- Right-click the process and select "Include ...". In this case, CCleaner64.exe.
- Now only the events by CCleaner64.exe will be shown.
- The Process Activity Summary shows a summary of the various events by CCleaner64.exe.
- You can check the File Summary, Registry Summary, Network Summary and Stack Summary.
- The File Summary shows all the files accessed by CCleaner64.exe.
- Similarly you can see the registry keys accessed by it.
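The three operations used throughout this post, Count Occurrences, Include/Exclude filters, and the per-process File Summary, can all be reproduced on a saved trace in a few lines, which is useful when someone sends you a log to analyse. The following Python script is an added example, not code from the post or from Process Monitor. It assumes the default column set of a Procmon CSV export and derives an Event Class column from the operation name (an approximation, since the default export does not include that column); the filter logic follows the semantics described in the Filtering Events section (include rules on the same column are ORed, include rules on different columns are ANDed, exclude rules drop matching events). The process names match the ones in the post; the paths, PIDs, user name, registry keys and IP address in the sample are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export; the column set is Procmon's default.
# Process names follow the ones used in the post (CCleaner64.exe, qhwatchdog.exe);
# the paths, PIDs, user name, registry keys and addresses are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000001 AM","CCleaner64.exe","4100","CreateFile","C:\Users\alice\AppData\Local\Temp\cc.log","SUCCESS","Desired Access: Generic Write"
"10:15:01.0000002 AM","CCleaner64.exe","4100","WriteFile","C:\Users\alice\AppData\Local\Temp\cc.log","SUCCESS","Offset: 0, Length: 512"
"10:15:01.0000003 AM","CCleaner64.exe","4100","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write"
"10:15:01.0000004 AM","CCleaner64.exe","4100","RegOpenKey","HKCU\Software\ExampleVendor\CCleaner","SUCCESS","Desired Access: Read"
"10:15:01.0000005 AM","CCleaner64.exe","4100","RegQueryValue","HKCU\Software\ExampleVendor\CCleaner\Language","NAME NOT FOUND","Length: 144"
"10:15:01.0000006 AM","qhwatchdog.exe","2200","RegQueryKey","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip","SUCCESS","Query: Name"
"10:15:01.0000007 AM","qhwatchdog.exe","2200","CreateFile","D:\SOFTWARE\update.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:15:01.0000008 AM","svchost.exe","900","TCP Send","host:49152 -> 10.0.0.5:443","SUCCESS","Length: 60"
"10:15:01.0000009 AM","CCleaner64.exe","4100","CloseFile","C:\Users\alice\AppData\Local\Temp\cc.log","SUCCESS",""
'''

PROCESS_OPS = {"Process Create", "Process Start", "Process Exit",
               "Thread Create", "Thread Exit", "Load Image"}


def event_class(operation):
    """Approximate Procmon's Event Class column from the Operation name
    (the default CSV export does not include Event Class)."""
    if operation.startswith("Reg"):
        return "Registry"
    if operation.startswith(("TCP ", "UDP ")):
        return "Network"
    if operation in PROCESS_OPS:
        return "Process"
    return "File System"


def load_events(text):
    """Parse the CSV export and add a derived Event Class column to each row."""
    events = list(csv.DictReader(io.StringIO(text)))
    for ev in events:
        ev["Event Class"] = event_class(ev["Operation"])
    return events


def count_occurrences(events, column):
    """Tools > Count Occurrences: unique values of a column with their event counts."""
    return Counter(ev[column] for ev in events)


# Comparison operators offered by the Filter dialog (case-insensitive, as in Procmon).
OPERATORS = {
    "is": lambda v, x: v.lower() == x.lower(),
    "is not": lambda v, x: v.lower() != x.lower(),
    "contains": lambda v, x: x.lower() in v.lower(),
    "begins with": lambda v, x: v.lower().startswith(x.lower()),
    "ends with": lambda v, x: v.lower().endswith(x.lower()),
}


def apply_filters(events, rules):
    """Apply Include/Exclude rules with Procmon's combination semantics.

    rules: list of (column, operator, value, "Include" | "Exclude").
    Exclude rules drop any matching event. Include rules on the same column are
    ORed together; include rules on different columns are ANDed. A column with
    no include rule accepts every value.
    """
    def matches(ev, rule):
        column, op, value, _ = rule
        return OPERATORS[op](ev[column], value)

    excludes = [r for r in rules if r[3] == "Exclude"]
    includes = [r for r in rules if r[3] == "Include"]
    include_columns = {r[0] for r in includes}

    kept = []
    for ev in events:
        if any(matches(ev, r) for r in excludes):
            continue
        if all(any(matches(ev, r) for r in includes if r[0] == col)
               for col in include_columns):
            kept.append(ev)
    return kept


def file_summary(events, process_name):
    """Tools > File Summary restricted to one process: paths touched, with event counts."""
    rules = [("Process Name", "is", process_name, "Include"),
             ("Event Class", "is", "File System", "Include")]
    return Counter(ev["Path"] for ev in apply_filters(events, rules))


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(count_occurrences(events, "Result"))
    denied = apply_filters(events, [("Result", "is", "ACCESS DENIED", "Include")])
    for ev in denied:
        print(ev["Process Name"], ev["Operation"], ev["Path"])
    print(file_summary(events, "CCleaner64.exe"))
```

Counting the Result column on the sample gives the same breakdown the Count Occurrences dialog would show, and the two Process Name include rules combined with a Path rule illustrate the OR-within-a-column, AND-across-columns behaviour: only the CCleaner64.exe event under C:\Windows survives, because the qhwatchdog.exe events match the process rule but not the path rule.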