Guide | How To Using Sysinternals Process Monitor to troubleshoot problems in Windows

The associated guide may contain user-generated or external content.

viktik

Level 25
Thread author
Verified
Well-known
Sep 17, 2013
1,492
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Overview of Process Monitor Capabilities
Process Monitor includes powerful monitoring and filtering capabilities, including:

  • More data captured for operation input and output parameters
  • Non-destructive filters allow you to set filters without losing data
  • Capture of thread stacks for each operation make it possible in many cases to identify the root cause of an operation
  • Reliable capture of process details, including image path, command line, user and session ID
  • Configurable and moveable columns for any event property
  • Filters can be set for any data field, including fields not configured as columns
  • Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
  • Process tree tool shows relationship of all processes referenced in a trace
  • Native log format preserves all data for loading in a different Process Monitor instance
  • Process tooltip for easy viewing of process image information
  • Detail tooltip allows convenient access to formatted data that doesn't fit in the column
  • Cancellable search
  • Boot time logging of all operations
The best way to become familiar with Process Monitor's features is to read through the help file and then visit each of its menu items and options on a live system.



Official link : https://technet.microsoft.com/en-us/library/bb896645.aspx
Online ebook : https://books.google.co.in/books?id=0KZCAwAAQBAJ&printsec=frontcover
Video tutorial :
  1. http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor
  2. http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor
  3. http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL304
  4. http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WCL301
  5. http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/WCA-B306
  6. http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B354



Because it loads a kernel driver, Procmon requires administrative rights to capture events,
including the Load and Unload Device Drivers privilege. When you launch Process Monitor it immediately starts monitoring three classes of operation: file system, Registry and process.

It is a very powerful tool which can very useful in logging process activities. Logging the file, process, registry and network events of an application can reveal detailed information of what the process is doing in the system.

The logged events can be used to troubleshoot problems in that application which is showing signs of
  1. Not working properly
  2. Hanging
  3. Crashing
  4. Running sluggishly
  5. Conflicting with other processes
  6. Using too much cpu, hard disk and other resources
All the process monitor does is shows all types of events that has occurred. It up to the user to find out what is causing the problem. He has to find what should not be happening and what is not expected to occur. Then try to solve the problem.

The saved data can be sent to someone else who can analyze it to detect the problem with that application.

Even if applications in your system seems to run normally, logging their activities and checking the logged data can reveal problems that are not noticeable by you.

Process monitor is one of the many tools provided by Sysinternals. You can use other tools provided by sysinternals along with process monitor to monitor processes running in the system.

Sysinternal Suite : https://technet.microsoft.com/en-us/sysinternals/bb842062


Capturing events

You can click "capture" icon to start or stop capturing events. Capture data for few minutes. Then stop the capture to analyze it.
The logged data generated in few minutes by process monitor can become huge in size . So never let it capture for a long among of time, otherwise it will eat up all the RAM.

PROCESS MONITOR 3 SCREENSHOT_24-04-2015_03-27-05.jpg


You can click "clear" to clear all the cached data.

PROCESS MONITOR 3 SCREENSHOT_24-04-2015_03-26-54.jpg




Saving the captured trace files

  • To save all the events that has been captured select "All events"
  • Set path and select the format
  • Click "OK"

1993250.jpg


  • To save only the filtered events select "Events displayed using current filter"
  • Set path and select the format
  • Click "OK"


1993249.jpg




Columns

You can select the columns which will be shown by process explorer

  • One way to do it by menu options->Select columns

1993233.jpg


  • Another way to do it by right clicking on columns and selecting "Select columns" as shown below

1993234.jpg

  • Tick the column name to show it in process monitor window

1992861.jpg


Various types of columns

Application Details
  • Process Name : The name of the process in which an event occurred.

  • Image Path : The full path of the image running in a process.

  • Command Line : The command line used to launch a process.

  • Company Name : The text of the company name version string embedded in a process image file. This text is optionally defined by the application developer.

  • Description : The text of the product description string embedded in a process image file. This text is optionally defined by the application developer.

  • Version : The product version number embedded in a process image file. This information is optionally specified by the application developer.
Event Details
  • Sequence Number : The relative position of the operation with respect to all events included in the current filter.

  • Event Class : The class (File, Registry, Process) of the event.

  • Operation : The specific event operation (e.g. Read, RegQueryValue, etc.).

  • Date & Time : Both the date and the time of an operation.

  • Time of Day : Only the time of an operation.

  • Path : The path of the resource that an event references.

  • Detail : Additional information specific to an event.

  • Result : The status code of a completed operation.

  • Relative Time : The time of the operation relative to Process Monitor's start time or the last time that the Process Monitor display was cleared.

  • Duration : The duration of an operation that has completed.
Process Management
  • User Name : The name of the user account in which the process that performed an operation is executing.

  • Session ID : The Windows session in which the process that executed an operation is executing.

  • Authentication ID : The logon session in which the process that executed an operation is executing.

  • Process ID : The Process ID (PID) of the process that executed an operation.

  • Thread ID : The Thread ID (TID) of the thread that executed an operation.

  • Integrity Level : The integrity level at which the process that executed an operation is running (Windows Vista only).

  • Virtualized : The virtualization status of the process that executed an operation (Windows Vista only).



Types of events Procmon captures


Registry : Registry operations, such as creating, enumerating, querying, and deleting
keys and values.

File System : Operations on local storage and remote file systems, including file systems or devices added while Procmon was running.

Network : UDP and TCP- network activity, including source and destination addresses (but not the actual data that was transmitted or received). Procmon can be configured to resolve network addresses to network names, or just show the IP addresses. The option to Show Resolved Network Addresses is on
the Options menu. You can also toggle it by pressing Ctrl+N.

Process : Process and thread events such as process creation by a parent process, process start, thread create, thread exit, process exit, and the loading of executable images and data files into the process’ address space. (Note that Procmon does not log the unloading of these images.)

Profiling : Generates and logs an event for every process and thread on the system, capturing the kernel and user time charged, memory use, and context switches since the previous profiling event. Process profiling events are always captured. By default, thread profiling events are not captured. Debug output profiling, described later, also falls under this event type.




Operations column

Operation column show what type of operation is being done on specified path by the process

Get online help for what that operation means. You won't get exact wording match on online reference file.

Process & thread operations : https://msdn.microsoft.com/en-us/library/windows/desktop/ms684847(v=vs.85).aspx
File opeartions : https://msdn.microsoft.com/en-us/library/windows/desktop/aa364232(v=vs.85).aspx
Registry operations : https://msdn.microsoft.com/en-us/library/windows/desktop/ms724875(v=vs.85).aspx
network operations : https://msdn.microsoft.com/en-us/library/windows/desktop/ms741394(v=vs.85).aspx





Types of results


Result column shows the status code of a completed operation

Full list of NTSTATUS return values/code : https://msdn.microsoft.com/en-in/library/cc704588.aspx


Common result value/code

SUCCESS
The operation succeeded.

BUFFER_OVERFLOW
occurs when a program requests variable-length information, such as data from a registry value, but doesn’t provide a large enough buffer to receive the information because it doesn’t know the actual data size in advance. The system will tell the program how large a buffer is required and might copy as much data as it can into the buffer, but it will not actually overflow the buffer. One typical coding pattern is that after a BUFFER OVERLOW result is received, the program then allocates a large enough buffer and requests the same data again—this time resulting in SUCCESS.

ACCESS DENIED
The operation failed because the security descriptor on the object does not grant the rights to the caller that the caller requested. The failure might also be the result of a file being marked as read-only. This result code is frequently a red flag when troubleshooting.

SHARING VIOLATION
The operation failed because the object is already opened and does not allow the sharing mode that the caller requested.

NAME COLLISION
The caller tried to create an object that already exists.

NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE
The caller tried to open an object that doesn’t exist. One scenario in which these result codes can arise is when a DLL load routine looks in various directories as part of the DLL search process.

NAME INVALID
The caller requested an object with an invalid name—for example, C:\Windows\”regedit.exe”.

NO MORE ENTRIES, NO MORE FILES
The caller has finished enumerating the contents of a folder or registry key.

END OF FILE
The caller has read to the end of a file.

BUFFER TOO SMALL
Essentially the same as BUFFER OVERFLOW. It’s rarely significant when troubleshooting.

REPARSE
The caller has requested an object that links to another object. For example, HKLM\System \CurrentControlSet might redirect to HKLM\System\ControlSet001.

NOT REPARSE POINT
The requested object does not link to another object.

FAST IO DISALLOWED

Indicates that a low-level optimized mechanism is not available for the requested file system object. It’s rarely significant in troubleshooting.

FILE LOCKED WITH ONLY READERS
Indicates that a file or file mapping was locked and that all users of the file can only read from it.

FILE LOCKED WITH WRITERS
Indicates that a file or file mapping was locked and that at least one user of the file can write to it.

IS DIRECTORY
The requested object is a file system folder.

INVALID DEVICE REQUEST
The specified request is not a valid operation for the target device.


INVALID PARAMETER
An invalid parameter was passed to a service or function.

NOT GRANTED
A requested file lock cannot be granted because of other existing locks.

CANCELLED
An I/O request was canceled—for example, the monitoring of a file system folder for changes.

BAD NETWORK PATH
The network path cannot be located.

BAD NETWORK NAME
The specified share name cannot be found on the remote server.

MEDIA WRITE PROTECTED
The disk cannot be written to because it is write-protected.

KEY DELETED
Illegal operation attempted on a registry key that has been marked for deletion.

NOT IMPLEMENTED
The requested operation is not implemented.




Event Properties

You can access the properties for an individual event by double-clicking on the event, or by selecting the Properties menu item from the Event menu or the context menu when you right-click on an event. The Event Properties dialog consists of the Event, Process and Stack pages. You can move to the next or preceding displayed or highlighted event with the arrow buttons at the bottom of the Event Properties dialog.

1992842.jpg



1992843.jpg



1992844.jpg



1992845.jpg


Process Activity summary


PROCESS MONITOR 3 SCREENSHOT_24-04-2015_04-10-27.jpg



The Process Activity Summary dialog box displays a table listing every process for which data was captured with the current filter applied. Each row in the table shows the process name and PID, a CPU usage graph, the numbers of file, registry and network events, the commit peak and the working set peak, and graphs showing these and other numbers changing over the timeline of the process. You can save all the text information to a CSV file by clicking the Save button.


PROCESS MONITOR 3 SCREENSHOT_24-04-2015_04-17-27.jpg



File summary

The File Summary dialog box aggregates information about every file and folder operation displayed by the current filter, and it groups the results on separate tabs by path, by folder, and by file extension. For each unique file system path, the dialog box displays how much total time was spent performing I/O to the file; the number of opens, closes, reads, writes, Get ACL, Set ACL and other operations; the total number of operations performed; and the number of bytes read from and written to the file.


1992823.jpg


Registry summary

The Registry Summary dialog box lists every registry path referenced by registry operations in a table, along with how much total time was spent performing I/O to the key; the number of opens, closes, reads, writes, and other operations; and the sum total of these. Clicking on a column header sorts by the data in that column, and columns can be reordered by dragging the column headers. Double-clicking a row adds a Path rule for the registry path in that row to the current filter. The Filter dialog box can be displayed by clicking the Filter button, and you can save the data to a CSV file.

  • As you can see the highest number of registry events has occurred on path "HKCU\software\FolderProtect\Pwdprompt". Again software "Folder protect" is causing too much registry events which is not expected from it. Uninstalling this software will free the system resources for other software's.
PROCESS MONITOR 3 SCREENSHOT_24-04-2015_05-07-50.jpg


Stack Summary


The Stack Summary dialog box takes all the stack traces for each Procmontraceable event, identifies the commonalities and divergences in them, and renders them as expandable trees. For each frame within a call stack, you can see how many times its execution resulted in a Procmon-traceable event, the cumulative amount of time spent in the Procmon-captured operations, the name and path of the module, and the absolute offset within it. The Stack Summary also shows function names and the path to and line number within source files for each stack frame if symbolic information is available.

PROCESS MONITOR 3 SCREENSHOT_24-04-2015_05-24-32.jpg


Network Summary

The Network Summary dialog box lists every TCP and UDP endpoint and port present in the filtered trace, along with the corresponding number of connects, disconnects, sends, and receives; the total number of these events; and the numbers of bytes sent and received. Clicking a column header sorts by the data in that column, and columns can be reordered by dragging the column headers. Double-clicking a row sets a Path rule in the filter for that endpoint and port. The Filter dialog box can be displayed by clicking the Filter button, and you can save the data to a CSV file.

PROCESS MONITOR 3 SCREENSHOT_24-04-2015_05-27-53.jpg


The Cross Reference Summary
The Cross Reference Summary dialog box lists all paths displayed by the current filter that have been accessed by more than one process. Each row shows the path, the processes that have written to it, and the processes that have read from it. The columns can be sorted or reordered, and you can save the data to a CSV file. Double-clicking a row, or selecting the row and clicking the Filter On Row button, adds the selected path to the filter.

PROCESS MONITOR 3 SCREENSHOT_24-04-2015_05-34-05.jpg


Process Tree


Pressing Ctrl+T or clicking the Process Tree toolbar button displays the Process Tree dialog box. The Process Tree dialog box displays all the processes that are referenced in the loaded trace in a hierarchy that reflects their parent-child relationships. You can collapse or expand portions of the tree by clicking the plus (+) and minus (–) icons to the left of parent processes in the tree, or selecting those nodes and pressing the left and right arrow keys. Processes that are aligned along the left side of the window have parent processes that have not generated any events in the trace.

The Life Time column shows the timeline of the process relative to the trace or to the boot session, depending on whether the Timelines Cover Displayed Events Only option is selected. With the option selected, a green bar going from edge to edge indicates that the process was running at the time the trace started and was still running when the trace ended. A green bar that begins further to the right indicates the process’ relative start time after the trace had begun. A darker green bar indicates a process that exited during the trace, with its extent indicating when during the trace it exited. If the Timelines Cover Displayed Events Only option is not selected, the graphs indicate the process’ lifetimes relative to the boot session: a green bar closer to the left edge of the column indicates a process that has been running since system startup or that began shortly after.

PROCESS MONITOR 3 SCREENSHOT_24-04-2015_05-36-07.jpg



PROCESS MONITOR 3 SCREENSHOT_24-04-2015_05-37-26.jpg


Counting occurrences


It displays the unique values seen in a trace for the attribute type you specify along with the number of times in the trace an event contained the value.

Counting occurrences is a very useful feature in creating filter.

It can be acceded from Tool menu as shown below

1992950.jpg


Select the column name which you want to count

1992951.jpg


Click Count

1992952.jpg

  • Total number of each "Result" types that have occurred will be shown
  • Select any one and double click to create a filter for it. In this case i double clicked on value "ACCESS DENIED"

1992953.jpg


  • Now only events with result "ACCESS DENIED" will be shown

1992954.jpg


  • Similarly you can count and create filter quickly using "count occurrences", which can be used to trace the cause of problem in the system
  • Columns company can be used to quickly know process by which company is generating more events.

1993242.jpg


  • event class can be used know which type of event has occurred most and create filter based on any event class.
1993243.jpg


1993244.jpg



  • Counting process name and creating filter based on it is very helpful in knowing what that process has done during the logging

1993247.jpg


  • Counting result and creating filter based on it is very helpful is troubleshooting
  • Creating filter based on result value can be helpful in troubleshooting "NAME NOT FOUND", "ACCESS DENIED", "SHARING VIOLATION", NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE, INVALID DEVICE REQUEST , NOT GRANTED, BAD NETWORK PATH, BAD NETWORK NAME
  • These result values causes waste on system resources when it occurs in huge number : BUFFER_OVERFLOW, NAME COLLISION, BUFFER TOO SMALL , CANCELLED, NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE,

1993248.jpg




Boot time activity logging


You can configure Procmon to begin logging system activity from a point very early in the boot process. This is the feature you need if you’re diagnosing issues that occur before, during, or in the absence of user logon, such as those involving boot-start device drivers, autostart services, the logon sequence itself, or shell initialization.

Process Monitor can log activity from a point very early in the boot process during the initialization of boot-start device drivers. Configure Process Monitor to log the next boot by selecting Enable Boot Logging from the Options menu. Process Monitor's driver will log activity at the next boot into a file in the %Windir% directory and will continue logging through the shutdown or until you run Process Monitor again. Thus, if you don't run Process Monitor during a boot session you will capture a trace of the entire boot to shutdown cycle.

  • To do so tick "Enable Boot Logging"


1992813.jpg


  • Select as shown below
  • click "OK" .
  • Reboot the system

1992814.jpg



  • process monitor will log all the activity of boot process and continue to log activities after bootup.
  • So the first thing you need to do after the reboot completes is to start process monitor. Starting process monitor will cause it to stop logging process activities.
  • This message box will be shown. Click "yes" and save the collected data in a file.


1992815.jpg


  • After the files have been saved process monitor will automatically open the saved data. This will show all the collected events that has been logged during boot.
  • You can analyse the collected data to find the problem that may be occurring during bootup

1992818.jpg


One useful too in analyzing bootup process in the process tree
  • Process tree will show you how the processes got started during boot.
  • You can see that some process started, ran for some time and then exited during the boot process.
  • Some process stared and is still running in memory
  • The tree structure shows which parent process started the child process.
  • You need to check if their is any process which should not be running during boot process. If found you can stop it from starting using Sysinternals Autorun software.

1992816.jpg


1992817.jpg


  • file summary shows all of the files that were acceded during boot.

1992823.jpg


  • See all the folders that has been acceded during boot process

1992824.jpg



1992825.jpg


  • Registry summary show all the registry paths that has been accessed during boot process
  • See which paths was accessed most.

1992826.jpg


  • network summary shows the network events that occurred during boot process.

1992827.jpg




Filtering Events

Include and Exclude Filters
You can specify event attributes such that Process Monitor will only display or exclude events with matching attribute values. All filters are non-destructive, meaning that they affect only which events Process Monitor displays, not the underlying event data.

When an event is selected the Include and Exclude sub-menus in the Event menu allows you to easily add one of the event's attributes to the configured Include or Exclude filters. For example, to only show events executed by a particular process name choose the Process Name entry from the Include submenu. You can also select multiple events and simultaneously configure an attribute filter for all of the unique values contained in the selected events. Process Monitor ORs together all the filters that are related to a particular attribute type and ANDs together filters of different attribute types. For example, if you specified process name include filters for Notepad.exe and Cmd.exe and a path include filter for C:\Windows, Process Monitor would only display events originating in either Notepad.exe or Cmd.exe that specify the C:\Windows directory.

More complex filtering options are available in the Filter dialog, which you open by selecting Filter from the Filter menu or by clicking on the Filter toolbar button. A filter entry consists of an attribute field (e.g. Authentication ID, Process Name, etc.), a comparison operation, an attribute value, and a filter type of either Include or Exclude. For convenience, Process Monitor will automatically populate the attribute value drop-down with values that are present in the loaded trace data, but you can enter arbitrary values. Checkboxes allow you to easily disable specific filter entries without having to delete them.

  • "reset filter" will reset all the changes done by the user in the filter

1992860.jpg


  • These are the columns that you can see in process monitor.
  • Filter can be created based on the column name

1992861.jpg



Creating filter which shows activity by only process "QHWatchdong.exe"

  • Click "Filter" icon to create the filter

1992847.jpg


  • Select "process name"

1992848.jpg


  • select the logic operator

1992849.jpg


  • Enter name of the process "qhwatchdog.exe"
  • Click "Add" to add the new filter. Click "Apply" to apply the filters.

1992852.jpg


  • Now only activity by process name "qhwatchdog.exe" will be shown

1992851.jpg


  • You can create filter fast by right clicking the process name and selecting the "include QHWatchdog.exe ".

1992850.jpg


Removing filter
  • To remove the newly created filter, open the filter setting.
  • Select and remove the filter created by you

1992853.jpg


Create filter based on Operations column

  • Right click on the Operation of an process.
  • Click on Include or exclude to create the desired filter. here i selected "Include RegQuerykey".

1992854.jpg


  • Now only process activity with operation "RegQuerykey" will be shown.

1992855.jpg




Creating filter based on path column

  • Right click on the Path of an process event
  • Select "Edit filter..."

1992856.jpg

  • you may edit the filter before adding it

1992857.jpg


  • Filter edited.
  • Click "Add" and "apply"

1992858.jpg


  • Now only those process events are shown which occurred on path "D:\SOFTWARE"

1992859.jpg


Similarly you can create filter based on any column name.



Logging all the activity of a process

You can log all the file, process, registry and network events of an application.

The logged events of any application can be saved in a file.


  • Start process monitor.
  • Run an application and do anything that you want to monitor.
  • Stop capturing Events ( Ctrl+E )
  • Right click the process and select "include ....". In this case the CCleaneer64.exe .


1992867.jpg


  • Now only the events by CCleaner64.exe will be shown

1992868.jpg


  • Process activity summary show the summary of various events by the CCleaner64.exe

1992869.jpg


  • You can check the File summary, registry summary, network and stack summary
  • File summary showing all the file accessed by CClener64.exe
  • Similarly you can see the registry keys accessed by it.

1992870.jpg
 

Attachments

  • PROCESS MONITOR 3 SCREENSHOT_24-04-2015_04-17-35.jpg
    PROCESS MONITOR 3 SCREENSHOT_24-04-2015_04-17-35.jpg
    222.6 KB · Views: 1,361
  • PROCESS MONITOR 3 SCREENSHOT_24-04-2015_04-17-52.jpg
    PROCESS MONITOR 3 SCREENSHOT_24-04-2015_04-17-52.jpg
    231.1 KB · Views: 1,257
  • PROCESS MONITOR 3 SCREENSHOT_24-04-2015_04-24-12.jpg
    PROCESS MONITOR 3 SCREENSHOT_24-04-2015_04-24-12.jpg
    81.8 KB · Views: 1,118
Last edited:

viktik

Level 25
Thread author
Verified
Well-known
Sep 17, 2013
1,492
Logging Shutdown

You can log all the activity of running processes during shutdown using process monitor.
It can be used to check whether the shutdown is happening properly or not.

To do this by just using process monitor you will have to log the bootup procedure. then reboot the system while process monitor is still logging. thus log the shutdown procedure as well.
  • start process monitor.
  • Tick "Enable Boot Logging"

1992813.jpg


  • Select as shown below
  • click "OK" .
1992814.jpg


  • Reboot the system. Don't run any other program. Let it reboot completely. The booting events will be logged and process monitor will continue to log all activities.
  • Reboot the system again. This time process monitor will log the shutdown events.
  • After system starts, run process monitor.
  • This message box will be shown. Click "yes" and save the collected data.


1992815.jpg


  • process monitor will automatically open the saved file.
  • The saved file has logged the both the bootup and shutdown events.


Another better way to log shutdown events is by using process monitor and PsExec.exe (command-line utility by sysinternals)

PsExec : https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

In this case both the procmon.exe & Psexec.exe is stored in path "C:\temp\sysinternals"

To log the shutdown events
  • Run CMD.exe as Administrator
  • Run PsExec command "C:\temp\sysinternals\PsExec -s -d C:\temp\sysinternals\Procmon.exe /AcceptEula /Quiet /BackingFile C:\Procmon.pml" . PsExec will run the procmon.exe and save the logged events in C:\procmon.pml file. The moment this command is executed successfully the process monitor will start logging events until complete shutdown occurs.
  • So shutdown the system to log the shutdown events

1992937.jpg


  • Start the system
  • Run process monitor
  • Open the saved file. In this case from location "C:\procmon.pml"
  • You can see all the logged events during shutdown using process monitor.
Process tree showing life time of processes during shutdown.
1992938.jpg


  • User installed processes closing early shown in dark green color, which is expected from it.
  • Processes by microsoft are running to the end of shutdown which is expected

1992939.jpg


  • You may tick "only show processes still running at end of current trace" to see which processes continued running to the end of shutdown
  • Its good that antivirus like "360 Total security" and "Comodo internet security" is running till the end of shutdown. This is good for keeping the computer safe from malwares.

1992941.jpg



Troubleshooting slow bootup

Using process monitor you can log all the process activities during bootup.
Analyzing the logged files you can find out what is causing slow boot.

If you found out which application or is causing slow boot then you can takeone of following measures to rectify the problem

  • You can try to do settings in that application which would solve the problem.
  • You can remove the autorun entry of faulty applications and dll files which are causing problem. Make sure you do not remove a critical autorun entry which is required to correctly boot the system.
  • You can uninstall the application which is causing the problem if you don't need it

  • Log the bootup events using process monitor
  • Open the saved file

Using process tree
  • Open process tree window
  • Expand the life time column

Parent process is responsible for starting all of it child process. If it has to start multiple child process and one of the child process is taking long time to start , then it will cause delayed start of other child process.

  • process "system" with PID 4 is the parent process for "smss" with PID 392
  • proces "smss" with PID 392 is parent process of the child processes "autochk" with PID 412, "smss" with PID 560 and one more "smss" with PID 628
  • Similarly process"smss" with PID 560 is the parent process of the child processes "csrss" with PID 568 and "wininit" with PID 636


1992892.jpg


  • Dlhost.exe has started with delay. Because of it igfxsrvs.exe & mobsync.exe also got delayed becasue it can only start after Dlhost.exe has started. This is not desired.
  • While other child processes of parent process "svchost" with PID 372 are starting smoothly. this is what bootup should look like.
1992963.jpg


  • Again process "igfxtray" got delayed start. It delayed the start of other child processes of parent process "explorer" with PID 2208.
  • Igfxtray started, ran for brief amount of time then exited. It is also not necessary or critical application. So it can be removed from bootup using sysinternals Autoruns.

1992964.jpg


Autoruns : https://technet.microsoft.com/en-in/sysinternals/bb963902.aspx

  • Start the Autorun as administrator
  • Find "IgfxTray.exe"
  • Untick the entry. Now this application will not load at bootup procedure.
  • caution : be very careful when disabling application from autorun entry. Make sure you disable only those ones which not necessary.

1992899.jpg



Using duration filter

One thing you can do is create a duration filter

1992972.jpg


  • Create a filter which will show events which took more than 1 second to complete as shown below

1992973.jpg


  • svchost.exe with PID 308 caused file event which took about 30 seconds each. the result was labled CANCELLED. it is complete waste of time. Since svchost.exe is Microsoft application and is critical in running windows OS, it must not be removed from bootup.
  • Searchindexer.exe is a search indexer service. It can be safely disabled from Windows services setting.
1992975.jpg


  • mbamservice.exe and autoupdate.exe ran for brief amount of time then exited.
  • Events by these processes took seconds to complete.
  • They are not very critical in bootup procedure. So they can be removed from bootup entry by using Autoruns.

1992976.jpg



1992977.jpg



Counting the occurrences of result

  • As you can see processes are generating events which are leading to results like "NAME NOT FOUND", "BUFFER OVERFLOW" whose counts is very significant to the count of "SUCCESS".
  • So applications are generating these events at bootup that is leading to waste of time and system resource. These events comprises of about 18% of result "SUCCESS". So about 18% of events generated by various processes during bootup ends up being complete waste.
  • Its all the fault of that software developer and its settings. You can't do much about it

1992986.jpg




Case of FoxitReader consuming computer resources

Troubleshooting with process monitor

I logged all the events for a duration of few minutes while running Foxit reader software

After monitoring the events i found out that pdf reader named "Foxit reader.exe" is generating a lot of file & registry events. For a pdf reader which has opened few pdf files , these high number of file and registry events compared to others is not good. It is consuming computer resources which could have been used by other processes.

1992833.jpg


  • Continuously generating File I/O operations & Registry operations

1992834.jpg


  • Foxitreader.exe is uselessly queries registry keys and files.

1992836.jpg


  • Foxitreader is doing too much registry query on something related to foxitCloudCheckEnable.
  • Reasons could be many. Its registry setting may have gone wrong. It may be missing some files.
  • You may update the software to newer version to see if solves the problem. You may reinstall the software. You may try to do settings that can solve this problem.
  • If everything fails the ultimate solution is to uninstall this software and replace with other pdf reader.
  • You may report the problems you find to the concerned software developer, so that they may solve the problem in next version.

1992838.jpg


1992837.jpg


  • Solution found : I installed the newer version of FoxitReader.
  • As you can see the file and registry events by Foxitreader.exe has reduced significantly.
1992839.jpg


  • :) All activity returns to normal.

1992840.jpg



Troubleshooting Qihu 360 total security 6


  • Capture the events for few minutes.
  • Stop capturing

1993471.jpg


  • Count occurrences of "result"
  • Double click "NAME NOT FOUND" to create a filter that will show only events that caused result "NAME NOT FOUND"

1993472.jpg


  • Open file summary window
  • As you can see below, "C:\windows\system32\lsm.exe" has been searched most
  • double click on it to create a filter which will show only events with path "C:\windows\system32\lsm.exe"

1993473.jpg


  • Count occurrences of "process name"
  • This shows that four processes has been searching for "C:\windows\system32\lsm.exe"
  • It means that these individual processes are not the culprit of this problem. The problem lies in some other file that has been loaded in each of these processes. We need to search it
  • Double click on "promptService64.exe" to create a filter
  • Do not close this window as we will require it later

1993474.jpg


  • Right click on "promptservice64.exe" and select "properties"

1993475.jpg

  • Goto stack tab. this is where you will find the files that is being executed by the processor.
  • All of the files are from Microsoft, except "360FsFlt.sys"

1993476.jpg


  • This driver belongs to company "Qihu 360 software"

1993477.jpg


  • Now to investigate process OCam.exe double click on it to create a filter

1993478.jpg


  • Right click on "ocam.exe" and select properties

1993479.jpg


  • Open stack tab
  • by searching all the files in execution, i found that all the files are from company Microsoft except "360AvFlt.sys"

1993480.jpg


  • 360Avflt.sys is a driver file by company 360.cn which belongs to Qihu 360

1993481.jpg


  • To investigate iexplore.exe double click on it to create a filter

1993482.jpg

  • right click on oexplore.exe and select "properties"


1993483.jpg


  • again 360FsFlt.sys is being executed in this process which belongs to company Qihu 360

1993484.jpg


  • So we have found the culprit causing the searching of file "C:\windows\system32\lsm.exe"
  • It is company Qihu 360 whose antivirus product 360 total security has been installed n the system.
  • I can;t do any setting in Qihu 360 total security to solve this problem
  • So the ultimate solution is to uninstall the Qihu 360 total security which in reality solved the problem
Here is a youtube demo of this troubleshooting

 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top