Using Sysinternals Process Monitor to troubleshoot problems in Windows
<blockquote data-quote="viktik" data-source="post: 377696" data-attributes="member: 12848"><p><em>Process Monitor</em> is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, <em>Filemon</em> and <em>Regmon</em>, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features make Process Monitor a core utility in any system troubleshooting and malware hunting toolkit.</p><p></p><p><span style="font-size: 15px"><strong>Overview of Process Monitor Capabilities</strong></span></p><p>Process Monitor includes powerful monitoring and filtering capabilities, including:</p><p></p><ul> <li data-xf-list-type="ul">More data captured for operation input and output parameters</li> <li data-xf-list-type="ul">Non-destructive filters allow you to set filters without losing data</li> <li data-xf-list-type="ul">Capture of thread stacks for each operation makes it possible in many cases to identify the root cause of an operation</li> <li data-xf-list-type="ul">Reliable capture of process details, including image path, command line, user and session ID</li> <li data-xf-list-type="ul">Configurable and moveable columns for any event property</li> <li data-xf-list-type="ul">Filters can be set for any data field, including fields not configured as columns</li> <li data-xf-list-type="ul">Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data</li> <li data-xf-list-type="ul">Process tree tool shows relationship of all processes referenced in a trace</li> <li data-xf-list-type="ul">Native log format preserves all data for loading in a different Process 
Monitor instance</li> <li data-xf-list-type="ul">Process tooltip for easy viewing of process image information</li> <li data-xf-list-type="ul">Detail tooltip allows convenient access to formatted data that doesn't fit in the column</li> <li data-xf-list-type="ul">Cancellable search</li> <li data-xf-list-type="ul">Boot time logging of all operations</li> </ul><p>The best way to become familiar with Process Monitor's features is to read through the help file and then visit each of its menu items and options on a live system.</p><p></p><p></p><p></p><p><span style="color: #b30000">Official link </span>: <a href="https://technet.microsoft.com/en-us/library/bb896645.aspx" target="_blank">https://technet.microsoft.com/en-us/library/bb896645.aspx</a></p><p><span style="color: #b30000">Online ebook</span> : <a href="https://books.google.co.in/books?id=0KZCAwAAQBAJ&printsec=frontcover" target="_blank">https://books.google.co.in/books?id=0KZCAwAAQBAJ&printsec=frontcover</a></p><p><span style="color: #b30000">Video tutorial </span>:</p><ol> <li data-xf-list-type="ol"><a href="http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor" target="_blank">http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor</a></li> <li data-xf-list-type="ol"><a href="http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor" target="_blank">http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor</a></li> <li data-xf-list-type="ol"><a href="http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL304" target="_blank">http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL304</a></li> <li data-xf-list-type="ol"><a href="http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WCL301" target="_blank">http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WCL301</a></li> <li data-xf-list-type="ol"><a href="http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/WCA-B306" 
target="_blank">http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/WCA-B306</a></li> <li data-xf-list-type="ol"><a href="http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B354" target="_blank">http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B354</a></li> </ol><p></p><p></p><p></p><p>Because it loads a kernel driver, Procmon requires administrative rights to capture events, including the Load and Unload Device Drivers privilege. When you launch Process Monitor it immediately starts capturing file system, Registry, network and process/thread activity; profiling events are off by default.</p><p></p><p>It is a very powerful tool for logging process activity. Logging the file, process, registry and network events of an application reveals in detail what the process is doing on the system.</p><p></p><p>The logged events can be used to troubleshoot an application that is</p><ol> <li data-xf-list-type="ol">Not working properly</li> <li data-xf-list-type="ol">Hanging</li> <li data-xf-list-type="ol">Crashing</li> <li data-xf-list-type="ol">Running sluggishly</li> <li data-xf-list-type="ol">Conflicting with other processes</li> <li data-xf-list-type="ol">Using too much CPU, disk or other resources</li> </ol><p>Process Monitor only records the events that occurred. It is up to you to work out which of them should not be happening, or are not what you expected, and then to fix the cause.</p><p></p><p>The saved trace can be sent to someone else, who can analyze it to find the problem with that application.</p><p></p><p>Even when applications seem to run normally, logging their activity and reviewing the trace can reveal problems you would not otherwise notice.</p><p></p><p>Process Monitor is one of the many tools provided by Sysinternals. 
You can use the other Sysinternals tools alongside Process Monitor to watch the processes running on the system.</p><p></p><p><span style="color: #b30059">Sysinternals Suite</span> : <a href="https://technet.microsoft.com/en-us/sysinternals/bb842062" target="_blank">https://technet.microsoft.com/en-us/sysinternals/bb842062</a></p><p></p><p></p><p><span style="color: #0059b3"><u>Capturing events</u></span></p><p></p><p>Click the "Capture" toolbar button (or press Ctrl+E) to start or stop capturing events. Capture for a few minutes while you reproduce the problem, then stop the capture and analyze it.</p><p>Process Monitor can produce an enormous volume of events in a few minutes, and by default it keeps them in virtual memory. Never let it capture unattended for a long time unless you have first switched it to a backing file on disk (File -> Backing Files...); otherwise it will exhaust memory.</p><p></p><p>[ATTACH=full]55479[/ATTACH]</p><p></p><p>Click "Clear" (or press Ctrl+X) to discard the events captured so far.</p><p></p><p>[ATTACH=full]55480[/ATTACH]</p><p></p><p></p><p></p><p><span style="color: #0059b3"><u>Saving the captured trace files</u></span></p><p></p><ul> <li data-xf-list-type="ul">To save every captured event, select "All events"</li> <li data-xf-list-type="ul">Set the path and select the format (PML, the native format, keeps everything and can be reopened in Process Monitor; CSV and XML are for other tools)</li> <li data-xf-list-type="ul">Click "OK"</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1993250.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /> </p><p></p><ul> <li data-xf-list-type="ul">To save only the events that pass the current filter, select "Events displayed using current filter"</li> <li data-xf-list-type="ul">Set the path and select the format</li> <li data-xf-list-type="ul">Click "OK"</li> </ul><p></p><p></p><p><img src="http://p1.pichost.me/i/74/1993249.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /> </p><p></p><p></p><p></p><p><span style="font-size: 18px"><u><span style="color: rgb(0, 89, 179)">Columns</span></u></span></p><p></p><p>[SPOILER="Columns"]</p><p></p><p>You can choose which columns Process Monitor displays</p><p></p><ul> <li data-xf-list-type="ul">One way is through the menu 
<strong>Options -> Select Columns</strong></li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1993233.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Another way is to right-click a column header and choose "Select Columns", as shown below</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1993234.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><ul> <li data-xf-list-type="ul">Tick a column name to show that column in the Process Monitor window</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1992861.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong><span style="color: #663300"><u>Various types of columns</u></span></strong></p><p></p><p>Application Details</p><ul> <li data-xf-list-type="ul"><span style="color: #5900b3">Process Name</span> : The name of the process in which an event occurred.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Image Path</span> : The full path of the image running in a process.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Command Line</span> : The command line used to launch a process.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Company Name</span> : The text of the company name version string embedded in a process image file. This text is optionally defined by the application developer.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Description</span> : The text of the product description string embedded in a process image file. This text is optionally defined by the application developer.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Version</span> : The product version number embedded in a process image file. 
This information is optionally specified by the application developer.</li> </ul><p>Event Details</p><ul> <li data-xf-list-type="ul"><span style="color: #5900b3">Sequence Number</span> : The relative position of the operation with respect to all events included in the current filter.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Event Class</span> : The class (File, Registry, Process) of the event.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Operation</span> : The specific event operation (e.g. Read, RegQueryValue, etc.).<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Date & Time</span> : Both the date and the time of an operation.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Time of Day</span> : Only the time of an operation.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Path</span> : The path of the resource that an event references.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Detail</span> : Additional information specific to an event.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Result</span> : The status code of a completed operation.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Relative Time</span> : The time of the operation relative to Process Monitor's start time or the last time that the Process Monitor display was cleared.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Duration</span> : The duration of an operation that has completed.</li> </ul><p>Process Management</p><ul> <li data-xf-list-type="ul"><span style="color: #5900b3">User Name</span> : The name of the user account in which the process that performed an operation is executing.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Session ID</span> : The Windows session in which the process that executed an 
operation is executing.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Authentication ID</span> : The logon session in which the process that executed an operation is executing.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Process ID</span> : The Process ID (PID) of the process that executed an operation.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Thread ID</span> : The Thread ID (TID) of the thread that executed an operation.<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Integrity Level</span> : The integrity level at which the process that executed an operation is running (Windows Vista and later).<br /> <br /> </li> <li data-xf-list-type="ul"><span style="color: #5900b3">Virtualized </span> : The virtualization status of the process that executed an operation (Windows Vista and later).</li> </ul><p>[/SPOILER]</p><p></p><p></p><p><span style="font-size: 18px"></span></p><p><span style="font-size: 18px"><span style="color: #0059b3"><strong><u>Types of events Procmon captures</u></strong></span></span></p><p></p><p><span style="color: #006633"><strong>Registry</strong></span> : Registry operations, such as creating, enumerating, querying, and deleting keys and values.</p><p></p><p><span style="color: #006633"><strong>File System</strong></span> : Operations on local storage and remote file systems, including file systems or devices added while Procmon was running.</p><p></p><p><span style="color: #006633"><strong>Network</strong></span> : UDP and TCP network activity, including source and destination addresses (but not the data that was transmitted or received). Procmon can resolve network addresses to names or just show the IP addresses; the Show Resolved Network Addresses option is on the Options menu. 
You can also toggle it by pressing Ctrl+N.</p><p></p><p><span style="color: #006633"><strong>Process</strong></span> : Process and thread events such as process creation by a parent process, process start, thread create, thread exit, process exit, and the loading of executable images and data files into the process’ address space. (Note that Procmon does not log the unloading of these images.)</p><p></p><p><span style="color: #006633"><strong>Profiling</strong></span> : Generates and logs an event for every process and thread on the system, capturing the kernel and user time charged, memory use, and context switches since the previous profiling event. Process profiling events are always captured. By default, thread profiling events are not captured. Debug output profiling also falls under this event type.</p><p></p><p></p><p></p><p></p><p><span style="font-size: 18px"><span style="color: #0059b3"><u>Operations column</u></span></span></p><p></p><p>The Operation column shows which operation the process performed on the resource named in the Path column (for example CreateFile, RegQueryValue or TCP Connect).</p><p></p><p>The Windows API references below explain what each kind of operation does. 
Procmon's operation names do not always match the documented function names word for word, so look for the closest equivalent.</p><p></p><p><span style="color: #b30000">Process & thread operations</span> : <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms684847%28v=vs.85%29.aspx" target="_blank">https://msdn.microsoft.com/en-us/library/windows/desktop/ms684847(v=vs.85).aspx</a></p><p><span style="color: #b30000">File operations</span> : <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa364232%28v=vs.85%29.aspx" target="_blank">https://msdn.microsoft.com/en-us/library/windows/desktop/aa364232(v=vs.85).aspx</a></p><p><span style="color: #b30000">Registry operations</span> : <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms724875%28v=vs.85%29.aspx" target="_blank">https://msdn.microsoft.com/en-us/library/windows/desktop/ms724875(v=vs.85).aspx</a></p><p><span style="color: #b30000">Network operations</span> : <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms741394%28v=vs.85%29.aspx" target="_blank">https://msdn.microsoft.com/en-us/library/windows/desktop/ms741394(v=vs.85).aspx</a></p><p></p><p></p><p></p><p></p><p><span style="font-size: 18px"></span></p><p><span style="font-size: 18px"><span style="color: #0059b3"><strong><u>Types of results</u></strong></span></span></p><p></p><p>The Result column shows the status code of the completed operation</p><p></p><p>Full list of NTSTATUS return values/codes : <a href="https://msdn.microsoft.com/en-in/library/cc704588.aspx" target="_blank">https://msdn.microsoft.com/en-in/library/cc704588.aspx</a></p><p></p><p></p><p><span style="color: #006600"><u>Common result values/codes</u></span></p><p></p><p>[SPOILER="types of results"]</p><p><strong><span style="color: #000000">SUCCESS</span></strong></p><p>The operation succeeded.</p><p></p><p><strong>BUFFER OVERFLOW </strong></p><p>Occurs when a program requests variable-length information, such as data from a registry value, but doesn’t provide a large enough buffer to receive the 
information because it doesn’t know the actual data size in advance. The system will tell the program how large a buffer is required and might copy as much data as it can into the buffer, but it will not actually overflow the buffer. One typical coding pattern is that after a BUFFER OVERFLOW result is received, the program then allocates a large enough buffer and requests the same data again, this time resulting in SUCCESS.</p><p></p><p><strong>ACCESS DENIED</strong></p><p>The operation failed because the security descriptor on the object does not grant the rights to the caller that the caller requested. The failure might also be the result of a file being marked as read-only. This result code is frequently a red flag when troubleshooting.</p><p></p><p><strong>SHARING VIOLATION</strong></p><p>The operation failed because the object is already opened and does not allow the sharing mode that the caller requested.</p><p></p><p><strong>NAME COLLISION </strong></p><p>The caller tried to create an object that already exists.</p><p></p><p><strong>NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE</strong></p><p>The caller tried to open an object that doesn’t exist. One scenario in which these result codes can arise is when a DLL load routine looks in various directories as part of the DLL search process.</p><p></p><p><strong>NAME INVALID</strong></p><p>The caller requested an object with an invalid name, for example C:\Windows\”regedit.exe”.</p><p></p><p><strong>NO MORE ENTRIES, NO MORE FILES</strong></p><p>The caller has finished enumerating the contents of a folder or registry key.</p><p></p><p><strong>END OF FILE </strong></p><p>The caller has read to the end of a file.</p><p></p><p><strong>BUFFER TOO SMALL </strong></p><p>Essentially the same as BUFFER OVERFLOW. It’s rarely significant when troubleshooting.</p><p></p><p><strong>REPARSE </strong></p><p>The caller has requested an object that links to another object. 
For example, HKLM\System\CurrentControlSet might redirect to HKLM\System\ControlSet001.</p><p></p><p><strong>NOT REPARSE POINT </strong></p><p>The requested object does not link to another object.</p><p><strong></strong></p><p><strong>FAST IO DISALLOWED </strong></p><p>Indicates that a low-level optimized mechanism is not available for the requested file system object. It’s rarely significant in troubleshooting.</p><p></p><p><strong>FILE LOCKED WITH ONLY READERS </strong></p><p>Indicates that a file or file mapping was locked and that all users of the file can only read from it.</p><p></p><p><strong>FILE LOCKED WITH WRITERS </strong></p><p>Indicates that a file or file mapping was locked and that at least one user of the file can write to it.</p><p></p><p><strong>IS DIRECTORY</strong></p><p>The requested object is a file system folder.</p><p></p><p><strong>INVALID DEVICE REQUEST </strong></p><p>The specified request is not a valid operation for the target device.</p><p></p><p></p><p><strong>INVALID PARAMETER</strong></p><p>An invalid parameter was passed to a service or function.</p><p></p><p><strong>NOT GRANTED</strong></p><p>A requested file lock cannot be granted because of other existing locks.</p><p></p><p><strong>CANCELLED</strong></p><p>An I/O request was canceled, for example the monitoring of a file system folder for changes.</p><p></p><p><strong>BAD NETWORK PATH</strong></p><p>The network path cannot be located.</p><p></p><p><strong>BAD NETWORK NAME</strong></p><p>The specified share name cannot be found on the remote server.</p><p></p><p><strong>MEDIA WRITE PROTECTED</strong></p><p>The disk cannot be written to because it is write-protected.</p><p></p><p><strong>KEY DELETED</strong></p><p>Illegal operation attempted on a registry key that has been marked for deletion.</p><p></p><p><strong>NOT IMPLEMENTED</strong></p><p>The requested operation is not implemented.</p><p>[/SPOILER]</p><p></p><p></p><p></p><p></p><p><span style="font-size: 18px"><span 
style="color: #0059b3"><strong><u>Event Properties</u></strong></span></span></p><p></p><p>You can access the properties for an individual event by double-clicking on the event, or by selecting the Properties menu item from the Event menu or the context menu when you right-click on an event. The Event Properties dialog consists of the Event, Process and Stack pages. You can move to the next or preceding displayed or highlighted event with the arrow buttons at the bottom of the Event Properties dialog.</p><p></p><p>[SPOILER="event properties"]</p><p></p><p></p><p><img src="http://p1.pichost.me/640/74/1992842.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p><img src="http://p1.pichost.me/i/74/1992843.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p><img src="http://p1.pichost.me/640/74/1992844.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p><img src="http://p1.pichost.me/640/74/1992845.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>[/SPOILER]</p><p></p><p><span style="color: #0059b3"></span></p><p><span style="color: #0059b3"><u>Process Activity summary</u></span></p><p></p><p>[ATTACH=full]55481[/ATTACH]</p><p></p><p></p><p>The Process Activity Summary dialog box displays a table listing every process for which data was captured with the current filter applied. Each row in the table shows the process name and PID, a CPU usage graph, the numbers of file, registry and network events, the commit peak and the working set peak, and graphs showing these and other numbers changing over the timeline of the process. 
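As an added example (written for this page, not part of viktik's post or of the Sysinternals tools), the PowerShell below reproduces these summaries on a CSV saved from Process Monitor, which is handy when the trace came from another machine or you want the numbers in a script: per-process event counts like the Process Activity Summary, a value count like the Tools > Count Occurrences feature described further down, and the ACCESS DENIED drill-down that Count Occurrences gives you on a double-click. It assumes the export used Procmon's default columns ("Time of Day","Process Name","PID","Operation","Path","Result","Detail"); the sample rows are constructed, not a real capture, and the operation-to-class mapping is a heuristic of this example because Event Class is not among the default export columns.

```powershell
# Added example (not from the original post or the Sysinternals tools):
# offline analysis of a trace saved from Process Monitor in CSV format.
# Assumption: the export used Procmon's default columns, whose header line is
#   "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
# The rows below are CONSTRUCTED sample data in that layout, not a real capture.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","Explorer.EXE","1234","RegOpenKey","HKCU\Software\Classes\CLSID","SUCCESS","Desired Access: Read"
"10:01:02.1234599 AM","Explorer.EXE","1234","RegQueryValue","HKCU\Software\Classes\CLSID\Example","NAME NOT FOUND","Length: 144"
"10:01:02.2000000 AM","svchost.exe","880","CreateFile","C:\Windows\System32\config\SAM","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open"
"10:01:02.2000100 AM","svchost.exe","880","TCP Connect","host.example:51000 -> 203.0.113.5:443","SUCCESS","Length: 0"
"10:01:02.3000000 AM","updater.exe","4100","CreateFile","C:\Program Files\App\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.3000100 AM","updater.exe","4100","CreateFile","C:\Windows\System32\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.3000200 AM","updater.exe","4100","CreateFile","C:\Windows\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.3000300 AM","updater.exe","4100","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5120, Command line: cmd.exe /c whoami"
"10:01:02.3000400 AM","updater.exe","4100","WriteFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Offset: 0, Length: 4,096"
'@

# Procmon does not export the Event Class column unless you add it, so derive the
# class from the Operation name. This prefix mapping is an assumption of this example.
function Get-EventClass {
    param([string]$Operation)
    switch -Regex ($Operation) {
        '^Reg'                         { 'Registry';    break }
        '^(TCP|UDP) '                  { 'Network';     break }
        '^(Process|Thread|Load Image)' { 'Process';     break }
        default                        { 'File System' }
    }
}

# Per-process totals broken down by class: the counts the Process Activity Summary shows.
function Get-ProcessActivity {
    param([object[]]$Events)
    $Events | Group-Object 'Process Name', PID | ForEach-Object {
        $counts = @{ 'File System' = 0; 'Registry' = 0; 'Network' = 0; 'Process' = 0 }
        foreach ($e in $_.Group) { $counts[(Get-EventClass $e.Operation)]++ }
        [pscustomobject]@{
            Name     = $_.Group[0].'Process Name'
            PID      = [int]$_.Group[0].PID
            File     = $counts['File System']
            Registry = $counts['Registry']
            Network  = $counts['Network']
            Process  = $counts['Process']
            Total    = $_.Count
        }
    } | Sort-Object Total -Descending
}

# Equivalent of Tools > Count Occurrences: distinct values of one column with their counts.
function Get-Occurrences {
    param([object[]]$Events, [string]$Column)
    $Events | Group-Object $Column | Sort-Object Count -Descending |
        Select-Object @{ n = $Column; e = { $_.Name } }, Count
}

# Equivalent of double-clicking a value in Count Occurrences: keep only events with
# that Result, so you can see which process failed on which path and why.
function Get-EventsWithResult {
    param([object[]]$Events, [string]$Result)
    $Events | Where-Object { $_.Result -eq $Result } |
        Select-Object 'Process Name', PID, Operation, Path, Detail
}

$events = $sampleCsv | ConvertFrom-Csv
# For a real trace use: $events = Import-Csv C:\Traces\capture.csv
Get-ProcessActivity $events                  | Format-Table -AutoSize
Get-Occurrences $events -Column Result       | Format-Table -AutoSize
Get-EventsWithResult $events 'ACCESS DENIED' | Format-Table -AutoSize
```

On the sample rows, updater.exe tops the activity table with 5 events (4 file, 1 process), NAME NOT FOUND is the most frequent result (4, against 3 SUCCESS and 2 ACCESS DENIED), and the ACCESS DENIED view shows svchost.exe opening the SAM hive and updater.exe writing to the hosts file. The three NAME NOT FOUND CreateFile operations on plugin.dll are the DLL search-order probing mentioned under the NAME NOT FOUND result above; in a real trace they tell you which directory a process would have loaded a DLL from had one been present there.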
You can save all the text information to a CSV file by clicking the Save button.</p><p></p><p></p><p>[SPOILER="process activity summary"]</p><p>[ATTACH=full]55482[/ATTACH]</p><p>[/SPOILER]</p><p></p><p></p><p></p><p><span style="color: #0059b3"><u>File summary</u></span></p><p></p><p>The File Summary dialog box aggregates information about every file and folder operation displayed by the current filter, and it groups the results on separate tabs by path, by folder, and by file extension. For each unique file system path, the dialog box displays how much total time was spent performing I/O to the file; the number of opens, closes, reads, writes, Get ACL, Set ACL and other operations; the total number of operations performed; and the number of bytes read from and written to the file.</p><p></p><p>[SPOILER="file summary"]</p><p><u></u></p><p><u><img src="http://p1.pichost.me/640/74/1992823.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /> </u></p><p>[/SPOILER]</p><p><span style="color: #0059b3"></span></p><p><span style="color: #0059b3"></span></p><p><span style="color: #0059b3"><u>Registry summary</u></span></p><p>The Registry Summary dialog box lists every registry path referenced by registry operations in a table, along with how much total time was spent performing I/O to the key; the number of opens, closes, reads, writes, and other operations; and the sum total of these. Clicking on a column header sorts by the data in that column, and columns can be reordered by dragging the column headers. Double-clicking a row adds a Path rule for the registry path in that row to the current filter. The Filter dialog box can be displayed by clicking the Filter button, and you can save the data to a CSV file.</p><p></p><ul> <li data-xf-list-type="ul">As you can see, the highest number of registry events occurred on the path "HKCU\software\FolderProtect\Pwdprompt". Again, the software "Folder Protect" is generating far more registry events than would be expected from it. 
Uninstalling it will free system resources for other software.</li> </ul><p>[SPOILER="registry summary"]</p><p>[ATTACH=full]55486[/ATTACH]</p><p>[/SPOILER]</p><p></p><p><span style="color: #0059b3"></span></p><p><span style="color: #0059b3"><u>Stack Summary</u></span></p><p></p><p>The Stack Summary dialog box takes all the stack traces for each Procmon-traceable event, identifies the commonalities and divergences in them, and renders them as expandable trees. For each frame within a call stack, you can see how many times its execution resulted in a Procmon-traceable event, the cumulative amount of time spent in the Procmon-captured operations, the name and path of the module, and the absolute offset within it. The Stack Summary also shows function names and the path to and line number within source files for each stack frame if symbolic information is available.</p><p></p><p>[SPOILER="stack summary"]</p><p>[ATTACH=full]55487[/ATTACH]</p><p>[/SPOILER]</p><p></p><p><span style="color: #0059b3"></span></p><p><span style="color: #0059b3"><u>Network Summary</u></span></p><p>The Network Summary dialog box lists every TCP and UDP endpoint and port present in the filtered trace, along with the corresponding number of connects, disconnects, sends, and receives; the total number of these events; and the numbers of bytes sent and received. Clicking a column header sorts by the data in that column, and columns can be reordered by dragging the column headers. Double-clicking a row sets a Path rule in the filter for that endpoint and port. 
The Filter dialog box can be displayed by clicking the Filter button, and you can save the data to a CSV file.</p><p></p><p>[SPOILER="network summary"]</p><p></p><p>[ATTACH=full]55490[/ATTACH]</p><p>[/SPOILER]</p><p><u></u></p><p><u></u></p><p><span style="color: #0059b3"><u>The Cross Reference Summary </u></span></p><p>The Cross Reference Summary dialog box lists all paths displayed by the current filter that have been accessed by more than one process. Each row shows the path, the processes that have written to it, and the processes that have read from it. The columns can be sorted or reordered, and you can save the data to a CSV file. Double-clicking a row, or selecting the row and clicking the Filter On Row button, adds the selected path to the filter.</p><p></p><p>[SPOILER="cross reference summary"]</p><p></p><p>[ATTACH=full]55491[/ATTACH]</p><p>[/SPOILER]</p><p><span style="font-size: 18px"><span style="color: #336600"></span></span></p><p><span style="font-size: 18px"><span style="color: #336600"></span></span></p><p><span style="font-size: 18px"><span style="color: #0059b3"><u>Process Tree</u></span></span></p><p></p><p>Pressing Ctrl+T or clicking the Process Tree toolbar button displays the Process Tree dialog box. The Process Tree dialog box displays all the processes that are referenced in the loaded trace in a hierarchy that reflects their parent-child relationships. You can collapse or expand portions of the tree by clicking the plus (+) and minus (–) icons to the left of parent processes in the tree, or selecting those nodes and pressing the left and right arrow keys. Processes that are aligned along the left side of the window have parent processes that have not generated any events in the trace.</p><p></p><p>The Life Time column shows the timeline of the process relative to the trace or to the boot session, depending on whether the Timelines Cover Displayed Events Only option is selected. 
With the option selected, a green bar going from edge to edge indicates that the process was running at the time the trace started and was still running when the trace ended. A green bar that begins further to the right indicates the process’ relative start time after the trace had begun. A darker green bar indicates a process that exited during the trace, with its extent indicating when during the trace it exited. If the Timelines Cover Displayed Events Only option is not selected, the graphs indicate the process’ lifetimes relative to the boot session: a green bar closer to the left edge of the column indicates a process that has been running since system startup or that began shortly after.</p><p></p><p>[SPOILER="process tree"]</p><p></p><p>[ATTACH=full]55492[/ATTACH]</p><p></p><p></p><p>[ATTACH=full]55493[/ATTACH]</p><p></p><p>[/SPOILER]</p><p></p><p><span style="font-size: 18px"></span></p><p><span style="font-size: 18px"><span style="color: rgb(0, 89, 179)"><u><strong>Counting occurrences</strong></u></span></span></p><p></p><p>The Count Occurrences tool displays the unique values seen in the trace for the column you specify, along with the number of events in the trace that contained each value.</p><p></p><p>[SPOILER="count occurrences"]</p><p></p><p>Counting occurrences is very useful when building a filter.</p><p></p><p>It is opened from the Tools menu, as shown below</p><p></p><p><img src="http://p1.pichost.me/640/74/1992950.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>Select the column whose values you want to count</p><p></p><p><img src="http://p1.pichost.me/i/74/1992951.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>Click <strong>Count</strong></p><p></p><p><img src="http://p1.pichost.me/i/74/1992952.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><ul> <li data-xf-list-type="ul">The total for each "Result" value that occurred will be shown<br /> </li> <li data-xf-list-type="ul">Select any 
one and double-click it to create a filter for it. In this case I double-clicked the value "ACCESS DENIED"</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1992953.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Now only events with the result "ACCESS DENIED" are shown</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992954.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Similarly, you can count values and create filters quickly with Count Occurrences, which helps trace the cause of a problem in the system<br /> </li> <li data-xf-list-type="ul">Counting the Company column shows quickly which vendor's processes are generating the most events.</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1993242.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Counting Event Class shows which type of event occurred most, and a filter can be created on any event class.</li> </ul><p><img src="http://p1.pichost.me/i/74/1993243.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><img src="http://p1.pichost.me/i/74/1993244.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><ul> <li data-xf-list-type="ul">Counting Process Name and filtering on one process is very helpful for seeing what that process did during the capture</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1993247.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Counting Result and filtering on a result value is very helpful in troubleshooting</li> <li data-xf-list-type="ul">Filtering on the result value is the quickest way to chase down ACCESS DENIED, SHARING VIOLATION, NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE, INVALID DEVICE REQUEST, NOT GRANTED, BAD NETWORK PATH and BAD NETWORK NAME</li> <li 
data-xf-list-type="ul">These result values waste system resources when they occur in huge numbers: BUFFER OVERFLOW, NAME COLLISION, BUFFER TOO SMALL, CANCELLED, NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1993248.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>[/SPOILER]</p><p></p><p></p><p></p><p><span style="font-size: 18px"><span style="color: #0059b3"><u>Boot time activity logging</u></span></span></p><p></p><p>You can configure Procmon to begin logging system activity from a point very early in the boot process. This is the feature you need if you’re diagnosing issues that occur before, during, or in the absence of user logon, such as those involving boot-start device drivers, autostart services, the logon sequence itself, or shell initialization.</p><p></p><p>Process Monitor can log activity from a point very early in the boot process, during the initialization of boot-start device drivers. Configure Process Monitor to log the next boot by selecting Enable Boot Logging from the Options menu. Process Monitor's driver will log activity at the next boot into a file in the %Windir% directory and will continue logging through shutdown or until you run Process Monitor again. Thus, if you don't run Process Monitor during a boot session, you will capture a trace of the entire boot-to-shutdown cycle.</p><p></p><p>[SPOILER="Boot time activity logging"]</p><p></p><ul> <li data-xf-list-type="ul">To do so, tick "Enable Boot Logging"</li> </ul><p></p><p></p><p><img src="http://p1.pichost.me/i/74/1992813.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Select as shown below</li> <li data-xf-list-type="ul">Click "OK". 
<br /> </li> <li data-xf-list-type="ul">Reboot the system</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1992814.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><ul> <li data-xf-list-type="ul">Process Monitor will log all the activity of the boot process and continue to log activity after bootup.<br /> </li> <li data-xf-list-type="ul">So the first thing you need to do after the reboot completes is to start Process Monitor. Starting Process Monitor will cause it to stop logging process activity.<br /> </li> <li data-xf-list-type="ul">This message box will be shown. Click "Yes" and save the collected data to a file.</li> </ul><p></p><p></p><p><img src="http://p1.pichost.me/i/74/1992815.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">After the file has been saved, Process Monitor will automatically open the saved data. This will show all the events that were logged during boot.</li> <li data-xf-list-type="ul">You can analyse the collected data to find problems that may be occurring during bootup</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992818.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>One useful tool for analysing the bootup process is the process tree</p><ul> <li data-xf-list-type="ul">The process tree will show you how the processes got started during boot.</li> <li data-xf-list-type="ul">You can see that some processes started, ran for some time and then exited during the boot process.</li> <li data-xf-list-type="ul">Some processes started and are still running in memory</li> <li data-xf-list-type="ul">The tree structure shows which parent process started each child process. <br /> </li> <li data-xf-list-type="ul">You need to check if there is any process which should not be running during the boot process. 
If found, you can stop it from starting using Sysinternals Autoruns.</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992816.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><img src="http://p1.pichost.me/640/74/1992817.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">The File Summary shows all of the files that were accessed during boot.</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992823.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">See all the folders that were accessed during the boot process</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992824.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p><img src="http://p1.pichost.me/640/74/1992825.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">The Registry Summary shows all the registry paths that were accessed during the boot process</li> <li data-xf-list-type="ul">See which paths were accessed most.</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992826.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">The Network Summary shows the network events that occurred during the boot process.</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1992827.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>[/SPOILER]</p><p></p><p></p><p></p><p></p><p><span style="font-size: 18px"><span style="color: #0059b3"><u>Filtering Events</u></span></span></p><p></p><p>[SPOILER="filtering events"]</p><p></p><p><strong>Include and Exclude Filters</strong></p><p>You can specify event attributes such that Process Monitor will only display or exclude events with matching attribute values. 
All filters are non-destructive, meaning that they affect only which events Process Monitor displays, not the underlying event data.</p><p></p><p>When an event is selected, the Include and Exclude sub-menus in the Event menu allow you to easily add one of the event's attributes to the configured Include or Exclude filters. For example, to show only events executed by a particular process name, choose the Process Name entry from the Include submenu. You can also select multiple events and simultaneously configure an attribute filter for all of the unique values contained in the selected events. Process Monitor ORs together all the filters that are related to a particular attribute type and ANDs together filters of different attribute types. For example, if you specified process name include filters for Notepad.exe and Cmd.exe and a path include filter for C:\Windows, Process Monitor would only display events originating in either Notepad.exe or Cmd.exe that specify the C:\Windows directory.</p><p></p><p>More complex filtering options are available in the Filter dialog, which you open by selecting Filter from the Filter menu or by clicking the Filter toolbar button. A filter entry consists of an attribute field (e.g. Authentication ID, Process Name, etc.), a comparison operation, an attribute value, and a filter type of either Include or Exclude. For convenience, Process Monitor automatically populates the attribute value drop-down with values that are present in the loaded trace data, but you can enter arbitrary values. Checkboxes allow you to easily disable specific filter entries without having to delete them.</p><p></p><ul> <li data-xf-list-type="ul">"Reset Filter" will reset all the changes made by the user to the filter</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992860.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">These are the columns that you can see in Process Monitor. 
<br /> </li> <li data-xf-list-type="ul">A filter can be created based on any column name</li> </ul><p></p><p><img src="http://p1.pichost.me/i/74/1992861.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p><span style="color: #b30059"><u>Creating a filter which shows activity by only the process "QHWatchdog.exe"</u></span></p><p></p><ul> <li data-xf-list-type="ul">Click the "Filter" icon to create the filter</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992847.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Select "Process Name"</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992848.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Select the comparison operator</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992849.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Enter the name of the process, "qhwatchdog.exe"</li> <li data-xf-list-type="ul">Click "Add" to add the new filter. 
Click "Apply" to apply the filters.</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992852.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Now only activity by the process "qhwatchdog.exe" will be shown</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992851.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">You can create the filter faster by right-clicking the process name and selecting "Include QHWatchdog.exe".</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992850.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><span style="color: #b35900"><u>Removing a filter</u></span></p><ul> <li data-xf-list-type="ul">To remove the newly created filter, open the filter settings.</li> <li data-xf-list-type="ul">Select and remove the filter you created</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992853.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><span style="color: #006600"><u>Creating a filter based on the Operation column</u></span></p><p></p><ul> <li data-xf-list-type="ul">Right-click the Operation of a process event.</li> <li data-xf-list-type="ul">Click Include or Exclude to create the desired filter. 
Here I selected "Include RegQueryKey".</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992854.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Now only process activity with the operation "RegQueryKey" will be shown.</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992855.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><span style="color: #006600"><u>Creating a filter based on the Path column</u></span></p><p></p><ul> <li data-xf-list-type="ul">Right-click the Path of a process event</li> <li data-xf-list-type="ul">Select "Edit filter..."</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992856.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><ul> <li data-xf-list-type="ul">You may edit the filter before adding it</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992857.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Filter edited.</li> <li data-xf-list-type="ul">Click "Add" and "Apply"</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992858.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Now only those process events are shown which occurred on the path "D:\SOFTWARE"</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992859.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>Similarly, you can create a filter based on any column name.</p><p></p><p>[/SPOILER]</p><p></p><p></p><p></p><p><span style="font-size: 18px"><span style="color: #0059b3"><u>Logging all the activity of a process</u></span></span></p><p></p><p>[SPOILER="logging activity of a process"]</p><p></p><p>You can log all the file, process, registry and network events of an application.</p><p></p><p>The logged events of any application can be saved to a file.</p><p></p><p></p><ul> <li data-xf-list-type="ul">Start 
Process Monitor.</li> <li data-xf-list-type="ul">Run an application and do anything that you want to monitor.</li> <li data-xf-list-type="ul">Stop capturing events (Ctrl+E)</li> <li data-xf-list-type="ul">Right-click the process and select "Include ...". In this case the process is CCleaner64.exe.</li> </ul><p></p><p></p><p><img src="http://p1.pichost.me/640/74/1992867.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">Now only the events by CCleaner64.exe will be shown</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992868.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">The Process Activity Summary shows a summary of the various events by CCleaner64.exe</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992869.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><ul> <li data-xf-list-type="ul">You can check the File Summary, Registry Summary, Network Summary and Stack Summary</li> <li data-xf-list-type="ul">The File Summary shows all the files accessed by CCleaner64.exe</li> <li data-xf-list-type="ul">Similarly, you can see the registry keys accessed by it.</li> </ul><p></p><p><img src="http://p1.pichost.me/640/74/1992870.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>[/SPOILER]</p></blockquote><p></p>
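<p>The two behaviours the guide leans on most, Count Occurrences and the include/exclude filter logic (include rules on the same attribute are ORed, include rules on different attributes are ANDed), are easy to re-apply offline to a saved trace. The script below is an added example written for this page; it is not Process Monitor's own code or an official API, and it re-implements those semantics over a constructed seven-row CSV laid out like a Procmon CSV export. The relation names (is, is not, begins with, ends with, contains, excludes) are the ones Procmon's Filter dialog offers; that exclude rules are evaluated before include rules is my assumption about Procmon's behaviour, not something the guide states; the sample rows, PIDs and paths are made up.</p>

```python
"""Procmon-style Count Occurrences and include/exclude filtering over a CSV export.

Added example for this guide. It is not Process Monitor's own code: it re-implements
the filter semantics the guide describes (OR within one attribute, AND across
attributes) so the same filter can be re-applied offline to a CSV export
(File > Save..., "Comma-Separated Values (CSV)").
"""
import csv
import io
from collections import Counter

# Constructed sample in the column layout of a Procmon CSV export. The rows,
# PIDs and paths are made up for this example; they are not a real trace.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","Notepad.exe","1234","RegQueryKey","HKLM\SOFTWARE\Example","SUCCESS","Query: Name"
"10:00:01.0000002","Notepad.exe","1234","CreateFile","C:\Windows\missing.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0000003","Cmd.exe","2345","CreateFile","C:\Windows\System32\cmd.exe","SUCCESS","Desired Access: Execute"
"10:00:01.0000004","Cmd.exe","2345","CreateFile","C:\Users\alice\secret.txt","ACCESS DENIED","Desired Access: Generic Write"
"10:00:01.0000005","svchost.exe","800","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services","BUFFER OVERFLOW","Length: 16"
"10:00:01.0000006","svchost.exe","800","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services","SUCCESS","Length: 64"
"10:00:01.0000007","Notepad.exe","1234","CreateFile","C:\Windows\notepad.exe","ACCESS DENIED","Desired Access: Write"
'''

# Procmon's string relations; comparisons are case-insensitive, as in the Filter dialog.
RELATIONS = {
    "is":          lambda field, value: field.lower() == value.lower(),
    "is not":      lambda field, value: field.lower() != value.lower(),
    "begins with": lambda field, value: field.lower().startswith(value.lower()),
    "ends with":   lambda field, value: field.lower().endswith(value.lower()),
    "contains":    lambda field, value: value.lower() in field.lower(),
    "excludes":    lambda field, value: value.lower() not in field.lower(),
}


def load_events(csv_text):
    """Parse a Procmon CSV export into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def count_occurrences(events, column):
    """Tools > Count Occurrences: each distinct value of `column` with its event count."""
    return Counter(event[column] for event in events)


def apply_filter(events, rules):
    """Apply Procmon-style filter rules to a list of events.

    Each rule is (column, relation, value, action) with action "Include" or "Exclude".
    Include rules on the same column are ORed and include rules on different columns
    are ANDed, as the guide states. Exclude rules are evaluated first and hide a
    matching event regardless of the include rules; that precedence is an assumption
    about Procmon's behaviour, not something the guide states.
    """
    excludes = [(c, r, v) for c, r, v, a in rules if a == "Exclude"]
    includes_by_column = {}
    for column, relation, value, action in rules:
        if action == "Include":
            includes_by_column.setdefault(column, []).append((relation, value))

    kept = []
    for event in events:
        if any(RELATIONS[r](event[c], v) for c, r, v in excludes):
            continue
        # all() over an empty dict is True, so an event passes when no include rules exist.
        if all(any(RELATIONS[r](event[column], v) for r, v in tests)
               for column, tests in includes_by_column.items()):
            kept.append(event)
    return kept


def filter_on_counted_value(events, column, value):
    """What double-clicking a row in Count Occurrences does: add `column is value` as an Include rule."""
    return apply_filter(events, [(column, "is", value, "Include")])


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)

    print("Count Occurrences on Result:")
    for value, count in count_occurrences(events, "Result").most_common():
        print(f"  {count:3d}  {value}")

    # The guide's worked example: Notepad.exe OR Cmd.exe, AND a path under C:\Windows.
    rules = [
        ("Process Name", "is", "Notepad.exe", "Include"),
        ("Process Name", "is", "Cmd.exe", "Include"),
        ("Path", "begins with", r"C:\Windows", "Include"),
    ]
    print("\nNotepad.exe/Cmd.exe events under C:\\Windows:")
    for e in apply_filter(events, rules):
        print(f"  {e['Process Name']:12s} {e['Operation']:14s} {e['Path']:40s} {e['Result']}")

    print("\nACCESS DENIED events (double-click in Count Occurrences):")
    for e in filter_on_counted_value(events, "Result", "ACCESS DENIED"):
        print(f"  {e['Process Name']:12s} {e['Path']}")
```

<p>To use it on a real trace, replace SAMPLE_CSV with the contents of a CSV you saved from Process Monitor (the column names in the header row must match the ones you had enabled under Options > Select Columns). The script is handy when someone sends you a saved trace for analysis, as the guide suggests: you can count Result values and re-apply the same include/exclude rules without loading the trace into Procmon first.</p>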
[QUOTE="viktik, post: 377696, member: 12848"] [I]Process Monitor[/I] is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, [I]Filemon[/I] and [I]Regmon[/I], and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. [SIZE=4][B]Overview of Process Monitor Capabilities[/B][/SIZE] Process Monitor includes powerful monitoring and filtering capabilities, including: [LIST] [*]More data captured for operation input and output parameters [*]Non-destructive filters allow you to set filters without losing data [*]Capture of thread stacks for each operation make it possible in many cases to identify the root cause of an operation [*]Reliable capture of process details, including image path, command line, user and session ID [*]Configurable and moveable columns for any event property [*]Filters can be set for any data field, including fields not configured as columns [*]Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data [*]Process tree tool shows relationship of all processes referenced in a trace [*]Native log format preserves all data for loading in a different Process Monitor instance [*]Process tooltip for easy viewing of process image information [*]Detail tooltip allows convenient access to formatted data that doesn't fit in the column [*]Cancellable search [*]Boot time logging of all operations [/LIST] The best way to become familiar with Process Monitor's features is to read through the help file and then visit each of its menu 
items and options on a live system. [COLOR=#b30000]Official link [/COLOR]: [URL]https://technet.microsoft.com/en-us/library/bb896645.aspx[/URL] [COLOR=#b30000]Online ebook[/COLOR] : [URL]https://books.google.co.in/books?id=0KZCAwAAQBAJ&printsec=frontcover[/URL] [COLOR=#b30000]Video tutorial [/COLOR]: [LIST=1] [*][URL]http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor[/URL] [*][URL]http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor[/URL] [*][URL]http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL304[/URL] [*][URL]http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WCL301[/URL] [*][URL]http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/WCA-B306[/URL] [*][URL]http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B354[/URL] [/LIST] Because it loads a kernel driver, Procmon requires administrative rights to capture events, including the Load and Unload Device Drivers privilege. When you launch Process Monitor it immediately starts monitoring three classes of operation: file system, Registry and process. It is a very powerful tool which can very useful in logging process activities. Logging the file, process, registry and network events of an application can reveal detailed information of what the process is doing in the system. The logged events can be used to troubleshoot problems in that application which is showing signs of [LIST=1] [*]Not working properly [*]Hanging [*]Crashing [*]Running sluggishly [*]Conflicting with other processes [*]Using too much cpu, hard disk and other resources [/LIST] All the process monitor does is shows all types of events that has occurred. It up to the user to find out what is causing the problem. He has to find what should not be happening and what is not expected to occur. Then try to solve the problem. The saved data can be sent to someone else who can analyze it to detect the problem with that application. 
Even if applications in your system seems to run normally, logging their activities and checking the logged data can reveal problems that are not noticeable by you. Process monitor is one of the many tools provided by Sysinternals. You can use other tools provided by sysinternals along with process monitor to monitor processes running in the system. [COLOR=#b30059]Sysinternal Suite[/COLOR] : [URL]https://technet.microsoft.com/en-us/sysinternals/bb842062[/URL] [COLOR=#0059b3][U]Capturing events[/U][/COLOR] You can click "capture" icon to start or stop capturing events. Capture data for few minutes. Then stop the capture to analyze it. The logged data generated in few minutes by process monitor can become huge in size . So never let it capture for a long among of time, otherwise it will eat up all the RAM. [ATTACH=full]55479[/ATTACH] You can click "clear" to clear all the cached data. [ATTACH=full]55480[/ATTACH] [COLOR=#0059b3][U]Saving the captured trace files[/U][/COLOR] [LIST] [*]To save all the events that has been captured select "All events" [*]Set path and select the format [*]Click "OK" [/LIST] [IMG]http://p1.pichost.me/i/74/1993250.jpg[/IMG] [LIST] [*]To save only the filtered events select "Events displayed using current filter" [*]Set path and select the format [*]Click "OK" [/LIST] [IMG]http://p1.pichost.me/i/74/1993249.jpg[/IMG] [SIZE=5][U][COLOR=rgb(0, 89, 179)]Columns[/COLOR][/U][/SIZE] [SPOILER="Columns"] You can select the columns which will be shown by process explorer [LIST] [*]One way to do it by menu [B]options->Select columns[/B] [/LIST] [IMG]http://p1.pichost.me/640/74/1993233.jpg[/IMG] [LIST] [*]Another way to do it by right clicking on columns and selecting "Select columns" as shown below [/LIST] [IMG]http://p1.pichost.me/640/74/1993234.jpg[/IMG] [LIST] [*]Tick the column name to show it in process monitor window [/LIST] [IMG]http://p1.pichost.me/i/74/1992861.jpg[/IMG] [B][COLOR=#663300][U]Various types of columns[/U][/COLOR][/B] Application 
Details [LIST] [*][COLOR=#5900b3]Process Name[/COLOR] : The name of the process in which an event occurred. [*][COLOR=#5900b3]Image Path[/COLOR] : The full path of the image running in a process. [*][COLOR=#5900b3]Command Line[/COLOR] : The command line used to launch a process. [*][COLOR=#5900b3]Company Name[/COLOR] : The text of the company name version string embedded in a process image file. This text is optionally defined by the application developer. [*][COLOR=#5900b3]Description[/COLOR] : The text of the product description string embedded in a process image file. This text is optionally defined by the application developer. [*][COLOR=#5900b3]Version[/COLOR] : The product version number embedded in a process image file. This information is optionally specified by the application developer. [/LIST] Event Details [LIST] [*][COLOR=#5900b3]Sequence Number[/COLOR] : The relative position of the operation with respect to all events included in the current filter. [*][COLOR=#5900b3]Event Class[/COLOR] : The class (File, Registry, Process) of the event. [*][COLOR=#5900b3]Operation[/COLOR] : The specific event operation (e.g. Read, RegQueryValue, etc.). [*][COLOR=#5900b3]Date & Time[/COLOR] : Both the date and the time of an operation. [*][COLOR=#5900b3]Time of Day[/COLOR] : Only the time of an operation. [*][COLOR=#5900b3]Path[/COLOR] : The path of the resource that an event references. [*][COLOR=#5900b3]Detail[/COLOR] : Additional information specific to an event. [*][COLOR=#5900b3]Result[/COLOR] : The status code of a completed operation. [*][COLOR=#5900b3]Relative Time[/COLOR] : The time of the operation relative to Process Monitor's start time or the last time that the Process Monitor display was cleared. [*][COLOR=#5900b3]Duration[/COLOR] : The duration of an operation that has completed. [/LIST] Process Management [LIST] [*][COLOR=#5900b3]User Name[/COLOR] : The name of the user account in which the process that performed an operation is executing. 
[*][COLOR=#5900b3]Session ID[/COLOR] : The Windows session in which the process that executed an operation is executing. [*][COLOR=#5900b3]Authentication ID[/COLOR] : The logon session in which the process that executed an operation is executing. [*][COLOR=#5900b3]Process ID[/COLOR] : The Process ID (PID) of the process that executed an operation. [*][COLOR=#5900b3]Thread ID[/COLOR] : The Thread ID (TID) of the thread that executed an operation. [*][COLOR=#5900b3]Integrity Level[/COLOR] : The integrity level at which the process that executed an operation is running (Windows Vista only). [*][COLOR=#5900b3]Virtualized [/COLOR] : The virtualization status of the process that executed an operation (Windows Vista only). [/LIST] [/SPOILER] [SIZE=5] [COLOR=#0059b3][B][U]Types of events Procmon captures[/U][/B][/COLOR][/SIZE] [COLOR=#006633][B]Registry[/B][/COLOR] : Registry operations, such as creating, enumerating, querying, and deleting keys and values. [COLOR=#006633][B]File System[/B][/COLOR] : Operations on local storage and remote file systems, including file systems or devices added while Procmon was running. [COLOR=#006633][B]Network[/B][/COLOR] : UDP and TCP- network activity, including source and destination addresses (but not the actual data that was transmitted or received). Procmon can be configured to resolve network addresses to network names, or just show the IP addresses. The option to Show Resolved Network Addresses is on the Options menu. You can also toggle it by pressing Ctrl+N. [COLOR=#006633][B]Process[/B][/COLOR] : Process and thread events such as process creation by a parent process, process start, thread create, thread exit, process exit, and the loading of executable images and data files into the process’ address space. (Note that Procmon does not log the unloading of these images.) 
[COLOR=#006633][B]Profiling[/B][/COLOR] : Generates and logs an event for every process and thread on the system, capturing the kernel and user time charged, memory use, and context switches since the previous profiling event. Process profiling events are always captured. By default, thread profiling events are not captured. Debug output profiling, described later, also falls under this event type. [SIZE=5][COLOR=#0059b3][U]Operations column[/U][/COLOR][/SIZE] Operation column show what type of operation is being done on specified path by the process Get online help for what that operation means. You won't get exact wording match on online reference file. [COLOR=#b30000]Process & thread operations[/COLOR] : [URL='https://msdn.microsoft.com/en-us/library/windows/desktop/ms684847%28v=vs.85%29.aspx']https://msdn.microsoft.com/en-us/library/windows/desktop/ms684847(v=vs.85).aspx[/URL] [COLOR=#b30000]File opeartions [/COLOR] : [URL='https://msdn.microsoft.com/en-us/library/windows/desktop/aa364232%28v=vs.85%29.aspx']https://msdn.microsoft.com/en-us/library/windows/desktop/aa364232(v=vs.85).aspx[/URL] [COLOR=#b30000]Registry operations[/COLOR] : [URL='https://msdn.microsoft.com/en-us/library/windows/desktop/ms724875%28v=vs.85%29.aspx']https://msdn.microsoft.com/en-us/library/windows/desktop/ms724875(v=vs.85).aspx[/URL] [COLOR=#b30000]network operations[/COLOR] : [URL='https://msdn.microsoft.com/en-us/library/windows/desktop/ms741394%28v=vs.85%29.aspx']https://msdn.microsoft.com/en-us/library/windows/desktop/ms741394(v=vs.85).aspx[/URL] [SIZE=5] [COLOR=#0059b3][B][U]Types of results[/U][/B][/COLOR][/SIZE] Result column shows the status code of a completed operation Full list of NTSTATUS return values/code : [URL]https://msdn.microsoft.com/en-in/library/cc704588.aspx[/URL] [COLOR=#006600][U]Common result value/code[/U][/COLOR] [SPOILER="types of results"] [B][COLOR=#000000]SUCCESS[/COLOR][/B] The operation succeeded. 
[B]BUFFER_OVERFLOW [/B] occurs when a program requests variable-length information, such as data from a registry value, but doesn’t provide a large enough buffer to receive the information because it doesn’t know the actual data size in advance. The system will tell the program how large a buffer is required and might copy as much data as it can into the buffer, but it will not actually overflow the buffer. One typical coding pattern is that after a BUFFER OVERLOW result is received, the program then allocates a large enough buffer and requests the same data again—this time resulting in SUCCESS. [B]ACCESS DENIED[/B] The operation failed because the security descriptor on the object does not grant the rights to the caller that the caller requested. The failure might also be the result of a file being marked as read-only. This result code is frequently a red flag when troubleshooting. [B]SHARING VIOLATION[/B] The operation failed because the object is already opened and does not allow the sharing mode that the caller requested. [B]NAME COLLISION [/B] The caller tried to create an object that already exists. [B]NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE[/B] The caller tried to open an object that doesn’t exist. One scenario in which these result codes can arise is when a DLL load routine looks in various directories as part of the DLL search process. [B]NAME INVALID[/B] The caller requested an object with an invalid name—for example, C:\Windows\”regedit.exe”. [B]NO MORE ENTRIES, NO MORE FILES[/B] The caller has finished enumerating the contents of a folder or registry key. [B]END OF FILE [/B] The caller has read to the end of a file. [B]BUFFER TOO SMALL [/B] Essentially the same as BUFFER OVERFLOW. It’s rarely significant when troubleshooting. [B]REPARSE [/B] The caller has requested an object that links to another object. For example, HKLM\System \CurrentControlSet might redirect to HKLM\System\ControlSet001. 
[B]NOT REPARSE POINT [/B] The requested object does not link to another object. [B] FAST IO DISALLOWED [/B] Indicates that a low-level optimized mechanism is not available for the requested file system object. It’s rarely significant in troubleshooting. [B]FILE LOCKED WITH ONLY READERS [/B] Indicates that a file or file mapping was locked and that all users of the file can only read from it. [B]FILE LOCKED WITH WRITERS [/B] Indicates that a file or file mapping was locked and that at least one user of the file can write to it. [B]IS DIRECTORY[/B] The requested object is a file system folder. [B]INVALID DEVICE REQUEST [/B] The specified request is not a valid operation for the target device. [B]INVALID PARAMETER[/B] An invalid parameter was passed to a service or function. [B]NOT GRANTED[/B] A requested file lock cannot be granted because of other existing locks. [B]CANCELLED[/B] An I/O request was canceled—for example, the monitoring of a file system folder for changes. [B]BAD NETWORK PATH[/B] The network path cannot be located. [B]BAD NETWORK NAME[/B] The specified share name cannot be found on the remote server. [B]MEDIA WRITE PROTECTED[/B] The disk cannot be written to because it is write-protected. [B]KEY DELETED[/B] Illegal operation attempted on a registry key that has been marked for deletion. [B]NOT IMPLEMENTED[/B] The requested operation is not implemented. [/SPOILER] [SIZE=5][COLOR=#0059b3][B][U]Event Properties[/U][/B][/COLOR][/SIZE] You can access the properties for an individual event by double-clicking on the event, or by selecting the Properties menu item from the Event menu or the context menu when you right-click on an event. The Event Properties dialog consists of the Event, Process and Stack pages. You can move to the next or preceding displayed or highlighted event with the arrow buttons at the bottom of the Event Properties dialog. 
[SPOILER="event properties"] [IMG]http://p1.pichost.me/640/74/1992842.jpg[/IMG] [IMG]http://p1.pichost.me/i/74/1992843.jpg[/IMG] [IMG]http://p1.pichost.me/640/74/1992844.jpg[/IMG] [IMG]http://p1.pichost.me/640/74/1992845.jpg[/IMG] [/SPOILER] [COLOR=#0059b3] [U]Process Activity summary[/U][/COLOR] [ATTACH=full]55481[/ATTACH] The Process Activity Summary dialog box displays a table listing every process for which data was captured with the current filter applied. Each row in the table shows the process name and PID, a CPU usage graph, the numbers of file, registry and network events, the commit peak and the working set peak, and graphs showing these and other numbers changing over the timeline of the process. You can save all the text information to a CSV file by clicking the Save button. [SPOILER="process activity summary"] [ATTACH=full]55482[/ATTACH] [/SPOILER] [COLOR=#0059b3][U]File summary[/U][/COLOR] The File Summary dialog box aggregates information about every file and folder operation displayed by the current filter, and it groups the results on separate tabs by path, by folder, and by file extension. For each unique file system path, the dialog box displays how much total time was spent performing I/O to the file; the number of opens, closes, reads, writes, Get ACL, Set ACL and other operations; the total number of operations performed; and the number of bytes read from and written to the file. [SPOILER="file summary"] [U] [IMG]http://p1.pichost.me/640/74/1992823.jpg[/IMG] [/U] [/SPOILER] [COLOR=#0059b3] [U]Registry summary[/U][/COLOR] The Registry Summary dialog box lists every registry path referenced by registry operations in a table, along with how much total time was spent performing I/O to the key; the number of opens, closes, reads, writes, and other operations; and the sum total of these. Clicking on a column header sorts by the data in that column, and columns can be reordered by dragging the column headers. 
Double-clicking a row adds a Path rule for the registry path in that row to the current filter. The Filter dialog box can be displayed by clicking the Filter button, and you can save the data to a CSV file. [LIST] [*]As you can see the highest number of registry events has occurred on path "HKCU\software\FolderProtect\Pwdprompt". Again software "Folder protect" is causing too much registry events which is not expected from it. Uninstalling this software will free the system resources for other software's. [/LIST] [SPOILER="registry summary"] [ATTACH=full]55486[/ATTACH] [/SPOILER] [COLOR=#0059b3] [U]Stack Summary[/U][/COLOR] The Stack Summary dialog box takes all the stack traces for each Procmontraceable event, identifies the commonalities and divergences in them, and renders them as expandable trees. For each frame within a call stack, you can see how many times its execution resulted in a Procmon-traceable event, the cumulative amount of time spent in the Procmon-captured operations, the name and path of the module, and the absolute offset within it. The Stack Summary also shows function names and the path to and line number within source files for each stack frame if symbolic information is available. [SPOILER="stack summary"] [ATTACH=full]55487[/ATTACH] [/SPOILER] [COLOR=#0059b3] [U]Network Summary[/U][/COLOR] The Network Summary dialog box lists every TCP and UDP endpoint and port present in the filtered trace, along with the corresponding number of connects, disconnects, sends, and receives; the total number of these events; and the numbers of bytes sent and received. Clicking a column header sorts by the data in that column, and columns can be reordered by dragging the column headers. Double-clicking a row sets a Path rule in the filter for that endpoint and port. The Filter dialog box can be displayed by clicking the Filter button, and you can save the data to a CSV file. 
[SPOILER="network summary"]
[ATTACH=full]55490[/ATTACH]
[/SPOILER]

[COLOR=#0059b3][U]Cross Reference Summary[/U][/COLOR]
The Cross Reference Summary dialog box lists all paths displayed by the current filter that have been accessed by more than one process. Each row shows the path, the processes that have written to it, and the processes that have read from it. The columns can be sorted or reordered, and you can save the data to a CSV file. Double-clicking a row, or selecting the row and clicking the Filter On Row button, adds the selected path to the filter.
[SPOILER="cross reference summary"]
[ATTACH=full]55491[/ATTACH]
[/SPOILER]

[SIZE=5][COLOR=#0059b3][U]Process Tree[/U][/COLOR][/SIZE]
Pressing Ctrl+T or clicking the Process Tree toolbar button displays the Process Tree dialog box. It displays all the processes referenced in the loaded trace in a hierarchy that reflects their parent-child relationships. You can collapse or expand portions of the tree by clicking the plus (+) and minus (–) icons to the left of parent processes in the tree, or by selecting those nodes and pressing the left and right arrow keys. Processes aligned along the left side of the window have parent processes that have not generated any events in the trace.
The Life Time column shows the timeline of the process relative to the trace or to the boot session, depending on whether the Timelines Cover Displayed Events Only option is selected. With the option selected, a green bar going from edge to edge indicates that the process was running when the trace started and was still running when the trace ended. A green bar that begins further to the right indicates the process's relative start time after the trace had begun. A darker green bar indicates a process that exited during the trace, with its extent indicating when during the trace it exited. If the Timelines Cover Displayed Events Only option is not selected, the graphs indicate the processes' lifetimes relative to the boot session: a green bar closer to the left edge of the column indicates a process that has been running since system startup or that began shortly after.
[SPOILER="process tree"]
[ATTACH=full]55492[/ATTACH]
[ATTACH=full]55493[/ATTACH]
[/SPOILER]

[SIZE=5][COLOR=rgb(0, 89, 179)][U][B]Counting Occurrences[/B][/U][/COLOR][/SIZE]
Count Occurrences displays the unique values seen in a trace for the attribute (column) you specify, along with the number of times an event in the trace contained that value.
[SPOILER="count occurrences"]
Counting occurrences is a very useful feature for creating filters. It can be accessed from the Tools menu as shown below.
[IMG]http://p1.pichost.me/640/74/1992950.jpg[/IMG]
Select the column whose values you want to count.
[IMG]http://p1.pichost.me/i/74/1992951.jpg[/IMG]
Click [B]Count[/B].
[IMG]http://p1.pichost.me/i/74/1992952.jpg[/IMG]
[LIST]
[*]The total number of occurrences of each "Result" value will be shown.
[*]Select any one and double-click it to create a filter for it. In this case I double-clicked the value "ACCESS DENIED".
[/LIST]
[IMG]http://p1.pichost.me/i/74/1992953.jpg[/IMG]
[LIST]
[*]Now only events with the result "ACCESS DENIED" will be shown.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992954.jpg[/IMG]
[LIST]
[*]Similarly, you can count values and create filters quickly using "Count Occurrences", which helps trace the cause of a problem in the system.
[*]The Company column can be used to quickly see which company's processes are generating the most events.
[/LIST]
[IMG]http://p1.pichost.me/i/74/1993242.jpg[/IMG]
[LIST]
[*]Event Class can be used to see which type of event occurred most often and to create a filter based on any event class.
[/LIST]
[IMG]http://p1.pichost.me/i/74/1993243.jpg[/IMG]
[IMG]http://p1.pichost.me/i/74/1993244.jpg[/IMG]
[LIST]
[*]Counting Process Name and creating a filter based on it is very helpful for seeing what a process did during logging.
[/LIST]
[IMG]http://p1.pichost.me/i/74/1993247.jpg[/IMG]
[LIST]
[*]Counting Result and creating a filter based on it is very helpful in troubleshooting.
[*]Creating a filter based on a Result value helps when troubleshooting results such as NAME NOT FOUND, ACCESS DENIED, SHARING VIOLATION, PATH NOT FOUND, NO SUCH FILE, INVALID DEVICE REQUEST, NOT GRANTED, BAD NETWORK PATH and BAD NETWORK NAME.
[*]These result values waste system resources when they occur in huge numbers: BUFFER OVERFLOW, NAME COLLISION, BUFFER TOO SMALL, CANCELLED, NAME NOT FOUND, PATH NOT FOUND, NO SUCH FILE.
[/LIST]
[IMG]http://p1.pichost.me/i/74/1993248.jpg[/IMG]
[/SPOILER]

[SIZE=5][COLOR=#0059b3][U]Boot Time Activity Logging[/U][/COLOR][/SIZE]
You can configure Procmon to begin logging system activity from a point very early in the boot process, during the initialization of boot-start device drivers. This is the feature you need if you're diagnosing issues that occur before, during, or in the absence of user logon, such as those involving boot-start device drivers, autostart services, the logon sequence itself, or shell initialization. Configure Process Monitor to log the next boot by selecting Enable Boot Logging from the Options menu. Process Monitor's driver will log activity at the next boot into a file in the %Windir% directory and will continue logging through shutdown or until you run Process Monitor again. Thus, if you don't run Process Monitor during a boot session, you will capture a trace of the entire boot-to-shutdown cycle.
[SPOILER="Boot time activity logging"]
[LIST]
[*]To do so, tick "Enable Boot Logging".
[/LIST]
[IMG]http://p1.pichost.me/i/74/1992813.jpg[/IMG]
[LIST]
[*]Select the options as shown below.
[*]Click "OK".
[*]Reboot the system.
[/LIST]
[IMG]http://p1.pichost.me/i/74/1992814.jpg[/IMG]
[LIST]
[*]Process Monitor will log all the activity of the boot process and continue logging after bootup.
[*]So the first thing you need to do after the reboot completes is to start Process Monitor. Starting Process Monitor causes it to stop logging process activity.
[*]This message box will be shown. Click "Yes" and save the collected data to a file.
[/LIST]
[IMG]http://p1.pichost.me/i/74/1992815.jpg[/IMG]
[LIST]
[*]After the files have been saved, Process Monitor will automatically open the saved data. This shows all the events that were logged during boot.
[*]You can analyse the collected data to find any problem that may be occurring during bootup.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992818.jpg[/IMG]
One useful tool for analyzing the boot process is the Process Tree.
[LIST]
[*]The Process Tree shows you how the processes got started during boot.
[*]You can see that some processes started, ran for some time and then exited during the boot process.
[*]Some processes started and are still running in memory.
[*]The tree structure shows which parent process started each child process.
[*]Check whether there is any process that should not be running during the boot process. If you find one, you can stop it from starting using the Sysinternals Autoruns tool.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992816.jpg[/IMG]
[IMG]http://p1.pichost.me/640/74/1992817.jpg[/IMG]
[LIST]
[*]The File Summary shows all the files that were accessed during boot.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992823.jpg[/IMG]
[LIST]
[*]See all the folders that were accessed during the boot process.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992824.jpg[/IMG]
[IMG]http://p1.pichost.me/640/74/1992825.jpg[/IMG]
[LIST]
[*]The Registry Summary shows all the registry paths that were accessed during the boot process.
[*]See which paths were accessed most.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992826.jpg[/IMG]
[LIST]
[*]The Network Summary shows the network events that occurred during the boot process.
[/LIST]
[IMG]http://p1.pichost.me/i/74/1992827.jpg[/IMG]
[/SPOILER]

[SIZE=5][COLOR=#0059b3][U]Filtering Events[/U][/COLOR][/SIZE]
[SPOILER="filtering events"]
[B]Include and Exclude Filters[/B]
You can specify event attributes such that Process Monitor will only display, or will exclude, events with matching attribute values. All filters are non-destructive, meaning that they affect only which events Process Monitor displays, not the underlying event data. When an event is selected, the Include and Exclude sub-menus in the Event menu allow you to easily add one of the event's attributes to the configured Include or Exclude filters. For example, to show only events executed by a particular process name, choose the Process Name entry from the Include submenu. You can also select multiple events and simultaneously configure an attribute filter for all of the unique values contained in the selected events. Process Monitor ORs together all the filters that are related to a particular attribute type and ANDs together filters of different attribute types. For example, if you specified process name include filters for Notepad.exe and Cmd.exe and a path include filter for C:\Windows, Process Monitor would only display events originating in either Notepad.exe or Cmd.exe that specify the C:\Windows directory.
More complex filtering options are available in the Filter dialog, which you open by selecting Filter from the Filter menu or by clicking the Filter toolbar button. A filter entry consists of an attribute field (e.g. Authentication ID, Process Name, etc.), a comparison operation, an attribute value, and a filter type of either Include or Exclude. For convenience, Process Monitor automatically populates the attribute value drop-down with values that are present in the loaded trace data, but you can enter arbitrary values. Checkboxes allow you to easily disable specific filter entries without having to delete them.
[LIST]
[*]"Reset Filter" will undo all the changes you have made to the filter.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992860.jpg[/IMG]
[LIST]
[*]These are the columns that you can see in Process Monitor.
[*]A filter can be created based on any column name.
[/LIST]
[IMG]http://p1.pichost.me/i/74/1992861.jpg[/IMG]

[COLOR=#b30059][U]Creating a filter that shows activity only from the process "QHWatchdog.exe"[/U][/COLOR]
[LIST]
[*]Click the "Filter" icon to create the filter.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992847.jpg[/IMG]
[LIST]
[*]Select "Process Name".
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992848.jpg[/IMG]
[LIST]
[*]Select the comparison operator.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992849.jpg[/IMG]
[LIST]
[*]Enter the name of the process, "qhwatchdog.exe".
[*]Click "Add" to add the new filter. Click "Apply" to apply the filters.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992852.jpg[/IMG]
[LIST]
[*]Now only activity by the process "qhwatchdog.exe" will be shown.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992851.jpg[/IMG]
[LIST]
[*]You can create the filter faster by right-clicking the process name and selecting "Include 'QHWatchdog.exe'".
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992850.jpg[/IMG]

[COLOR=#b35900][U]Removing a filter[/U][/COLOR]
[LIST]
[*]To remove the newly created filter, open the filter settings.
[*]Select the filter you created and remove it.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992853.jpg[/IMG]

[COLOR=#006600][U]Creating a filter based on the Operation column[/U][/COLOR]
[LIST]
[*]Right-click the Operation of an event.
[*]Click Include or Exclude to create the desired filter. Here I selected "Include 'RegQueryKey'".
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992854.jpg[/IMG]
[LIST]
[*]Now only events with the operation "RegQueryKey" will be shown.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992855.jpg[/IMG]

[COLOR=#006600][U]Creating a filter based on the Path column[/U][/COLOR]
[LIST]
[*]Right-click the Path of an event.
[*]Select "Edit Filter...".
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992856.jpg[/IMG]
[LIST]
[*]You may edit the filter before adding it.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992857.jpg[/IMG]
[LIST]
[*]Filter edited.
[*]Click "Add" and "Apply".
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992858.jpg[/IMG]
[LIST]
[*]Now only those events are shown that occurred on the path "D:\SOFTWARE".
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992859.jpg[/IMG]
Similarly, you can create a filter based on any column name.
[/SPOILER]

[SIZE=5][COLOR=#0059b3][U]Logging All the Activity of a Process[/U][/COLOR][/SIZE]
[SPOILER="logging activity of a process"]
You can log all the file, process, registry and network events of an application, and the logged events of any application can be saved to a file.
[LIST]
[*]Start Process Monitor.
[*]Run the application and do whatever you want to monitor.
[*]Stop capturing events (Ctrl+E).
[*]Right-click the process and select "Include ...". In this case, CCleaner64.exe.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992867.jpg[/IMG]
[LIST]
[*]Now only the events by CCleaner64.exe will be shown.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992868.jpg[/IMG]
[LIST]
[*]The Process Activity Summary shows the summary of the various events by CCleaner64.exe.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992869.jpg[/IMG]
[LIST]
[*]You can check the File Summary, Registry Summary, Network Summary and Stack Summary.
[*]The File Summary shows all the files accessed by CCleaner64.exe.
[*]Similarly, you can see the registry keys accessed by it.
[/LIST]
[IMG]http://p1.pichost.me/640/74/1992870.jpg[/IMG]
[/SPOILER]
[/QUOTE]
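The summary dialogs and Count Occurrences described in the post all reduce to grouping and counting columns of the trace, and the post notes that every one of them can be saved to CSV. As an added example (my own code, not the post's and not a Sysinternals tool), here is a small Python script that does the same job over a Procmon CSV export: it counts occurrences of any column, builds a Registry Summary grouped by path, sorts out the busiest rows, and tallies per process the result values the post lists as wasteful when they occur in huge numbers. The CSV rows, process names, PIDs and the "Enabled" value name are constructed for the example; the header row uses the column names of a default Procmon CSV export, and the mapping of Reg* operations onto the opens/closes/reads/writes columns is my assumption about how the dialog buckets them.

```python
"""Offline counterpart of Procmon's Count Occurrences and Registry Summary
dialogs, plus a per-process tally of the "wasteful" results the post lists,
run over a trace saved with File > Save... > CSV."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the layout of a Procmon CSV export with the default
# columns. Process names, PIDs, times and paths are illustrative only; the
# FolderProtect key is the path the post discusses.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","FolderProtect.exe","1234","RegOpenKey","HKCU\Software\FolderProtect\Pwdprompt","SUCCESS","Desired Access: Query Value"
"10:00:01.0000100","FolderProtect.exe","1234","RegQueryValue","HKCU\Software\FolderProtect\Pwdprompt\Enabled","NAME NOT FOUND","Length: 16"
"10:00:01.0000200","FolderProtect.exe","1234","RegCloseKey","HKCU\Software\FolderProtect\Pwdprompt","SUCCESS",""
"10:00:01.0000300","FolderProtect.exe","1234","RegOpenKey","HKCU\Software\FolderProtect\Pwdprompt","SUCCESS","Desired Access: Query Value"
"10:00:01.0000400","FolderProtect.exe","1234","RegQueryValue","HKCU\Software\FolderProtect\Pwdprompt\Enabled","NAME NOT FOUND","Length: 16"
"10:00:01.0000500","FolderProtect.exe","1234","RegCloseKey","HKCU\Software\FolderProtect\Pwdprompt","SUCCESS",""
"10:00:02.0000000","notepad.exe","2222","CreateFile","C:\Windows\notepad.exe","SUCCESS","Desired Access: Read Data/List Directory"
"10:00:02.0000100","notepad.exe","2222","RegQueryKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Query: HandleTags"
"10:00:02.0000200","cmd.exe","3333","CreateFile","D:\SOFTWARE\setup.exe","PATH NOT FOUND","Desired Access: Read Attributes"
"10:00:03.0000000","svchost.exe","800","TCP Send","host:49152 -> 10.0.0.5:443","SUCCESS","Length: 512"
'''

# Result values the post says waste resources when they occur in huge numbers
# (Procmon spells them with spaces; the post also writes BUFFER_OVERFLOW).
WASTEFUL_RESULTS = {"BUFFER OVERFLOW", "NAME COLLISION", "BUFFER TOO SMALL", "CANCELLED",
                    "NAME NOT FOUND", "PATH NOT FOUND", "NO SUCH FILE"}

# Operation -> Registry Summary column (assumed bucketing); other Reg* ops count as "other".
_REG_BUCKETS = {
    "RegOpenKey": "opens", "RegCreateKey": "opens",
    "RegCloseKey": "closes",
    "RegQueryValue": "reads", "RegQueryKey": "reads", "RegEnumValue": "reads", "RegEnumKey": "reads",
    "RegSetValue": "writes", "RegDeleteValue": "writes", "RegDeleteKey": "writes",
}


def parse_procmon_csv(text):
    """One dict per event, keyed by the column names in the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def count_occurrences(events, column):
    """Tools > Count Occurrences: how often each distinct value of `column` appears."""
    return Counter(e[column] for e in events)


def registry_summary(events):
    """Tools > Registry Summary: per registry path, opens/closes/reads/writes/other and total."""
    summary = defaultdict(Counter)
    for e in events:
        op = e["Operation"]
        if not op.startswith("Reg"):
            continue
        row = summary[e["Path"]]
        row[_REG_BUCKETS.get(op, "other")] += 1
        row["total"] += 1
    return dict(summary)


def busiest(summary, n=3):
    """Rows of a summary dialog sorted by the Total column, descending."""
    rows = ((path, row["total"]) for path, row in summary.items())
    return sorted(rows, key=lambda pt: (-pt[1], pt[0]))[:n]


def wasteful_by_process(events):
    """Per process, how many events ended in one of the WASTEFUL_RESULTS."""
    counts = Counter()
    for e in events:
        if e["Result"].replace("_", " ") in WASTEFUL_RESULTS:
            counts[e["Process Name"]] += 1
    return counts


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    for column in ("Result", "Process Name", "Operation"):
        print(f"--- Count Occurrences: {column}")
        for value, n in count_occurrences(events, column).most_common():
            print(f"{n:5d}  {value}")
    print("--- Registry Summary (busiest paths)")
    for path, total in busiest(registry_summary(events)):
        print(f"{total:5d}  {path}")
    print("--- Wasteful results per process")
    for name, n in wasteful_by_process(events).most_common():
        print(f"{n:5d}  {name}")
```

On a real export, replace SAMPLE_CSV with the file contents; if you exported with extra columns enabled (Company, Event Class, Duration and so on), count_occurrences works on those too, because it only needs the header name.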
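To make the rule semantics from the Filtering Events section concrete (filters on one attribute are ORed, filters on different attributes are ANDed), here is an added Python re-implementation of that evaluation. It is my code, not Procmon's, and the sample events, PIDs and paths are constructed. It assumes two things beyond what the post states: matching ignores case (which is why the post's filter on "qhwatchdog.exe" also catches "QHWatchdog.exe"), and an Exclude rule wins over any Include rule, which is how Procmon behaves to my knowledge. The post's Notepad.exe / Cmd.exe / C:\Windows example and the Count Occurrences double-click on "ACCESS DENIED" are both run through it.

```python
"""Procmon include/exclude filter semantics as the post describes them: rules
on the same column are ORed, rules on different columns are ANDed, and an
Exclude rule drops an event regardless of Include rules. Matching is
case-insensitive, which is why "qhwatchdog.exe" and "QHWatchdog.exe" behave
the same in the post."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events keyed by Procmon column names (not a real trace).
EVENTS = [
    {"Process Name": "notepad.exe", "PID": 2222, "Operation": "CreateFile", "Path": r"C:\Windows\notepad.exe", "Result": "SUCCESS"},
    {"Process Name": "notepad.exe", "PID": 2222, "Operation": "CreateFile", "Path": r"C:\Users\me\notes.txt", "Result": "SUCCESS"},
    {"Process Name": "cmd.exe", "PID": 3333, "Operation": "CreateFile", "Path": r"C:\Windows\System32\cmd.exe", "Result": "SUCCESS"},
    {"Process Name": "cmd.exe", "PID": 3333, "Operation": "CreateFile", "Path": r"D:\SOFTWARE\setup.exe", "Result": "ACCESS DENIED"},
    {"Process Name": "cmd.exe", "PID": 3333, "Operation": "RegQueryKey", "Path": r"HKCU\Software\Classes", "Result": "NAME NOT FOUND"},
    {"Process Name": "QHWatchdog.exe", "PID": 4444, "Operation": "RegQueryKey", "Path": r"HKLM\SOFTWARE\Example", "Result": "SUCCESS"},
    {"Process Name": "Explorer.EXE", "PID": 1000, "Operation": "CreateFile", "Path": r"C:\Windows\explorer.exe", "Result": "SUCCESS"},
]


@dataclass(frozen=True)
class Rule:
    """One row of the Filter dialog."""
    column: str     # attribute: Process Name, Path, Operation, Result, PID, ...
    relation: str   # is, is not, less than, more than, begins with, ends with, contains, excludes
    value: str
    action: str     # "Include" or "Exclude"


def _number(text):
    try:
        return float(text)
    except ValueError:
        return None


def matches(rule, event):
    """Does this one filter row apply to the event? Comparisons ignore case."""
    actual, wanted = str(event.get(rule.column, "")).lower(), rule.value.lower()
    rel = rule.relation
    if rel == "is":
        return actual == wanted
    if rel == "is not":
        return actual != wanted
    if rel == "contains":
        return wanted in actual
    if rel == "excludes":
        return wanted not in actual
    if rel == "begins with":
        return actual.startswith(wanted)
    if rel == "ends with":
        return actual.endswith(wanted)
    if rel in ("less than", "more than"):
        a, w = _number(actual), _number(wanted)
        if a is None or w is None:      # non-numeric column: fall back to string order
            a, w = actual, wanted
        return a < w if rel == "less than" else a > w
    raise ValueError(f"unknown relation {rel!r}")


def apply_filter(events, rules):
    """Events Procmon would display for this filter set (the trace itself is untouched)."""
    excludes = [r for r in rules if r.action == "Exclude"]
    includes = defaultdict(list)                # column -> its Include rules
    for r in rules:
        if r.action == "Include":
            includes[r.column].append(r)
    shown = []
    for e in events:
        if any(matches(r, e) for r in excludes):        # Exclude wins outright (assumed)
            continue
        # AND across columns, OR within a column; with no Include rules everything passes.
        if all(any(matches(r, e) for r in rs) for rs in includes.values()):
            shown.append(e)
    return shown


def filter_on_value(rules, column, value):
    """What double-clicking a row in Count Occurrences or a summary dialog does:
    add an Include / is rule for that column value."""
    return list(rules) + [Rule(column, "is", str(value), "Include")]


if __name__ == "__main__":
    # The post's example: Notepad.exe OR Cmd.exe, AND path under C:\Windows.
    rules = [Rule("Process Name", "is", "Notepad.exe", "Include"),
             Rule("Process Name", "is", "Cmd.exe", "Include"),
             Rule("Path", "begins with", r"C:\Windows", "Include")]
    for e in apply_filter(EVENTS, rules):
        print(e["Process Name"], e["Path"])
    # Double-clicking "ACCESS DENIED" in Count Occurrences for the Result column.
    for e in apply_filter(EVENTS, filter_on_value([], "Result", "ACCESS DENIED")):
        print(e["Process Name"], e["Operation"], e["Path"], e["Result"])
```

The Include-per-column grouping is the whole trick: adding a second Process Name rule widens what is shown, while adding a first Path rule narrows it, exactly the behaviour the post warns about when filters on different columns are combined.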
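The Process Tree section and the boot-log walkthrough both come down to chaining Process Start events by their parent PID and drawing a Life Time bar from each process's start and exit times. As an added example (my own script, not the post's or Sysinternals' code), the block below rebuilds that tree from the events of a trace and renders a text version of the dialog: processes whose parent generated no events sit at the root, a process with no Process Start event gets a bar from the left edge (running since before the trace), and one with a Process Exit event gets a bar that stops early. The sample events are constructed, and the "Parent PID: n, Command line: ..." layout of the Detail column for Process Start events is an assumption of mine about Procmon's format.

```python
"""Rebuilds the Process Tree dialog (parent/child hierarchy plus a text version
of the Life Time column) from the Process Start and Process Exit events in a
trace, so a saved boot log can be read the way the post reads the dialog."""
import re
from collections import defaultdict

# Assumed Procmon Detail layout for Process Start events ("Parent PID: n, Command line: ...").
_PARENT_PID = re.compile(r"Parent PID:\s*(\d+)")


def _ev(tod, name, pid, operation, detail=""):
    """Constructed event with just the columns the tree needs."""
    return {"Time of Day": tod, "Process Name": name, "PID": pid,
            "Operation": operation, "Detail": detail}


# Constructed sample trace (not real data): PIDs 400 and 900 never appear, so
# their children are shown at the root like the dialog does; System has no
# Process Start event, so it is treated as running since before the trace.
EVENTS = [
    _ev("09:00:00.0000000", "wininit.exe", 500, "Process Start", "Parent PID: 400, Command line: wininit.exe"),
    _ev("09:00:01.0000000", "services.exe", 600, "Process Start", r"Parent PID: 500, Command line: C:\Windows\system32\services.exe"),
    _ev("09:00:02.0000000", "svchost.exe", 800, "Process Start", r"Parent PID: 600, Command line: C:\Windows\system32\svchost.exe -k netsvcs"),
    _ev("09:00:03.0000000", "explorer.exe", 1000, "Process Start", r"Parent PID: 900, Command line: C:\Windows\Explorer.EXE"),
    _ev("09:00:04.0000000", "FolderProtect.exe", 1234, "Process Start", r"Parent PID: 1000, Command line: C:\FolderProtect\FolderProtect.exe"),
    _ev("09:00:05.0000000", "FolderProtect.exe", 1234, "RegOpenKey", "Desired Access: Query Value"),
    _ev("09:00:06.0000000", "FolderProtect.exe", 1234, "Process Exit", "Exit Status: 0, User Time: 0.0156250 seconds"),
    _ev("09:00:08.0000000", "System", 4, "ReadFile", "Offset: 0, Length: 4,096"),
    _ev("09:00:10.0000000", "svchost.exe", 800, "TCP Send", "Length: 512"),
]


def _seconds(tod):
    """'HH:MM:SS.fffffff' -> seconds since midnight."""
    h, m, s = tod.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def build_tree(events):
    """Return (nodes, children, roots, (trace_start, trace_end)).

    nodes[pid] = {name, parent, start, end}; a process without a Process Start
    event is assumed alive at trace start, one without Process Exit alive at
    trace end. A parent PID that generated no events makes its child a root."""
    times = [_seconds(e["Time of Day"]) for e in events]
    t0, t1 = min(times), max(times)
    nodes = {}
    for e, t in zip(events, times):
        node = nodes.setdefault(e["PID"], {"name": e["Process Name"], "parent": None,
                                           "start": t0, "end": t1})
        if e["Operation"] == "Process Start":
            m = _PARENT_PID.search(e["Detail"])
            node["parent"] = int(m.group(1)) if m else None
            node["start"] = t
        elif e["Operation"] == "Process Exit":
            node["end"] = t
    children, roots = defaultdict(list), []
    for pid, node in nodes.items():
        (children[node["parent"]] if node["parent"] in nodes else roots).append(pid)
    return nodes, children, roots, (t0, t1)


def life_bar(node, bounds, width=20):
    """Text Life Time column: '#' where the process was alive. A bar touching the
    left edge predates the trace; one ending early exited during the trace."""
    t0, t1 = bounds
    span = (t1 - t0) or 1.0
    a = round((node["start"] - t0) / span * width)
    b = round((node["end"] - t0) / span * width)
    return " " * a + "#" * max(b - a, 1) + " " * (width - max(b, a + 1))


def render_tree(events, width=20):
    """One indented line per process, children ordered by start time."""
    nodes, children, roots, bounds = build_tree(events)
    lines = []

    def walk(pid, depth):
        node = nodes[pid]
        lines.append(f"{'  ' * depth}{node['name']} ({pid}) [{life_bar(node, bounds, width)}]")
        for child in sorted(children[pid], key=lambda p: nodes[p]["start"]):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda p: (nodes[p]["start"], p)):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
```

The six printed lines read top to bottom the way the dialog does: System and wininit.exe span the whole trace, services.exe and svchost.exe start a little later, and FolderProtect.exe shows the short bar of a process that started and exited while logging was running. On a real boot log the events would come from the CSV export, parsed the same way.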