The Ultimate Guide to Procmon

Microsoft has created a new tool for Windows OS administrators to use, called Procmon. The tool allows admins to view what all the processes are doing on their machine and determine which of them should be stopped or killed in order to remedy any problems they may have encountered.

The “Procmon” is a command-line tool that can be used to monitor various processes on a computer. It is available for free download from Microsoft.

Procmon. To trace down all types of Windows activities, use the notorious Windows Sysinternals program. It’s well-known for being able to hunt out rogue software installers who are changing registry keys without permission or checking a virus’s trails.

This article is for you if you need to analyze the Windows registry, file system, process, or network activities and have elected to utilize procmon.

You’ll learn all there is to know about using the procmon software in this Ultimate Guide, from installation to basic use to diverse use cases that can help you trace down all types of activities.

Prerequisites

This Ultimate Guide will work on virtually all Windows systems, but you’ll need the following items for completeness (and to avoid running procmon on a Windows 3.1 computer):

• A computer running Windows Vista, Windows Server 2008, or later (x86 or x64)

That concludes our discussion. In the sections that follow, you’ll learn how to obtain and install procmon. Procmon v3.6 will be used throughout the guide on a Windows 10 Build 1909 x64 computer.

Obtaining and Using Procmon

You’ll need procmon installed on your Windows PC to get started. You may receive it in two ways: via a standard download or through what Windows Sysinternals refers to as Live from Sysinternals.

The Time-Honored Method

Procmon is a single program that does not need installation. It’s available for download as a ZIP file. Once you’ve downloaded it, use your preferred program to extract the ZIP file. If you’ve saved it to your home folder, you’ll find a PowerShell code snippet below. This code line will build a folder with all of the necessary files at ProcessMonitor.

Expand-Archive -Destination ProcessMonitor -Path ‘ProcessMonitor.zip’

You will find five files in the ProcessMonitor folder:

• Before starting procmon, you must accept the licensing agreement in Eula.txt.
• procmon.chm — This is the help file that includes all of the documentation that has been supplied.
• Procmon.exe — This is the primary EXE that will start the right instance of Procmon (x86 or x64).
• The x64 procmon binary is Procmon64.exe.
• The alpha 64 procmon binary is Procmon64a.exe.

Invoke the ProcessMonitorprocmon.exe file to start procmon.

Procmon only runs with elevated permissions, so if you have UAC enabled, you’ll be required to approve this when you launch it. There is a workaround for this, which will be discussed further down in this Guide.

Live from Sysinternals

If you’d rather not (or can’t) download an EXE, you can also use the Live from Sysinternals folder. To do this, open up File Explorer and paste in \live.sysinternals.comtools. You’ll then see a folder like any ol’ network share containing all of the Sysinternals files including procmon.

Live from Sysinternals

Scroll down until you locate procmon, double-click it, and procmon is up and running!

Changing the way Procmon starts

Procmon starts up by default, inviting you to approve an end-user licensing agreement (EULA) and opening a window. You may change the default behavior by using the command-line.

For example, you may use the /Minimized flag to start procmon in a minimized mode.

Perhaps you’re using procmon for the first time and don’t want to see the EULA prompt. The /AcceptEula option may be used to deactivate this on startup.

AcceptEula.procmon.exe

Procmon identifies whether you’re running a 64-bit or 32-bit OS when you start it, which is less probable these days. It will begin a 64-bit process if you’re on a 64-bit computer, and vice versa. Use the /Run32 flag if you’re on a 64-bit computer and want to run procmon as a 32-bit process or read a log file (more on that later) created by a 32-bit machine.

Other command-line options in Procmon may be used to customize behavior, as you’ll see in the next sections.

Intro to Procmon

If you’re using procmon for the first time, the choices might be overwhelming. Don’t worry, you’ll learn almost all you need to know in this Guide! Below is an example of a typical procmon capture in action.

Procmon’s default process view

Procmon starts recording a variety of Windows events as soon as you start it.

You may start procmon.exe /NoConnect from the command line if you don’t want it to start recording events automatically.

As you can see in the picture above, there are a variety of icons in the Operation column, each indicating a distinct kind of Windows event. Procmon records events from the following five classes:

• Registry
• Filesystem
• Network
• Processes
• Creating an event profile

In a single list window with seven columns, each event in all classes is represented:

• Time of day — The date and time of the occurrence.
• Process name — This is the name of the process that caused the event to occur.
• The process identifier (PID) is a number that is assigned to each process.
• Operation — The sort of event, such as whether the process opened a file or altered the value of a registry entry.
• Path — The path to the item with which the event interacted, such as a file or registry path.
• Result — This column will have a variety of values to represent the event’s outcome. This result may be as simple as SUCCESS or as detailed as REPARSE, BUFFER OVERFLOW, NAME NOT FOUND, and so forth.
• Detail — Once you’ve pinpointed an event you’d want to watch, this column offers all of the nitty-gritty details.

Right-click on any column header and choose Select columns if you don’t want to view a certain column or want to see what additional columns you have. A dialog window will appear, allowing you to change the displayed columns.

Changing the columns in procmon

Double-click an event in the event window. The Event, Process, and Stack tabs include a wealth of information about the process and the event itself.

Window for event attributes in Procmon

Captures: Enabling and Disabling

The capturing procedure is completely under your control. You have the option of turning off the whole capture process or turning off capturing by event class.

A magnifying glass symbol may be seen on the top menu bar (below). The capture is disabled if the magnifying glass has a red X over it. Otherwise, the recording is turned on.

Procmon is constantly recording events.

Procmon should not be left capturing events for longer than necessary. It stores all of those events in virtual memory, and if you’re not cautious, you may crash Windows! As you’ll see a little later, you can adjust this behavior.

You may also regulate the capture of each event type if you want to be more picky. In the Operation column of the menu bar, you’ll see five of the identical icons. You may activate and disable whole event classes by clicking these buttons.

The many The many types of Windows events

Hover your cursor over each icon to discover what kind of activity it represents.

Procmon adds an event filter as soon as you click an icon, as you can see. A popup similar to the one below may appear depending on how many events have been collected thus far.

The many The many types of Windows events

The furthest icon to the right (the black and green graph) is disabled by default. If you want to activate this event class when procmon starts up, type.procmon.exe /Profiling on the command line.

By glancing at the bottom of the window, you can see how many events there are. As you can see in the screenshot below, procmon has processed 84,334 events, however only 15,912 (or 18%) of them are visible due to the event filter. These events are also being kept in virtual memory, as you can see (more on that later).

The number of events in the window is the number of events in the window.

Filters for Events

To understand procmon, you undoubtedly need to understand the concept of Filters for Events. Filters for Events are how you separate the signal from the noise. Filters for Events hide all of the events you’re not interested in. Above, you applied Filters for Events by entire event classes but you can get a whole lot more granular.

There are multiple ways to interact with Filters for Events. Let’s start out simple. Click on the Filter menu item at the top. You’ll see many different options to work with filters.

Menu selections may be filtered

Filters for Viewing

Procmon builds a filter for you by default. Select Filter from the Filter menu item…. A Filter for Process Monitoring box will appear, with two sections: one for filtering your Rules for filtering and the other for examining all of the rules you’ve created. Here’s an example of what I’m talking about.

Rules for filtering

When you start procmon, it will display you the aforementioned filters by default. If you want to conceal this box, run procmon with the /Quiet switch.

You should see that without creating any filters of your own, procmon is also using a built-in set of Rules for filtering. If you scroll down in the Filter for Process Monitoring box, you’ll see many different types of rules defined. Here you can view each category, operator, value, and action to take on each rule.

These filters are applied because you’ll typically not need to see the events these filterss exclude. But, if you want to see all events, you can also just remove all of the default filters or click on Filter —> Advanced Output should be enabled. as shown below.

Advanced Output should be enabled.

For example, a few rules at the top display Process Name for the Column value, is for Relation, several procmon-related processes for the Value column’s value, and an Exclude Action. These rules, in simple English, instruct procmon not to show (exclude) a process with the name procmon.exe, for example.

Managing Event Rules for filtering

You will almost certainly need to create your own rules, depending on your use case. There are many methods for adding rules.

The Filter for Process Monitoring Box in Action

You saw how the Filter for Process Monitoring box looked and all of the rules in the previous section. You may also add, change, and remove rules from this box.

Let’s imagine you just want to know when the explorer.exe process looked for a registry entry.

Adding Filters for Events

Fill in the following fields in the Filter for Process Monitoring box:

1. Select the left-hand dropdown menu. This table displays all of the different types of events that may be filtered on. There are quite a few, as you can see below!

   Each item in this list corresponds to a column in the main display, as indicated in the diagram below. Process Name is the best option for this article.

Filter for Process Monitoring

2. Select a category, then an operator. The dropdown box will remain by default, but if you click on it, you will see a variety of alternative possibilities. These operators let you filter any choice you choose in a variety of ways. Choose is because you’re searching for a process that’s identical to explorer.exe.

List of Operators

3. Finally, as indicated below, choose a process name. Because you selected Process Name as the category, procmon displays a list of all presently running processes for you to pick from.

Process Name in Filter for Process Monitoring

4. Make sure Include is selected since you only want to view events that fit this criterion. Then, to add the rule to your existing filter, click the Add button. The Include rule is depicted as a green check mark in the image below.

5. Finally, add the RegQueryKey action since you want all of the occurrences when explorer.exe searches a registry key. When you’re finished, both rules should be added.

RegQueryKey

6. Click OK and you’ll then see the main window remove all of the events that do not match the Rules for filtering you just defined.

Events that do not match the Rules for filtering

Removing Event Rules for filtering

You can also just as easily remove and change up Rules for filtering.

1. Click on the Filter icon at the top of the main window to open the Filter for Process Monitoring box.

Filter for Process Monitoring Box

2. Highlight both of the Rules for filtering you created above, click on the Remove button as shown below and click OK. This action will Remove both of the custom rules that have been added. earlier.

Remove both of the custom rules that have been added.

You can also click on the Reset button to automatically remove all of the custom Rules for filtering.

If you apply a filter, then quit and restart Procmon, the filter will be applied again. If you want to be sure that no filter is applied when you start procmon, use the /NoFilter option.

Adding Rules for filtering with Right-Click

You can also add Rules for filtering via a right-click menu if you right-click on a process. As you can see below, you can create any kind of rule directly from this menu; no need to go to the Filter for Process Monitoring box at all!

add Rules for filtering via a right-click menu

To remove Rules for filtering created via the right-click menu, you will still have to go to the Filter for Process Monitoring box to remove them.

Custom Filters: Saving and Managing

If you’re a procmon power user, they’ll probably come a time when you have sets of Rules for filtering for various occasions. Using procmon’s filter-saving and organizing features, you can manage and save as many of these sets as you wish.

Let’s imagine you’ve created a number of custom filters and want to preserve them so you can utilize them later. This filter may be saved by going to Filter, selecting Save Filter, and giving it a name, as seen below.

A filter may be saved.

After you’ve saved the filter, go to Filter and select Organize Filters, where you’ll see all of the filters you’ve stored. You may choose a filter from this menu, click OK, and your stored filter will be applied to the current window.

Filter viewing and loading

By hovering over Load Filter in the Filter dropdown and selecting your stored filter from the list on the right, you can also load a saved filter.

Filter loading

Filter Importing and Exporting

You’re out of luck if you intend to launch procmon on another machine and maintain all of your stored filters. Procmon does not offer a cloud service for filter synchronization. However, you may export and import filters manually.

To export procmon filters, follow these steps:

1. Navigate to the Organize Filters section.
2. Select the filter you’d want to export from the drop-down menu.
3. Select Export from the drop-down menu.
4. Enter a name, choose a path, and click OK. All procmon filters have a PMF extension, as you can see.

To procmon filters import, follow these steps:

1. Navigate to the Organize Filters section.
2. Select Import from the drop-down menu.
3. Click OK when you’ve found the filter you want to import.

Below is a graphic representation of these stages.

procmon filters import

Procmon Configurations Importing and Exporting

As you learned above, you can export and procmon filters import via PMF files. But filters are only one component that makes up a procmon instance. You can customize the columns, change the storage location (more on that later) and more. Wouldn’t it be nice to save all of those settings to? You can!

To save the entire procmon configuration, click on File —> Configuration Export then choose a location where you’d like to save the PMC file (procmon configuration).

Configuration Export

Once saved, you can then close procmon on the same computer (or even a different one), open up procmon and click on File —> Import Configuration where procmon will apply all of the same filters and other settings just as they were exported.

You may also use the /LoadConfig option followed by the location of the file to load stored settings (filters included) from the command line, for example./procmon.exe /LoadConfig C:ProcmonConfigsfile deletion.pmc.

Converting Events to Filters and Highlighting Them

Perhaps you want to make some events stand out more, but you don’t want to eliminate any events from display via a filter. You may utilize highlights in such instance. Highlights are similar to filters in that they enable you to create sets of rules, but instead of concealing events, they alter the backdrop color of the events.

Perhaps you find a process named ctfmon.exe in the event list that you’d want to highlight. You may make a highlight rule by doing the following:

1. To highlight a characteristic of an event, right-click on it.
2. Select a characteristic of the event to highlight by clicking on Highlight. You’d choose Process Name in this case. The backdrop color will then shift to a light blue tone.
3. Once the highlight rule is created, you can then go to the Process Monitor Highlighting box by clicking on Filter —> Highlight. You’ll see the highlight rule created there.
4. You can add and delete criteria from the Process Monitor Highlighting box, just as you do with a filter.
5. If you’ve generated some highlight rules and want to make them into a filter, go to the Process Monitor Highlighting box and click the Make Filter button.

Below is a graphic representation of these stages.

Converting Events to Filters and Highlighting Them

Exporting and importing events into and out of log files

Events must be saved someplace for procmon to show them in a window. Virtual memory, especially your page file, is where events are saved by default.

Virtual memory is used to store events.

The number of events procmon can store is determined by the size of the page file you’ve configured (and the system commit limit).

Procmon can record up to 199 million events per second.

Creating a Log File for Events

Perhaps you’ll need to store these events for later analysis or load them onto an other computer? In such situation, you’ll want to keep track of occurrences in a log file (PML).

One way to save those handy events is click on File —> Save. This action brings up the Save To File dialog box below where you’re presented with a few options.

Save the following events:

• All occurrences – This choice is precisely what it seems to be. Regardless of whether or not you’ve applied an event filter to a file, it will store all events collected by Procmon.
• Events displayed using current filter – This option does not save all captured events but only those that have passed your currently-active Filters for Events.
• Highlighted events — This option only exports the events you’ve now highlighted to the log.

Format:

• The default format for saving all events is Native Process Monitor Format (PML) (PML).
• CSV (Comma-separated Values) – Create a CSV file with all of the events.
• Save all events in an XML file using the Extensible Markup Language (XML). This format also allows you to record track traces (which we’ll get to later) and resolve stack symbols.

Events

When you click OK, procmon will save all of the presently collected events that satisfy your criteria to the file you choose.

Getting Access to Saved Event Logs

You’ve recorded thousands of events on one computer, saved the session as a PML file, and moved it to another machine for further analysis. So, what’s next? It is necessary for you to open it.

You can open any PML file regardless if you captured it on your local computer or not by simply going to up File —> Open and choosing the PML file.

The /OpenLog flag may be used to open logs from the command line, for example, procmon.exe /OpenLog C:MyLogFile.pml.

Keeping Track of Events Automatically

After capturing events, you learnt how to export them to a log in the previous section. But what if you know you’ll need events in a PML, XML, or CSV file ahead of time? You may have procmon capture events and save them in one of those log file types.

Also, if you’re doing a quick ad-hoc debugging session that won’t take more than an hour, saving events in the page file is OK. However, there are a few disadvantages to this strategy.

1. The events vanish when you shut procmon.
2. As previously stated, the size of your page file might quickly balloon.

When using virtual memory as a storage location, you can discover how much space is left for procmon to use by clicking on File —> Backing Files.

What should I do? Change the location of your storage.

Keeping Track of Events on a Hard Drive

You may direct where procmon saves events from your page file to disk by doing the following:

1. If you’re in the middle of a capture, pause it.

2. Click on File —> Backing Files. You will then see a summary of events stored and size along with an option to change the storage location.

Backing Up Files in Process Monitor

3. To change the storage location to a file, click the ellipses button next to the Use file named: box and choose a file location.

For the optimum performance, choose a separate disk volume than the one where procmon is executing.

By running procmon from the command line and using the /BackingFile flag, you may force it to utilize a file as a storage location. Use the /PagingFile option if you ever want to go back to utilizing the page file.

Log File Conversion

Procmon supports three alternative log file formats: PML, CSV, and XML. Perhaps you’ve saved a log file as PML and need to use a script or another tool to parse the events. In such situation, you may use the command-line to convert the PML log file to XML or CSV.

Let’s assume you have a C:capture.pml PML log file. You want to convert this log file to XML and another to CSV. You may do so by first using the /OpenLog command to open the log file, then using the /Save* switch to save it.

The /SaveAs argument in Procmon enables you to store a log in any of the three formats listed above. Depending on the file extension you specify, the /SaveAs argument will determine the file format.

Here are a few examples:

To convert the capture.pml log to capture.xml, follow these steps:

/OpenLog C:capture.pml /SaveAs C:capture.xml procmon.exe

Convert the capture.pml file to a.csv file:

procmon.exe /SaveAs C:capture.csv /OpenLog C:capture.pml

Remember the choices in the Save to File dialog box for stack trace and stack symbol resolution? You may also use /SaveAs1 and /SaveAs2 to enable these choices.

Traces in Stacks and symbol information may only be saved in XML format.

Convert the capture.pml log to a capture.xml file that includes the stack information:

/OpenLog C:capture.pml /SaveAs1 C:capture.xml procmon.exe

Convert the capture.pml log to capture.xml, including symbolized stack information:

/OpenLog C:capture.pml /SaveAs2 C:capture.xml procmon.exe

You should be aware that adding Traces in Stacks and symbols will significantly lengthen the conversion time, and you will surely see a progress indication like the one shown below.

Indicator of Progress

Taking Notes During Boot-Up

When Windows is up and running, the information you need to explore isn’t always generated. When Windows is just starting up, you may also need to look at what a process is doing.

It’s not uncommon to have to tackle problems like poor boot-up times or spyware that chooses to execute as soon as Windows starts up. Procmon provides a feature called Boot Time Logging that you may use to collect this data.

To enable boot logging, click on Options —> Enable Boot Logging in the menu as shown below.

Activating boot logging

Once you click Enable Boot Logging, you’ll see a dialog box pop up asking for some optional information. This dialog box is where you can capture thread-Creating an event profile.

Enabling thread-Creating an event profile are an advanced use case. When you enable thread profiling, procmon captures thread Traces in Stacks and CPU utilization that you can use to identify the source of CPU-related performance issues.

Optional thread-Creating an event profile for boot time logging

When you click OK, procmon enables boot logging, which tells the filter driver (more on this later) to wait until Windows restarts. When you restart Windows, procmon will start recording process events as if you had manually started it.

C:Windowsprocmon.pmb is a temporary log file that stores all boot-time event data.

Reopen procmon once Windows has been reinstalled. You should see a dialog box similar to the one below. Here, pick the log file to store the data in after clicking Yes to convert the boot-time data to the PML format.

Conversion of boot-time events to PML has been confirmed.

A progress bar will appear as procmon transforms the data, as seen below.

Converting data from boot-up events to PML

After a reboot, don’t forget to start procmon again! Procmon will start recording events in C:Windowsprocmon.pmb as soon as Windows starts up. It will continue to do so until you close procmon and restart it.

Remotely executing Procmon

Although procmon only runs locally on a Windows PC, you may use psexec or PowerShell’s Invoke-Function command to make it run remotely.

Invoke-Command: The Best Way to Run Remote Code, PsExec: The Ultimate Guide

Follow these instructions to use PowerShell’s Invoke-Command command to execute procmon:

1. If you haven’t previously, enable PowerShell Remoting on the remote system.

2. Using the PowerShell shell, copy the procmon folder to the remote machine.

C:procmon MYPCc$ Copy-Item -Path

3. Use PowerShell to start procmon, ensuring that you skip the EULA confirmation and force procmon to store events in a backing file rather than virtual memory, as well as not asking for the filter.

C:procmonprocmon.exe /AcceptEula /BackingFile C:capture.pml /Quiet Invoke-Command -Computer MYPC -ScriptBlock C:procmonprocmon.exe /AcceptEula /BackingFile C:capture.pml /Quiet

4. Procmon has started capturing at this moment. Recreate the problem you’re attempting to solve.

5. Use the /Terminate switch to terminate procmon on the remote machine.

C:procmonprocmon.exe /Terminate Invoke-Command -Computer MYPC -ScriptBlock

6. Wait for procmon to stop off before proceeding. You may check for the procmon process on a regular basis as a shortcut and return control to the PowerShell console once it’s finished.

while (Invoke-Command -Computer MYPC -ScriptBlock Get-Process procmon -ErrorAction Ignore -ErrorAction Ignore -ErrorAction Ignore -ErrorAction Ignore -ErrorAction Ignore -ErrorAction Ignore -ErrorA Start-Sleep -Seconds 5 Write-Host “Waiting for procmon to exit…”

7. Save the log file from the distant computer to your local computer.

$session = New session Copy-Item -Path C:log.pml -Destination C: -FromSession -PSSession -ComputerName MYPC $session Remove-PSSession | $session

You should now have the log file from the distant machine on your local computer!

If you’d want to handle this capture with a real PowerShell script, you can find it below.

[CmdletBinding()] param( [Parameter()] [string]$ComputerName, [Parameter()] [string]$LogFilePath = ‘C:capture.pml’ ) $procmonFolderPath = ‘C:procmon’ try { $session = New-PSSession -ComputerName $ComputerName Copy-Item -Path $procmonFolderPath -Destination $procmonFolderPath -ToSession $session $scriptBlock = { & “$using:procmonFolderPathprocmon.exe” /AcceptEula /BackingFile $using:LogFilePath /Quiet & “$using:procmonFolderPathprocmon.exe” /Terminate while (Get-Process procmon -ErrorAction Ignore) { Write-Host “Waiting on procmon to exit…” Start-Sleep -Seconds 5 } } Copy-Item -Path $LogFilePath -Destination C: -FromSesson $session } catch { throw $_ } finally { $session | Remove-PSSession }

Creating Long-Term Procmon Captures

A busy Windows system may generate a large number of events procmon collects, which can quickly overload your computer. There are a few precautions you should take if you want to run procmon for a long period of time.

Filtered Events Should Be Removed

When procmon is running a capture, it captures all events. You can create and apply Filters for Events but these filters just hide the events on the screen; they don’t prevent procmon from capturing them.

If you intend to perform longer-running procmon captures, it’s always a good idea to choose Filtered Events Should Be Removed from the Filter menu as shown below.

Filtered Events Should Be Removed

Once you select the Filtered Events Should Be Removed item, procmon immediately begins dropping all filtered events. Procmon doesn’t show them on the screen nor does it save them to virtual memory or a log file. Dropping unwanted events entirely helps conserve resources.

Advanced Subjects

Are you still fiending for more information on procmon and how to use it? Let’s jump into some Advanced Subjects! These topics are those that you probably won’t need to know about too often. These topics are around more under-the-hood types of procmon features but, this information can be helpful when troubleshooting procmon.

Drivers for Filters

Procmon registers and utilizes a filter driver using the Windows Filter Manager to record events (FltDrv). When you start a capture, the PROCMON24 filter driver is installed. Other programs may interfere with this filter driver at times.

After you start procmon, open up an elevated Command prompt or PowerShell console and run fltmc filters. The fltmc utility lists, loads and unloads Drivers for Filters. When you run this, you’ll see the PROCMON24 filter loaded as shown below.

PROCMON24’s default Altitude is 385200, although other filters have a lower value. The height at which a filter driver may “see” events is represented by the filter driver altitude. Procmon, for example, will be unable to observe events occurring at the wcifs, luafv, or Wof levels. Later, I’ll go through how to change this.

24th Procmon

Even if procmon isn’t operating, the PROCMON24 filter driver is loaded.

Sometimes procmon may have problems Filter loading driver. To troubleshoot, open procmon with the /NoConnection switch to prevent procmon from connecting to the filter driver.

The PROCMON24 Filter Driver is being unloaded.

The PROCMON24 filter driver may clash with other hardware devices in certain circumstances, and you’ll need to uninstall it. However, this issue may not be as straightforward as it seems.

You can unload Drivers for Filters using the fltmc unload command followed by the name of the filter driver.

However, if you attempt the command above, you’ll quickly discover that it doesn’t function. You can’t uninstall this filter driver since the creator, presumably, didn’t provide this feature.

The Filter Won’t Unload

Unfortunately, the only method to unload the PROCMON24 filter driver is to reset the computer.

Traces in Stacks

Simple operations such as reading a registry key, opening a file, or dialing a network address aren’t always sufficient. You should look at the history of the Windows API function calls that a process is making. The stack trace of a process must be examined.

When a process is operating, a stack trace shows the history of numerous functions called during various function calls.

Double-click any event in the list of events in procmon and choose the Stack tab, as shown below. The Stack tab displays the function calls made by each individual process at the moment the event happened.

Stack Tab

The topic of Traces in Stacks could go on for a long time. If you’d like to learn more about understanding a process’s call stack, check out the article Getting better Traces in Stacks in Process Monitor

Procmon’s Altitude Can Be Changed (Capturing Lower-Level Events)

Procmon captures events using a filter driver, as previously mentioned. Despite the fact that it seems like procmon catches every Windows event (there are a lot of them in the procmon window! ), it does not. Procmon only records events that its filter driver is aware of, as well as the altitude at which its filter driver is operating.

If you need to record antiviral activity, low-level storage, or other lower-level hardware events, for example, the PROCMON24 filter driver’s altitude must be set lower than the others.

To do so, follow these steps:

1. Make sure procmon is turned off.

2. Find the lowest altitude of the currently-loaded Drivers for Filters with the fltmc command.

3. Under the HKLMSystemCurrentControlSetServicesPROCMON24InstancesProcess Monitor 24 Instance registry key, change the Altitude registry value to 100 less than the lowest altitude value (to see all events).

The registry key location may differ depending on the version of procmon you have installed. Procmon 2.4 is used in this tutorial.

To easily alter the value, launch an elevated PowerShell session and execute the code snippet below.

Set-ItemProperty -Path ‘HKLM:SystemCurrentControlSetServicesPROCMON24InstancesProcess Monitor 24 Instance’ -Name ‘Altitude’ -Value 40400 Set-ItemProperty -Path ‘HKLM:SystemCurrentControlSetServicesPROCMON24InstancesProcess Monitor 24 Instance’

The lower the altitude you pick, the more occurrences you’ll have to deal with. Set the altitude no lower than what you need.

4. On the Process Monitor 24 Instance key, deny Delete and Set Value privileges to Everyone. When procmon starts up again, it will try to reset the Altitude value to its default value. You may use the regedit program to alter these rights, or you can use the PowerShell code below.

$regKeyPath = ‘HKLM:SystemCurrentControlSetServicesPROCMON24InstancesProcess Monitor 24 Instance’ $regKeyPath = ‘HKLM:SystemCurrentControlSetServicesPROCMON24InstancesProcess Monitor 24 Instance’ Get-Acl $acl $idRef = System.Security.Principal.NTAccount $regKeyPath $regRights = @([System.Security.AccessControl.RegistryRights]::Delete, $regRights = @([System.Security.AccessControl.RegistryRights]::Delete, $regRights = [System.Security.AccessControl.RegistryRights]::SetValue) $inhFlags = [System.Security.AccessControl.InheritanceFlags]::None; $inhFlags = [System.Security.AccessControl.InheritanceFlags]::None; $inhFlag $prFlags = [System.Security.AccessControl.PropagationFlags]::None; $prFlags = [System.Security.AccessControl.PropagationFlags]::None; $prFlag $acType = [System.Security.AccessControl.AccessControlType]::Deny; $acType = [System.Security.AccessControl.AccessControlType]::Deny; $acType = $idRef, $regRights, $inhFlags, $prFlags, $acType) = New-Object System.Security.AccessControl.RegistryAccessRule ($idRef, $regRights, $inhFlags, $prFlags, $acType) = New-Object System.Security.AccessControl.RegistryAccessRule ($idRef, $regRight $acl.SetAccessRule($rule) Set-Acl -Path $acl $regKeyPath

5. Reboot Windows to unload the PROCMON24 filter driver.

6. Run procmon for the first time.

7. Run fltmc filters from a PowerShell console or a command prompt. The procmon filter driver should now be visible at the increased height.

Command prompt or PowerShell console

You are now able to capture anything you need. Just be ready for the event rain if you decrease procmon’s Altitude to the lowest it can go!

Examples from the Real World

You should now have a fair idea of what procmon can perform and how it may aid in the investigation of Windows events. Let’s put that information to use and look at a few frequent scenarios where you could require it.

What’s Deleting a File and How to Find Out

If you have a file on your Windows PC that keeps disappearing for no apparent reason and you want to find it, procmon can assist (and it’s quite simple).

Perhaps you’ve tried to set an event file named Delete or Remove file in Procmon, only to discover that no such action exists. Instead, you must filter for both events with an Operation of: to identify file removal events.

• SetDispositionInformationFile
• SetDispositionInformationEx

If your system is deleting a lot of files, you’ll want to use the Path filter to restrict the file deletion events to the file name or path.

SetDispositionInformationEx Include is the operation. SetDispositionInformationFileInclude is an operation. C:MyFolder Include is the first character in the path.

Troubleshooting File Locked Issues

We’ve all experienced it: you want to move or delete a file, but it’s locked by another process. You’ll never know whether that random error you encounter has anything to do with a locked file in the first place if you’re attempting to remove a program, for example.

Use the filter set below to see when Windows tries to delete or edit a locked file.

CreateFileInclude is the operation. SHARING VIOLATION is the end result.

Troubleshooting Admin Rights-Required Applications

Are you dealing with an application that should function based on the documentation but doesn’t? We’ve all been in that situation. Some processes that a program starts may need higher rights, but it won’t tell you where or how to get them. You may use procmon to assist you.

Filtering on the Result of an event is one technique to find processes that are being rejected because they need higher permissions.

When an event is rejected owing to a lack of elevated privileges, the message ACCESS DENIED is usually shown. Knowing this, you can simply create a filter that displays all occurrences with an ACCESS DENIED result, as seen below.

ACCESS is the end result. INCLUDE DENIED

You may also use the Path property to add other filters, such as registry or folder path.

Identifying the Process of Obtaining an IP Address

Maybe you’ve some odd network behavior with Wireshark and need to figure out what process is initiating that communication. Fire up procon and add the following set of Rules for filtering.

These Rules for filtering limit events to only locally-initiated network traffic with a destination of a single IP address.

Operation is TCP Send Include Operation is UDP Send Include Path contains -> Include Event Class is Network Include

Slow Boot Up Troubleshooting

Windows might be sluggish to start up at times. Many different Windows components, installed apps, and other factors might contribute to the slowness. You can trace down and repair the issue using procmon’s boot logging feature.

1. Activate the boot-logging feature. In the Capture Boot-Time Events section above, you may learn how to achieve this.

2. On the Enable Boot Logging dialog box, be sure to check the Generate thread Creating an event profile checkbox. The Every second radio button should be good enough.

Enabling thread Creating an event profile on boot

3. Open procmon after a reboot, right-click on any column, and choose Select Columns.

4. Select Duration from the Column for Process Monitoring Selection box. You’ll be able to see how long each event took to complete after you’ve done this.

Column for Process Monitoring

5. Now you may set a Duration filter rule to a number of seconds you think is appropriate. Only events that took longer than five seconds will be shown using the filter rule below.

Duration filter rule

6. Finally, another useful way to investigate these slow events is by using procmon’s Process Graph. The Process Graph show relationships between parent and child Processes and contains the start and end time on each process. To find it, click on Tools —> Process Graph.

Process Graph

7. Once in the Process Graph, now take a look at the Life Time column that shows in a graphical format the length of time each process took. You can also notice time spans by comparing the Start Time and End Time columns in this view.

Column for a Lifetime

App-V Application Troubleshooting

Microsoft’s App-V service is used by many enterprises to virtualize and distribute apps to end users. If you use App-V, you should be aware of a useful (but undocumented) procmon option called /externalcapture.

Using .procmon.exe /ExternalCapture tends to capture more registry activity around App-V applications. Try out this switch if you can’t find what you’re looking for when App-V Application Troubleshooting!

The /HookRegistry option is meant to do the same thing as /ExternalCapture, however it doesn’t seem to function on 64-bit PCs anymore.

Wrap Up

So there you have it: a comprehensive introduction to all things procmon! Even if you’ve learned a lot about procmon, there’s always more to learn about this useful tool.

Please reach out to me on Twitter if you have any suggestions for updates or improvements to this Ultimate Guide!

Procmon is a command-line tool that allows users to monitor the Windows processes. It can also detect and resolve issues with drivers, services, and applications. The “unable to load process monitor device driver” error message is an issue that has been present for a while.

Frequently Asked Questions

How do you use ProcMon effectively?

A: PROCMON is a process monitor and debugger for Windows OS. It allows you to view the current state of your system (processes, threads) in real-time by using resource tracking.

How do I start and stop ProcMon?

A: To start ProcMon, click on the little green ProcMon icon in your taskbar. This will bring up a window that allows you to type in commands and see output. To stop ProcMon, right-click on the process name or 256×256 icon of the program running inside it and select Stop/Exit Procexp

How do you use ProcMon filters?

A: ProcMon filters are a feature in Windows that allow you to filter certain processes or functions within the operating system.
To use it, first open up Process Monitor by typing process monitor into the search bar and clicking on the top result. Once this window opens, click on File -> New Filter…

Related Tags

• process monitor
• how to run procmon
• how to use procmon to troubleshoot
• run procmon in background
• sysinternals procmon