
How to make friends with Procmon

Process Monitor (ProcMon) by Sysinternals.

Recently I was teaching a young Padawan how to use this wonderful and, in some cases, indispensable tool, and while I was explaining it the idea came to me to write an introductory guide for those who are just starting out on the thorny path of an administrator.

In my opinion, everything related to ProcMon is best described in the book written by the tool's developers, “Sysinternals Utilities. Administrator's Handbook” (the English original is Windows Sysinternals Administrator's Reference by Mark Russinovich and Aaron Margosis).

I will not go into the weeds, and will try to give a minimum of theory and a maximum of practice, using one specific example.

Start ProcMon

ProcMon logs file system, registry, network, process, thread and image-loading activity in real time.

Well, is that clear? :)

If you simply start ProcMon, its working window instantly fills with all sorts of events, even if you do nothing. Making sense of these events and finding the interesting ones is hard even for an experienced hand. And it is not necessary, but first things first.

Most often ProcMon is launched for a specific purpose: to find out what a given program does, which process is writing files to a certain directory or registry key, where disk space is going, and so on. So if you simply start ProcMon, you will have to stop event capture (Ctrl+E), clear the events already collected (Ctrl+X), configure filters (Ctrl+L) and start monitoring again. To avoid all these unnecessary steps, there is a command-line parameter, /noconnect:

procmon /noconnect

Started with this parameter, ProcMon does not begin monitoring; instead the filter window opens immediately.

To simplify launching it, I do (and advise everyone to do) what the same book describes:

My collaborator Aaron usually creates a C:\Program Files\Sysinternals folder and extracts the contents of the Sysinternals Suite into it. There the utilities cannot be modified without administrator rights. He then adds this directory to the Path system environment variable, which makes it easy to run the utilities from anywhere, including from Start | Run.

Filters in ProcMon

As mentioned above, the filter window opens at startup when the /noconnect parameter is used. If you accidentally closed it, or you need to adjust filters you have already configured, you can open the filter window with Ctrl+L or via the menu Filter | Filter....

So we have reached the practical part :)

I already have an article on how to monitor the registry, so today we will learn how to monitor the file system. As an example, we will track what changes the standard Notepad makes.

So, we have the filter window open.

Filters in ProcMon

Just in case, press the Reset button to return the filters to their default state (ProcMon ships with a set of default filters that hide its own activity and some low-level noise; it is not recommended to remove them) and add the filter

Process Name is notepad.exe include.

Press the Add button. As the name implies, only events associated with the notepad.exe process will be captured, i.e. the events that Notepad generates.

Important point: with the is condition the process name must be given in full, including the extension, otherwise ProcMon will capture nothing (the comparison itself is not case-sensitive). Alternatively, you can use the filter

Process Name begins with notepad include

In this case, events from every process whose name begins with notepad will be captured: the standard Notepad, Notepad++, or some other notepad. In the same way, add a filter for file writes:

Operation is WriteFile include

Click Add and then OK. (You can also just click OK, in which case ProcMon will tell you that this filter has not been added yet and ask whether you want to add it. The point is that OK closes the filter window, so if this is not the only filter it is better to press Add, which adds the filter and leaves the window open for the next ones.)

Since we are only interested in file activity, in the main ProcMon window we turn off the registry, network and process activity toolbar buttons and leave only file system activity enabled (highlighted in the screenshot below).

Another important point.

By default, ProcMon records all system activity, including the events that the filters hide, which in some cases slows the system down. If you are sure the filters are configured correctly (in this example we are) and you do not need the hidden events, you can discard them with Filter | Drop Filtered Events. This setting affects only the recording of new events; events already recorded are not removed from the log. Keep in mind that dropped events are gone for good: loosening the filter later will not bring them back, which is why the option is off by default.

Once the filters are configured, start capturing events (the magnifying-glass button, or Ctrl+E). Launch Notepad, type some text and save the file. Let's see what happened:

File activity in ProcMon

As the screenshot shows, ProcMon recorded a WriteFile event by the notepad.exe process for the path C:\temp\test.txt.
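The whole sequence above (start without capturing, apply the Process Name and Operation filters, capture, stop, inspect) can also be driven from the command line, which is how you would run it on a server or inside a script. The PowerShell below is an added example written for this article, not code from Sysinternals. It assumes Procmon.exe is on the Path, as the book recommends, and that you run it from an elevated prompt; the file names under C:\temp are assumptions. The /AcceptEula, /Quiet, /Minimized, /BackingFile, /LoadConfig, /Terminate, /OpenLog and /SaveAs switches are ProcMon's own; the optional .pmc file is a filter set saved from the GUI via File | Export Configuration....

```powershell
# Added example for this article, not Sysinternals code. Run from an elevated PowerShell:
# Procmon needs administrator rights to load its driver. Assumes Procmon.exe is on the Path
# (as the book recommends) and that the paths below contain no spaces.

function Start-ProcmonCapture {
    param(
        [Parameter(Mandatory)] [string] $BackingFile,  # .pml file the driver writes events to
        [string] $ConfigFile                           # optional .pmc saved via File | Export Configuration...
    )
    # /Quiet suppresses the filter dialog, /Minimized keeps the window out of the way,
    # /AcceptEula avoids the licence prompt on a fresh machine.
    $procmonArgs = @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $BackingFile)
    if ($ConfigFile) { $procmonArgs += @('/LoadConfig', $ConfigFile) }
    Start-Process -FilePath 'procmon.exe' -ArgumentList $procmonArgs
    Start-Sleep -Seconds 3   # let the driver load before the target program starts
}

function Stop-ProcmonCapture {
    # /Terminate stops every running Procmon instance and flushes the backing file.
    Start-Process -FilePath 'procmon.exe' -ArgumentList '/Terminate' -Wait
}

function Export-ProcmonCsv {
    param([Parameter(Mandatory)] [string] $BackingFile, [Parameter(Mandatory)] [string] $CsvFile)
    # /OpenLog plus /SaveAs converts the binary log; the .csv extension selects the format.
    Start-Process -FilePath 'procmon.exe' -ArgumentList @('/OpenLog', $BackingFile, '/SaveAs', $CsvFile) -Wait
}

function Select-ProcmonEvents {
    # The article's two filters, "Process Name is notepad.exe" and "Operation is WriteFile":
    # exact matches, case-insensitive (PowerShell's -eq on strings ignores case, as Procmon does).
    param(
        [Parameter(ValueFromPipeline)] $Row,
        [string] $ProcessName = 'notepad.exe',
        [string] $Operation   = 'WriteFile'
    )
    process {
        if ($Row.'Process Name' -eq $ProcessName -and $Row.Operation -eq $Operation) { $Row }
    }
}

# --- usage (assumed file names) ---
$pml = 'C:\temp\notepad-capture.pml'
$csv = 'C:\temp\notepad-capture.csv'
Start-ProcmonCapture -BackingFile $pml          # add -ConfigFile 'C:\temp\notepad.pmc' to apply a saved filter set
Start-Process -FilePath 'notepad.exe' -Wait    # type something, save it as C:\temp\test.txt, close Notepad
Stop-ProcmonCapture
Export-ProcmonCsv -BackingFile $pml -CsvFile $csv
Import-Csv -Path $csv | Select-ProcmonEvents |
    Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Result, Detail |
    Format-Table -AutoSize
```

Without -ConfigFile the backing file holds everything the default filters let through, so the selection happens afterwards in PowerShell; that is the trade-off the Drop Filtered Events option is about. With a saved .pmc you get a small, focused .pml, but only the events that matched the filters at capture time.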

Let's do another experiment.

Stop capturing events (Ctrl+E), close Notepad and clear the collected events (Ctrl+X). Open the filter window (Ctrl+L), reset the filters (the Reset button) and add the following filter:

Path begins with c:\temp\ include

This says that we are interested in any activity under c:\temp. And since the value is not matched exactly (begins with rather than is), events will be captured not only from this directory but also from all of its subdirectories.

Make sure that only file system monitoring is enabled (when the filters are reset, everything returns to the default state).

Filters in ProcMon

Start monitoring. Open Explorer and navigate to our directory. Then take a look at ProcMon.

This is what opening a directory looks like in ProcMon

There will be a pile of events we do not understand, and we do not need them; just look at how many events happen when you merely enter a directory.

You can open the file and see how cluttered ProcMon gets. That is why I never recommend running ProcMon just to see what is going on in the system.

To see the actual file read events, stop capturing, clear the results window, add the filter

Operation is ReadFile include

and open the file again.

It should look something like this (as you can see in the screenshot, I opened the file with two different processes):
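Once you have a capture like this, the question is usually "who touched the directory, and how" rather than what each of the hundreds of Explorer events means. The PowerShell below is an added example written for this article, not Sysinternals code. It applies the same two filters as this second experiment, "Path begins with C:\temp\" and "Operation is ReadFile", to a CSV export (File | Save As..., CSV format, or the conversion from the earlier example) and summarises it per process and operation. The rows embedded in it are constructed to mimic ProcMon's default columns so that it runs without a capture; the process names, PIDs and paths in them are made up.

```powershell
# Added example for this article, not Sysinternals code. Works offline on the constructed
# rows below or on a real export: replace "$sample | ConvertFrom-Csv" with "Import-Csv <file>.csv".

function Select-PathPrefix {
    # "begins with" semantics of the Path filter: case-insensitive prefix match, so files in
    # subdirectories (C:\temp\sub\x.txt) qualify as well. .StartsWith is used instead of -like
    # because -like would treat [ and ] in a path as wildcards.
    param([Parameter(ValueFromPipeline)] $Row, [Parameter(Mandatory)] [string] $Prefix)
    process {
        if ($Row.Path.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) { $Row }
    }
}

function Get-ProcmonSummary {
    # One line per process/operation pair, busiest first: answers "which process is reading
    # or writing in this directory" without reading every event.
    param([Parameter(ValueFromPipeline)] $Row)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($Row) }
    end {
        $rows | Group-Object -Property 'Process Name', Operation |
            ForEach-Object {
                [pscustomobject]@{ Process = $_.Values[0]; Operation = $_.Values[1]; Count = $_.Count }
            } | Sort-Object -Property Count -Descending
    }
}

# Constructed sample in the layout Procmon exports with its default columns (not a real capture).
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:00:01.0000001 PM","explorer.exe","1234","CreateFile","C:\temp","SUCCESS","Desired Access: Read Data/List Directory"
"12:00:01.0000002 PM","explorer.exe","1234","QueryDirectory","C:\temp\test.txt","SUCCESS","Filter: test.txt"
"12:00:01.0000003 PM","explorer.exe","1234","QueryDirectory","C:\temp\sub\notes.txt","SUCCESS","Filter: notes.txt"
"12:00:01.0000004 PM","explorer.exe","1234","CloseFile","C:\temp","SUCCESS",""
"12:00:02.0000001 PM","notepad.exe","2222","CreateFile","C:\temp\test.txt","SUCCESS","Desired Access: Generic Read"
"12:00:02.0000002 PM","notepad.exe","2222","ReadFile","C:\temp\test.txt","SUCCESS","Offset: 0, Length: 12"
"12:00:02.0000003 PM","notepad.exe","2222","CloseFile","C:\temp\test.txt","SUCCESS",""
"12:00:03.0000001 PM","SearchIndexer.exe","3333","ReadFile","C:\temp\sub\notes.txt","SUCCESS","Offset: 0, Length: 4096"
"12:00:03.0000002 PM","notepad.exe","2222","ReadFile","C:\Users\me\ntuser.ini","SUCCESS","Offset: 0, Length: 20"
'@

$events = $sample | ConvertFrom-Csv | Select-PathPrefix -Prefix 'C:\temp\'

# Everything under C:\temp, aggregated: Explorer dominates, as in the screenshot.
$events | Get-ProcmonSummary | Format-Table -AutoSize

# The article's final filter, "Operation is ReadFile": the actual reads, one row per process.
$events | Where-Object { $_.Operation -eq 'ReadFile' } |
    Select-Object 'Process Name', PID, Path, Detail | Format-Table -AutoSize
```

Note what the trailing backslash in the prefix does: the two Explorer events on the directory itself, whose Path is C:\temp with no trailing backslash, do not match "begins with C:\temp\" and are left out, while C:\temp\sub\notes.txt is kept. Dropping the backslash from the filter would include them, at the cost of also matching C:\temp2 or C:\tempfiles, so pick the prefix deliberately.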
