Overview
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including rich, non-destructive filtering; comprehensive event properties such as session IDs and user names; reliable process information; full thread stacks with integrated symbol support for each operation; simultaneous logging to a file; and much more. These features make Process Monitor a core utility for troubleshooting and malware hunting.
This article provides information on stopping, starting, saving, and sharing a ProcMon capture.
Prerequisites
Get and run ProcMon:
- Download ProcMon.
- Unzip the ProcessMonitor.zip file.
- Copy the ProcMon.exe file to the server or workstation that you need to perform troubleshooting on.
- Launch ProcMon as Administrator:
  - Right-click on the ProcMon.exe file.
  - Select Run as administrator.
By default, ProcMon starts capturing events as soon as it launches.
- Right-click on the Process
Stopping a ProcMon Capture
- Click File.
- Click on Capture Events to deselect it.
- Click Edit.
- Select Clear Display.
Starting a ProcMon Capture
- Go to File.
- Select Capture Events.
Once ProcMon starts capturing events, you can start reproducing the issue.
Saving and Sharing a ProcMon Capture
Once you are done reproducing the issue, stop the capture (steps 1 and 2 in the Stopping a ProcMon Capture section), then follow the steps below to save and share the ProcMon capture:
- Click on File.
- Select Save.
- Change the file name and path if you prefer to do so. Do not change the other default settings.
- Navigate to the location of the saved file.
- Send the file to us by attaching it to the Zendesk ticket.
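The same stop/start/save procedure can be driven from an elevated PowerShell session using ProcMon's documented command-line switches, which is handy on a server without an interactive desktop. The script below is an added example, not part of the original article or the Sysinternals tooling; the ProcMon.exe location (C:\Tools\ProcessMonitor) and the 30-second reproduction window are assumptions you would adjust.

```powershell
# Added example (not from the original article): capture a ProcMon trace
# non-interactively so the resulting .pml file can be attached to a ticket.
# Assumptions: ProcMon.exe was unzipped to C:\Tools\ProcessMonitor (hypothetical
# path) and this shell is running as Administrator, as the article requires.
$ProcMon = 'C:\Tools\ProcessMonitor\ProcMon.exe'
$Trace   = Join-Path $env:TEMP ("procmon-{0}.pml" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Start capturing straight to a backing file instead of virtual memory.
# /AcceptEula and /Quiet suppress the prompts; /Minimized keeps the window
# out of the way while the issue is reproduced.
Start-Process -FilePath $ProcMon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Trace`""
)

# Reproduce the issue here. This placeholder simply waits 30 seconds.
Start-Sleep -Seconds 30

# /Terminate stops the capture, flushes the backing file and exits ProcMon.
Start-Process -FilePath $ProcMon -ArgumentList '/Terminate' -Wait

# Record the size and a SHA-256 digest so the recipient can confirm the file
# that reached the ticket is the one that was captured.
$File = Get-Item -Path $Trace
$Hash = (Get-FileHash -Path $Trace -Algorithm SHA256).Hash
"{0}`n{1:N0} bytes`nSHA256 {2}" -f $File.FullName, $File.Length, $Hash
```

The .pml written this way is the same format the GUI produces with File > Save using the default settings, so it opens in ProcMon with File > Open. Because the capture includes user names, session IDs and full command lines (the event properties described in the Overview), review it in ProcMon before attaching it to a ticket and keep the hash alongside it.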
Here is a 101 video for Process Monitor:
Source: Process Monitor 101 by Jeremy Moskowitz