0% found this document useful (0 votes)

607 views13 pages

Process Monitor Tutorial Handout

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, process, thread, and network activity. It combines features from Filemon and Regmon and adds new capabilities like filtering, event properties, reliable process information, thread stacks, logging, and profiling. Process Monitor runs on Windows 2000 and newer, and allows monitoring file system, registry, process, network, and profiling events to troubleshoot systems and hunt malware.

Uploaded by

BigDom

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

607 views13 pages

Process Monitor Tutorial Handout

Uploaded by

BigDom

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

UsingProcessMonitor

ProcessMonitorTutorial Thisinformationwasadaptedfromthehelpfilefortheprogram. ProcessMonitorisanadvancedmonitoringtoolforWindowsthatshowsrealtimefilesystem, Registryandprocess/threadactivity.ItcombinesthefeaturesoftwolegacySysinternals utilities,FilemonandRegmon,andaddsanextensivelistofenhancementsincludingrichand nondestructivefiltering,comprehensiveeventpropertiessuchsessionIDsandusernames, reliableprocessinformation,fullthreadstackswithintegratedsymbolsupportforeach operation,simultaneousloggingtoafile,andmuchmore.Itsuniquelypowerfulfeatureswill makeProcessMonitoracoreutilityinyoursystemtroubleshootingandmalwarehunting toolkit. ProcessMonitorrunsonWindows2000SP4withUpdateRollup1,WindowsXPSP2,Windows Server2003SP1,andWindowsVistaaswellasx64versionsofWindowsXP,WindowsServer 2003andWindowsVista. UsingProcessMonitor

ExecutingProcessMonitorrequireslocalAdministrativegroupmembership.Whenyoulaunch ProcessMonitoritimmediatelystartsmonitoringthreeclassesofoperation:filesystem, Registryandprocess. FileSystem ProcessMonitordisplaysfilesystemactivityforallWindowsfilesystems,includinglocal storageandremotefilesystems.ProcessMonitorautomaticallydetectsthearrivalof newfilesystemdevicesandmonitorsthem.Allfilesystempathsaredisplayedrelative totheusersessioninwhichafilesystemoperationexecutes.Forexample,ifuserAhas

mountedashareasdriveletterZ:,anyaccessestheymaketothatsharewilldisplayin ProcessMonitorasbeingrelativetodriveZ:. Toremovefilesystemoperationsfromthedisplaydeselectthefilesystempushbutton intheProcessMonitortoolbarandtoaddbackfilesystemoperationsdepressthe button. Registry ProcessMonitorlogsallRegistryoperationsanddisplaysRegistrypathsusing conventionalabbreviationsforRegistryrootkeys(e.g.HKEY_LOCAL_MACHINEis representedasHKLM). ToremoveRegistryoperationsfromthedisplaydeselecttheRegistrypushbuttonin theProcessMonitortoolbarandtoaddbackRegistryoperationsdepressthebutton. Process Initsprocess/threadmonitoringsubsystemProcessMonitortracksallprocessand threadcreationandexitoperationsaswellasDLLanddevicedriverloadoperations. ToremoveProcessoperationsfromthedisplaydeselecttheprocesspushbuttoninthe ProcessMonitortoolbarandtoaddbackprocessoperationsdepressthebutton. Network ProcessMonitorusesEventTracingforWindows(ETW)totraceandrecordTCPand UDPactivity.Eachnetworkoperationincludesthesourceanddestinationaddresses,as wellastheamountofdatasentorreceived,butdoesnotincludetheactualdata. ToremoveNetworkoperationsfromthedisplaydeselectthenetworkpushbuttonin theProcessMonitortoolbarandtoaddbacknetworkoperationsdepressthebutton. Profiling ThiseventclasscanbeenabledfromtheOptionsmenu.Whenactive,ProcessMonitor scansalltheactivethreadsinthesystemandgeneratesaprofilingevenforeachone thatrecordsthekernelanduserCPUtimeconsumed,aswellasthenumberofcontext switchesexecuted,bythethreadsinceitspreviousprofilingevent.Note:theSystem processisnotincludedinprofiling.

ThereareanumberofbasicoptionsthatcontrolbasicProcessMonitoroperation: Capture:UsetheCaptureEventsmenuitemintheFilemenu,capturetoolbarbuttonorCtrl+E hotkeytotoggleProcessMonitor'smonitoring.

Autoscroll:SelectAutoscrollentryintheEditmenu,theautoscrolltoolbarbuttonorCtrl+A hotkeytotoggleProcessMonitor'sautoscrollbehavior,whichcausesittoensurethatthemost recentoperationisvisibleinthedisplay. Clear:ToclearthedisplayofallitemschooseClearDisplayfromtheEditmenuorusetheCtrl+X hotkey. ColumnSelection Youcandragcolumnstorearrangetheirorderandcustomizedthecolumnsdisplayedby choosingSelectColumnsfromtheOptionsmenutoopenthecolumnselectiondialog.Columns thatareavailableforselectioninclude: ApplicationDetails

ProcessNameThenameoftheprocessinwhichaneventoccurred. ImagePathThefullpathoftheimagerunninginaprocess. CommandLineThecommandlineusedtolaunchaprocess. CompanyNameThetextofthecompanynameversionstringembeddedinaprocess imagefile.Thistextisoptionallydefinedbytheapplicationdeveloper. DescriptionThetextoftheproductdescriptionstringembeddedinaprocessimagefile. Thistextisoptionallydefinedbytheapplicationdeveloper. VersionTheproductversionnumberembeddedinaprocessimagefile.Thisinformation isoptionallyspecifiedbytheapplicationdeveloper.

EventDetails

SequenceNumberTheuniquenumberProcessMonitorassignstoanindividualevent. EventClassTheclass(File,Registry,Process)oftheevent. OperationThespecificeventoperation(e.g.Read,RegQueryValue,etc.). Date&TimeBoththedateandthetimeofanoperation. TimeofDayOnlythetimeofanoperation. PathThepathoftheresourcethataneventreferences. DetailAdditionalinformationspecifictoanevent. ResultThestatuscodeofacompletedoperation. RelativeTimeThetimeoftheoperationrelativetoProcessMonitor'sstarttimeorthe lasttimethattheProcessMonitordisplaywascleared. DurationThedurationofanoperationthathascompleted.

ProcessManagement

UserNameThenameoftheuseraccountinwhichtheprocessthatperformedan operationisexecuting.

SessionIDTheWindowssessioninwhichtheprocessthatexecutedanoperationis executing. AuthenticationIDThelogonsessioninwhichtheprocessthatexecutedanoperationis executing. ProcessIDTheProcessID(PID)oftheprocessthatexecutedanoperation. ThreadIDTheThreadID(TID)ofthethreadthatexecutedanoperation. IntegrityLevelTheintegritylevelatwhichtheprocessthatexecutedanoperationis running(WindowsVistaonly). VirtualizedThevirtualizationstatusoftheprocessthatexecutedanoperation(Windows Vistaonly).

EventProperties Youcanaccessthepropertiesforanindividualeventbydoubleclickingontheevent,orby selectingthePropertiesmenuitemfromtheEventmenuorthecontextmenuwhenyouright clickonanevent.TheEventPropertiesdialogconsistsoftheEvent,ProcessandStackpages. Youcanmovetothenextorprecedingdisplayedorhighlightedeventwiththearrowbuttonsat thebottomoftheEventPropertiesdialog.

Event TheEventpagedisplaysinformationspecifictoanevent,includingitssequencenumber,issuing thread,eventclassandoperation,result,timestamp,andifapplicable,resourcepath.Onlyfile systemandRegistryeventsdefineresourcepaths.ThelowerareaoftheEventpagelistsdetails collectedforaneventthataredependentontheeventoperation.Thedetailsarethesameas shownforaneventintheDetailcolumnofthemaindisplay,buteachdetailisshownona separateline. Process Anevent'sProcesspageshowsinformationabouttheprocessthatexecutedanevent.Along withthedataassociatedwithaprocess'image,suchasthepathandversionstrings,the ProcesspageshowsprocessexecutionattributesliketheprocessID,useraccountinwhichthe processisexecuting,andiftheeventwasgeneratedona64bitWindowssystem,whetherthe processis32bitor64bit.ForprocessesexecutingonWindowsVistasystems,ProcessMonitor showstheintegrityleveloftheprocessandwhetherornotit'svirtualized. Thebottomareaoftheprocesspagedisplaysthelistofimagesloaded,andtheaddressesat whichtheyareloaded,intheprocessatthetimetheeventexecuted.Doubleclickonanimage inthelisttoviewmoreinformationabouttheimage,includingitsversioninformation. Stack TheStackpageshowsthethreadstackofthethreadwhentheeventwasrecorded.Thestack canbeusefulfordeterminingthereasonaneventtookplaceandthecomponentresponsible fortheevent.Kernelmodeframesofastackaredesignatedwiththeletter'K'ontheleftofthe frameandusermodestacks(onlyavailableonlyon32bitsystemspriortoVistaSP1/Windows Server2008)withtheletter'U'.IfProcessMonitorisabletolocatesymbolsforimages referencedinthetraceitwillattempttoresolveaddressestothefunctionsinwhichthey reside.Symbolsresolutioncantaketimeifsymbolsmustberetrievedfromthenetwork,for examplefromtheMicrosoftsymbolserver.UsetheSymbolConfigurationdialog,whichyou accessfromtheOptionsmenu,toconfiguresymbols. IfyouspecifyapathtosourcefilesintheSymbolConfigurationdialog,theStackdialog'sSource buttonwillenableforanyframeforwhichlinenumbersymbolsinformationisavailableand thesourcefileispresentinthepathsyouinclude.ClickingontheSourcebuttonopensatext viewerthathighlightsthesourcecodelinereferenced. Toviewmoreinformationaboutanimagelistedinthestacktraceeitherdoubleclickonthe frameorselecttheframeandpressthePropertiesbuttonbelowthestacktracearea. SelecttheStackmenuentryfromtheEventmenutoopentheEventPropertiesdialogdirectly totheStackpage.

FilteringandHighlighting ProcessMonitoroffersseveralwaystoconfigurefiltersorhighlighting. IncludeandExcludeFilters YoucanspecifyeventattributessuchthatProcessMonitorwillonlydisplayorexcludeevents withmatchingattributevalues.Allfiltersarenondestructive,meaningthattheyaffectonly whicheventsProcessMonitordisplays,nottheunderlyingeventdata. WhenaneventisselectedtheIncludeandExcludesubmenusintheEventmenuallowsyouto easilyaddoneoftheevent'sattributestotheconfiguredIncludeorExcludefilters.For example,toonlyshoweventsexecutedbyaparticularprocessnamechoosetheProcessName entryfromtheIncludesubmenu.Youcanalsoselectmultipleeventsandsimultaneously configureanattributefilterforalloftheuniquevaluescontainedintheselectedevents. ProcessMonitorORstogetherallthefiltersthatarerelatedtoaparticularattributetypeand ANDstogetherfiltersofdifferentattributetypes.Forexample,ifyouspecifiedprocessname includefiltersforNotepad.exeandCmd.exeandapathincludefilterforC:\Windows,Process MonitorwouldonlydisplayeventsoriginatingineitherNotepad.exeorCmd.exethatspecify theC:\Windowsdirectory. MorecomplexfilteringoptionsareavailableintheFilterdialog,whichyouopenbyselecting FilterfromtheToolsmenuorbyclickingontheFiltertoolbarbutton.Afilterentryconsistsof anattributefield(e.g.AuthenticationID,ProcessName,etc.),acomparisonoperation,an attributevalue,andafiltertypeofeitherIncludeorExclude.Forconvenience,ProcessMonitor willautomaticallypopulatetheattributevaluedropdownwithvaluesthatarepresentinthe loadedtracedata,butyoucanenterarbitraryvalues. FilterContextMenu IfyourightclickonaniteminthedisplayProcessMonitordisplaysacontextmenuthatlet's youviewtheitem'spropertiesorconfigureafilterbasedontheitem'sattributes.Further, quickfilterentriesareaddedtothemenuforthevalueofthecolumnonwhichyouclick. DestructiveFiltering Bydefault,ProcessMonitorfiltersapplytothedataitdisplays,notwhatitsaves.Thisallows youtochangefilterstoobtaindifferentviewsofdatawithoutaffectingtheexcludeddata. However,youcanconfigureProcessMonitortodeleteanydatathat'sexcludedbyafilteratthe timethedataiscapturedbytogglingdestructivefilteringmode,whichyoudobychoosingDrop FilteredEventsfromtheFiltermenu.

IncludeProcessfromWindow Thetoolbarincludesabuttonshapedlikeatargetthatyoucandragoffanddropontoa windowtocauseProcessMonitortoaddtheprocessIDoftheprocessthatownsthewindow totheIncludefilter. Basicvs.AdvancedMode TheFiltermenu'sEnableAdvancedOutputmenuitemcontrolswhetherProcessMonitoris operatinginBasicorAdvancedMode.WheninBasicmodeProcessMonitorconfiguresbuiltin filterstoexcludesystemrelatedactivityfromthedisplayandusesintuitivenamesforinternal filesystemoperations.Forexample,ProcessMonitorshowstheinternalIRP_MJ_READ operationasReadwheninBasicmode.Basicmodemakesoutputeasiertoreadandomits eventsusuallynotrelevantforapplicationtroubleshooting. SavingandLoadingFilters OnceyouhaveconfiguredafilteryoucansaveitusingtheSaveFiltersmenuitemintheTools menu.ProcessMonitoraddsfiltersyousavetotheLoadFiltermenuforeasyaccessandyou canchangetheorderinwhichthefiltersdisplayinthemenuusingtheOrganizeFiltersdialog thatyouopenwithOrganizeFiltersintheToolsmenu.YoucanusetheOrganizeFilterdialogto renamesavedfiltersaswellastoeasilyexportfilterstoaformatthatyoucanthenreimport usingtheOrganizeFilterdialogonothersystems. Highlighting ProcessMonitorshighlightingfiltersenableyoutospecifyeventattributesthatcauseanevent tobeshownwithahighlightcolor.TheHighlightsubmenuintheEventmenuprovidesquick accessfordefininghighlightfilterentriesandtheHighlightmenuentryintheToolsmenuopens theHighlightFilterdialog,whichoperatessimilarlytotheInclude/ExcludeFilterdialog. TheProcessTree TheProcessTreemenuentryintheToolsmenuopenstheProcessTreedialog,whichdisplays alloftheprocessesreferencedintheloadedtraceinahierarchythatreflectstheirparentchild relationships.Processeswiththesameparentaresortedaccordingtotheirstarttime. Processesthatarealignedalongtheleftsideofthewindowhaveparentprocessesthatdidnot executeanyeventinthetrace. WhenyouselectaprocessinthetreeasubsetofthedataProcessMonitorhasobtainedabout theprocess,suchasitsimagepath,useraccount,andstarttime,showsinthebottomofthe dialog.ToviewmoreinformationaboutaprocessyoucanclickontheGoToEventbutton, whichresultsinProcessMonitorlocatingandselectingthefirstvisibleiteminthetrace

executedbytheprocess.Notethatfilterscanpreventthisoperationfromsucceedingby excludingfromthedisplayallofthespecifiedprocess'events. TraceSummaryTools ProcessMonitorincludesanumberofdialogsthatallowyoutoperformsimpledataminingon theeventscollectedinatrace. SystemDetails ProcessMonitorcapturessomeinformationaboutthesystemonwhichitcollectsatrace, includingthemachinename,thesystemrootpath,andwhethertheOSis32bitor64bit.You canaccessthisinformation,whichProcessMonitorstoresinlogfiles,fromtheSystemDetails dialogintheToolsmenu. UniqueValues TheUniqueValuesdialog,whichyouopenusingthecorrespondingmenuentryintheTools menu,letsyouseetheuniquevaluesforeachofthedifferentattributevaluesdefinedfor eventsinatrace.Forexample,ifyouwantquicklyseeallthepathsreferencedinthetrace, choosePathintheselectionentry. DoubleclickingonadisplayedvalueorclickingontheFilterbuttonaddsanincludefilterforthe currentlyselectedvalue. CountOccurrences OpentheCountOccurrencesdialogfromtheToolsmenu.Itdisplaystheuniquevaluesseenina tracefortheattributetypeyouspecifyalongwiththenumberoftimesinthetraceanevent containedthevalue. ProcessSummary Thisdialogsummarizestheprocessesseeninthetrace,includingtheirprocessID,imagename, andcommandline. FileSummary TheFileSummarydialoglistseachuniquefilesystempathpresentinthefilteredtrace,the amountoftimespentperformingI/Otothefile,totalnumberofeventsthatreferencedthe path,andthecountofindividualoperationtypes.

RegistrySummary TheRegistrySummarydialoglistseachuniqueRegistrypathpresentinthefilteredtrace,the amountoftimespentperformingI/OtotheRegistrypath,totalnumberofeventsthat referencedthepath,andthecountofindividualoperationtypes. NetworkSummary TheNetworkSummarydialoglistseachuniquedestinationIPaddresspresentinthefiltered traceandthenumberdifferenttypesofevents,includingsendsandreceives,toeachaddress. StackSummary UsetheStackSummarydialogtoseeindividualinstancesofstacktracesforeachprocess, includingthenumberoftimesthestacktraceoccursandthetotaltimespentineventsthat sharethesametrace. Options AnumberofsettingsintheOptionsmenumodifyProcessMonitor'sbehavior. AlwaysonTop SelectingthisoptioncausestheProcessMonitorwindowtoremainontopofotherwindows. Font ThisoptionopensafontselectiondialogwhereyoucanchosethefontProcessMonitoruses foritsdisplay. HighlightColors ChosethisentrytoopenadialogtopickthetextandbackgroundcolorsProcessMonitoruses forentriesthatmatchtheconfiguredhighlightfilters. ConfigureSymbols ProcessMonitorcanusesymbolinformation,ifavailable,toshowfunctionsreferencedon eventstacks.YoucanfindinformationonconfiguringsymbolsontheMicrosoftDebugging ToolsforWindowswebpage.

HistoryDepth ProcessMonitorwatchescommittedmemoryusageandturnsitselfoffwhenvirtualmemory runslow,buttheHistoryDepthdialoglet'syoulimitthenumberofentriesitkeepssothatyou canleaveProcessMonitorrunningforlongperiodsandensurethatitalwayskeepsthemost recentevents. ProfilingEvents Usethismenuentrytoopenthethreadprofilingconfigurationdialog,whereyouenablethread profilingandtherateatwhichthreadprofilingeventsgenerate.Whenthreadprofilingis enabled,ProcessMonitorcapturesthreadstacktracesandCPUutilizationthatyoucanuseto identifythesourceofCPUrelatedperformanceissues. EnableBootLogging UsethisoptiontoconfigureProcessMonitorbootlogging. SavingandLogging FileFormats YoucanusetheSaveentryintheFilemenutosaveProcessMonitordatainnative(PML), commadelimitedvalue(CSV),orXMLformats.ThePMLformatpreservesallofthedata capturedsothatyoucanreloaditbackintoProcessMonitoronthesamesystemoradifferent one.CSVfilesareusefulforimportingintoExcelorotherdataanalysisapplications.Finally,XML emitsXMLformatteddatathatcanbeparsedbytoolsthatmanipulateXML. Logging Bydefault,ProcessMonitorusesvirtualmemorytostorecaptureddata.UsetheBackingFiles dialog,whichyouaccessfromtheFilemenu,toconfigureProcessMonitortostorecaptured datainfilesondisk.EnablingthisoptionhasProcessMonitorlogdatatothediskinitsnative PMLformatasitcapturesit. TheBackingFilesdialogalsodisplaysdiagnosticinformation,includingthenumberofevents captured,processesdefinedandthecapturethread'sloadstatus. BootLogging ProcessMonitorcanlogactivityfromapointveryearlyinthebootprocessduringthe initializationofbootstartdevicedrivers.ConfigureProcessMonitortologthenextbootby selectingEnableBootLoggingfromtheOptionsmenu.ProcessMonitor'sdriverwilllogactivity

atthenextbootintoafileinthe%Windir%directoryandwillcontinueloggingthroughthe shutdownoruntilyourunProcessMonitoragain.Thus,ifyoudon'trunProcessMonitorduring abootsessionyouwillcaptureatraceoftheentireboottoshutdowncycle. WhenyourunProcessMonitoritlookstoseeifapreviousbootloghasbeengenerated,andif so,asksyouwhereyouwanttoplacetheprocessedbootlogoutputfile.ProcessMonitor displaysthetraceafterithasfinishedtranslatingit.ToseeactivityfromtheSystemprocess, whichistheonlyprocessearlyinaboot,selectEnableAdvancedOutputfromtheOptions menu. Ifyouconfigurebootloggingandthesystemcrashesearlyinthebootyoucandeactivateboot loggingbychoosingtheLastKnownGoodoptionfromtheWindowsbootmenu(whichyou accessbypressingF8duringtheboot). Note:networkevents,whicharebasedonETW(EventTracingforWindows),arenotavailable inbootlogs. ImportingandExportingConfiguration OnceyouhaveconfiguredafilteryoucansaveitusingtheSaveFiltersmenuitemintheTools menu.ProcessMonitoraddsfiltersyousavetotheLoadFiltermenuforeasyaccessandyou canchangetheorderinwhichthefiltersdisplayinthemenuusingtheOrganizeFiltersdialog thatyouopenwithOrganizeFiltersintheToolsmenu.YoucanusetheOrganizeFilterdialogto renamesavedfiltersaswellastoeasilyexportfilterstoaformatthatyoucanthenreimport usingtheOrganizeFilterdialogonothersystems. YoucanalsoexportProcessMonitor'sentireconfiguration,includingfilters,columnselection, columnorderandsize,logfilesettings,anddebughelpfilepathconfiguration,toaProcess MonitorConfigurationfile(.PMC)usingtheExportConfigurationmenuentryintheFilemenu. UsetheFilemenu'sImportConfigurationentrytoloadasavedconfigurationfile. CommandLineOptions ProcessMonitorsupportsseveralcommandlineoptions: /Openlog<savedPMLlogfile> DirectsProcessMonitortoopenandloadthespecifiedlogfile. /Backingfile<logfilename> HasProcessMonitorcreateandusethespecifiedfilenameastheloggingfile. /Pagingfile

Saveeventstothepagingfile. /Noconnect WhenthisflagispresentProcessMonitordoesnotautomaticallystartloggingactivity. /Nofilter Clearsthefilteratstartup. /AcceptEula AutomaticallyacceptsthelicenseandbypassestheEULAdialog. /Profiling Enablesthethreadprofilingeventclass. /Minimized StartsProcessMonitorwithitswindowminimizedtothetaskbar. /WaitForIdle WaitforaninstanceofProcessMonitortobecomeready. /Terminate TerminateallinstancesofProcessMonitorandexit. /Quiet Don'tconfirmfiltersettingsonstartup. /Run32 Usesthisswitchtorunthe32bitversionofProcessMonitoron64bitWindowstoopenlogs generatedon32bitsystems /HookRegistry Thisswitch,whichisavailableonlyon32bitVistaandServer2008,hasProcessMonitoruse systemcallhookinginsteadoftheRegistrycallbackmechanismtomonitorRegistryactivity, whichenablesittoseeSoftgridvirtualRegistryoperationsontheseoperatingsystems.This

optionmustbeusedthefirsttimethatProcessMonitorisrunonasystemandshouldonlybe usedtotroubleshootSoftGridapplications. /SaveAs,/SaveAs1,/SaveAs2 Usetheseswitcheswiththe/OpenLogswitchtohaveProcessMonitorexportalogfileinto CSV,XML,orPMLformat.The/SaveAs1optionincludesstackinformationforexporttoXML formatandthe/SaveAs2optionaddssymbolinformation. ScriptingProcessMonitor YoucanuseProcessMonitorcommandlineoptionstodriveitwithabatchfile.Hereishow yourbatchfileshouldlooktocaptureatraceofnotepad.exe'sexecution: setPM=C:\sysint\procmon.exe start%PM%/quiet/minimized/backingfileC:\temp\notepad.pml %PM%/waitforidle notepad.exe %PM%/terminate ThefirstinvocationofProcessMonitorusingstartensuresthattheprocessdetachesfromthe consolewindow,whichallowsittorunconcurrentlywiththelatercommands.Thesecond invocationwith/WaitForIdlecausesthebatchfiletopauseuntilthefirstinstanceisupand runningandactivelycapturingevents.Thefinalinvocationwith/Terminatetellsthefirst instancetostopcapturing,commitanyoutstandingdatatothebackingfileandexitcleanly.

Common questions

Process Monitor uses Event Tracing for Windows (ETW) to monitor TCP and UDP network activity, capturing source/destination addresses and data transfer amounts. While this provides valuable information about network traffic, the main limitation is that it does not capture the actual data content being transmitted. This restricts its utility to analyzing traffic patterns rather than the data itself, potentially limiting its effectiveness in situations where data payloads are crucial for troubleshooting or security analysis .

Process Monitor tracks all process and thread creation and exit operations, as well as DLL and device driver loads. It records detailed attributes including process ID, thread ID, user and session IDs, and tracks whether the process is running in 32-bit or 64-bit mode on 64-bit systems. For Windows Vista systems, it also tracks the integrity and virtualization status of processes. The tool's ability to provide detailed process/thread information aids in understanding and diagnosing system behaviors and malfunctions .

Process Monitor's profiling feature scans active threads and records their kernel and user CPU time along with context switches since the previous profiling event. This allows analysts to identify CPU-related performance issues by indicating which threads and processes consume the most CPU resources. Profiling data enables a detailed examination of how system resources are used over time, aiding in the optimization of application performance and system resource management .

Process Monitor is an advanced monitoring utility for Windows, providing real-time file system, Registry, and process/thread activity monitoring. It combines features from earlier utilities such as Filemon and Regmon with enhancements like rich filtering and comprehensive event properties. It offers reliable process information, full thread stacks, and network monitoring through Event Tracing for Windows (ETW). Additionally, it supports simultaneous logging and profiling of CPU usage, which are essential for troubleshooting system issues and detecting malware activities .

The basic mode of Process Monitor simplifies its output by using intuitive names for file system operations and excluding system-related activity, making it user-friendly for application troubleshooting. This mode omits less relevant events, reducing noise for users focused on specific application behavior. Advanced mode, however, provides more comprehensive data, displaying all system activities, which is crucial for in-depth technical analysis and diagnosing complex operational issues. The choice between these modes impacts data interpretation by determining the breadth and granularity of available information .

The native PML format in Process Monitor preserves all captured data with full detail, allowing for comprehensive analysis and reloading on any system with Process Monitor installed, which is ideal for in-depth investigation and collaborative troubleshooting. In contrast, CSV is beneficial for importing data into spreadsheet applications like Excel for data manipulation and analysis, albeit with potential data loss in terms of detail. XML offers structured data suitable for integration with systems supporting XML data, aiding in automation and data mining tasks. Each format serves different analytical purposes, balancing granularity against ease of sharing and cross-application compatibility .

Process Monitor facilitates stack analysis by showing the thread stack details for each recorded event. It distinguishes between kernel-mode and user-mode frames, resolving function addresses if symbol information is available. Stack analysis is significant as it aids in identifying the cause of an event and the responsible components. It is particularly useful for debugging and performance diagnostics, helping to pinpoint bottlenecks and faults in program execution .

Symbol resolution in Process Monitor enhances stack trace analysis by converting raw addresses into human-readable function names, offering detailed insights into execution flow. It assists users in understanding which functions are involved in specific events or errors. Users can configure symbol resolution through Process Monitor's symbol configuration option, which involves setting the path to debugging tools that can resolve symbols, thereby increasing the precision of event analysis .

Enabling boot logging in Process Monitor allows it to capture activity from early in the boot process, including initialization of boot-start drivers, and continues through to shutdown. This comprehensive logging is vital for diagnosing system startup issues because it enables the capture of events that might lead to early boot failures or delays. The complete boot-to-shutdown logs provide insights into system behavior that might not be visible from typical operational logs. However, network events, based on Event Tracing for Windows, are not captured in boot logs, which may limit network-related diagnostics .

Process Monitor allows non-destructive filtering, meaning that while filters change the data view, the excluded data is not removed from the log. This feature enables users to apply various filters to decide which data to display for targeted troubleshooting without losing any information. Filters can be saved and organized for reuse, facilitating efficient analysis of recurring issues. Advanced filtering includes highlighting specific events, configuring destructive filters, and using quick-filters for contextual filtering. These filtering capabilities help analysts focus on relevant data, simplifying the identification and understanding of operational anomalies .

Process Explorer Tutorial Handout
No ratings yet
Process Explorer Tutorial Handout
10 pages
Linux Essentials Certification Instructor Approved: Users
No ratings yet
Linux Essentials Certification Instructor Approved: Users
3 pages
Configuring Devices and Device Drivers: This Lab Contains The Following Exercises and Activities
No ratings yet
Configuring Devices and Device Drivers: This Lab Contains The Following Exercises and Activities
11 pages
Windows Incident Response Guide
No ratings yet
Windows Incident Response Guide
23 pages
Understanding Icacls Command Usage
No ratings yet
Understanding Icacls Command Usage
4 pages
CyberAces Module1-Windows 1 InstallingWindows
No ratings yet
CyberAces Module1-Windows 1 InstallingWindows
40 pages
Windows Server 82023
No ratings yet
Windows Server 82023
171 pages
Acl and Ace, Dacl, Sacl
No ratings yet
Acl and Ace, Dacl, Sacl
1 page
30 Basic Powershell Commands To Start With Windows Server - @TheTunnelix
No ratings yet
30 Basic Powershell Commands To Start With Windows Server - @TheTunnelix
5 pages
Mastering PowerCLI - Sample Chapter
No ratings yet
Mastering PowerCLI - Sample Chapter
50 pages
Day 1 6active Directory
No ratings yet
Day 1 6active Directory
33 pages
Quick Start - WireGuard
No ratings yet
Quick Start - WireGuard
5 pages
Windows Server 2012 Guide & Features
No ratings yet
Windows Server 2012 Guide & Features
215 pages
Study of Windows 2000 Operating System
50% (2)
Study of Windows 2000 Operating System
15 pages
Learning Powercli: Chapter No. 1 "Introduction To Powercli"
No ratings yet
Learning Powercli: Chapter No. 1 "Introduction To Powercli"
34 pages
Active Directory Group Policy
No ratings yet
Active Directory Group Policy
4 pages
Vsphere Esxi Vcenter Server 703 Setup WSFC
No ratings yet
Vsphere Esxi Vcenter Server 703 Setup WSFC
41 pages
Virtualization Group Presentation
No ratings yet
Virtualization Group Presentation
10 pages
Active Directory Interview Questions
No ratings yet
Active Directory Interview Questions
30 pages
Windows Registry Basics Tutorial
No ratings yet
Windows Registry Basics Tutorial
13 pages
Windows and Windows Server Compatibility Cookbook
No ratings yet
Windows and Windows Server Compatibility Cookbook
145 pages
Overview of Windows 10 1703 Deployment Options
100% (1)
Overview of Windows 10 1703 Deployment Options
1,126 pages
Linux Basics: Commands & Distributions
No ratings yet
Linux Basics: Commands & Distributions
20 pages
Understanding Server Types & Functions
No ratings yet
Understanding Server Types & Functions
8 pages
Windows 10 Support & Troubleshooting
100% (1)
Windows 10 Support & Troubleshooting
9 pages
Windows Server Interview Questions and Answers PDF - Google Search
No ratings yet
Windows Server Interview Questions and Answers PDF - Google Search
2 pages
Operating System and Development Stages of The Windows Operating System
No ratings yet
Operating System and Development Stages of The Windows Operating System
3 pages
Group Policy
No ratings yet
Group Policy
3 pages
Linux Process
No ratings yet
Linux Process
28 pages
Seminar On: Honeypots: Vidyabharti Trust College of Bca, Umrakh
No ratings yet
Seminar On: Honeypots: Vidyabharti Trust College of Bca, Umrakh
22 pages
Windows Logging Guide Win7/2008+
100% (1)
Windows Logging Guide Win7/2008+
6 pages
Understanding Active Directory Basics
100% (1)
Understanding Active Directory Basics
18 pages
VMware Management With PowerCLI 5.0
No ratings yet
VMware Management With PowerCLI 5.0
1 page
CyberAces Module1-Linux 3 CoreCommands
No ratings yet
CyberAces Module1-Linux 3 CoreCommands
19 pages
Frequently Asked Questions: Windows 10: Update
No ratings yet
Frequently Asked Questions: Windows 10: Update
18 pages
What Is RAID? Benefits of RAID Concepts of RAID RAID
100% (2)
What Is RAID? Benefits of RAID Concepts of RAID RAID
27 pages
Using The FTD CLI
No ratings yet
Using The FTD CLI
6 pages
Essential Windows Run Commands Guide
No ratings yet
Essential Windows Run Commands Guide
20 pages
RHCSA 7 Study Guide Overview
No ratings yet
RHCSA 7 Study Guide Overview
22 pages
VMware Vsphere With Operations Management Launch Playbook PDF
No ratings yet
VMware Vsphere With Operations Management Launch Playbook PDF
11 pages
Windows Server 2003 Active Directory and Security Questions
No ratings yet
Windows Server 2003 Active Directory and Security Questions
15 pages
Windows Server 2008 Active Directory Components
No ratings yet
Windows Server 2008 Active Directory Components
1 page
OpenStack Cloud & Big Data Training
No ratings yet
OpenStack Cloud & Big Data Training
111 pages
Cyberattack Analysis on National Defense
No ratings yet
Cyberattack Analysis on National Defense
5 pages
RAID and Back-Up 20-21
No ratings yet
RAID and Back-Up 20-21
6 pages
Windows Performance and Problem Troubleshooting Flow PDF
No ratings yet
Windows Performance and Problem Troubleshooting Flow PDF
2 pages
Troubleshooting Bsod
No ratings yet
Troubleshooting Bsod
28 pages
Active Directory Essentials
No ratings yet
Active Directory Essentials
6 pages
Azure VM Lab
No ratings yet
Azure VM Lab
8 pages
MCSE & System Administrator Interview Questions - Windows Server 2008 - R2 Active Directory
No ratings yet
MCSE & System Administrator Interview Questions - Windows Server 2008 - R2 Active Directory
4 pages
Windows Process Monitor Guide
No ratings yet
Windows Process Monitor Guide
3 pages
Experiment 8
No ratings yet
Experiment 8
4 pages
Process Monitor Tool
No ratings yet
Process Monitor Tool
4 pages
Capturing ProcMon Traces Guide
No ratings yet
Capturing ProcMon Traces Guide
1 page
Filemon Regmon
No ratings yet
Filemon Regmon
61 pages
Resource Monitoring Tools Overview
No ratings yet
Resource Monitoring Tools Overview
11 pages
Process and Thread Activity
No ratings yet
Process and Thread Activity
2 pages
Module 3 Dynamic Analysis
No ratings yet
Module 3 Dynamic Analysis
14 pages
Process Explorer Essentials - Antun Peicevic
No ratings yet
Process Explorer Essentials - Antun Peicevic
70 pages
Os Lab1
No ratings yet
Os Lab1
4 pages
Introduction to Macroeconomics Concepts
No ratings yet
Introduction to Macroeconomics Concepts
3 pages
Aspiring Filmmaker's Journey
No ratings yet
Aspiring Filmmaker's Journey
5 pages
Traditional Beliefs and Practices of The Garo, Khasi, and Jaintia Tribes of Meghalaya
No ratings yet
Traditional Beliefs and Practices of The Garo, Khasi, and Jaintia Tribes of Meghalaya
3 pages
Classification of Colour Illusions
No ratings yet
Classification of Colour Illusions
7 pages
2181 - Haiti's Drums and Trees
100% (1)
2181 - Haiti's Drums and Trees
36 pages
Yesterday at 4:41 PM: Tactical Periodization
No ratings yet
Yesterday at 4:41 PM: Tactical Periodization
2 pages
Cte Sept 2020 Textos
No ratings yet
Cte Sept 2020 Textos
5 pages
College Prep Algebra I Course Syllabus
No ratings yet
College Prep Algebra I Course Syllabus
4 pages
Yuliawati 2021
No ratings yet
Yuliawati 2021
6 pages
English For Academic and Professional Purposes Long Test 1
No ratings yet
English For Academic and Professional Purposes Long Test 1
2 pages
WFP 0000101250
No ratings yet
WFP 0000101250
28 pages
Unit 1 - Contributing Disciplines
No ratings yet
Unit 1 - Contributing Disciplines
2 pages
IKEA Supply Chain Management Insights
No ratings yet
IKEA Supply Chain Management Insights
7 pages
Unit 3: Wild Life: Vocabulary
No ratings yet
Unit 3: Wild Life: Vocabulary
4 pages
58-Slope Stability in Cutting
100% (1)
58-Slope Stability in Cutting
10 pages
Habeas Corpus Case Audit & Judge Ethics
No ratings yet
Habeas Corpus Case Audit & Judge Ethics
4 pages
Curriculum Content
No ratings yet
Curriculum Content
4 pages
Head and Shoulders Shampoo Overview Philippines
No ratings yet
Head and Shoulders Shampoo Overview Philippines
4 pages
Compass - The FMAA Bachelor of Commerce 2014 Guide
No ratings yet
Compass - The FMAA Bachelor of Commerce 2014 Guide
51 pages
You Cant Do It Alone - Maria Quiban Whitesell
No ratings yet
You Cant Do It Alone - Maria Quiban Whitesell
162 pages
40k Special Characters
No ratings yet
40k Special Characters
4 pages
"Shy Boy": (Chorus)
No ratings yet
"Shy Boy": (Chorus)
2 pages
Book Review The Home and The World
No ratings yet
Book Review The Home and The World
3 pages
The Official Guide To The TOEFL iBT Test, Seventh Edition
No ratings yet
The Official Guide To The TOEFL iBT Test, Seventh Edition
6 pages
Constitution and By-Laws of The Recaredo Castillo Elementary School 2 Teachers and Employees Association (Rces2Tea)
No ratings yet
Constitution and By-Laws of The Recaredo Castillo Elementary School 2 Teachers and Employees Association (Rces2Tea)
5 pages
Infinitive of Purpose Worksheet
No ratings yet
Infinitive of Purpose Worksheet
2 pages
Cultural Etiquette and Idioms Guide
No ratings yet
Cultural Etiquette and Idioms Guide
6 pages
Soal Bahasa Inggris Kelas 10 SMK
No ratings yet
Soal Bahasa Inggris Kelas 10 SMK
6 pages
Thornton v. Thornton
100% (1)
Thornton v. Thornton
2 pages
Art in Honduras and Most Notable Artists
No ratings yet
Art in Honduras and Most Notable Artists
9 pages

Process Monitor Tutorial Handout

Uploaded by

Process Monitor Tutorial Handout

Uploaded by

UsingProcessMonitor

ThereareanumberofbasicoptionsthatcontrolbasicProcessMonitoroperation: Capture:UsetheCaptureEventsmenuitemintheFilemenu,capturetoolbarbuttonorCtrl+E hotkeytotoggleProcessMonitor'smonitoring.

Common questions

How does Process Monitor utilize event tracing for network monitoring and what limitations does this approach have?

How does Process Monitor handle process/thread creation and monitoring, and what are the specific attributes it tracks?

Describe how Process Monitor can be used to profile CPU utilization and the insights this feature provides.

What are the core capabilities of Process Monitor that make it a critical tool for troubleshooting and malware detection?

Analyze the differences between basic and advanced modes in Process Monitor and their impact on data interpretation.

Evaluate the advantages and disadvantages of using Process Monitor's native PML format compared to CSV and XML formats for data logging and analysis.

In what ways does Process Monitor facilitate stack analysis and what is the significance of this feature?

What role does symbol resolution play in Process Monitor's stack trace analysis, and how can users configure it?

Discuss the implications of enabling boot logging in Process Monitor and its potential advantages for diagnosing system startup issues.

Explain how Process Monitor uses filtering and how it supports troubleshooting and analysis.

You might also like