2295: Collecting Process Monitor Log


Last update: 24-05-2023

What is Process Monitor

Process Monitor is an advanced monitoring tool that shows real-time file system, registry, and process activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds a number of other enhancements.

Runs on:

  • Client: Windows 8.1 and higher.
  • Server: Windows Server 2012 and higher.
For older OS versions, download processmonitor_v3.33.zip

Process Monitor can be used to track system and software activity when troubleshooting product issues, especially when you need to find out which application or process accesses a file, a registry key or a path on the local drive.

The main Process Monitor window lists every system operation together with its exact time, process name, process ID and the result of that operation.

To see detailed information on a single operation, right-click its line and choose Properties.

When analyzing a Process Monitor log, it is recommended to apply filters. For example, you can right-click a Success value in the Result column and exclude it. You can also filter on Process Name and generally on any column you like.

You can choose to store Process Monitor data in a file on disk instead of virtual memory (e.g. if running Process Monitor consumes too much RAM or slows down the computer):

1. Go to File -> Backing files:

2. Specify the file where you want event data to be stored

How to collect a Process Monitor log in Windows

Whenever it is necessary to get information on the exact process/application that changes or creates a file/registry key or accesses a path on the local drive, please do the following:

  1. Download Process Monitor from Windows Sysinternals page, extract and run it:


    For older OS versions, download processmonitor_v3.33.

  2. Useful options:
    • You might want to capture only specific events and exclude the rest from the resulting file. When you apply a filter, do not forget to enable Filter -> Drop Filtered Events, which removes the excluded events from the saved log; otherwise events excluded by the filter are still written to the log file.
    • By default, Process Monitor stores all events in virtual memory. To store data on disk instead, navigate to File -> Backing files, select Use file named and specify the destination folder and file name.
    • You might want to limit the number of events captured. The History depth parameter limits the number of entries kept, so that you can leave Process Monitor running for long periods and it always keeps the most recent events (the oldest events are overwritten once the limit is reached). The minimum value is 1 million events; the maximum (and default) is 199 million. Navigate to Options -> History depth and set the limit.
  3. Reproduce the issue without closing the utility;
  4. Click File ->Save in the main Process Monitor window:

  5. Note the path where the log file is saved, so that you will be able to find it:

  6. Select All events and save the log file in the PML format:

  7. Compress logfile.PML into a ZIP archive before sending it; the compressed file is significantly smaller.

How to run Process Monitor on schedule

You can create a scheduled task to start and to stop Process Monitor using Windows Task Scheduler.

To start Process Monitor on schedule:

  1. Download Process Monitor from Windows Sysinternals page and extract it.
  2. Go to Control Panel -> Administrative Tools and open Task Scheduler.
  3. Click Task Scheduler Library.
  4. Under Actions, click Create Basic Task.
  5. Provide a name for the task (for example, Start Process Monitor) and click Next.
  6. In When do you want the task to start, click One time (or select a frequency depending on the nature of your issue).
  7. Enter the time when you want the task to be run and click Next.
  8. In What action do you want the task to perform, select Start a program and click Next.
  9. Browse for the Process Monitor executable (procmon.exe) and add these arguments:

    /accepteula /NoFilter /Runtime 300 /quiet /BackingFile <log path>

    where Runtime is the capture duration in seconds, after which Process Monitor is terminated, and <log path> is the path to the resulting log file (for example C:\log.pml).
    Make sure you have enough disk space where you are saving the log file.
  10. Click Next.
  11. Check the Open the Properties dialog for this task when I click finish check box and click on Finish.
  12. The properties dialog is shown. Click Change User or Group, select SYSTEM, and click OK.
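The same start task (and a matching stop task) can be registered from PowerShell instead of the Task Scheduler wizard. This is an added example, not part of the original article: it assumes Procmon.exe was extracted to C:\Tools\Procmon, writes to C:\log.pml as in step 9, and the 2 GB free-space threshold is an assumed safety margin for the caveat in step 9.

```powershell
# Added example (not from the original article): registers the "Start Process Monitor"
# task described in the steps above, plus a stop task, without the wizard.
$ProcmonPath = 'C:\Tools\Procmon\Procmon.exe'   # assumed location of the extracted executable
$LogPath     = 'C:\log.pml'                      # same example path as step 9
$RuntimeSec  = 300                               # /Runtime value from step 9, in seconds
$StartAt     = (Get-Date).AddMinutes(5)          # one-time trigger; align with the reproduction window

# Caveat from step 9: check free space on the target drive before scheduling an unfiltered capture.
$drive = Get-PSDrive -Name $LogPath.Substring(0, 1)
if ($drive.Free -lt 2GB) {                       # 2 GB is an assumed safety margin
    throw "Less than 2 GB free on $($drive.Name): - choose another location for $LogPath"
}

# Arguments exactly as listed in step 9 (quoted so a path with spaces still works).
$arguments = "/AcceptEula /NoFilter /Runtime $RuntimeSec /Quiet /BackingFile `"$LogPath`""

$action    = New-ScheduledTaskAction -Execute $ProcmonPath -Argument $arguments
$trigger   = New-ScheduledTaskTrigger -Once -At $StartAt
# Step 12: run as SYSTEM so the capture does not depend on an interactive logon session.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Start Process Monitor' -Action $action `
    -Trigger $trigger -Principal $principal -Force

# Optional stop task: /Runtime already ends the capture, but Procmon's /Terminate switch
# (a Procmon option, not mentioned in the article) cleanly stops a lingering instance.
$stopAction  = New-ScheduledTaskAction -Execute $ProcmonPath -Argument '/Terminate'
$stopTrigger = New-ScheduledTaskTrigger -Once -At $StartAt.AddSeconds($RuntimeSec + 60)
Register-ScheduledTask -TaskName 'Stop Process Monitor' -Action $stopAction `
    -Trigger $stopTrigger -Principal $principal -Force
```

Run the script from an elevated PowerShell session; Register-ScheduledTask requires administrative rights to create a task that runs as SYSTEM.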

How to collect Process Monitor log from WinPE bootable media

Download Process Monitor from the Windows Sysinternals page and unzip the archive. It contains several .exe files; you will need procmon64.exe, as procmon.exe does not work in the WinPE environment.

  1. Put procmon64.exe in some shared folder in the same subnet as WinPE media;
  2. Start WinPE media;
  3. Switch to Command Prompt (cmd) window in WinPE environment;
  4. Mount the share where procmon64.exe is located as drive W: with the following command:

    net use W: \\server\share <password> /user:<domain\user>

    where \\server\share is the name of the server and shared folder, <password> is the password needed to access the shared resource and <domain\user> specifies the user name with which to log on.

  5. Change to mapped drive W: with this command:

    W:

  6. Run procmon64.exe and click on Agree

  7. Reproduce the issue which must be captured with Process Monitor;

  8. Click File -> Save -> All events and save the log in .pml format. The file logfile.pml will be saved in the shared folder next to procmon64.exe;

  9. Close Process Monitor.

More information

The latest version of the Process Monitor utility is always available at Microsoft TechNet Sysinternals Download Page.

Process Monitor can be run on Client: Windows 8.1 and higher, Server: Windows Server 2008 and higher.

You can open PML files only with the Process Monitor itself.

/EnableBootLogging

Procmon configures its driver as a boot-start driver, so it loads at system startup before all other drivers.

Activity is logged by the driver to %windir%\Procmon.PMB until shutdown or until Procmon is run again. If you do not run Procmon during that boot session, you capture a trace of the entire boot-to-shutdown cycle.

To enable logging for subsequent boots, you must explicitly enable it again each time.

You can automate converting the unsaved boot log with /ConvertBootLog <pml-file>.

Keeping Procmon running after logoff:

    PsExec -s -d Procmon.exe

The -d option lets PsExec exit without waiting for the target process to exit, so the capture continues after the interactive session ends.
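The boot-logging and logoff-safe workflows above, scripted in PowerShell. This is an added example and not code from the article: it assumes Procmon.exe in C:\Tools\Procmon, PsExec.exe in C:\Tools\PsTools and an output folder C:\BootTrace.

```powershell
# Added example (not from the original article). Paths below are assumptions.
$ProcmonPath = 'C:\Tools\Procmon\Procmon.exe'
$PsExecPath  = 'C:\Tools\PsTools\PsExec.exe'
$OutDir      = 'C:\BootTrace'
$BootLog     = Join-Path $env:windir 'Procmon.PMB'    # unsaved boot log location from the article

function Enable-ProcmonBootLogging {
    # Must be repeated before every boot you want traced; it does not persist across boots.
    Start-Process -FilePath $ProcmonPath -ArgumentList '/AcceptEula', '/EnableBootLogging' -Wait
}

function Convert-ProcmonBootLog {
    # Run after the traced boot. The driver keeps writing the PMB until shutdown or until
    # Procmon is started again, so convert before opening the GUI on that system.
    if (-not (Test-Path $BootLog)) {
        throw "No unsaved boot log at $BootLog; was boot logging enabled before this boot?"
    }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $pml = Join-Path $OutDir ('boot-{0:yyyyMMdd-HHmmss}.pml' -f (Get-Date))
    # /ConvertBootLog <pml-file> as described above.
    Start-Process -FilePath $ProcmonPath -ArgumentList '/AcceptEula', '/ConvertBootLog', "`"$pml`"" -Wait
    # Same advice as step 7 of the main procedure: PML files compress very well.
    $zip = [System.IO.Path]::ChangeExtension($pml, '.zip')
    Compress-Archive -Path $pml -DestinationPath $zip -Force
    return $zip
}

function Start-ProcmonDetached {
    # "PsExec -s -d Procmon.exe": -s runs as SYSTEM, -d returns without waiting for Procmon,
    # so the capture survives logging off the interactive session.
    $session = Join-Path $OutDir 'session.pml'
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    & $PsExecPath -accepteula -s -d $ProcmonPath /AcceptEula /Quiet /BackingFile $session
}
```

Call Enable-ProcmonBootLogging, reboot, then Convert-ProcmonBootLog; Start-ProcmonDetached is independent of boot logging and stops when you run Procmon.exe /Terminate or the system shuts down.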


Analysis tools

  • Process activity summary - CPU utilization, file I/O operations, registry operations, network operations and memory usage per process.
  • File summary - for each unique file system path, the dialog box displays how much total time was spent performing I/O to the file, the number of opens, closes, reads, writes, Get ACL, Set ACL and other operations, the total number of operations performed and the number of bytes read from and written to the file. A non-expandable entry shows operations performed on the directory itself; an expandable entry shows the sums of all operations performed on its files and subdirectories.
  • Registry summary
  • Stack summary
  • Network summary
  • Cross Reference summary - lists all paths displayed by the current filter that have been accessed by more than one process.
  • Count Occurrences - shows a count by the selected column (for example Process Name -> count). If a filter is applied, only events matching the filter are counted.
