Process Monitor




Process Monitor is a tool on Windows systems that helps you monitor for issues on your system. You can view process, registry, filesystem, and network activity in real-time.

Process Monitor was born when Mark Russinovich and Bryce Cogswell created RegMon (“Registry Monitor”) and its sister application Filemon (“File Monitor”). The two tools were combined to form the earliest version of ProcMon (“Process Monitor”). Some tools available today that provide similar levels of real-time detail about the operating system are SpyStudio.exe, Sysmon.exe, Procexp.exe, and perfmon.exe.

Process Monitor is a free tool from Windows Sysinternals, which is part of the Microsoft TechNet website. The tool monitors and displays in real time all file system activity on a Microsoft Windows operating system.

Sysadmins often use ProcMon to troubleshoot issues that are otherwise hard to detect on the operating system. Security professionals use it to monitor critical processes and spot potentially malicious behavior. Today, we are going to go through the basics of using ProcMon.

Installing Process Monitor

But first, let’s install ProcMon! Go to Microsoft’s website to download Process Monitor.


Extract the downloaded file “ProcessMonitor.zip” to your desktop. You will see a file named “Procmon.exe”. Run Procmon.exe to open up the application.

Using Process Monitor

After opening ProcMon, you will see a window like this.

You can start capturing events by going to “File” and checking “Capture Events”.

You should see events showing up in your window.


Saving the capture

Save your capture files by going to “File > Save”. ProcMon gives you the option of saving only filtered events and saving the capture file in multiple different formats.

ProcMon filters

ProcMon filters allow you to filter specific events and exclude the ones that you don’t want to see. To quickly switch between event types you can use the buttons located in the top toolbar.

You can also adjust which events are shown in your window using more detailed filters by going to “Filter > Filter…”.


You can filter events by process ID, username, time, date, and more. For example, to view only the process named “Procmon.exe”, set the filter conditions to “Process Name is Procmon.exe then Include”. Click “Add” to add the new filter to your filter list. Uncheck the boxes next to unwanted filters on your list to remove them. Finally, click “Apply” to apply your list of filters.

You should now only see the events that fit your filter criteria.

Once you have designed a filter, you can export it by going to “File > Export Configuration”. This saves the filter settings so you can reuse them later. You can also import the same file when parsing ProcMon logs with other tools, such as PowerShell.

Process tree

There is also a useful feature in ProcMon called the Process Tree. You can access it by going to “Tools > Process Tree”.

The Process Tree shows the parent-child relationships of all processes. This will give you insight into processes and their orders of execution. Click on a process to examine its details in the panel below.


Using Process Monitor in the command line

You can also drive Process Monitor from the command line, if you prefer.

Here are several command-line options of ProcMon that you will need to know.

  • /AcceptEula: Accepts the license agreement and bypasses the EULA dialog.
  • /Quiet: Do not prompt to confirm filter settings.
  • /Backingfile FILE_NAME: Create the file and use it as the output file.
  • /Runtime SECONDS: Capture for a number of seconds, then stop.

For example, you can log events directly into a file located at “C:\Users\Admin\Desktop\ProcmonLog.PML” with this command.

You can also launch ProcMon with an existing filter file and output the filtered events in a specific file format by using these parameters.

  • /LoadConfig PATH_TO_FILE: Use the specified filter and settings file.
  • /SaveAs FILE_NAME: Export the log file into CSV, XML, or PML format.

This command will use the preconfigured filter file located at “C:\Users\Admin\Desktop\Filter.pmc” and convert the filtered events to XML format so that they can be analyzed by other tools.

Using ProcMon filters before saving the log file is important, because ProcMon captures hundreds of thousands of events in a very short amount of time. Loading an unfiltered XML log file into PowerShell would be extremely resource intensive and would take a long time.
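As an added example (not a command from the original article), the following PowerShell script strings the options above together: a timed, unattended capture into the backing file, then a second run that loads the saved log with the filter file and exports only the matching events as XML. The install path, the 60-second runtime, and the use of `/OpenLog` and `/SaveApplyFilter` (standard ProcMon options that the lists above do not mention: the first loads a saved PML, the second makes `/SaveAs` honour the loaded filter) are my assumptions.

```powershell
# Added example, not from the original article. Paths below are assumptions; adjust them.
$Procmon = 'C:\Tools\Procmon.exe'                       # assumed install location
$Log     = 'C:\Users\Admin\Desktop\ProcmonLog.PML'      # backing file (path from the article)
$Filter  = 'C:\Users\Admin\Desktop\Filter.pmc'          # filter file (path from the article)
$XmlOut  = 'C:\Users\Admin\Desktop\ProcmonLog.xml'      # /SaveAs picks the format from the extension
$Seconds = 60                                           # assumed capture length

function Invoke-Procmon {
    # Runs Procmon with the given arguments, waits for it to exit, returns the exit code.
    param([string[]]$Arguments)
    $p = Start-Process -FilePath $Procmon -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode
}

# Step 1: unattended, timed capture. /Quiet skips the filter-confirmation prompt,
# /Backingfile streams events straight to disk, /Runtime stops the capture by itself.
Invoke-Procmon @('/AcceptEula', '/Quiet',
                 '/Backingfile', "`"$Log`"",
                 '/Runtime', "$Seconds") | Out-Null
if (-not (Test-Path $Log)) { throw "Capture did not produce $Log" }

# Step 2: reopen the raw PML with the saved filter and export only the events that pass it.
# /OpenLog and /SaveApplyFilter are standard options not listed in the article (assumption noted above).
Invoke-Procmon @('/AcceptEula', '/Quiet',
                 '/LoadConfig', "`"$Filter`"",
                 '/OpenLog', "`"$Log`"",
                 '/SaveApplyFilter',
                 '/SaveAs', "`"$XmlOut`"") | Out-Null
if (-not (Test-Path $XmlOut)) { throw "Export did not produce $XmlOut" }

# Show how much the filter trimmed before the XML goes anywhere near PowerShell's XML parser.
'{0:N0} KB raw capture -> {1:N0} KB filtered XML' -f `
    ((Get-Item $Log).Length / 1KB), ((Get-Item $XmlOut).Length / 1KB)
```

Keeping the raw PML and exporting a filtered copy separately means you can always go back to the full capture with a different filter, while the XML handed to downstream tools stays small.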

Parsing log files using PowerShell

After saving the desired events into a log file, you can parse log files using PowerShell and sort through the events.

First, read the saved XML file and assign it to a variable.

Then, retrieve the filtered events from the XML object.

Very often there are still too many events to go through manually. You can apply a regex pattern to pull the exact details you need out of the remaining events.
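Here is the three-step workflow just described, as an added PowerShell example that is not code from the original article, plus a reconstruction of the parent-child tree that the Process Tree section shows in the GUI, built from the export's process list. The element names (`procmon`, `processlist`, `eventlist`, `Process_Name`, `PID`, `Operation`, `Path`, `Result`) follow the layout of ProcMon's XML export as I know it; the processes and events in the sample are constructed so the script runs without a capture, and `helper.dll` is a made-up file name.

```powershell
# Added example, not from the original article. The here-string is a constructed
# Procmon-style XML export so the script runs offline; for a real export use
#   [xml]$log = Get-Content -Path 'C:\Users\Admin\Desktop\ProcmonLog.xml' -Raw
[xml]$log = @'
<procmon>
  <processlist>
    <process><ProcessIndex>1</ProcessIndex><ProcessId>1200</ProcessId><ParentProcessId>900</ParentProcessId><ProcessName>explorer.exe</ProcessName></process>
    <process><ProcessIndex>2</ProcessIndex><ProcessId>2300</ProcessId><ParentProcessId>1200</ParentProcessId><ProcessName>cmd.exe</ProcessName></process>
    <process><ProcessIndex>3</ProcessIndex><ProcessId>2500</ProcessId><ParentProcessId>2300</ParentProcessId><ProcessName>powershell.exe</ProcessName></process>
    <process><ProcessIndex>4</ProcessIndex><ProcessId>812</ProcessId><ParentProcessId>600</ParentProcessId><ProcessName>svchost.exe</ProcessName></process>
  </processlist>
  <eventlist>
    <event><ProcessIndex>2</ProcessIndex><Time_of_Day>10:01:02.1</Time_of_Day><Process_Name>cmd.exe</Process_Name><PID>2300</PID><Operation>CreateFile</Operation><Path>C:\Users\Admin\Desktop\notes.txt</Path><Result>SUCCESS</Result><Detail>Desired Access: Generic Read</Detail></event>
    <event><ProcessIndex>3</ProcessIndex><Time_of_Day>10:01:02.4</Time_of_Day><Process_Name>powershell.exe</Process_Name><PID>2500</PID><Operation>CreateFile</Operation><Path>C:\Users\Admin\Desktop\helper.dll</Path><Result>NAME NOT FOUND</Result><Detail>Desired Access: Read Attributes</Detail></event>
    <event><ProcessIndex>3</ProcessIndex><Time_of_Day>10:01:02.5</Time_of_Day><Process_Name>powershell.exe</Process_Name><PID>2500</PID><Operation>CreateFile</Operation><Path>C:\Windows\System32\helper.dll</Path><Result>SUCCESS</Result><Detail>Desired Access: Read Attributes</Detail></event>
    <event><ProcessIndex>4</ProcessIndex><Time_of_Day>10:01:03.0</Time_of_Day><Process_Name>svchost.exe</Process_Name><PID>812</PID><Operation>RegQueryValue</Operation><Path>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip</Path><Result>SUCCESS</Result><Detail>Type: REG_DWORD</Detail></event>
  </eventlist>
</procmon>
'@

# Step 2: pull the event records out of the XML object.
$events = @($log.procmon.eventlist.event)

# Step 3: a regex narrows the remaining events to what matters. Here: attempts to open a
# DLL that came back NAME NOT FOUND, i.e. a process probing folders for a library before
# it finds the real one (something a defender wants to know about, see the Tips below).
$pattern = '(?i)\.dll$'
$missingDll = $events | Where-Object {
    $_.Operation -eq 'CreateFile' -and $_.Result -eq 'NAME NOT FOUND' -and $_.Path -match $pattern
}
"DLL probes that did not find the file:"
$missingDll | Select-Object Time_of_Day, Process_Name, PID, Path | Format-Table -AutoSize

# A quick who-did-what summary, useful before writing a tighter filter in the GUI.
"Events by process, operation and result:"
$events | Group-Object Process_Name, Operation, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Parent-child tree from the process list (what Tools > Process Tree shows in the GUI).
$procs    = @($log.procmon.processlist.process)
$knownIds = $procs | ForEach-Object { $_.ProcessId }

function Show-ProcessTree {
    param([string]$ParentId, [int]$Depth = 0)
    foreach ($p in ($procs | Where-Object { $_.ParentProcessId -eq $ParentId })) {
        '{0}{1} (PID {2})' -f ('  ' * $Depth), $p.ProcessName, $p.ProcessId
        Show-ProcessTree -ParentId $p.ProcessId -Depth ($Depth + 1)
    }
}

# Roots are processes whose parent is not in the capture (it exited before the trace started).
"Process tree:"
$procs | Where-Object { $knownIds -notcontains $_.ParentProcessId } |
    Select-Object -ExpandProperty ParentProcessId -Unique |
    ForEach-Object { Show-ProcessTree -ParentId $_ }
```

On the sample data the tree prints explorer.exe with cmd.exe and powershell.exe nested under it and svchost.exe as a second root, and the regex step isolates the single failed look-up of `helper.dll` on the desktop before the copy in System32 was found.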

Conclusion

Process Monitor allows you to monitor system processes in real-time. You can use ProcMon on its own or you can combine it with other tools to create an automatic monitoring system!


Process Monitor, by Sysinternals under Microsoft, shows real-time file system, Registry and process/thread activity. To do this it registers itself with Event Tracing for Windows to receive activity reports from both the file system and the Windows Registry.

It can be found here: Windows Sysinternals Process Monitor.

Display Overview

Some basics of what to expect to see: here is a resized window showing all of the default information I want to go over:

Capture (Ctrl+E): Enables/Disables capturing activity.
Autoscroll (Ctrl+E): Enables/Disables scrolling of display as activity is shown. I find it best to disable Autoscroll until enough filters are in place, ymmv.
Clear (Ctrl+X): Clears/flushes captured activity.
Filter (Ctrl+L): Shortcut to the filter screen.
Highlight (Ctrl+H): Enable highlighting of particular captured activity.
Include Process From Window: You see a program you want to watch to see what it does, these cross-hairs will help you zero in on just it.

Registry Activity: I use this secondarily and have sparse experience with it; I tend to disable it on startup. Results include SUCCESS, NAME NOT FOUND, BUFFER OVERFLOW, REPARSE, NO MORE ENTRIES, ACCESS DENIED, and BUFFER TOO SMALL.

File System Activity: My bread and butter of this tool; I will almost always be using this. The seemingly more useful results include SUCCESS, ACCESS DENIED, NAME COLLISION, PATH NOT FOUND, END OF FILE, and BUFFER OVERFLOW, while the plethora of other results are NO MORE FILES, NAME NOT FOUND, FILE LOCKED WITH WRITERS, FILE LOCKED WITH ONLY READERS, NOT REPARSE POINT, PRIVILEGE NOT HELD, IS DIRECTORY, INVALID PARAMETER, NO SUCH FILE, RANGE NOT LOCKED, SHARING VIOLATION, OPLOCK NOT GRANTED, INVALID DEVICE REQUEST, and FAST IO DISALLOWED. This may not be the full list, but it is what I could generate.

Network Activity: This would be my third most used, and last, as I don’t use the next two. I like this to see if a connection was made out/in and to/from what host.

Process and Thread Activity

Profiling Events

*A note on Fast IO
“Fast IO indicators in a trace have to do with how the Windows file cache works. Process Monitor provides a default filter that removes most of the Fast IO events, by doing an exclude on events that have an Operation starting with the string “FASTIO_”. This leaves “FAST IO DISALLOWED” events captured and displayed. You often see a “FAST IO DISALLOWED” entry on a file followed by the normal path attempt to open the file, which succeeds. Adding a filter to exclude Operations starting with “FAST IO” eliminates these red herrings.”

Starting up Process Monitor

When starting up the application, the output is overwhelming. Expect it, much like running Wireshark and showing all traffic on an interface, you are going to see more than you really need.

Filters
The default filter:

This strips out actions by the Process Monitor application itself. I use this as a base, and once the program starts showing results, exclude the imports I am not looking for. I rarely use the registry watch, and I typically stick to just the file monitor.

So for the default that loaded on the last version I downloaded, I would start the application, to stop the capture, disable , , and . I am then left with just enabled. Now start the capture again, .

For the slew of what is left, we have two options.

Include only the process by name or PID as a filter.

Pros: It is much cleaner and more direct if you know exactly what to look for. If I am trying to watch a single IIS Application pool, I can find its PID in the task manager, and add an Include for the matching PID.

Cons: This can exclude an item you had not anticipated, leaving a surprise to find out later.

Exclude Noise by Process name

Pros: Easier to start with when learning. Can reveal conflicting applications.

Cons: Time cost, this can be a 30+ list in some cases. Excluding that number of applications can take numerous runs of Process Monitor, starting and stopping captures to catch as much noise as one can.

Exclude Noise by Process name

I start excluding processes by name for items I know I am not looking for.


Process names I have been known to exclude:
In General:
System
Explorer.EXE
services.exe
scrnsave.scr
svchost.exe
mmc.exe
rundll32.exe

Desktop Environments:
trillian.exe
lync.exe
chrome.exe
firefox.exe
plugin-container.exe
FlashPlayerPlugin_11_5_502_135.exe
Nexus.exe
NOTEPAD.EXE
pn.exe
OUTLOOK.EXE
vmware-usbarbitrator.exe
FlashPlayerUpdateService.exe
GoogleUpdate.exe
putty.exe


Server Environments:
SSSvc.exe

Include only the process by name or PID as a filter.

TBD, As I run into further examples, I will flesh this out better.
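To make the trade-off between the two options concrete, here is an added PowerShell example (not part of the original notes) that applies each strategy to a small constructed CSV export, using the column names ProcMon writes for its default columns, the “In General” noise list above and the Fast IO exclusion from the note above, and then reports what each approach would have hidden. The rows, the IIS worker PID 4412 and the process name `backup-agent.exe` are constructed values.

```powershell
# Added example, not from the original notes. Constructed rows in the layout of a
# Procmon CSV export with the default columns (adjust the header if yours differs).
$csv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","System","4","CreateFile","C:\Windows\System32\config\SOFTWARE","SUCCESS",""
"10:00:01.1","svchost.exe","812","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip","SUCCESS",""
"10:00:01.2","w3wp.exe","4412","FASTIO_ACQUIRE_FOR_MOD_WRITE","C:\inetpub\wwwroot\app\web.config","FAST IO DISALLOWED",""
"10:00:01.2","w3wp.exe","4412","CreateFile","C:\inetpub\wwwroot\app\web.config","SUCCESS","Desired Access: Generic Read"
"10:00:01.3","w3wp.exe","4412","CreateFile","C:\inetpub\wwwroot\app\bin\Plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.4","Explorer.EXE","1200","RegOpenKey","HKCU\Software\Classes","SUCCESS",""
"10:00:01.5","backup-agent.exe","3100","CreateFile","C:\inetpub\wwwroot\app\web.config","SHARING VIOLATION","Desired Access: Generic Write"
'@
$events = @($csv | ConvertFrom-Csv)

# Option 1: exclude noise by process name ("In General" list from the notes above) plus the
# Fast IO red herrings, i.e. operations starting with "FASTIO_" or "FAST IO".
$noise = @('System', 'Explorer.EXE', 'services.exe', 'scrnsave.scr', 'svchost.exe', 'mmc.exe', 'rundll32.exe')
function Select-ByExclusion {
    param($Events)
    # -notcontains compares case-insensitively, so "Explorer.EXE" and "explorer.exe" both match.
    $Events | Where-Object { ($noise -notcontains $_.'Process Name') -and ($_.Operation -notmatch '^FAST ?IO') }
}

# Option 2: include only the one process you are watching, by PID (here the IIS worker process).
$watchPid = '4412'   # constructed value; in practice take it from Task Manager or the Process Tree
function Select-ByPid {
    param($Events)
    $Events | Where-Object { $_.PID -eq $watchPid }
}

$byExclusion = @(Select-ByExclusion $events)
$byPid       = @(Select-ByPid $events)

'Option 1 (exclude noise): {0} of {1} events kept' -f $byExclusion.Count, $events.Count
'Option 2 (include PID):   {0} of {1} events kept' -f $byPid.Count, $events.Count

# The "Cons" of option 2 made visible: other processes touching the same paths vanish.
# Here that is backup-agent.exe colliding on web.config, which only option 1 still shows.
$hiddenByPid = $byExclusion | Where-Object { $_.PID -ne $watchPid }
'Visible only with option 1:'
$hiddenByPid | Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Result | Format-Table -AutoSize
```

On the sample rows option 1 keeps three events (the two w3wp.exe CreateFile calls and the backup agent's SHARING VIOLATION) and option 2 keeps the three w3wp.exe rows, including the Fast IO one; the final table is the single backup-agent.exe row that a PID-only filter would never have shown you.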


Tips Tricks Notes


  • Don’t record/track when you don’t need to be. The application can lock up and/or run up resources. To be as clear as I can, I had to restart my machine after leaving it running overnight. I was gathering examples by running the software, and failed to follow my own directions. Windows literally told me to restart my applications.
  • When troubleshooting when layers/applications, I find it helpful to keep the browser on the local server as being listed in my output so that I can use it as a marker for when I am testing. It helps to narrow down what’s going on in the underlying moments when a request goes awry.
  • Even with good filters, there is still a lot of stuff to wade through in a trace. For example, when the application loads a DLL, there may be several attempts to open the file (CreateFile) under different folders until the file is found (keep in mind that you don’t necessarily want to go throwing a looked-for file into the first place the application looks. Saw this be very bad in a ColdFusion example).