Process Monitor
Process Monitor (ProcMon) is a Windows utility that captures real-time Windows events, and helps organizations to perform Log Analysis.
Share this blog
Signup for our newsletter
Stay ahead with our latest tech updates.
Process Monitor (ProcMon) is a sophisticated system monitoring tool for Windows, developed by Microsoft. It offers real-time insights into system activities, with a particular focus on file system operations, registry modifications, process activities, and network interactions. ProcMon is included in the Sysinternals Suite, a set of advanced system utilities created by Mark Russinovich and Bryce Cogswell.
ProcMon Main Window:
Upon launching Process Monitor, the main interface displays a comprehensive view of system activities. It includes columns for process names, process IDs (PIDs), file paths, and detailed information about each event. This setup provides a clear picture of running processes, their unique identifiers, the files they access, and the actions they perform.
How to Capture the events in procMon?
Process Monitor automatically starts capturing events as soon as it launches, displaying real-time data in the main window.
To stop capturing events, click the magnifying glass icon in the toolbar or select File > Capture Events from the menu to toggle capturing on and off.
Once you’ve captured the desired events, go to File > Save to open the Save dialog. Choose your preferred file format (e.g., PML, CSV, XML) and specify a location to save the log file.
Process Tree:
In Process Monitor, the Process Tree offers a hierarchical view of running processes and their parent-child relationships. This feature helps users trace the origin of specific activities by showing which processes spawned others. The Process Tree also allows users to identify suspicious or unwanted processes by examining their lineage.
Process Tree Lists:
Boot Logging:
Enables capturing events from the beginning of the boot process, which is useful for diagnosing issues that arise during system startup.
Command Line Arguments:
/OpenLog <PML file> Open a previously saved event file.
/BackingFile <PML file> Save events in the specified backing file.
/PagingFile Save events in the virtual memory.
/NoConnect Don't automatically begin collecting events at start up.
/NoFilter Clear the filter at start up.
/AcceptEula Accept the EULA automatically (don't show a dialog).
/LoadConfig <file> Load a previously saved configuration file.
/Profiling Enable the thread profiling feature.
/Minimized Start the application minimized.
/WaitForldle Wait for an instance of ProcMon to become ready.
/Terminate Terminate all instances of ProcMon and exit.
/Quiet Don't confirm filter settings during start up.
/Run32 Run the 32-bit version to load 32-bit log files (x64 only).
/Runtime Run for the specified number of seconds and terminate.
/HookRegistry Hook Registry for Softgrid troubleshooting (x86 Vista only).
/SaveAs <path> Export to an XML, CSV or PML file.
/SaveAs1 <path> Export including stack traces (XML only).
/SaveAs2 <path> Export including stack traces with symbols (XIML only).
/SaveApplyFilter Apply current filter before exporting.
/EnableBootlogging Configures logging of next boot.
/ConvertBootLog <PML file> Automatically processes a boot log after reboot.
/RingBuffer Enable flight recorder mode.
/RingBufferSize <size> Ring buffer size in MB.
/RingBufferLen <len> Ring buffer length in minutes.
/Altitude <altitude> Driver numeric altitude.
Happy Learning !!