Process Monitor Steps
Process Monitor is a free tool from Windows Sysinternals, published on the Microsoft TechNet
website. It monitors and displays in real time the file system and registry activity on a Microsoft
Windows operating system. Process Monitor is useful for troubleshooting when we need to
identify which files or registry keys an application is accessing.
How to use Process Monitor
Gathering a normal Process Monitor log
1. Log into Windows using an account with administrative privileges
2. Download Process Monitor from Microsoft TechNet:
o TechNet Article: http://technet.microsoft.com/en-gb/sysinternals/bb896645
o Direct Download: http://download.sysinternals.com/files/ProcessMonitor.zip
3. Extract the contents of the ProcessMonitor.zip archive to your desktop.
4. Run Procmon.exe
5. Process Monitor begins logging the moment it starts. To stop this, click the "Capture" icon.
6. Clear all the events Process Monitor has recorded so far by clicking the "Clear" icon.
7. When you are ready to recreate the issue or scenario as detailed by Sophos Technical
Support, click the "Capture" icon to begin logging.
8. Once you have recreated the issue or scenario, click the "Capture" icon again to stop
logging.
9. Click the "Save" icon. In the save dialogue that appears, ensure that "All events" is
selected and that the file is saved in the native PML file format.
10. Close Process Monitor.
11. Compress and archive (zip) the PML file.
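The same capture can be driven from the command line, which is handier when the issue must be reproduced on a server without a console session or repeated several times. The PowerShell script below is an added example, not part of the original page or of Sophos' own tooling. It assumes Procmon.exe has been extracted to the desktop (steps 3 and 4 above; change $ProcmonDir otherwise) and that it is run from an elevated shell (step 1). The switches it uses (/AcceptEula, /Quiet, /Minimized, /NoFilter, /BackingFile and /Terminate) are Process Monitor's documented command-line options; /NoFilter is the scripted equivalent of choosing "All events" in step 9, and /BackingFile writes the native PML format directly.

```powershell
# Added example: scripted equivalent of the Process Monitor capture steps above.
# Not from the original page. Assumes Procmon.exe was extracted to the desktop
# (override with -ProcmonDir) and that the shell is elevated.
#Requires -RunAsAdministrator
param(
    [string]$ProcmonDir = (Join-Path $env:USERPROFILE 'Desktop'),
    [string]$CaseName   = 'procmon-capture'   # constructed name for the output files
)

$ErrorActionPreference = 'Stop'
$procmon = Join-Path $ProcmonDir 'Procmon.exe'
if (-not (Test-Path $procmon)) { throw "Procmon.exe not found in $ProcmonDir" }

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$pmlFile = Join-Path $ProcmonDir "$CaseName-$stamp.pml"
$zipFile = [System.IO.Path]::ChangeExtension($pmlFile, '.zip')

# Steps 5-7: start a fresh capture that writes straight into a PML backing file.
# /NoFilter keeps every event (the GUI's "All events"), /Quiet suppresses the
# filter prompt, /AcceptEula avoids the licence dialog on a machine that has
# never run Procmon, /Minimized keeps the window out of the way.
Start-Process -FilePath $procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/NoFilter',
    '/BackingFile', "`"$pmlFile`""
)

Write-Host "Capturing to $pmlFile. Reproduce the issue now."
Read-Host 'Press Enter when the issue has been reproduced'

# Steps 8-10: signal the running instance to stop capturing and exit, then wait
# until no Procmon process remains (the 64-bit build runs as Procmon64.exe) so
# the PML is fully flushed before it is archived.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
while (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) {
    Start-Sleep -Milliseconds 500
}

if (-not (Test-Path $pmlFile)) { throw "Capture file $pmlFile was not written" }

# Step 11: zip the PML for upload to Support.
Compress-Archive -Path $pmlFile -DestinationPath $zipFile -Force
$sizeMB = [math]::Round((Get-Item $zipFile).Length / 1MB, 1)
Write-Host "Archive ready: $zipFile ($sizeMB MB)"
```

Run it as `.\Capture-Procmon.ps1` (assumed file name) from an elevated PowerShell, reproduce the issue, then press Enter. A full-event PML from a busy host grows quickly, so keep the reproduction window short; note also that the log records the full paths, user names and command lines of every process on the machine, so treat the resulting archive with the same care as any other diagnostic data you send off the host.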