UsingProcessMonitor

ProcessMonitorTutorial Thisinformationwasadaptedfromthehelpfilefortheprogram. ProcessMonitorisanadvancedmonitoringtoolforWindowsthatshowsrealtimefilesystem, Registryandprocess/threadactivity.ItcombinesthefeaturesoftwolegacySysinternals utilities,FilemonandRegmon,andaddsanextensivelistofenhancementsincludingrichand nondestructivefiltering,comprehensiveeventpropertiessuchsessionIDsandusernames, reliableprocessinformation,fullthreadstackswithintegratedsymbolsupportforeach operation,simultaneousloggingtoafile,andmuchmore.Itsuniquelypowerfulfeatureswill makeProcessMonitoracoreutilityinyoursystemtroubleshootingandmalwarehunting toolkit. ProcessMonitorrunsonWindows2000SP4withUpdateRollup1,WindowsXPSP2,Windows Server2003SP1,andWindowsVistaaswellasx64versionsofWindowsXP,WindowsServer 2003andWindowsVista. UsingProcessMonitor

ExecutingProcessMonitorrequireslocalAdministrativegroupmembership.Whenyoulaunch ProcessMonitoritimmediatelystartsmonitoringthreeclassesofoperation:filesystem, Registryandprocess. FileSystem ProcessMonitordisplaysfilesystemactivityforallWindowsfilesystems,includinglocal storageandremotefilesystems.ProcessMonitorautomaticallydetectsthearrivalof newfilesystemdevicesandmonitorsthem.Allfilesystempathsaredisplayedrelative totheusersessioninwhichafilesystemoperationexecutes.Forexample,ifuserAhas

mountedashareasdriveletterZ:,anyaccessestheymaketothatsharewilldisplayin ProcessMonitorasbeingrelativetodriveZ:. Toremovefilesystemoperationsfromthedisplaydeselectthefilesystempushbutton intheProcessMonitortoolbarandtoaddbackfilesystemoperationsdepressthe button. Registry ProcessMonitorlogsallRegistryoperationsanddisplaysRegistrypathsusing conventionalabbreviationsforRegistryrootkeys(e.g.HKEY_LOCAL_MACHINEis representedasHKLM). ToremoveRegistryoperationsfromthedisplaydeselecttheRegistrypushbuttonin theProcessMonitortoolbarandtoaddbackRegistryoperationsdepressthebutton. Process Initsprocess/threadmonitoringsubsystemProcessMonitortracksallprocessand threadcreationandexitoperationsaswellasDLLanddevicedriverloadoperations. ToremoveProcessoperationsfromthedisplaydeselecttheprocesspushbuttoninthe ProcessMonitortoolbarandtoaddbackprocessoperationsdepressthebutton. Network ProcessMonitorusesEventTracingforWindows(ETW)totraceandrecordTCPand UDPactivity.Eachnetworkoperationincludesthesourceanddestinationaddresses,as wellastheamountofdatasentorreceived,butdoesnotincludetheactualdata. ToremoveNetworkoperationsfromthedisplaydeselectthenetworkpushbuttonin theProcessMonitortoolbarandtoaddbacknetworkoperationsdepressthebutton. Profiling ThiseventclasscanbeenabledfromtheOptionsmenu.Whenactive,ProcessMonitor scansalltheactivethreadsinthesystemandgeneratesaprofilingevenforeachone thatrecordsthekernelanduserCPUtimeconsumed,aswellasthenumberofcontext switchesexecuted,bythethreadsinceitspreviousprofilingevent.Note:theSystem processisnotincludedinprofiling.

ThereareanumberofbasicoptionsthatcontrolbasicProcessMonitoroperation: Capture:UsetheCaptureEventsmenuitemintheFilemenu,capturetoolbarbuttonorCtrl+E hotkeytotoggleProcessMonitor'smonitoring.

Autoscroll:SelectAutoscrollentryintheEditmenu,theautoscrolltoolbarbuttonorCtrl+A hotkeytotoggleProcessMonitor'sautoscrollbehavior,whichcausesittoensurethatthemost recentoperationisvisibleinthedisplay. Clear:ToclearthedisplayofallitemschooseClearDisplayfromtheEditmenuorusetheCtrl+X hotkey. ColumnSelection Youcandragcolumnstorearrangetheirorderandcustomizedthecolumnsdisplayedby choosingSelectColumnsfromtheOptionsmenutoopenthecolumnselectiondialog.Columns thatareavailableforselectioninclude: ApplicationDetails

ProcessNameThenameoftheprocessinwhichaneventoccurred. ImagePathThefullpathoftheimagerunninginaprocess. CommandLineThecommandlineusedtolaunchaprocess. CompanyNameThetextofthecompanynameversionstringembeddedinaprocess imagefile.Thistextisoptionallydefinedbytheapplicationdeveloper. DescriptionThetextoftheproductdescriptionstringembeddedinaprocessimagefile. Thistextisoptionallydefinedbytheapplicationdeveloper. VersionTheproductversionnumberembeddedinaprocessimagefile.Thisinformation isoptionallyspecifiedbytheapplicationdeveloper.

EventDetails

SequenceNumberTheuniquenumberProcessMonitorassignstoanindividualevent. EventClassTheclass(File,Registry,Process)oftheevent. OperationThespecificeventoperation(e.g.Read,RegQueryValue,etc.). Date&TimeBoththedateandthetimeofanoperation. TimeofDayOnlythetimeofanoperation. PathThepathoftheresourcethataneventreferences. DetailAdditionalinformationspecifictoanevent. ResultThestatuscodeofacompletedoperation. RelativeTimeThetimeoftheoperationrelativetoProcessMonitor'sstarttimeorthe lasttimethattheProcessMonitordisplaywascleared. DurationThedurationofanoperationthathascompleted.

ProcessManagement

UserNameThenameoftheuseraccountinwhichtheprocessthatperformedan operationisexecuting.

SessionIDTheWindowssessioninwhichtheprocessthatexecutedanoperationis executing. AuthenticationIDThelogonsessioninwhichtheprocessthatexecutedanoperationis executing. ProcessIDTheProcessID(PID)oftheprocessthatexecutedanoperation. ThreadIDTheThreadID(TID)ofthethreadthatexecutedanoperation. IntegrityLevelTheintegritylevelatwhichtheprocessthatexecutedanoperationis running(WindowsVistaonly). VirtualizedThevirtualizationstatusoftheprocessthatexecutedanoperation(Windows Vistaonly).

EventProperties Youcanaccessthepropertiesforanindividualeventbydoubleclickingontheevent,orby selectingthePropertiesmenuitemfromtheEventmenuorthecontextmenuwhenyouright clickonanevent.TheEventPropertiesdialogconsistsoftheEvent,ProcessandStackpages. Youcanmovetothenextorprecedingdisplayedorhighlightedeventwiththearrowbuttonsat thebottomoftheEventPropertiesdialog.

Event TheEventpagedisplaysinformationspecifictoanevent,includingitssequencenumber,issuing thread,eventclassandoperation,result,timestamp,andifapplicable,resourcepath.Onlyfile systemandRegistryeventsdefineresourcepaths.ThelowerareaoftheEventpagelistsdetails collectedforaneventthataredependentontheeventoperation.Thedetailsarethesameas shownforaneventintheDetailcolumnofthemaindisplay,buteachdetailisshownona separateline. Process Anevent'sProcesspageshowsinformationabouttheprocessthatexecutedanevent.Along withthedataassociatedwithaprocess'image,suchasthepathandversionstrings,the ProcesspageshowsprocessexecutionattributesliketheprocessID,useraccountinwhichthe processisexecuting,andiftheeventwasgeneratedona64bitWindowssystem,whetherthe processis32bitor64bit.ForprocessesexecutingonWindowsVistasystems,ProcessMonitor showstheintegrityleveloftheprocessandwhetherornotit'svirtualized. Thebottomareaoftheprocesspagedisplaysthelistofimagesloaded,andtheaddressesat whichtheyareloaded,intheprocessatthetimetheeventexecuted.Doubleclickonanimage inthelisttoviewmoreinformationabouttheimage,includingitsversioninformation. Stack TheStackpageshowsthethreadstackofthethreadwhentheeventwasrecorded.Thestack canbeusefulfordeterminingthereasonaneventtookplaceandthecomponentresponsible fortheevent.Kernelmodeframesofastackaredesignatedwiththeletter'K'ontheleftofthe frameandusermodestacks(onlyavailableonlyon32bitsystemspriortoVistaSP1/Windows Server2008)withtheletter'U'.IfProcessMonitorisabletolocatesymbolsforimages referencedinthetraceitwillattempttoresolveaddressestothefunctionsinwhichthey reside.Symbolsresolutioncantaketimeifsymbolsmustberetrievedfromthenetwork,for examplefromtheMicrosoftsymbolserver.UsetheSymbolConfigurationdialog,whichyou accessfromtheOptionsmenu,toconfiguresymbols. IfyouspecifyapathtosourcefilesintheSymbolConfigurationdialog,theStackdialog'sSource buttonwillenableforanyframeforwhichlinenumbersymbolsinformationisavailableand thesourcefileispresentinthepathsyouinclude.ClickingontheSourcebuttonopensatext viewerthathighlightsthesourcecodelinereferenced. Toviewmoreinformationaboutanimagelistedinthestacktraceeitherdoubleclickonthe frameorselecttheframeandpressthePropertiesbuttonbelowthestacktracearea. SelecttheStackmenuentryfromtheEventmenutoopentheEventPropertiesdialogdirectly totheStackpage.

FilteringandHighlighting ProcessMonitoroffersseveralwaystoconfigurefiltersorhighlighting. IncludeandExcludeFilters YoucanspecifyeventattributessuchthatProcessMonitorwillonlydisplayorexcludeevents withmatchingattributevalues.Allfiltersarenondestructive,meaningthattheyaffectonly whicheventsProcessMonitordisplays,nottheunderlyingeventdata. WhenaneventisselectedtheIncludeandExcludesubmenusintheEventmenuallowsyouto easilyaddoneoftheevent'sattributestotheconfiguredIncludeorExcludefilters.For example,toonlyshoweventsexecutedbyaparticularprocessnamechoosetheProcessName entryfromtheIncludesubmenu.Youcanalsoselectmultipleeventsandsimultaneously configureanattributefilterforalloftheuniquevaluescontainedintheselectedevents. ProcessMonitorORstogetherallthefiltersthatarerelatedtoaparticularattributetypeand ANDstogetherfiltersofdifferentattributetypes.Forexample,ifyouspecifiedprocessname includefiltersforNotepad.exeandCmd.exeandapathincludefilterforC:\Windows,Process MonitorwouldonlydisplayeventsoriginatingineitherNotepad.exeorCmd.exethatspecify theC:\Windowsdirectory. MorecomplexfilteringoptionsareavailableintheFilterdialog,whichyouopenbyselecting FilterfromtheToolsmenuorbyclickingontheFiltertoolbarbutton.Afilterentryconsistsof anattributefield(e.g.AuthenticationID,ProcessName,etc.),acomparisonoperation,an attributevalue,andafiltertypeofeitherIncludeorExclude.Forconvenience,ProcessMonitor willautomaticallypopulatetheattributevaluedropdownwithvaluesthatarepresentinthe loadedtracedata,butyoucanenterarbitraryvalues. FilterContextMenu IfyourightclickonaniteminthedisplayProcessMonitordisplaysacontextmenuthatlet's youviewtheitem'spropertiesorconfigureafilterbasedontheitem'sattributes.Further, quickfilterentriesareaddedtothemenuforthevalueofthecolumnonwhichyouclick. DestructiveFiltering Bydefault,ProcessMonitorfiltersapplytothedataitdisplays,notwhatitsaves.Thisallows youtochangefilterstoobtaindifferentviewsofdatawithoutaffectingtheexcludeddata. However,youcanconfigureProcessMonitortodeleteanydatathat'sexcludedbyafilteratthe timethedataiscapturedbytogglingdestructivefilteringmode,whichyoudobychoosingDrop FilteredEventsfromtheFiltermenu.

IncludeProcessfromWindow Thetoolbarincludesabuttonshapedlikeatargetthatyoucandragoffanddropontoa windowtocauseProcessMonitortoaddtheprocessIDoftheprocessthatownsthewindow totheIncludefilter. Basicvs.AdvancedMode TheFiltermenu'sEnableAdvancedOutputmenuitemcontrolswhetherProcessMonitoris operatinginBasicorAdvancedMode.WheninBasicmodeProcessMonitorconfiguresbuiltin filterstoexcludesystemrelatedactivityfromthedisplayandusesintuitivenamesforinternal filesystemoperations.Forexample,ProcessMonitorshowstheinternalIRP_MJ_READ operationasReadwheninBasicmode.Basicmodemakesoutputeasiertoreadandomits eventsusuallynotrelevantforapplicationtroubleshooting. SavingandLoadingFilters OnceyouhaveconfiguredafilteryoucansaveitusingtheSaveFiltersmenuitemintheTools menu.ProcessMonitoraddsfiltersyousavetotheLoadFiltermenuforeasyaccessandyou canchangetheorderinwhichthefiltersdisplayinthemenuusingtheOrganizeFiltersdialog thatyouopenwithOrganizeFiltersintheToolsmenu.YoucanusetheOrganizeFilterdialogto renamesavedfiltersaswellastoeasilyexportfilterstoaformatthatyoucanthenreimport usingtheOrganizeFilterdialogonothersystems. Highlighting ProcessMonitorshighlightingfiltersenableyoutospecifyeventattributesthatcauseanevent tobeshownwithahighlightcolor.TheHighlightsubmenuintheEventmenuprovidesquick accessfordefininghighlightfilterentriesandtheHighlightmenuentryintheToolsmenuopens theHighlightFilterdialog,whichoperatessimilarlytotheInclude/ExcludeFilterdialog. TheProcessTree TheProcessTreemenuentryintheToolsmenuopenstheProcessTreedialog,whichdisplays alloftheprocessesreferencedintheloadedtraceinahierarchythatreflectstheirparentchild relationships.Processeswiththesameparentaresortedaccordingtotheirstarttime. Processesthatarealignedalongtheleftsideofthewindowhaveparentprocessesthatdidnot executeanyeventinthetrace. WhenyouselectaprocessinthetreeasubsetofthedataProcessMonitorhasobtainedabout theprocess,suchasitsimagepath,useraccount,andstarttime,showsinthebottomofthe dialog.ToviewmoreinformationaboutaprocessyoucanclickontheGoToEventbutton, whichresultsinProcessMonitorlocatingandselectingthefirstvisibleiteminthetrace

executedbytheprocess.Notethatfilterscanpreventthisoperationfromsucceedingby excludingfromthedisplayallofthespecifiedprocess'events. TraceSummaryTools ProcessMonitorincludesanumberofdialogsthatallowyoutoperformsimpledataminingon theeventscollectedinatrace. SystemDetails ProcessMonitorcapturessomeinformationaboutthesystemonwhichitcollectsatrace, includingthemachinename,thesystemrootpath,andwhethertheOSis32bitor64bit.You canaccessthisinformation,whichProcessMonitorstoresinlogfiles,fromtheSystemDetails dialogintheToolsmenu. UniqueValues TheUniqueValuesdialog,whichyouopenusingthecorrespondingmenuentryintheTools menu,letsyouseetheuniquevaluesforeachofthedifferentattributevaluesdefinedfor eventsinatrace.Forexample,ifyouwantquicklyseeallthepathsreferencedinthetrace, choosePathintheselectionentry. DoubleclickingonadisplayedvalueorclickingontheFilterbuttonaddsanincludefilterforthe currentlyselectedvalue. CountOccurrences OpentheCountOccurrencesdialogfromtheToolsmenu.Itdisplaystheuniquevaluesseenina tracefortheattributetypeyouspecifyalongwiththenumberoftimesinthetraceanevent containedthevalue. ProcessSummary Thisdialogsummarizestheprocessesseeninthetrace,includingtheirprocessID,imagename, andcommandline. FileSummary TheFileSummarydialoglistseachuniquefilesystempathpresentinthefilteredtrace,the amountoftimespentperformingI/Otothefile,totalnumberofeventsthatreferencedthe path,andthecountofindividualoperationtypes.

RegistrySummary TheRegistrySummarydialoglistseachuniqueRegistrypathpresentinthefilteredtrace,the amountoftimespentperformingI/OtotheRegistrypath,totalnumberofeventsthat referencedthepath,andthecountofindividualoperationtypes. NetworkSummary TheNetworkSummarydialoglistseachuniquedestinationIPaddresspresentinthefiltered traceandthenumberdifferenttypesofevents,includingsendsandreceives,toeachaddress. StackSummary UsetheStackSummarydialogtoseeindividualinstancesofstacktracesforeachprocess, includingthenumberoftimesthestacktraceoccursandthetotaltimespentineventsthat sharethesametrace. Options AnumberofsettingsintheOptionsmenumodifyProcessMonitor'sbehavior. AlwaysonTop SelectingthisoptioncausestheProcessMonitorwindowtoremainontopofotherwindows. Font ThisoptionopensafontselectiondialogwhereyoucanchosethefontProcessMonitoruses foritsdisplay. HighlightColors ChosethisentrytoopenadialogtopickthetextandbackgroundcolorsProcessMonitoruses forentriesthatmatchtheconfiguredhighlightfilters. ConfigureSymbols ProcessMonitorcanusesymbolinformation,ifavailable,toshowfunctionsreferencedon eventstacks.YoucanfindinformationonconfiguringsymbolsontheMicrosoftDebugging ToolsforWindowswebpage.

HistoryDepth ProcessMonitorwatchescommittedmemoryusageandturnsitselfoffwhenvirtualmemory runslow,buttheHistoryDepthdialoglet'syoulimitthenumberofentriesitkeepssothatyou canleaveProcessMonitorrunningforlongperiodsandensurethatitalwayskeepsthemost recentevents. ProfilingEvents Usethismenuentrytoopenthethreadprofilingconfigurationdialog,whereyouenablethread profilingandtherateatwhichthreadprofilingeventsgenerate.Whenthreadprofilingis enabled,ProcessMonitorcapturesthreadstacktracesandCPUutilizationthatyoucanuseto identifythesourceofCPUrelatedperformanceissues. EnableBootLogging UsethisoptiontoconfigureProcessMonitorbootlogging. SavingandLogging FileFormats YoucanusetheSaveentryintheFilemenutosaveProcessMonitordatainnative(PML), commadelimitedvalue(CSV),orXMLformats.ThePMLformatpreservesallofthedata capturedsothatyoucanreloaditbackintoProcessMonitoronthesamesystemoradifferent one.CSVfilesareusefulforimportingintoExcelorotherdataanalysisapplications.Finally,XML emitsXMLformatteddatathatcanbeparsedbytoolsthatmanipulateXML. Logging Bydefault,ProcessMonitorusesvirtualmemorytostorecaptureddata.UsetheBackingFiles dialog,whichyouaccessfromtheFilemenu,toconfigureProcessMonitortostorecaptured datainfilesondisk.EnablingthisoptionhasProcessMonitorlogdatatothediskinitsnative PMLformatasitcapturesit. TheBackingFilesdialogalsodisplaysdiagnosticinformation,includingthenumberofevents captured,processesdefinedandthecapturethread'sloadstatus. BootLogging ProcessMonitorcanlogactivityfromapointveryearlyinthebootprocessduringthe initializationofbootstartdevicedrivers.ConfigureProcessMonitortologthenextbootby selectingEnableBootLoggingfromtheOptionsmenu.ProcessMonitor'sdriverwilllogactivity

atthenextbootintoafileinthe%Windir%directoryandwillcontinueloggingthroughthe shutdownoruntilyourunProcessMonitoragain.Thus,ifyoudon'trunProcessMonitorduring abootsessionyouwillcaptureatraceoftheentireboottoshutdowncycle. WhenyourunProcessMonitoritlookstoseeifapreviousbootloghasbeengenerated,andif so,asksyouwhereyouwanttoplacetheprocessedbootlogoutputfile.ProcessMonitor displaysthetraceafterithasfinishedtranslatingit.ToseeactivityfromtheSystemprocess, whichistheonlyprocessearlyinaboot,selectEnableAdvancedOutputfromtheOptions menu. Ifyouconfigurebootloggingandthesystemcrashesearlyinthebootyoucandeactivateboot loggingbychoosingtheLastKnownGoodoptionfromtheWindowsbootmenu(whichyou accessbypressingF8duringtheboot). Note:networkevents,whicharebasedonETW(EventTracingforWindows),arenotavailable inbootlogs. ImportingandExportingConfiguration OnceyouhaveconfiguredafilteryoucansaveitusingtheSaveFiltersmenuitemintheTools menu.ProcessMonitoraddsfiltersyousavetotheLoadFiltermenuforeasyaccessandyou canchangetheorderinwhichthefiltersdisplayinthemenuusingtheOrganizeFiltersdialog thatyouopenwithOrganizeFiltersintheToolsmenu.YoucanusetheOrganizeFilterdialogto renamesavedfiltersaswellastoeasilyexportfilterstoaformatthatyoucanthenreimport usingtheOrganizeFilterdialogonothersystems. YoucanalsoexportProcessMonitor'sentireconfiguration,includingfilters,columnselection, columnorderandsize,logfilesettings,anddebughelpfilepathconfiguration,toaProcess MonitorConfigurationfile(.PMC)usingtheExportConfigurationmenuentryintheFilemenu. UsetheFilemenu'sImportConfigurationentrytoloadasavedconfigurationfile. CommandLineOptions ProcessMonitorsupportsseveralcommandlineoptions: /Openlog<savedPMLlogfile> DirectsProcessMonitortoopenandloadthespecifiedlogfile. /Backingfile<logfilename> HasProcessMonitorcreateandusethespecifiedfilenameastheloggingfile. /Pagingfile

Saveeventstothepagingfile. /Noconnect WhenthisflagispresentProcessMonitordoesnotautomaticallystartloggingactivity. /Nofilter Clearsthefilteratstartup. /AcceptEula AutomaticallyacceptsthelicenseandbypassestheEULAdialog. /Profiling Enablesthethreadprofilingeventclass. /Minimized StartsProcessMonitorwithitswindowminimizedtothetaskbar. /WaitForIdle WaitforaninstanceofProcessMonitortobecomeready. /Terminate TerminateallinstancesofProcessMonitorandexit. /Quiet Don'tconfirmfiltersettingsonstartup. /Run32 Usesthisswitchtorunthe32bitversionofProcessMonitoron64bitWindowstoopenlogs generatedon32bitsystems /HookRegistry Thisswitch,whichisavailableonlyon32bitVistaandServer2008,hasProcessMonitoruse systemcallhookinginsteadoftheRegistrycallbackmechanismtomonitorRegistryactivity, whichenablesittoseeSoftgridvirtualRegistryoperationsontheseoperatingsystems.This

optionmustbeusedthefirsttimethatProcessMonitorisrunonasystemandshouldonlybe usedtotroubleshootSoftGridapplications. /SaveAs,/SaveAs1,/SaveAs2 Usetheseswitcheswiththe/OpenLogswitchtohaveProcessMonitorexportalogfileinto CSV,XML,orPMLformat.The/SaveAs1optionincludesstackinformationforexporttoXML formatandthe/SaveAs2optionaddssymbolinformation. ScriptingProcessMonitor YoucanuseProcessMonitorcommandlineoptionstodriveitwithabatchfile.Hereishow yourbatchfileshouldlooktocaptureatraceofnotepad.exe'sexecution: setPM=C:\sysint\procmon.exe start%PM%/quiet/minimized/backingfileC:\temp\notepad.pml %PM%/waitforidle notepad.exe %PM%/terminate ThefirstinvocationofProcessMonitorusingstartensuresthattheprocessdetachesfromthe consolewindow,whichallowsittorunconcurrentlywiththelatercommands.Thesecond invocationwith/WaitForIdlecausesthebatchfiletopauseuntilthefirstinstanceisupand runningandactivelycapturingevents.Thefinalinvocationwith/Terminatetellsthefirst instancetostopcapturing,commitanyoutstandingdatatothebackingfileandexitcleanly.