Process Monitor - Cyberware Hub

Process Monitor

Process Monitor (ProcMon) is a Windows utility that captures Windows events in real time and helps organizations perform log analysis.


Process Monitor (ProcMon) is a sophisticated system monitoring tool for Windows, developed by Microsoft. It offers real-time insights into system activities, with a particular focus on file system operations, registry modifications, process activities, and network interactions. ProcMon is included in the Sysinternals Suite, a set of advanced system utilities created by Mark Russinovich and Bryce Cogswell.

ProcMon Main Window:

Upon launching Process Monitor, the main interface displays a comprehensive view of system activities. It includes columns for process names, process IDs (PIDs), file paths, and detailed information about each event. This setup provides a clear picture of running processes, their unique identifiers, the files they access, and the actions they perform.

How to capture events in ProcMon?

  • Process Monitor automatically starts capturing events as soon as it launches, displaying real-time data in the main window.

  • To stop capturing events, click the magnifying glass icon in the toolbar or select File > Capture Events from the menu; the same control toggles capturing back on.

  • Once you've captured the desired events, go to File > Save to open the Save dialog. Choose your preferred file format (e.g., PML, CSV, XML) and specify a location for the log file.

Process Tree:

In Process Monitor, the Process Tree offers a hierarchical view of running processes and their parent-child relationships. This feature helps users trace the origin of specific activities by showing which processes spawned others. The Process Tree also allows users to identify suspicious or unwanted processes by examining their lineage.

Boot Logging:

Boot logging captures events from the beginning of the boot process, which is useful for diagnosing issues that arise during system startup.

Command Line Arguments:

/OpenLog <PML file>          Open a previously saved event file.
/BackingFile <PML file>      Save events in the specified backing file.
/PagingFile                  Save events in virtual memory.
/NoConnect                   Don't automatically begin collecting events at startup.
/NoFilter                    Clear the filter at startup.
/AcceptEula                  Accept the EULA automatically (don't show a dialog).
/LoadConfig <file>           Load a previously saved configuration file.
/Profiling                   Enable the thread profiling feature.
/Minimized                   Start the application minimized.
/WaitForIdle                 Wait for an instance of ProcMon to become ready.
/Terminate                   Terminate all instances of ProcMon and exit.
/Quiet                       Don't confirm filter settings during startup.
/Run32                       Run the 32-bit version to load 32-bit log files (x64 only).
/Runtime                     Run for the specified number of seconds and terminate.
/HookRegistry                Hook the registry for Softgrid troubleshooting (x86 Vista only).
/SaveAs <path>               Export to an XML, CSV or PML file.
/SaveAs1 <path>              Export including stack traces (XML only).
/SaveAs2 <path>              Export including stack traces with symbols (XML only).
/SaveApplyFilter             Apply the current filter before exporting.
/EnableBootlogging           Configure logging of the next boot.
/ConvertBootLog <PML file>   Automatically process a boot log after reboot.
/RingBuffer                  Enable flight recorder mode.
/RingBufferSize <size>       Ring buffer size in MB.
/RingBufferLen <len>         Ring buffer length in minutes.
/Altitude <altitude>         Driver numeric altitude.
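As an added example (not part of the original page or of Sysinternals), the PowerShell script below strings the switches above together into an unattended capture: record for a fixed time to a backing file, reopen the PML headless and export it to CSV, then do a first triage of the export. The install path, log paths, the 60-second window and the CSV column names are assumptions.

```powershell
# Added example: unattended ProcMon capture and CSV export. Run from an
# elevated prompt, since ProcMon loads a driver. All paths are assumptions.
$ProcMon = 'C:\Tools\SysinternalsSuite\Procmon.exe'   # assumed install path
$Backing = 'C:\Logs\capture.pml'
$Csv     = 'C:\Logs\capture.csv'
$Filter  = 'C:\Logs\procmon-filter.pmc'               # assumed saved config (optional)
$Seconds = 60

New-Item -ItemType Directory -Path (Split-Path $Backing) -Force | Out-Null

# 1. Capture: no EULA dialog, no filter prompt, window minimized, events written
#    to a backing file rather than the paging file, self-terminating after $Seconds.
$captureArgs = @('/AcceptEula', '/Quiet', '/Minimized',
                 '/BackingFile', $Backing, '/Runtime', "$Seconds")
if (Test-Path $Filter) { $captureArgs += @('/LoadConfig', $Filter) }
Start-Process -FilePath $ProcMon -ArgumentList $captureArgs -Wait

# 2. Convert: reopen the saved PML and export it to CSV, applying whatever
#    filter is current so the export matches what the analyst would see.
Start-Process -FilePath $ProcMon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/OpenLog', $Backing,
    '/SaveApplyFilter', '/SaveAs', $Csv)

# 3. Triage the export. Column names assume ProcMon's default column set
#    (Process Name, PID, Operation, Path, Result).
$events = Import-Csv -Path $Csv
"{0} events captured" -f $events.Count
$events | Group-Object -Property 'Process Name' | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# ACCESS DENIED results are worth a second look: they show which processes
# tried to reach paths or keys their token does not permit.
$events | Where-Object Result -eq 'ACCESS DENIED' |
    Select-Object 'Process Name', PID, Operation, Path | Format-Table -AutoSize
```

The /SaveAs step exports whatever columns the ProcMon configuration has enabled, so if the column set has been customised, adjust the property names in step 3 to match the CSV header.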

Happy Learning !!