Procmon Basics

By Mitchell Grande

Process Monitor, or Procmon, is one of the tools in the Sysinternals suite and is invaluable for troubleshooting certain types of Windows and application issues.  Procmon is a real-time monitoring tool that logs all file system and registry activity.  It has a robust filtering system that makes it easy to drill down into the data needed to resolve a variety of issues.

When to use Procmon

Procmon is a great tool for trying to resolve certain issues.  Specifically, if you are trying to find out what files an application uses or what registry entries are being read or modified, Procmon can help.  That's perfect for tracking down issues such as:
  • Incorrect permissions on a file or registry key
  • Required application files missing
  • Registry keys or values missing or being named incorrectly
In addition, if you ever just need to find what files or registry keys are being used, Procmon can help you find out.  For example, you may have trouble locating a configuration or log file for a certain application.  By watching all of the reads/writes of the app, you can find the file you're looking for.

Getting Started

Like all Sysinternals tools, Procmon can be obtained in a number of ways.  Most easily, you can download it directly at https://download.sysinternals.com/files/ProcessMonitor.zip.  Once it's downloaded and unzipped, right-click the executable and run it as administrator.  Once it's opened, it will immediately begin collecting and showing current process events.  To stop capturing, press Ctrl+E or click the magnifying glass icon on the toolbar.  This button starts and stops data capturing.

[Screenshot: procmon.png]

Since Procmon tends to capture a lot of data very quickly, it's important to know how to use it effectively.  Typically, you would follow these steps to do the initial data collection:
  1. Open Procmon
  2. Immediately stop data collection with the magnifying glass button
  3. Clear the data from the screen using the eraser button
  4. If needed, prepare to reproduce the issue (such as getting the application ready, closing unneeded windows, etc.)
  5. Start the data capture using the magnifying glass button
  6. Reproduce the issue
  7. Immediately stop capturing data using the magnifying glass button
By following these steps, the amount of data collected will be as small as possible.  That makes parsing through the data a little easier.  Once the data is collected, you'll see the following columns in the data table by default:
  • Time of Day - The exact time of the event
  • Process name - The name of the process that triggered the event
  • PID - The PID of the process that triggered the event
  • Operation - The type of operation that was performed
  • Path - The path to the file or registry key that was requested
  • Result - The result of the request
  • Detail - Various details about the operation such as the specific registry data read/written or information on the file operation
In addition, you can add more columns by going to Options > Select Columns.  There are a few particularly helpful ones to choose:
  • Duration - How long the operation took
  • Event Class - What type of operation it was (File System or Registry)
  • Image Path - The full path to the process
  • Command Line - The command line the process was launched with, including parameters

Filtering and Reading Data

With the data collected, the next step is to review the events to find what you're looking for.  Even a short sample can record tens of thousands of events, so it's important to filter the data effectively, allowing you to focus on what's important.  Here are some general guidelines for filtering:
  • There is a default set of filters that exclude Procmon itself, as well as some other system-level events.  You can restore the default filter with the Filter > Reset Filter option.  This will clear any custom filters.
  • You can filter right within the result set by right-clicking a row/column and choosing "Include '___'" or "Exclude '___'".  This will include or exclude events that match the given criteria.  For example, right-clicking on the process column and choosing "Include 'myprocess.exe'" will hide all events that were generated by other processes.
  • You can specify filters manually in the Filter > Filter… menu.  For example, you could create a filter where Path contains my-file.txt to find all events that included that file name.  There are many more options available as well.
Generally speaking, the filters will be used to narrow down the events to a manageable amount for review.  The process for doing so often follows this pattern:
  1. Determine which process you are tracking, and filter to include that process name or PID
  2. If you know the path you are looking for, add that to the filter as well.  You would do this using the Filter > Filter… menu, where you can specify some or all of the path.
  3. If you are looking for only registry or only file system events, add the Event Class column to the table and include the type of event you are looking for
  4. Finally, filter by the Result column to include or exclude SUCCESS events.  If you suspect a file or registry key is failing to be read, you would exclude events where the result is SUCCESS.  On the other hand, if you are looking for a log or configuration file that the process is using, you would want to include SUCCESS.
  5. Continue narrowing down the results if possible
  6. Manually review the remaining events to find what you are looking for
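The narrowing pattern above can also be applied offline to a CSV export of the capture (see General Tips).  The following Python script is an added example, not part of the original article: it parses an export and applies the process/PID, path, Event Class and SUCCESS filters in the same order.  The CSV rows are constructed sample data, and the column names assume the default columns plus Event Class added via Options > Select Columns.

```python
import csv
import io

# Constructed sample of a Procmon CSV export (not a real capture), with the default
# columns plus the optional Event Class column from Options > Select Columns.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Event Class"
"10:01:02.1000000","myapp.exe","4120","CreateFile","C:\\ProgramData\\MyApp\\config.ini","NAME NOT FOUND","Desired Access: Generic Read","File System"
"10:01:02.1000100","myapp.exe","4120","CreateFile","C:\\Users\\Alice\\AppData\\Local\\MyApp\\config.ini","SUCCESS","Desired Access: Generic Read","File System"
"10:01:02.1000200","myapp.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\MyApp","ACCESS DENIED","Desired Access: Read","Registry"
"10:01:02.1000300","myapp.exe","4120","RegQueryValue","HKCU\\Software\\MyApp\\LogPath","SUCCESS","Type: REG_SZ, Data: C:\\Temp\\myapp.log","Registry"
"10:01:02.1000400","explorer.exe","1234","CreateFile","C:\\Windows\\explorer.exe","SUCCESS","Desired Access: Read Attributes","File System"
"10:01:02.1000500","myapp.exe","4120","WriteFile","C:\\Temp\\myapp.log","SUCCESS","Offset: 0, Length: 64","File System"
"""


def load_events(csv_text):
    """Parse a Procmon CSV export into dict rows keyed by the column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_events(events, process=None, pid=None, path_contains=None,
                  event_class=None, include_success=None):
    """Narrow events the way the article describes: process name or PID, then a path
    fragment, then Event Class, then include (True) or exclude (False) SUCCESS results.
    Passing None for an argument leaves that column unfiltered."""
    def matches(ev):
        return ((process is None or ev["Process Name"].lower() == process.lower())
                and (pid is None or ev["PID"] == str(pid))
                and (path_contains is None or path_contains.lower() in ev["Path"].lower())
                and (event_class is None or ev["Event Class"] == event_class)
                and (include_success is None
                     or (ev["Result"] == "SUCCESS") == include_success))
    return [ev for ev in events if matches(ev)]


def failed_paths(events, process):
    """The 'file or key is failing to be read' case: non-SUCCESS events for one process."""
    return [(ev["Operation"], ev["Path"], ev["Result"])
            for ev in filter_events(events, process=process, include_success=False)]


def successful_file_paths(events, process, name_fragment):
    """The 'where is the config or log file' case: SUCCESS file-system paths for a fragment."""
    hits = filter_events(events, process=process, path_contains=name_fragment,
                         event_class="File System", include_success=True)
    return sorted({ev["Path"] for ev in hits})
```

Run `failed_paths(load_events(SAMPLE_CSV), "myapp.exe")` to list the NAME NOT FOUND and ACCESS DENIED events from the sample; to analyze a real export, read the file's contents into `load_events` instead of `SAMPLE_CSV`.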

General Tips

Here are some additional tips to help make the most out of Procmon:
  • You can save the results to either a PML (Procmon Log) or CSV file.  Using a CSV file would let you analyze the data in Excel, while a PML file can be re-opened by Procmon at a later time.
  • Procmon can log events during the boot process with the Options > Enable Boot Logging option.
  • The CreateFile operation doesn't specifically mean that a file is being created.  Most often, CreateFile is actually opening existing files.  The Detail column will show whether a file is being opened or created.
  • You can highlight events that match certain criteria using the "Highlight '___'" option in the right click menu.  This allows you to focus on specific items (such as failures) while still being able to view the rest of the events.
  • You can use Ctrl+F or Edit > Find to search for text in the results.  Unlike filtering, this will find the text in any column and simply jump to the matching event, rather than hiding the events that don't match.

Author

Mitchell Grande

Systems Engineer