Download procmon
Author: w | 2025-04-24
Step 1: Download and Extract Procmon.

Download Procmon: If you haven’t already, download Procmon from the official Microsoft Sysinternals site: Download Process Monitor.

Extract Procmon: Locate the downloaded Procmon file, then right-click on the folder to extract it to your preferred location.

Step 2: Verify that RIO is running on the
GitHub - memzer0x/procmon-win7: Older release of procmon, as
Process Monitor is probably one of the most used tools by IT Pros to debug applications and check installations. We mentioned Process Monitor in our MSI Packaging Training free e-book, but this time around we want to explore it further. We will discuss its prerequisites and share how you can get started with it. Let’s dive in!

What is Process Monitor?

Process Monitor is a Windows system monitoring tool that shows file activity, accessed registry keys, and active processes. A long list of improvements has also been added, including process monitoring, monitoring of files loaded into system memory, improved filters, process activity details, and more.

You can use Process Monitor to track system and application activity and troubleshoot product issues. It is particularly helpful when you need to track which application or process accesses a file or a registry key.

In the main Process Monitor window, we see a list of all system operations along with their exact time, process name, ID, and the result of every operation:

What are the Prerequisites to Install Process Monitor?

The best part of Process Monitor is that you don’t need any fancy prerequisites installed on the system, like Visual C++ redistributables or specific .NET Framework versions. All you need to run this tool is a Windows Vista, Windows Server 2008 or higher machine (x86 or x64). And that's it: just download the tool, extract it, and run it on your Windows machine.

How to Download Process Monitor?

Downloading Process Monitor is quite easy: a simple Google search will bring you to the Microsoft docs. There, you can find the official link from Sysinternals to download Process Monitor.

As previously mentioned, you don’t need to install Process Monitor; all you need to do is extract the ZIP file which you just downloaded. The extracted zip file should contain the following files:

Procmon.chm - The help file which contains all of the provided documentation
Procmon.exe - The main EXE that will launch the correct procmon instance (x86 or x64)
Procmon64.exe - The x64 procmon binary
Procmon64a.exe - The alpha 64 procmon binary
Eula.txt - The license agreement you’ll have to accept before running Procmon

Once you extract all the files and execute Procmon.exe, Process Monitor should start immediately and you will see all the processes in detail. Always make sure you run Procmon with elevated permissions.

How to Define Start Behavior in Process Monitor?

Process Monitor does not have many settings to configure its start behavior. However, it provides a little functionality in this area. For instance, if you want to start Procmon minimized, all you need to do is run this command:
2025-04-02

Restart the machine. If not, you should be able to just start procmon.

From an elevated command prompt, run the command fltmc instances and verify that the procmon drivers are running at the altitude that you set (ex. 40000).

Then reproduce the scenario you want to capture. Your capture will be even larger than normal.

Notice now, when we review the new procmon and view Stack, we see the name of the driver LeakyFlt.sys.

Note: You can leave the setting, as it just lowers the threshold of what we see. And more is always better when it comes to legacy kernel drivers. Once you get a procmon with that enabled, you can look at the stack and see it.

Note 2: Will the deny permission for Everyone only impact that instance? Will it not interfere with other applications/permissions on the machine?

It only affects that procmon instance, not all procmons. So, if they installed e.g. something that had their own procmon instance, it would not impact it. You can take ownership of the key to delete the key when you are done.
2025-04-15

My name is Susan, and a small group of us have joined together to provide you documentation on how to view a kernel filter driver in procmon on the stack that is normally obfuscated. A special thanks to my colleague Becky Burns for documentation collaboration, and a special shout out to Denis Pasos and Ron Stock for both creating a leaky kernel filter driver and documentation collaboration.

If you need to get Procmon's filter to run below us in the filter stack, it has a setting for that. Procmon is typically used to figure out what is happening on the machine, but you do not get to see the activity of things such as virus scanners because they happen at a lower level than the procmon filter. In our case, we have a driver called Leakyflt.sys, but in procmon it only shows as FLTMGR.sys, and we want to know which driver it is without performing more tracing.

From an administrative command prompt, we see the driver LeakyFlt at altitude 372000:

In the example below, you will see Procmon’s altitude at 385200 as well as Legacy Filter Drivers such as vdorctl and dgmaster:

From Procmon, in the stack it looks like:

Changing the "Altitude" that procmon runs at puts it lower in the filter stack. In doing so, you will be able to see all the activity that you want from most filter drivers. To change the altitude of procmon, perform the following steps:

1. Install Procmon (assuming you have not already installed it).
2. From an Administrative Command prompt, run FLTMC to see the Altitude of the filter drivers. In the screenshot, the lowest filter driver altitude is 37200.
3. Open Registry Editor (RegEdit).
4. Navigate to registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMONXX\ (in this example: PROCMON24; the name may have a different number on your machine).
5. Expand to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMONXX\Instances\Process Monitor XX Instance (i.e., Process Monitor 24 Instance).
6. Change the Altitude Regkey value to lower than your lowest filter driver. For this example, change the Altitude value to 40000 (which will show you virtually everything that is happening on the machine). Alternatively, you could set the altitude to 372000 if you suspected a specific driver. Ex. Default altitude currently set to 385200. Right click on Altitude, change the value to 40000, click OK.
7. You must also set the security on the "Process Monitor XX Instance" key and add deny rights for Everyone for "Delete" and "Set Value". The reason is that procmon will try to change the value back right away. You will have to select "Disable inheritance" to be able to set them at the Process Monitor XX Instance level:
   - Right click on Process Monitor 24 Instance, select Permissions…
   - Click Add. In “Enter the object names to select:” type Everyone, click Check Names, then click OK.
   - Select Everyone, click Advanced.
   - Select Everyone, click Edit.
   - Click Show advanced permissions.
   - Change Type: to Deny, check Set Value, check Delete, click OK. (If Read Control is checked, uncheck it.)
   - With Everyone highlighted, select Disable inheritance, click OK.
   - Choose Convert inherited permissions into explicit permissions on this object.
   - Click OK. Click Yes. Click OK.
8. Exit Registry Editor.

If you have already started procmon before doing these changes, you will need to
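The same altitude change and key lock-down, scripted as an added example (this is not the article's own script or a Sysinternals tool). It assumes the service key name (PROCMON24 in the article; it may differ on your machine) and the target altitude (40000) are passed as parameters, that the Altitude value is the REG_SZ string shown in RegEdit, and that the instance subkey is the only child of the Instances key; it must run from an elevated PowerShell session because both fltmc and the registry key require administrative rights.

```powershell
# Added example, not from the original article. Assumed parameters: service key name and target altitude.
param(
    [string]$ServiceName = 'PROCMON24',   # name may have a different number on your machine
    [int]$TargetAltitude = 40000          # must be lower than the lowest loaded filter driver
)

# 1. Read the lowest altitude among loaded minifilters from `fltmc` output.
#    Data rows look like "WdFilter   4   328010   0" (name, instances, altitude, frame);
#    the header and dashed separator rows do not match the pattern and are skipped.
$lowest = fltmc | ForEach-Object {
    if ($_ -match '^\S+\s+\d+\s+(\d+)\s+\d+') { [int]$Matches[1] }
} | Sort-Object | Select-Object -First 1

if ($null -ne $lowest -and $TargetAltitude -ge $lowest) {
    Write-Warning "Target altitude $TargetAltitude is not below the lowest loaded filter ($lowest); procmon will still sit above that driver."
}

# 2. Locate HKLM\SYSTEM\CurrentControlSet\Services\<PROCMONXX>\Instances\<Process Monitor XX Instance>
$instancesKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Instances"
$instanceKey  = Get-ChildItem -Path $instancesKey | Select-Object -First 1
$path         = $instanceKey.PSPath
$current      = (Get-ItemProperty -Path $path).Altitude
Write-Host "Instance key: $($instanceKey.PSChildName)  current altitude: $current"

# 3. Set the new altitude (the value is a REG_SZ string, as shown in RegEdit).
Set-ItemProperty -Path $path -Name 'Altitude' -Value "$TargetAltitude"

# 4. Deny Everyone "Set Value" and "Delete" on the instance key so procmon cannot
#    write the default altitude back. Inheritance is disabled and the inherited ACEs
#    are converted to explicit ones first, matching the RegEdit steps in the article.
#    Read Control is deliberately not included in the deny rule.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)   # disable inheritance, keep existing ACEs as explicit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # well-known SID for Everyone
$deny = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

Write-Host "Altitude set to $TargetAltitude. Reboot, then run 'fltmc instances' to confirm the procmon filter loads at that altitude."
```

After the reboot, fltmc instances should list the procmon filter at the new altitude; if procmon had already been started before the change, it needs the restart before the new value takes effect. Because the deny ACE is placed only on this instance key, other software that ships its own procmon instance is not affected, and taking ownership of the key lets you delete it when the investigation is over.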
2025-04-10

If you want to clear all the information Procmon has logged since the capture started, you can click the trash bin button:

Working with Procmon logs

Let's say that you want a user to do a small capture of events on his machine and then you want to analyze that capture. What are your options?

Procmon offers the possibility to save the event list in a variety of formats:

Native Process Monitor Format (PML)
Comma-separated values (CSV)
Extensible Markup Language (XML)

The PML option is the most comprehensive one and the easiest to use with Procmon. However, if you want to debug certain logs in a developer's manner, you can always use the CSV or XML options. Note that Procmon does not open CSV or XML logs; those logs must be parsed independently.

Saving a “log” is quite easy: once you have the capture done, click on File > Save. This will bring up an additional window where you can specify the type of log you want and the path where it will be saved:

For better compatibility, we exported the PML log. If you want to open a log with Procmon, just click on File > Open and select your file.

Conclusion

To conclude our topic, Process Monitor is one of the most popular and best tools on the market for debugging. While it might be intimidating at first, once you get used to it, you may not want to search for another tool. Did you find this article helpful? Leave a comment below!

Written by Alex Marin, Application Packaging and SCCM Deployments specialist, solutions finder, Technical Writer at Advanced Installer.
2025-04-05