Procmon windows

Author: s | 2025-04-24

Process Monitor (Procmon) is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Separately, the GitHub repository memzer0x/procmon-win7 hosts an older release of Procmon, as Windows 7 does not support the latest version of Procmon and searching for older releases is a pain in the butt.

Process Monitor is probably one of the most used tools by IT Pros to debug applications and check installations. We mentioned Process Monitor in our MSI Packaging Training free e-book, but this time around we want to explore it further. We will discuss its prerequisites and share how you can get started with it. Let's dive in!

What is Process Monitor?

Process Monitor is a Windows system monitoring tool that shows files, accessed registry keys, and active processes. A long list of improvements has also been added, including process monitoring, monitoring of files loaded into system memory, improved filters, process activity details, and more.

You can use Process Monitor to track system and application activity and troubleshoot some product issues. It is particularly helpful when you need to track which application or process accesses a file or a registry key.

In the main Process Monitor window, we see a list of all system operations along with their exact time, process name, ID, and the result of every operation.

What are the Prerequisites to Install Process Monitor?

The best part of Process Monitor is that you don't need any fancy prerequisites installed on the system, like Visual C++ redistributables or specific .NET Framework versions. All you need to run this tool is a Windows Vista, Windows Server 2008 or higher machine (x86 or x64). And that's it: just download the tool, extract it, and run it on your Windows machine.

How to Download Process Monitor?

Downloading Process Monitor is quite easy: a simple Google search will bring you to the Microsoft docs. There, you can find the official link from Sysinternals to download Process Monitor.

As previously mentioned, you don't need to install Process Monitor; all you need to do is extract the ZIP file you just downloaded. The extracted ZIP file should contain the following files:

Procmon.chm - The help file, which contains all of the provided documentation
Procmon.exe - The main EXE, which launches the correct Procmon instance (x86 or x64)
Procmon64.exe - The x64 Procmon binary
Procmon64a.exe - The alpha 64 Procmon binary
Eula.txt - The license agreement you'll have to accept before running Procmon

Once you extract all the files and execute Procmon.exe, Process Monitor should start immediately and you will see all the processes in detail. Always make sure you run Procmon with elevated permissions.

How to Define Start Behavior in Process Monitor?

Process Monitor does not have many settings to configure its start behavior. However, you have a few command-line options.

If you want to start Procmon minimized, all you need to do is run this command:

If you don't want to see the EULA on the first run, you could use the following command:

As previously mentioned, Procmon.exe automatically detects whether your machine is running on x86 or x64. So, if you are using an x64 machine, Procmon.exe will launch the correct x64 instance. There might be cases where you want to open the x86 version on x64 (for example, to read a log made with an x86 Procmon), and in that case you could use the following command line:

If you don't want Procmon to automatically start capturing system events, you could use the following command:

Procmon at a first glance

If this is the first time you are using Procmon, it can be overwhelming to see all the information that will appear on your screen. Launching Procmon without any custom start behavior means that you will see a heavily populated list of captured events on your main screen. Since there is a lot of information presented by Procmon, let's review what each column means. Every single event logged by Procmon is represented in a list made of seven columns:

Time of day - The exact time when the particular event happened (down to the millisecond)
Process name - The name of the process
PID - The process identifier
Operation - The type of event, defined by a class (see below)
Path - The path to the object the event interacted with (e.g. a registry key or a file)
Result - The outcome of the event: SUCCESS, NAME NOT FOUND, etc.
Detail - The full details of the operation performed

Under the Operation column, there are various icons representing different classes of Windows events:

Registry
Filesystem
Network
Processes
Profiling events

You can adjust the Procmon columns to show just the amount of information you need: right-click a column name and choose "Select columns", and the column selection window will appear. In my experience, the default setup provides all the necessary information for debugging your application or processes on the system; other options are rarely used in the IT Pro industry.

Using Event Properties in Procmon

If you want more information about a specific operation in the list, all you need to do is double-click one event and the "Event Properties" window will appear. It gives you access to all the details available for that operation and includes three main tabs:

1. The "Event" tab, where you will see the general event information: Thread, Class, Operation, Needed Access, etc.
2. The "Process" tab, which gives you additional information such as Image, Version, Path, Command line, Session ID, User, Modules, etc.
3. The "Stack" tab, which shows all the steps that were followed for that particular operation to reach that stage, giving you full details to find out where the operation breaks.

How filtering operations work in Procmon

As

Comments

User2359

As you might guess, seeing all the operations makes it quite difficult to debug your particular operation, so Procmon offers a ton of filtering options.

Filter option in Procmon from the main window

The first and easiest filter is presented in the main window. This allows you to show/hide different classes: Registry, File Operations, Network, Process & Thread Activity, Profiling. For example, in the next screenshot, you can see that I hid all the operations except the Registry ones.

But what if I want to see only Explorer.exe operations on the Registry? It's quite easy, and there are two ways of doing it. The first option is to right-click an event that has the Explorer.exe Process Name and click "Highlight". If you want to remove other processes, you can right-click each one and select "Exclude".

Filter options in Procmon from the Filter window

The second option is to navigate to Filter > Filter and a new window will appear. In this window, we can configure which entities to display, as follows. All we have to do is: select Process Name – Explorer.exe, go to Include and click on the "Add" button. Then, click OK. This will ensure that only Explorer.exe will appear in the capture, and with the registry operations filter, you will now see only what Explorer.exe operations are happening in the registry. Cool, right?

Filtering operations is one of the most important and powerful aspects of Procmon. By filtering operations, you can easily detect your issues on your system/application. You can filter anything from Architecture, Authentication ID, Category, Command Line, Company, Completion Time, Date & Time to Version.

Another example where filtering is important is when we want to find out if a particular EXE contains an MSI that is extracted and executed during the installation. We already covered this scenario in the MSI Packaging ebook - Helpful tools chapter, but let's go quickly through the steps: under the drop-down menu, hover over Filter > Filter, go to "Display entries matching this condition" and select Operation is Process Create. This will track any newly created process on the system, meaning that if you launch an EXE installer and it installs an MSI, it will first need to create the MSI operation which will handle the Windows Installer execution. Pretty neat, huh?

What are the capture options in Procmon?

One important tip when working with Procmon is to never leave the capture running for long; otherwise you will run out of memory. To enable or disable the capture, all you need to do is click the button highlighted below. The recommendation would be to stop the capture before you start analyzing your event. This will not only ensure a smaller log and faster filtering times, but it's also good for memory management.

If you

2025-04-20
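As an added example (not from the original article, Sysinternals, or the commenter), the following Python models the filters described above over a Procmon CSV export: sorting events into the five classes, the "Process Name is Explorer.exe" plus Registry combination, and the "Operation is Process Create" rule used to catch an installer spawning msiexec. The column names are Procmon's seven default columns; the operation-name prefixes and the sample rows are assumptions constructed for the example.

```python
import csv
import io

# Constructed sample of a Procmon CSV export (File > Save > CSV); the header is the
# tool's seven default columns. These rows are made up for the example, not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1234567 AM","Explorer.EXE","4120","RegOpenKey","HKCU\Software\Classes","SUCCESS","Desired Access: Read"
"10:15:01.1239876 AM","Explorer.EXE","4120","RegQueryValue","HKCU\Software\Classes\.txt","NAME NOT FOUND","Length: 144"
"10:15:01.1250000 AM","Explorer.EXE","4120","CreateFile","C:\Users\demo\Desktop","SUCCESS","Desired Access: Read Data"
"10:15:02.0000000 AM","setup.exe","5208","Process Create","C:\Windows\System32\msiexec.exe","SUCCESS","PID: 5316, Command line: msiexec.exe /i C:\Temp\app.msi /qn"
"10:15:02.1000000 AM","svchost.exe","1180","TCP Connect","host:49152 -> 10.0.0.5:443","SUCCESS","Length: 0"
'''

# Operation-name prefixes for the five classes the toolbar can show or hide (assumed names
# as Procmon prints them). Profiling is listed before Process because "Process Profiling"
# would otherwise match the Process class; anything unmatched is treated as file system.
CLASS_PREFIXES = (
    ("Profiling", ("Process Profiling", "Thread Profiling", "System Statistics")),
    ("Process", ("Process ", "Thread ", "Load Image")),
    ("Registry", ("Reg",)),
    ("Network", ("TCP ", "UDP ")),
)

def event_class(operation):
    """Map an Operation value to Registry, Filesystem, Network, Process or Profiling."""
    for cls, prefixes in CLASS_PREFIXES:
        if operation.startswith(prefixes):
            return cls
    return "Filesystem"

def parse_events(csv_text):
    """One dict per event, keyed by the seven default column names."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def include(events, **conditions):
    """Procmon 'Include' rule: each given column 'is' its value (case-insensitive, as in the GUI)."""
    return [e for e in events
            if all(e[col].lower() == val.lower() for col, val in conditions.items())]

def registry_activity_of(events, process_name):
    """'Process Name is <name>' combined with the Registry class, as in the Explorer.exe example."""
    return [e for e in include(events, **{"Process Name": process_name})
            if event_class(e["Operation"]) == "Registry"]

def process_creates(events):
    """'Operation is Process Create': parent image, parent PID, child path, child command line."""
    return [(e["Process Name"], e["PID"], e["Path"], e["Detail"])
            for e in include(events, Operation="Process Create")]
```

Because the Detail column of a Process Create event carries the child's command line, the last function is enough to see an EXE installer hand off to msiexec with its full arguments.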
