Process Monitor is a troubleshooting and data collection tool used by many systems administrators as well as Microsoft’s support organization. The goal of this post is to give you hands-on experience with this valuable troubleshooting tool so that you can make progress on resolving virtualization issues with your applications, should you encounter them.
Most of the content in this document consists of three troubleshooting examples that represent three common types of issues you may encounter. The first example covers Process Monitor basics, including the critically important filtering capabilities of the tool. The two subsequent examples build on the techniques described in the first example. Please note that examples two and three do not repeat the detailed instructions presented in example one. In other words, don't skip example one.
Much of the information presented here comes from various sources available via Microsoft’s public sites; it is just packaged and presented in a different way. Resource links are provided at the end of this document.
Process Monitor is an advanced monitoring tool for Windows that shows real-time File System, Registry and Process/Thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon. Its uniquely powerful features make Process Monitor a core utility for system troubleshooting.
The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July, 2006.
OS Requirements: Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1 or Windows Vista
- Configurable boot time logging of all operations
- Non-destructive filters allow you to set filters without losing data
- Can log data to a file instead of in process virtual memory
- Configurable and moveable columns for any event property
- Advanced logging architecture scales to tens of millions of captured events, gigabytes of log data
- Monitoring of process and thread startup and exit, including exit status codes
- Monitoring of image (DLL and kernel-mode device driver) loads
- More data captured for operation input and output parameters
- Capture of thread stacks makes it possible to identify the root cause of an operation
- Reliable capture of process details, including image path, command line, user and session ID
- Filters can be set for any data field, including fields not configured as columns
- Process tree tool shows relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn't fit in the column
- Cancellable search
You do not install Process Monitor. You simply download the zip file, extract its contents (EULA.txt, procmon.chm, procmon.exe) to a folder of your choice, and double-click Procmon.exe to launch the tool. Process Monitor loads a kernel-mode driver, so it needs administrative rights; depending on the User Account Control setting on the computer you may be prompted to grant permission when it starts. Process Monitor can be downloaded at http://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx.
As soon as Process Monitor appears it starts capturing File, Registry, and Process/Thread information. To stop or restart capturing, click the Capture toolbar button (the magnifying-glass icon) or press Ctrl+E.
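The same launch-and-capture procedure can be driven from the command line, which is useful when you want the trace written to a backing file on disk (one of the features listed above) rather than held in Process Monitor's own memory, and when you need a repeatable capture of a single application launch. The script below is an added example written for this page; it is not part of the original guide and not Sysinternals code. It assumes procmon.exe has already been extracted into a Procmon subfolder of the current directory, that notepad.exe stands in for the application under test, and that the PowerShell session is elevated (the driver load requires administrative rights). The command-line switches used (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs) are documented in procmon.chm; the column names in the analysis step are Process Monitor's defaults.

```powershell
# Added example: capture one application launch with Process Monitor into a
# backing file, convert the native log to CSV, and summarize failed lookups.
# Assumptions: .\Procmon\Procmon.exe exists, notepad.exe is the test program,
# and the session is elevated (Process Monitor loads a kernel-mode driver).

$procmon = Join-Path $PWD 'Procmon\Procmon.exe'
$pml     = Join-Path $env:TEMP 'app-launch.pml'   # native format keeps every field
$csv     = Join-Path $env:TEMP 'app-launch.csv'   # flattened copy for scripting

# 1. Start capturing straight to the backing file. /AcceptEula skips the
#    licence dialog, /Quiet suppresses the filter prompt, and /Minimized keeps
#    the window out of the way. Capture begins as soon as the driver loads.
Start-Process -FilePath $procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`""
)
Start-Sleep -Seconds 3   # let the driver load before reproducing the issue

# 2. Reproduce the behaviour you want traced: launch the application, give it
#    time to finish its startup work, then close it.
$app = Start-Process -FilePath 'notepad.exe' -PassThru
Start-Sleep -Seconds 5
Stop-Process -Id $app.Id -ErrorAction SilentlyContinue

# 3. Stop the capture. /Terminate tells the running instance to flush the
#    log and exit; -Wait makes this script block until that has happened.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# 4. Convert the native log to CSV. The CSV contains the configured columns;
#    the defaults are Time of Day, Process Name, PID, Operation, Path,
#    Result and Detail.
Start-Process -FilePath $procmon -ArgumentList @(
    '/AcceptEula', '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`""
) -Wait

# 5. First pass at analysis: which paths did the process fail to find?
#    NAME NOT FOUND is often harmless probing, but a DLL, file or registry
#    key the application genuinely depends on shows up in this list first.
function Get-ProcmonMisses {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [string] $ProcessName,
        [int] $Top = 20
    )
    Import-Csv -Path $CsvPath |
        Where-Object { $_.'Process Name' -eq $ProcessName -and
                       $_.Result -eq 'NAME NOT FOUND' } |
        Group-Object -Property Path |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count, Name
}

Get-ProcmonMisses -CsvPath $csv -ProcessName 'notepad.exe' | Format-Table -AutoSize
```

Keep the .pml file as well as the CSV: the native log preserves the thread stacks, process details and event properties that a CSV export drops, and it can be opened later in any Process Monitor instance. The Get-ProcmonMisses function is a deliberately blunt first filter; the examples that follow show how Process Monitor's own filtering narrows a trace far more precisely than a result-code match.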