What is Process Monitor?

A. One of the first new tools to be released since Microsoft's acquisition of SysInternals is Process Monitor, which combines the previous Regmon and Filemon tools' functionality, while adding improved filtering capabilities. You can download the tool from http://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx . However, those people used to Regmon's old filtering interface will need to adapt. For example, the old check boxes to log registry reads and writes has been replaced by a new logic-based interface, as the figure shows.

The equivalent of just checking the "View registry writes" option is now an Operation rule to show whether the operation "is" a RegSetValue. Changing a filter updates the entire process history since the application has been running instead of just from that moment in time onward. Essentially, Process Monitor captures all information all the time, and the filter controls what's displayed to screen. Process Monitor stores information in the pagefile by default, or you can configure a separate storage file via the File, Backing Files toolbar option. Obviously the tool collects a lot of data, which takes up significant space. You can also set this store for events by using the /BackingFile switch.

You can save event logs in a native Process Monitor format or to a comma-separated value (CSV) format file that can include all the event captures, only those events that meet the current filter, or selected events. Events saved in the native Process Monitor format can be read back into the utility at a later time.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish