Questions tagged [procmon]

Process Monitor is a free advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

Procmon offers non-destructive filtering (events excluded by a filter stay in the capture and reappear when the filter is changed), comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. It can be used to troubleshoot problems such as application errors, hangs and sluggish performance. It is also used to investigate what malware does on a system.

Application site: http://technet.microsoft.com/en-ca/sysinternals/bb896645.aspx

"Case of the Unexplained" webcasts from Mark Russinovich showing how to use Process Monitor and other Sysinternals tools to troubleshoot problems: http://technet.microsoft.com/en-us/sysinternals/bb963887#case
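The filtering and file-logging features described above are easiest to use offline once a trace has been exported as CSV (File > Save... with the CSV option, or `procmon.exe /OpenLog trace.pml /SaveAs trace.csv`). The script below is an added example, not Sysinternals code; it assumes Procmon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and uses constructed sample rows rather than a real trace. It shows two things the Procmon UI leaves to the analyst: pinning down which process wrote exactly one registry value (the Path of a RegSetValue event carries key\value, so an exact match excludes sibling values under the same key), and rolling up NAME NOT FOUND results per process so that one noisy process stands out from the normal background of harmless probes.

```python
"""Post-process a Process Monitor CSV export offline.

Added example, not part of Sysinternals Process Monitor. Assumes the
default export columns: Time of Day, Process Name, PID, Operation, Path,
Result, Detail.
"""
import csv
import io
from collections import Counter

# Constructed sample rows (not a real trace) in Procmon's default CSV layout.
SAMPLE_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    '"10:01:02.1234567 AM","explorer.exe","1234","RegQueryValue","HKCU\\Software\\Classes\\.txt\\OpenWithProgids","NAME NOT FOUND","Length: 144"',
    '"10:01:02.1240000 AM","explorer.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Classes\\.txt\\OpenWithProgids","SUCCESS","Type: REG_SZ, Length: 16, Data: txtfile"',
    '"10:01:02.2000000 AM","updater.exe","4321","RegSetValue","HKLM\\SOFTWARE\\Example\\Settings\\Enabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"',
    '"10:01:02.3000000 AM","updater.exe","4321","RegSetValue","HKLM\\SOFTWARE\\Example\\Settings\\EnabledBackup","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"',
    '"10:01:02.4000000 AM","updater.exe","4321","RegQueryValue","HKLM\\SOFTWARE\\Example\\Settings\\Enabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"',
    '"10:01:03.0000000 AM","svchost.exe","800","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"',
    '"10:01:03.1000000 AM","svchost.exe","800","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory"',
])


def load_events(csv_text):
    """Parse the export into one dict per event, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def writers_of_value(events, value_path):
    """Events that modify exactly one registry value.

    For RegSetValue/RegDeleteValue the Path column is key\\value, so an exact,
    case-insensitive comparison (registry paths are case-insensitive) picks the
    one value and ignores siblings such as ...\\EnabledBackup, which a key-level
    view would also show. Reads (RegQueryValue) are deliberately excluded.
    """
    target = value_path.casefold()
    return [e for e in events
            if e["Operation"] in ("RegSetValue", "RegDeleteValue")
            and e["Path"].casefold() == target]


def name_not_found_by_process(events):
    """Count NAME NOT FOUND results per (process name, PID).

    Most such results are benign probes for optional keys and files, so the
    useful signal is a process whose count is far above its peers, not the
    presence of the result itself.
    """
    counts = Counter()
    for e in events:
        if e["Result"] == "NAME NOT FOUND":
            counts[(e["Process Name"], e["PID"])] += 1
    return counts


def summarize(csv_text, value_path):
    """Return (sorted (process, PID) writers of value_path, NAME NOT FOUND counts)."""
    events = load_events(csv_text)
    writers = sorted({(e["Process Name"], e["PID"])
                      for e in writers_of_value(events, value_path)})
    return writers, name_not_found_by_process(events)


if __name__ == "__main__":
    writers, nnf = summarize(SAMPLE_CSV, r"HKLM\SOFTWARE\Example\Settings\Enabled")
    print("processes that wrote the value:", writers)
    for (name, pid), n in nnf.most_common():
        print(f"{name} ({pid}): {n} NAME NOT FOUND")
```

On a real trace, replace SAMPLE_CSV with the contents of the exported file; the same functions work unchanged as long as the default columns were selected at export time.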

49 questions
30 votes, 4 answers

What does the path '\REGISTRY\A\...' in Sysinternals Procmon log mean?

I use the Sysinternals Procmon utility to monitor the registry access of some programs. Most log entries have a Path property starting with HKCU\… or HKLM\…, which correspond to the registry hives HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE that can be…
14 votes, 1 answer

Detect what process is changing a file on Windows

Is there a way to detect what process is changing a file on Windows 7? I know procmon is a great tool but couldn't figure out how to do it, or even if it's possible. The problem is that I have a file that is changed by some application and I want…
RaduM • 253
11 votes, 2 answers

What is C:\$Directory?

When I run Process Monitor, I see ReadFile requests sent to C:\$Directory. What exactly does this mean? Update: I also see $MapAttributeValue, which looks unfamiliar as well.
user541686 • 23,629
10 votes, 2 answers

How to use ProcMon on Windows XP - I get an error about InitializeSRWLock

When running procmon on Windows XP Pro SP3 I get this error: "Procmon.exe - Entry Point Not Found: The procedure entry point InitializeSRWLock could not be located in the dynamic link library KERNEL32.dll." Is there a version for XP specifically?
7 votes, 4 answers

(solved) Mysterious and frequent activity on secondary disk, even when offline in Disk Management

Update (solved) The sound was coming from my speakers, that's all there is to it. While I go to cringe in a small hole for a few weeks I'd like to thank (and beg forgiveness from) everybody who took time thinking about this. Technically Twisty's…
7 votes, 1 answer

Can I use Sysinternals Process Monitor to monitor a specific registry value?

Something somewhere is modifying a value in a registry key, and I want to track it down. I thought I might set up ProcMon to watch that value, but as far as I can tell, it only filters to keys. There is far too much noise for me at that level.
Jay Bazuzi • 4,210
5 votes, 2 answers

Loads of "NAME NOT FOUND" results in Windows Process Monitor (procmon)

A few days ago, something happened to my laptop (running Windows 10); it took long minutes for common applications (Browser, VLC, etc.) to load. As much as I investigated, I couldn't find the cause. After several reboots, checks and scans, the…
4 votes, 1 answer

ProcMon - catching incoming file accesses from the network

I'm currently using procmon to chase down a problem I'm having involving network files. Another PC on the local network writes small "command" files to the target machine, which then consumes them - i.e. they are read, actioned and deleted. There…
rossmcm • 1,656
4 votes, 0 answers

What does the QueryDirectory operation in procmon mean?

While tracking a process with procmon, I see several operation types. I am unable to find any detailed explanation for them. There is one called QueryDirectory; what does it mean?
4 votes, 1 answer

Procmon command line does not save filtered output

I am using the procmon command line:

    procmon.exe /Quiet /Minimized /Openlog C:\Python27\code2\logs.pml /LoadConfig C:\Python27\code2\pmc.pmc /SaveAs C:\Python27\code2\output.csv

After running the above command, the procmon UI shows filtered events but…
3 votes, 1 answer

Windows Explorer making thousands of registry reads per second, slows computer to a halt

This is a Windows 7 64-bit install. Towards the end of the day, all of a sudden, their computer will grind to a halt. It stops responding for a few seconds while performing any action. I ran ProcMon while the problem was occurring, but I'm not…
3 votes, 2 answers

Is there a version of Process Monitor that runs on Windows 2000?

I have a problem I'm trying to track down on a Windows 2000 machine. I downloaded SysInternals Process Monitor (ProcMon.exe) but it seems to need Windows XP SP2 or higher. I've seen traffic that suggested it once worked with Windows 2000 SP4. Any…
rossmcm • 1,656
3 votes, 3 answers

Why is Process Monitor taking up 2+ GB of physical memory?

I am trying to hunt down a rogue process that is locking a file in a specific directory which is preventing a log being appended to. This locking happens about one to three times a week, so needless to say I want ProcMon to run for a long time…
2 votes, 2 answers

Could you use Process Monitor to move a program to a different computer?

Let's suppose you had two computers, both with the same instruction set and Windows version. Is it possible (okay, anything might be possible, but is it feasible) to use procmon to monitor every file and registry key that the application…
user465551
2 votes, 2 answers

What can a process get from touching another application's DLL?

Here is a screenshot of Process Monitor, which shows a process AliIM.exe doing something with a DLL of TeamViewer. Since TeamViewer is a remote control app, I have a security concern: will it get my TeamViewer credentials by those actions? The…
Edward • 203