Capturing System Events by Using Process Monitor (ProcMon)

Overview

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. These features make Process Monitor a core utility for system troubleshooting and malware hunting.

This article provides information on stopping, starting, saving, and sharing a ProcMon capture.


Prerequisites

Get and run ProcMon:

  1. Download ProcMon.
  2. Unzip the ProcessMonitor.zip file.
  3. Copy the ProcMon.exe file to the server or workstation that you need to perform troubleshooting on.
  4. Launch ProcMon as Administrator.
    1. Right-click on the ProcMon.exe file.
    2. Select Run as administrator.
    By default, ProcMon starts capturing events as soon as it launches.


Process


Stopping a ProcMon Capture

  1. Click File.
  2. Click Capture Events to deselect it.
  3. Click Edit.
  4. Select Clear Display.


Starting a ProcMon Capture

  1. Go to File.
  2. Select Capture Events.

Once ProcMon starts capturing events, you can start reproducing the issue.


Saving and Sharing a ProcMon Capture

Once you have finished reproducing the issue, stop the capture (steps 1 and 2 in the Stopping a ProcMon Capture section), then save and share the ProcMon capture as follows:

  1. Click on File.
  2. Select Save.
  3. Change the file name and path if you prefer to do so.
    Do not change the other default settings.
  4. Navigate to the location of the saved file.
  5. Send the file to us by attaching it to the Zendesk ticket.
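The same start, reproduce, stop and save sequence can be scripted with ProcMon's command-line switches, which goes beyond the GUI steps above and is useful on a server where nobody is sitting at the console. This is an added example, not part of the original article; it assumes ProcMon.exe is in the current directory, and the output folder and the 60-second capture window are placeholders to adjust.

```powershell
# Added example (not from this article): script the start / reproduce / stop / save
# sequence with Process Monitor's command-line switches so the resulting .pml file
# can be attached to the ticket. Assumes ProcMon.exe is in the current directory;
# the output folder and the 60-second capture window are placeholders to adjust.
param(
    [string]$ProcMon = '.\ProcMon.exe',
    [string]$OutDir  = 'C:\Temp\ProcMonCapture',
    [int]$Seconds    = 60
)

# ProcMon loads a kernel driver, so the session must be elevated (Run as administrator).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell session.'
}
if (-not (Test-Path $ProcMon)) { throw "ProcMon.exe not found at $ProcMon." }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$pmlPath = Join-Path $OutDir "capture-$stamp.pml"

# 1. Start capturing straight into a backing file (File > Capture Events in the GUI).
#    /Quiet skips the filter dialog; /Minimized keeps the window out of the way.
Start-Process -FilePath $ProcMon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$pmlPath`""
)

# 2. Block until the capturing instance is up and recording events.
Start-Process -FilePath $ProcMon -ArgumentList '/WaitForIdle' -Wait

# 3. Reproduce the issue while the capture runs (here a fixed time window).
Write-Host "Capturing to $pmlPath for $Seconds seconds - reproduce the issue now."
Start-Sleep -Seconds $Seconds

# 4. Stop the capture and flush the log (deselect Capture Events, then File > Save in the GUI).
Start-Process -FilePath $ProcMon -ArgumentList '/Terminate' -Wait

# 5. Confirm the .pml was written before attaching it to the ticket.
if (-not (Test-Path $pmlPath)) { throw "Capture file $pmlPath was not written." }
Get-Item $pmlPath | Select-Object FullName, Length, LastWriteTime
```

The .pml written by /BackingFile is the same native format File > Save produces, so it can be opened in ProcMon on another machine or attached to the ticket as-is.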

Here is a 101 video for Process Monitor (source: Process Monitor 101 by Jeremy Moskowitz). If it does not play in your browser, download it from this link: https://central-supportdesk.zendesk.com/hc/article_attachments/360009232940/Process_Monitor_101.mp4

Posted by Priyanka Bhotika