Questions tagged [procmon]

Process Monitor is a free advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It offers non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. It can be used to troubleshoot problems such as application errors, hangs and sluggish performance. It is also used by some to find malware.

Application site: http://technet.microsoft.com/en-ca/sysinternals/bb896645.aspx

"Case of the Unexplained" webcasts from Mark Russinovich showing how to use Process Monitor and other Sysinternals tools to troubleshoot problems: http://technet.microsoft.com/en-us/sysinternals/bb963887#case

48 questions
2 votes, 1 answer

How does Procmon work on 64-bit Vista+?

I understand older Procmon and its predecessors (filemon, regmon etc) used virtual drivers to hook the kernel. However, Patchguard prevents SSDT hooking etc on 64-bit Vista+. It is my understanding that Procmon now uses a minifilter driver for File…
1 vote, 2 answers

Catch C runtime function calls with Sysinternals.ProcMon

Is there a way to get _stat() C runtime functions caught in ProcMon
Chesnokov Yuriy

1 vote, 0 answers

What causes a large exe to load slowly (65,536 bytes at time according to Procmon)?

We are running Docker on a VMware host running Windows 10. Based on the first comment, I wonder if the issue isn't specifically the read portion, but maybe there is something happening at the end of the load that is preventing this exe from being…
AmoebaMan17

1 vote, 0 answers

the file .PML was not closed cleanly during capture and is corrupt

I'm using procmon to save logs while running some tests on VM. I'm using python and pytest but I think is irrelevant here. For every test I'm running to start procmon with: psexec.exe -accepteula -s -d -i 1 procmon.exe /AcceptEula /Quiet…
1 vote, 0 answers

Single Thread Program Creating Two Threads

I was analyzing (with Procmon) a very simple program in two different VPS that I'm renting. The program is a minimal C++ program: int main() { return 0; } I compiled the previous code with g++ (tdm64-1) 5.1.0 in both machines. I just compiled…
lcastillov

1 vote, 0 answers

Procmon - Why do I see multiple CreateFile & CloseFile calls by a particular process on its own executable

Please see below image. I just want to know why chrome.exe is calling CreateFile & CloseFile functions on its own executable multiple times. What is the reason behind this? Thanks!
anilmwr

1 vote, 0 answers

Procmon is crashing when saving the boot logs

I have been trying to analyse registry activity during booting, so I thought of using procmon for boot logging. I enabled boot logging and restarted the system. Now when I started procmon it asked me to dump the boot log collected. When I…
saurav

1 vote, 1 answer

Procmon command line does not save filtered output

I am using procmon command line. procmon.exe /Quiet /Minimized /Openlog C:\Python27\code2\logs.pml /LoadConfig C:\Python27\code2\pmc.pmc /SaveAs C:\Python27\code2\output.csv After running the above command, the procmon UI shows filtered events but…
tryingToLearn

1 vote, 1 answer

How does the Sulley fuzzing framework procmon work on a virtual machine?

From my understanding, the process_monitor stores crashbin information locally. If this is running on a virtual machine and a test case causes the process and target machine to become unresponsive, vmcontrol would then revert to an earlier snapshot.…
1 vote, 0 answers

.NET application hangs before loading its image

The issue appears sometimes on several machines in our domain: The user starts my .NET 4.0 application, but nothing happens. Machines run Windows XP, .NET version is 4.0.30319.1008 As I can see in Task Manager the process is started, but it uses…
Boogier

1 vote, 1 answer

Prefetch information in Windows XP fails and aborts the launching of my application

I compile my application on a Windows XP SP3 machine. When it compiles, I try to launch it, and Windows replies with: Unable to start program 'xx'. This application has failed to start because the application configuration is…
yves Baumes

1 vote, 1 answer

Can I read the htop output in my Java code?

I need to read information about various processes that are running on my server and the values of certain parameters. I'm trying to use Apache server on Ubuntu 11.10. Using htop in the terminal I get to see the processes and variable values. I tried…
Bala

0 votes, 0 answers

How can I write PowerShell code to filter Process Monitor logs directly to a CSV file without stopping the monitoring process?

I want to automate this PowerShell script so that it automatically runs when the user opens param( [Parameter(Position=0)] [string]$Filter, [int]$Duration, [switch]$KeepAll, [string]$procmon ) function…
curiosity

0 votes, 0 answers

What is Process CreateTime in the xml procmon saved?

Process data in the xml file Procmon saved has "CreateTime". For a process starting from 2023/4/17 14:36:01, its CreateTime in the xml file is 133261869619355124. Regardless of whether this CreateTime is regarded as a nanosecond, millisecond or…
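Both the PowerShell question above (filtering Process Monitor output into a CSV) and this CreateTime question are about post-processing what Procmon writes out, so here is one added example covering both. It is not code from Process Monitor, Sysinternals, or either asker. It assumes two things the page does not state: that CreateTime is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 00:00:00 UTC; the quoted value decodes to 2023-04-17 06:36:01 UTC, which matches the asker's 14:36:01 on a clock set to UTC+8), and that the CSV carries the default columns of a Procmon /SaveAs export ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"). The CSV sample, the autostart-path list and the write-operation set are constructed for the example.

```python
"""Offline post-processing of Process Monitor output (added example, not Procmon's own code).

Assumptions: CreateTime in Procmon's XML is a Windows FILETIME; the CSV export has the
default /SaveAs column set. The sample CSV below is constructed, not a real capture.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of a Procmon CSV export (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:36:01.9355124 PM","svchost.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read"
"2:36:02.0012345 PM","chrome.exe","4321","CreateFile","C:\Program Files\Google\Chrome\Application\chrome.exe","SUCCESS","Desired Access: Read Attributes"
"2:36:02.0023456 PM","chrome.exe","4321","CloseFile","C:\Program Files\Google\Chrome\Application\chrome.exe","SUCCESS",""
"2:36:02.1000000 PM","updater.exe","6666","CreateFile","C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk","ACCESS DENIED","Desired Access: Generic Write"
"2:36:02.2000000 PM","updater.exe","6666","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x","SUCCESS","Type: REG_SZ, Data: C:\Users\bob\x.exe"
'''

# Windows FILETIME epoch: ticks of 100 ns counted from 1601-01-01 00:00:00 UTC (assumption, see lead-in).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Decode a FILETIME tick count into an aware UTC datetime (the 100 ns digit is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_local(ticks, utc_offset_hours):
    """Same instant on a wall clock at a fixed UTC offset, e.g. 8 for the UTC+8 clock in the question."""
    return filetime_to_datetime(ticks).astimezone(timezone(timedelta(hours=utc_offset_hours)))


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; a naive datetime is taken as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_events(csv_text):
    """Read a Procmon CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_events(events, process=None, operations=None, path_contains=None, result=None):
    """Keep events matching every given criterion; matching is case-insensitive like Procmon's own filters."""
    ops = {o.lower() for o in operations} if operations else None
    needle = path_contains.lower() if path_contains else None
    kept = []
    for ev in events:
        if process and ev["Process Name"].lower() != process.lower():
            continue
        if ops and ev["Operation"].lower() not in ops:
            continue
        if needle and needle not in ev["Path"].lower():
            continue
        if result and ev["Result"].upper() != result.upper():
            continue
        kept.append(ev)
    return kept


# Autostart locations worth a second look when Procmon is used to hunt malware (assumed list).
PERSISTENCE_PATHS = (r"\currentversion\run", r"\start menu\programs\startup")
WRITE_OPERATIONS = {"RegSetValue", "RegCreateKey", "CreateFile", "WriteFile", "SetRenameInformationFile"}


def persistence_writes(events):
    """Return (process, pid, operation, path, result) for write-type operations on autostart locations."""
    hits = []
    for ev in events:
        if ev["Operation"] not in WRITE_OPERATIONS:
            continue
        # CreateFile is also how a process opens a file to read it; count it only when write access was requested.
        if ev["Operation"] == "CreateFile" and "write" not in ev["Detail"].lower():
            continue
        if any(marker in ev["Path"].lower() for marker in PERSISTENCE_PATHS):
            hits.append((ev["Process Name"], ev["PID"], ev["Operation"], ev["Path"], ev["Result"]))
    return hits


if __name__ == "__main__":
    create_time = 133261869619355124  # the value quoted in the question above
    print("CreateTime", create_time, "=", filetime_to_datetime(create_time).isoformat(), "(UTC)")
    print("   on a UTC+8 clock:", filetime_to_local(create_time, 8).strftime("%Y/%m/%d %H:%M:%S"))
    events = parse_events(SAMPLE_CSV)
    for ev in filter_events(events, process="chrome.exe"):
        print(ev["Time of Day"], ev["Operation"], ev["Path"])
    for hit in persistence_writes(events):
        print("persistence candidate:", hit)
```

The functions work on whatever Procmon has already saved, so a capture can keep running while an exported CSV is post-processed; note that a denied write (the ACCESS DENIED row in the sample) is still reported, since an attempt to touch an autostart location is informative even when it fails.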
0 votes, 0 answers

Why do Xperf and ProcMon show different number of events

Currently I'm profiling two Windows applications in order to understand why one is slower than another. First, I ran them with ProcMon tracing enabled and found that each application triggers "FlushBuffersFile" File System event with the same number…
Rom098