Questions tagged [procmon]

Process Monitor is a free advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

Process Monitor is a free advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It offers non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. It can be used to troubleshoot problems such as application errors, hangs and sulggish performance. It is also used by some to find malware.

Application site: http://technet.microsoft.com/en-ca/sysinternals/bb896645.aspx

"Case of the Unexplained" webcasts from Mark Russinovich showing how to use Process Monitor and other Sysinternals tools to troubleshoot problems: http://technet.microsoft.com/en-us/sysinternals/bb963887#case

48 questions

votes

0 answers

Hide activity from Procmon

I am trying to develop an evaluation software mechanism that will limit the use of the program, and then require a purchase. But when I gave it to my friend, he told me that whatever I do - write to registry, file or even alternate data stream, can…

windows procmon

asked Feb 12 '23 at 09:27

Chezi

votes

0 answers

procmon -- program doing inappropriate access?

D2R talking to ProcMon and Firefox? I was looking for whether certain settings were being saved to a local file or remotely on the game server. Certain settings local, and others remote, got it. But along the way: What does it mean when it says that…

security file-io procmon

asked Nov 15 '22 at 22:45

Starshine

votes

1 answer

Force Python to use certain set of drivers?

This is a follow-up question to a previous discussion. Basically, I have a python code with ctypes code that is calling a vendor-supplied DLL. The code works fine when I use 32 bit python with the 32 bit DLLs. However, the code does not work when I…

python dll ctypes procmon

asked Jun 16 '22 at 19:17

bpound

votes

0 answers

How to track down access violation "at address 00000000" in third party software using MadExcept of Sysinternals ProcessMonitor?

Access violation "at address 00000000" started appear to my Delphi 2009 installation. I started ProcessMonitor https://learn.microsoft.com/en-us/sysinternals/downloads/procmon and filtered events by bds.exe Process Name and the log is manageable.…

delphi access-violation sysinternals procmon madexcept

asked Mar 25 '22 at 14:00

TomR

2,696
6
34
87

votes

1 answer

Process Monitor and Registry Free COM: why no access to "manifest"?

I try to do COM without touching the registry. I started with a very simple C++ "client", trying to CoCreateInstance with ramdom arbitrary UUID. #include #include int main() { HRESULT hr = CoInitializeEx(nullptr,…

c++ com registry procmon

asked Oct 02 '21 at 12:09

manuell

7,528
5
31
58

votes

0 answers

Procmon produces corrupt output file

I am trying to diagnose an issue causing my computer to crash when using audio for some time. I tried running procmon (Process Monitor v 3.84) using the option of ring buffer to a file (to limit the amount of captured data to 4GB) and I used the…

sysinternals procmon

asked Sep 07 '21 at 19:52

jmbouffard

1,581
1
15
22

votes

2 answers

Sysinternals Process Monitor (ProcMon): Working with Time of Day Filter

I am using Sysinternals Process Monitor to debug some incoming events. Now I am trying to create a filter on 'Time Of Day' in order to filter those incoming events which time is greater than an specific time. For example, If I want to obtain those…

sysinternals procmon process-monitor

asked Oct 02 '20 at 14:07

Willy

9,848
22
141
284

votes

0 answers

What can cause an unexpected takeover of execution by the System process pid 4 on Windows?

We are working on stress testing of an application and noticed a curious case where Windows kernel takes over execution of the stress test. The application under the stress test picks up system-wide IO events, mostly CRUD of files, using minifilter…

windows kernel sandbox stress-testing procmon

asked Jul 13 '20 at 09:59

oleksii

35,458
16
93
163

votes

2 answers

How do you compare two csv files with identical columns but different values?

Here's my problem, I need to compare two procmon scans which I converted into CSV files. Both files have identical column names, but obviously the contents differ. I need to check the "Path" (5th column) from the first file to the one to the…

python csv compare multiple-columns procmon

asked Oct 04 '19 at 08:53

user7672639

votes

1 answer

Is there a more reliable Win32 syscall tracing method than procmon?

I'm building a Haskell command-line application in Windows 10, and am trying to debug an issue around the Windows 260-character file path limitation by tracing system calls and seeing which ones fail. I've used procmon…

windows debugging winapi windows-console procmon

asked Sep 27 '19 at 03:21

arya

votes

0 answers

How Can We Determine Which App.Config File Is Loading in VSTO Outlook Add-In?

We have a very strange problem with our VSTO Add-In. In our Add-In there are label controls that read label text values from an app.config file and display text from the configuration file to the user: …

vsto outlook-addin app-config procmon

asked Apr 05 '19 at 14:03

Tikhon

votes

1 answer

How can regedit delete a key with 'deny everyone' permissions?

First I have to provide some context. I can set procmon to run at some non-default altitude by making two changes in key 'HKLM\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance': Changing the Altitude value from its…

permissions registry regedit altitude procmon

asked Jan 15 '19 at 00:48

NoBrassRing

votes

1 answer

Difference between duration and relative duration in procmon

In the following image, as we can see there are 2 time which are duration and relative duration. I am not able to find out the basic difference between them. Why is duration of process create is 0.000000? Can i know the how much time it took to…

windows procmon

asked Nov 15 '18 at 08:08

Gaurav Jain

votes

1 answer

Wireshark is unable to detect local process communication over TCP

I'm using procmon to analyze the behavior of a program. I can see that the program is communicating with another program locally over TCP: This "Windows Process Monitor" does not log the actual content sent between the two programs. Therefore,…

windows tcp localhost wireshark procmon

asked Feb 10 '17 at 22:08

Trevor Hickey

36,288
32
162
271

votes

0 answers

How can I make a QT app displaying very large amount of data with low memory usage?

(it's a Sysinternal's-Process-Monitor-like system monitor program based on QT 5.7.0 which could monitor and record most behaviors of process in the system. program view memory usage As you can see it cost 100MB+ memory when there are 30000+ events…

qt procmon

asked Jan 21 '17 at 16:13

hzqst

Prev 1 2

4 Next