How to use Process Monitor (ProcMon) – Part 1


Introduction

This is Part 1 of my series "How to use Process Monitor".
Sometimes, when you are troubleshooting an issue on Windows, you want to look into things like when a process was created, who created it, and what stack the process is running with. To look into these things we use a Sysinternals tool named ProcMon (Process Monitor).

In this article I will only be covering the very basics of the Process Monitor tool. I will be posting a few more articles on this topic so that we can get a clear understanding of the software and how it works.

Location to download:

You can download the tool from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Once you have downloaded it, you can just open the Exe file.

Once you open it, you will be flooded with a lot of information. All this information is nothing but the activity of the processes and threads that are running on your system. Now you might think that we already have Task Manager, which does the same thing: "Show Processes".

But there is a big difference in the way these two tools show the running processes. One is a tool made for a user; the other is made for experts, as there is a lot you can do with this tool which you cannot do with Task Manager.

Once you have the tool in front of you, look for the toolbar row with options like the one below:

It is very important for you to have a good understanding of some of the options that are placed here.

Capture: If your Capture icon looks like the one below, it means that ProcMon (Process Monitor) is currently running and is capturing all the information.

If your Capture icon looks like the one below, it means that you have paused the capture.

You can use this when you want to capture a process for a certain period only and don't want your logs to get clouded with garbage. Just before starting a task, click the Capture icon to start capturing, and once the task has finished, click it again to stop.

Clear: If you want to clear the captured information, you can just click the button below:

Filter: This is the Filter icon. It is the most important option we have in this tool and you will be needing it a lot while working with it. I will be explaining filters in a later part of this series.

Highlight: This option can be used to highlight certain rows. It is very useful when you are tracking a service or thread with this tool:

Show Process Tree: We can use this option to display the hierarchy of processes, showing how a process was started along with all the processes involved in starting the service.

Find: You can search for anything specific, like a Process ID or name. You can also use the good old CTRL+F to open the search window.

Saving your captured file

By default ProcMon (Process Monitor) runs from memory, i.e. it captures the information and saves it in the page file, which contains the page table and the pages that need to be shuffled in and out of physical memory.

You can save this file easily by going to File > Save:

Now you can either save all the events that you have captured, or save only the filtered events.

You also get the option of saving this file as CSV, which is very important, as you can easily open it in Microsoft Excel and use it for reporting.

Once you have selected the format, just save it to the desired location:

Running this tool in this mode is fine if you are running it for 5 or 10 minutes. However, if you go anywhere beyond 10 or 15 minutes, this tool might take all of your page file memory and cause your application or system to hang.

So for issues where you need to run this tool for a longer duration, you can follow the steps below and save the events to a backing file, which can live on any storage where you have enough space.

Select File > Backing Files…

This should look something like this:

As you will see, by default it is using Virtual Memory, which is your page file.

You can change this by selecting Use file named:

Then give it a location on any storage:

You will notice that this file is saved in the .PML format.

Now some people might be wondering: what if I want to assign a specific size to this file and I don't want it to grow beyond that?

Well, we have an option for that right here. After you have selected the file as a backing file, you can go to the option below:

Options > History Depth…

Here you can specify the number of events you want to keep:

Now don't be shocked, but you specify the number of events in millions. Yes, millions!

This is how powerful this tool is, and how confusing it can be if you don't know the right way to capture what you want.
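The same long-running capture described above (backing file on disk instead of the page file, then saving as CSV for reporting) can be scripted with Procmon's command-line switches. This is an added example, not code from the article; it assumes Procmon.exe is at the path in $ProcmonExe, a recent Procmon build that supports /Runtime, and the default CSV columns ("Process Name", "Result").

```powershell
# Added example: unattended Process Monitor capture to a backing file,
# conversion to CSV, and a quick per-process summary of the result.
# Assumptions: Procmon.exe lives at $ProcmonExe, /Runtime is supported by
# this Procmon build, and the CSV carries Procmon's default columns.

$ProcmonExe = 'C:\Tools\Procmon.exe'   # assumed install location
$LogDir     = 'D:\ProcmonLogs'         # any volume with enough free space
$Seconds    = 600                      # 10 minutes, the article's cut-off for in-memory capture

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml   = Join-Path $LogDir "capture-$stamp.PML"
$csv   = Join-Path $LogDir "capture-$stamp.csv"

# 1. Capture straight to a .PML backing file (File > Backing Files... in the GUI).
#    /Quiet suppresses the filter prompt, /Minimized keeps the window out of the way,
#    /Runtime stops the capture after the given number of seconds.
& $ProcmonExe /AcceptEula /Quiet /Minimized /BackingFile $pml /Runtime $Seconds
# Procmon is a GUI app, so wait for it (and its 64-bit child) to exit before touching the log.
Wait-Process -Name Procmon, Procmon64 -ErrorAction SilentlyContinue

# 2. Convert the .PML to CSV (File > Save in the GUI); the output format follows the extension.
& $ProcmonExe /AcceptEula /Quiet /OpenLog $pml /SaveAs $csv
Wait-Process -Name Procmon, Procmon64 -ErrorAction SilentlyContinue

# 3. Triage: which processes generated the most events, and how many did not succeed.
$events = Import-Csv -Path $csv
$events |
    Group-Object -Property 'Process Name' |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize

$failed = @($events | Where-Object { $_.Result -ne 'SUCCESS' })
'{0} of {1} events did not return SUCCESS' -f $failed.Count, $events.Count
```

Run it from an elevated PowerShell prompt, since Procmon needs its driver loaded; the .PML stays on disk so you can reopen it in the GUI with the filters discussed in the next part.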

I think this should be it for the first article on this tool. We will continue studying it in the next parts as well.

If you want to learn more about some very interesting tools and applications, follow this link: https://knowitlikepro.com/category/tools-and-software/


Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.
