
Thursday, May 8, 2025

Windows: Process Monitor

This post covers some basics of Process Monitor, a program that is part of the Sysinternals Suite, a set of tools created by Mark Russinovich.

To download just the tool, click here; if you want the entire Sysinternals Suite (170 MB), press here.

While drafting this post I felt the need to look up the difference between Process Monitor and Process Explorer, which can be summarized as follows:

Process Monitor (Procmon64)

Captures live information about the processes on your system: how they interact with the file system, the registry and the network. Much like Wireshark, you can save and reopen capture logs and then filter them.

Process Explorer 

Displays other aspects of processes, such as handles, DLLs, memory usage and resources. It shows how processes are related to each other as parent and child in a tree view. Process Explorer can also be used as a "task manager on steroids" and set as the replacement for the default Task Manager.

Using Procmon64

This section explains how to create a basic capture and how to save it with a filter applied. Process Monitor starts gathering events as soon as you launch it, so if you want to stop it, press Ctrl + E. To clear the view in the window, press Ctrl + X.

When you are ready to start the program you are troubleshooting or analyzing, start capturing events again with Ctrl + E.

When you have reached the point where you want to stop, stop the capture with Ctrl + E.

Next you may want to apply filters; use Ctrl + L to open the filter view.

As an example I used powershell.exe.

Select the filter "program name" with the condition "contains", write the name of the program in the text box (for my example I just wrote powershell), then click Add and Apply. The main window now shows only the matching events.

If, for example, you want to see only registry queries, add the additional filter "operation", "contains", "RegQuery".

To save your log, use Ctrl + S. It saves natively in the .pml format, but you can choose .xml or .csv as well.
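The same capture, filter and save workflow can be scripted for repeatable troubleshooting runs. The PowerShell script below is an added example and is not code from the original post or from Sysinternals; it drives Procmon64 with its documented command-line switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs) instead of the keyboard shortcuts, then applies the two filters from the post (process name contains "powershell", operation contains "RegQuery") to the exported CSV. The install path, the output paths, the sample target command and the CSV column names ("Process Name", "Operation", and so on, as written by Procmon's CSV export) are assumptions; adjust them to your system.

```powershell
# Added example (not from the original post): automate capture -> stop -> export -> filter
# with Procmon64's documented command-line switches. Paths below are assumptions.
$Procmon = 'C:\Tools\SysinternalsSuite\Procmon64.exe'   # assumed location of Procmon64.exe
$Backing = 'C:\Temp\capture.pml'                         # raw capture, assumed path
$Csv     = 'C:\Temp\capture.csv'                         # CSV export used for filtering

# 1. Start capturing immediately (the GUI does the same on launch). /Quiet skips the
#    filter confirmation dialog, /Minimized keeps the window out of the way, and
#    /BackingFile writes events to disk instead of holding them in memory.
Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$Backing`""

# 2. Run the program you are troubleshooting. Here a PowerShell child process that reads
#    a registry key is started so the filters below have something to match (constructed example).
Start-Process -FilePath 'powershell.exe' `
    -ArgumentList '-NoProfile', '-Command', 'Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' `
    -Wait -WindowStyle Hidden

# 3. Stop the capture (equivalent to Ctrl + E) and wait for the capturing instance to exit.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# 4. Convert the .pml to .csv (equivalent to Ctrl + S and choosing CSV as the format).
Start-Process -FilePath $Procmon -ArgumentList "/OpenLog `"$Backing`"", "/SaveAs `"$Csv`"" -Wait

# 5. Apply the post's two filters: process name contains 'powershell' and operation
#    contains 'RegQuery'. -like is case-insensitive in PowerShell by default.
$Events = Import-Csv -Path $Csv |
    Where-Object { $_.'Process Name' -like '*powershell*' -and $_.Operation -like '*RegQuery*' }

$Events | Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Result | Format-Table -AutoSize
"Matched $($Events.Count) RegQuery events from powershell"
```

Because the capture is system-wide, the backing file can grow quickly on a busy host; keeping the capture window short (steps 1 to 3) and filtering on the exported CSV afterwards, as the script does, keeps the raw .pml intact for later re-filtering in the GUI.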
