Process Monitor for standard log and for bootlog


Article ID: 177543


Products

Symantec Products

Issue/Introduction

Process Monitor (procmon) is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Environment

Microsoft Windows operating systems

Resolution

  1. Prepare “Process Monitor” for logging
  2. Use “Process Monitor” for “Boot Logging”

 

Prepare “Process Monitor” for logging
1. Log in using an account with administrative privileges (for example “Administrator”). Process Monitor loads a kernel driver and cannot capture without them.

2. Create a folder named “monitor” on the system drive (C:\ by default), giving the path C:\monitor.

3. Download Process Monitor from the following link: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

4. Extract the downloaded archive (ProcessMonitor.zip) into the folder C:\monitor created in step 2.


5. Double-click the file “Procmon.exe”. Process Monitor begins capturing as soon as it opens.

6. Click the “Capture” icon to stop capturing.

7. The Capture icon now shows a red X over it, meaning that the program is no longer capturing events.

8. Open the “File” menu (the first menu from the left in the program window).

9. Select “Backing Files” (shortcut CTRL+B) by clicking it with the mouse, or move to it with the arrow keys and press Enter.

10. This opens the “Process Monitor Backing Files” window.

11. Click the radio button next to “Use file named:” to enable the name field.

12. Enter the destination folder and file name in that field. Here we use the folder C:\monitor that ProcessMonitor.zip was extracted to, for example “C:\monitor\tempfile.pml”.


13. Click “OK” to confirm.

14. A confirmation dialog box appears.

15. Click “OK” to continue.

16. You are returned to the main window.

17. Close the program.

18. Double-click the file “Procmon.exe” again.

19. Click the “Capture” icon to stop capturing.

20. The Capture icon now shows a red X over it, meaning that the program is no longer capturing events.

21. Open the “File” menu (the first menu from the left in the program window).

22. Select “Backing Files” (shortcut CTRL+B) by clicking it with the mouse, or move to it with the arrow keys and press Enter.

23. The “Process Monitor Backing Files” window appears.

24. Verify that Process Monitor still uses the file configured in step 12; the setting is retained between runs.

25. Click “Cancel” to close the window.

26. The program is now ready for analysis. Note that the backing file records full paths, user names and process details for every process on the system, so restrict access to C:\monitor and delete the .pml files once the investigation is finished.
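The preparation steps above can also be driven from Process Monitor's own command-line switches instead of the GUI. The PowerShell script below is an added example and is not part of this article: it assumes the archive has already been downloaded, that you have the expected SHA-256 of that download (for instance from the attached CheckSum.txt), and that the switch names it uses (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate) match the output of Procmon.exe /? for your build. The paths C:\monitor and C:\monitor\tempfile.pml are the ones used in the steps; the capture length in seconds is an arbitrary choice.

```powershell
# Added example (not from the KB article): automate "Prepare Process Monitor for logging"
# with Procmon's documented command-line switches. Assumptions: the archive is already
# downloaded to $Archive, $ExpectedSha256 is the hash published for that download, and the
# switch names below match `Procmon.exe /?` for your version.
#Requires -RunAsAdministrator
param(
    [string]$Archive        = "$env:USERPROFILE\Downloads\ProcessMonitor.zip",
    [string]$ExpectedSha256 = '<paste the published SHA-256 here>',  # placeholder, not a real hash
    [string]$Folder         = 'C:\monitor',
    [string]$BackingFile    = 'C:\monitor\tempfile.pml',
    [int]   $Seconds        = 120
)

# 1. Verify the download before running it. Procmon installs a kernel driver,
#    so running a tampered copy is far worse than running a tampered user-mode tool.
$actual = (Get-FileHash -Path $Archive -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    throw "Hash mismatch for ${Archive}: got $actual, expected $ExpectedSha256"
}

# 2. Create C:\monitor and extract Procmon into it (steps 2 and 4).
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Expand-Archive -Path $Archive -DestinationPath $Folder -Force
$procmon = Join-Path $Folder 'Procmon.exe'
if (-not (Test-Path $procmon)) { throw "Procmon.exe not found in $Folder" }

# 3. Start capturing straight into the backing file (replaces steps 5 to 17):
#    /AcceptEula skips the licence prompt, /Quiet skips the filter confirmation,
#    /Minimized keeps the window out of the way, /BackingFile sets the .pml target.
Start-Process -FilePath $procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$BackingFile`""
)
Write-Host "Capturing to $BackingFile for $Seconds seconds..."
Start-Sleep -Seconds $Seconds

# 4. Stop cleanly: a second instance with /Terminate tells the running one to flush and exit.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# 5. Confirm the log was written and report its size.
$log = Get-Item -Path $BackingFile
"{0} written, {1:N1} MB" -f $log.FullName, ($log.Length / 1MB)
```

Run it from an elevated PowerShell prompt. Stopping Procmon with /Terminate rather than killing the process is what guarantees the backing file is flushed; the resulting .pml can then be opened with File > Open or with /OpenLog.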


Use “Process Monitor” for “Boot Logging”

1. Log in using an account with administrative privileges (Administrator is recommended).

2. Navigate to the folder that ProcessMonitor.zip was extracted to (e.g. C:\monitor).

3. Double-click the file “Procmon.exe”.

4. Click the “Capture” icon to stop capturing.

5. The Capture icon now shows a red X over it, meaning that the program is no longer capturing events.

6. Open the “Options” menu and select “Enable Boot Logging”.

7. A dialog box confirming the boot logging options opens.

8. Process Monitor is now configured to log activity during the next boot. Click “OK”, then close the program.

9. Reboot the system.

10. Log in with the previously chosen account (e.g. Administrator).

11. Allow Windows and any associated startup programs to load fully (generally 5-15 minutes). Boot logging continues until Process Monitor is started again, so this wait determines how much post-logon activity the boot log contains.

12. Navigate to the folder that contains Procmon.exe (e.g. C:\monitor).

13. Double-click the file “Procmon.exe”.

14. A dialog box opens asking whether to save the boot-time data that was collected.

15. Click “Yes” to save the collected data.

16. The Save As dialog box opens.

17. Enter the desired name for the output in the “File name” field (e.g. bootlog001.pml) and click “Save”.

18. As soon as you click “Save”, a progress bar reports the conversion of the boot-time events.

19. After the conversion, Process Monitor applies the event filter.

20. Process Monitor then returns to the default console. Note that the Capture icon shows as disabled: the boot log is open for viewing and no new events are being captured.

21. The previously defined folder now contains the file “C:\monitor\bootlog001.pml”.
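Once bootlog001.pml has been saved, the events can be exported and triaged without clicking through the GUI. The PowerShell below is an added example and not part of this article: it assumes the file names from the steps above, that /OpenLog and /SaveAs are available in your Procmon build (check Procmon.exe /?), and that the CSV export carries Procmon's default column headers (“Process Name”, “Operation”, “Path”, “Result”). The registry-path pattern at the end is a constructed starting list of common autostart locations, not something the article specifies.

```powershell
# Added example (not from the KB article): export a saved Procmon boot log to CSV and triage it.
# Assumptions: bootlog001.pml was saved as in step 21; /OpenLog and /SaveAs exist in this Procmon
# build; the CSV header uses Procmon's default column names. Check the first line of the CSV if
# your version differs.
#Requires -RunAsAdministrator
param(
    [string]$Procmon = 'C:\monitor\Procmon.exe',
    [string]$BootLog = 'C:\monitor\bootlog001.pml',
    [int]   $Top     = 15
)

if (-not (Test-Path $BootLog)) { throw "Boot log not found: $BootLog (save it from the GUI first, steps 15-17)" }
$csv = [IO.Path]::ChangeExtension($BootLog, '.csv')

# Open the .pml and export it to CSV; Procmon exits on its own when the export finishes.
Start-Process -FilePath $Procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/OpenLog', "`"$BootLog`"", '/SaveAs', "`"$csv`""
)
if (-not (Test-Path $csv)) { throw "Export failed: $csv was not created" }

$events = Import-Csv -Path $csv
"{0:N0} boot-time events in {1}" -f $events.Count, $csv

# 1. Busiest processes during boot.
"`n== Top $Top processes by event count =="
$events | Group-Object 'Process Name' | Sort-Object Count -Descending |
    Select-Object -First $Top Name, Count | Format-Table -AutoSize

# 2. Results other than SUCCESS (NAME NOT FOUND, ACCESS DENIED, ...) are where boot
#    problems usually show up first.
"`n== Results other than SUCCESS =="
$events | Where-Object { $_.Result -ne 'SUCCESS' } |
    Group-Object Result | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 3. Registry operations against common autostart locations (constructed list; extend as needed).
#    Backslashes are doubled because -match takes a regular expression.
$autostart = 'CurrentVersion\\Run\b|CurrentVersion\\RunOnce|Winlogon\\(Shell|Userinit)'
"`n== Registry operations touching autostart locations =="
$events | Where-Object { $_.Operation -like 'Reg*' -and $_.Path -match $autostart } |
    Select-Object 'Process Name', Operation, Path, Result |
    Sort-Object Path -Unique | Format-Table -AutoSize
```

Import-Csv loads the whole export into memory, so for a very large boot log apply a filter in Process Monitor and export the filtered view before running the triage part.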

 


Technical Information
By default, Process Monitor will not collect certain Auto-Protect events. For instructions on how to collect them, see Document ID TECH98079, "How to Configure Sysinternals' Process Monitor to Record Symantec's Auto-Protect Events".

Attachments

1596486119046__CheckSum.txt
Procmon23Low.zip