Detect registry keys using Process Monitor using Sysinternals Tools

Posted on Christian By Christian No Comments on Detect registry keys using Process Monitor using Sysinternals Tools
Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. For a tour of Sysinternals tools, please see this link. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Kindly refer to these related guides: How to download and use Windows SysInternals tools locally, how to Install Sysinternals from the Microsoft Store, What is System Monitor and how to install and use it, and how to enable Automatic Logon on Windows 10.

Its unique and powerful features makes Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. This tool can be downloaded from here the folloing link.

Extract the downloaded tool and run the Procmon64.exe as shown below.

Windows registry

Next, after running the executable, agree to the Process Monitor License Agreement.

Registry keys

This will launch the Process Monitor SysInternal Tool as shown below.

System monitoring
Note: This tool is memory intensive

Below are some possibilities that are available with this tool. Here you can choose to include or exclude the program, highlight etc.

Process Monitor

Also, with the “Jump to Object (contl+J)”, you can jump directly to the registry keys associated as shown below

Windows registry

This tool is capable or has the following features

  • Capturing (Screenshots)
  • Auto scrolling
  • Filter
  • Highlight
  •  Show Process tree
  • Include Process from Windows
  • Find
  • Jump to Object
  • Show Registry Activity
  • Show File System Activity
  • Show Network Activity
  • Show Process and Trend Activity
  • Show profiling event.
Emphasizing on the show registry activities, we will have to click on a process name and select it.

Lastly, when you click on the Show Process and Trend Activity, this will apply an even filter as shown below and give the desired output on the Process Monitor window.

Find: With the find function, you can easily find the process (events) in the process monitor.

Without this, having to search in the numerous process will be cumbersome as you can see below.

Filter: With filter, you can also perform filter in order to include on your desired process on the Process Monitor UI.

Click on the filter, and enter your desired parameters. Next, click on Add, select the program to include, and click on Ok.

Since our filter included just one process, other processes were excluded as shown below.

Note: When this filter is set, you will have to manually reset it before you can perform other activities correctly again.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Rate this post
Windows Server Tags:, , , , ,

Related Posts

More Related Articles

RDS Architecture The following servers in this deployment are not part of the deployment Pool: Create an RDS Session Host and Collection Windows Server
VHDX resizing and veeam back Hyper V Disk allocation: Why Veeam reports full size after Shrinking Windows Server
sdf What is GPO and how can it be launched in Windows Windows Server
Hyper V Virtual Switch How to Create Hyper-V Virtual Switch Network | Monitoring
Prevent Windows from Saving RDP Connection Prevent Windows from Saving RDP Connection History Windows
RDS Collection 1 How to add and remove RDS Collection Windows

Leave a Reply