Detect registry keys using Process Monitor using Sysinternals Tools

Posted on Christian By Christian No Comments on Detect registry keys using Process Monitor using Sysinternals Tools
Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. For a tour of Sysinternals tools, please see this link. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Kindly refer to these related guides: How to download and use Windows SysInternals tools locally, how to Install Sysinternals from the Microsoft Store, What is System Monitor and how to install and use it, and how to enable Automatic Logon on Windows 10.

Its unique and powerful features makes Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. This tool can be downloaded from here the folloing link.

Extract the downloaded tool and run the Procmon64.exe as shown below.

Windows registry

Next, after running the executable, agree to the Process Monitor License Agreement.

Registry keys

This will launch the Process Monitor SysInternal Tool as shown below.

System monitoring
Note: This tool is memory intensive

Below are some possibilities that are available with this tool. Here you can choose to include or exclude the program, highlight etc.

Process Monitor

Also, with the “Jump to Object (contl+J)”, you can jump directly to the registry keys associated as shown below

Windows registry

This tool is capable or has the following features

  • Capturing (Screenshots)
  • Auto scrolling
  • Filter
  • Highlight
  •  Show Process tree
  • Include Process from Windows
  • Find
  • Jump to Object
  • Show Registry Activity
  • Show File System Activity
  • Show Network Activity
  • Show Process and Trend Activity
  • Show profiling event.
Emphasizing on the show registry activities, we will have to click on a process name and select it.

Lastly, when you click on the Show Process and Trend Activity, this will apply an even filter as shown below and give the desired output on the Process Monitor window.

Find: With the find function, you can easily find the process (events) in the process monitor.

Without this, having to search in the numerous process will be cumbersome as you can see below.

Filter: With filter, you can also perform filter in order to include on your desired process on the Process Monitor UI.

Click on the filter, and enter your desired parameters. Next, click on Add, select the program to include, and click on Ok.

Since our filter included just one process, other processes were excluded as shown below.

Note: When this filter is set, you will have to manually reset it before you can perform other activities correctly again.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Rate this post
Windows Server Tags:, , , , ,

Related Posts

More Related Articles

ADUC Appcrash fix Faulting Application Name: mmc.exe: Unable to launch ADUC Windows Server
BitLocker BitLocker Drive Encryption architecture and implementation types on Windows Windows Server
GPO 2 Why GPO is not the best solution for managing Windows updates Windows Server
powershell commands lede 1024x276 1 Enable WinRM on Windows Servers and Windows PCs Scripts
FileZilla Access FTP Server from your browser: How to create a shortcut and access Filezilla from Windows Explorer Windows Server
adfs training Post-Deployment of Active Directory Federation Service (ADFS) Windows Server

Leave a Reply