Detect registry keys using Process Monitor using Sysinternals Tools

Posted on Christian By Christian No Comments on Detect registry keys using Process Monitor using Sysinternals Tools
Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. For a tour of Sysinternals tools, please see this link. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Kindly refer to these related guides: How to download and use Windows SysInternals tools locally, how to Install Sysinternals from the Microsoft Store, What is System Monitor and how to install and use it, and how to enable Automatic Logon on Windows 10.

Its unique and powerful features makes Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. This tool can be downloaded from here the folloing link.

Extract the downloaded tool and run the Procmon64.exe as shown below.

Windows registry

Next, after running the executable, agree to the Process Monitor License Agreement.

Registry keys

This will launch the Process Monitor SysInternal Tool as shown below.

System monitoring
Note: This tool is memory intensive

Below are some possibilities that are available with this tool. Here you can choose to include or exclude the program, highlight etc.

Process Monitor

Also, with the “Jump to Object (contl+J)”, you can jump directly to the registry keys associated as shown below

Windows registry

This tool is capable or has the following features

  • Capturing (Screenshots)
  • Auto scrolling
  • Filter
  • Highlight
  •  Show Process tree
  • Include Process from Windows
  • Find
  • Jump to Object
  • Show Registry Activity
  • Show File System Activity
  • Show Network Activity
  • Show Process and Trend Activity
  • Show profiling event.
Emphasizing on the show registry activities, we will have to click on a process name and select it.

Lastly, when you click on the Show Process and Trend Activity, this will apply an even filter as shown below and give the desired output on the Process Monitor window.

Find: With the find function, you can easily find the process (events) in the process monitor.

Without this, having to search in the numerous process will be cumbersome as you can see below.

Filter: With filter, you can also perform filter in order to include on your desired process on the Process Monitor UI.

Click on the filter, and enter your desired parameters. Next, click on Add, select the program to include, and click on Ok.

Since our filter included just one process, other processes were excluded as shown below.

Note: When this filter is set, you will have to manually reset it before you can perform other activities correctly again.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Rate this post
Windows Server Tags:, , , , ,

Related Posts

More Related Articles

PSD1 Azure 2 How to install PSD Hydration Kit for remote bare-metal deployment or via PXE boot Windows Server
RDP Certificate Issues Connecting to the RDP host: Fix the Certificate could not be verified back to the root certificate Mac
Screenshot 2021 01 22 at 23.27.30 How does Bitlocker Network Unlock work? Windows Server
WindowsUpdatesDISM 1 Determine Apps UWP and remove pre-provisioned Appx in Windows Windows Server
screenshot 2020 02 07 at 20.59.01 How to use the PsInfo utility from SysInternals Windows Server
windows 10 spying 1200x687 1 Error 183: Specified image is being serviced by another DISM operation Windows Server

Leave a Reply