Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. For a tour of Sysinternals tools, please see this link. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Kindly refer to these related guides: How to download and use Windows SysInternals tools locally, how to Install Sysinternals from the Microsoft Store, What is System Monitor and how to install and use it, and how to enable Automatic Logon on Windows 10.
Its unique and powerful features makes Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. This tool can be downloaded from here the folloing link.Extract the downloaded tool and run the Procmon64.exe as shown below.
Next, after running the executable, agree to the Process Monitor License Agreement.
This will launch the Process Monitor SysInternal Tool as shown below.
Note: This tool is memory intensiveBelow are some possibilities that are available with this tool. Here you can choose to include or exclude the program, highlight etc.
Also, with the “Jump to Object (contl+J)”, you can jump directly to the registry keys associated as shown below
This tool is capable or has the following features
- Capturing (Screenshots)
- Auto scrolling
- Filter
- Highlight
- Show Process tree
- Include Process from Windows
- Find
- Jump to Object
- Show Registry Activity
- Show File System Activity
- Show Network Activity
- Show Process and Trend Activity
- Show profiling event.
Emphasizing on the show registry activities, we will have to click on a process name and select it.Lastly, when you click on the Show Process and Trend Activity, this will apply an even filter as shown below and give the desired output on the Process Monitor window.
Find: With the find function, you can easily find the process (events) in the process monitor.
Without this, having to search in the numerous process will be cumbersome as you can see below.
Filter: With filter, you can also perform filter in order to include on your desired process on the Process Monitor UI.
Click on the filter, and enter your desired parameters. Next, click on Add, select the program to include, and click on Ok.
Since our filter included just one process, other processes were excluded as shown below.
Note: When this filter is set, you will have to manually reset it before you can perform other activities correctly again.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.