
How to capture a Process Monitor trace

Emma Mou 10 Jan 2010 12:29 AM

When working with Microsoft technical support on a service request, you might be asked to capture a Process
Monitor (ProcMon) trace. Process Monitor captures real-time file system, registry and process/thread activity,
including the target object path, the access requested, the name of the process that performs the action and the
identity it runs under, the operation result, and so on. Such a trace is especially useful for troubleshooting problems
like a missing file or registry entry, or an access-denied error, because it shows exactly which path was requested,
by which process, and with what result.
To capture a ProcMon trace:
1. Download Process Monitor from Microsoft Sysinternals and copy it to the machine being traced. It is a standalone executable; no installation is required.
2. Double-click to launch the tool. Note: ProcMon loads a kernel-mode driver, so on Vista or Windows Server 2008 it must run with elevated privileges; accept the UAC prompt. Data collection starts automatically and you will see new records appearing in the main window.
3. Now use the machine to reproduce the problem being traced.
4. Once the problem has been reproduced, press Ctrl+E to stop capturing.
5. Go to File > Save, and save the trace as a .pml file (ProcMon's native format, which preserves every event detail).
Tips:
By default ProcMon keeps captured events in virtual memory (backed by the page file) until the data is saved to a
file on disk. If the capture will run for a long time, or you need to leave paging space for other applications,
go to File > Backing Files... and switch storage to a file on a local disk before starting the capture.
Process Monitor supports many kinds of filters, both while collecting and while analyzing data. My suggestion is
to collect with the default filter set, and then choose "All events" when saving, unless you know exactly which
subset of the data is of interest; events excluded by a filter at save time are not in the file and cannot be recovered later.
Process Monitor remembers the filter set used last time. So, before starting any new collection, go to Filter > Reset
Filter to restore the default filter set.
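The five steps and the tips above as one scripted run, for unattended or repeated captures. This is an added example and not part of the original post: it starts ProcMon with a backing file on disk, discards any filter left over from the previous session, stops the capture, converts the .pml to CSV with a second ProcMon invocation, and summarizes the ACCESS DENIED and NAME NOT FOUND results that the post says the trace is good for. The switches /AcceptEula, /Quiet, /Minimized, /NoFilter, /BackingFile, /Terminate, /OpenLog and /SaveAs are ProcMon's documented command-line options; the paths in $ProcmonDir and $OutDir and the 60-second capture window are assumptions, and the script expects to be run from an elevated PowerShell prompt because ProcMon loads a driver.

```powershell
# Added example (not from the original post): scripted Process Monitor capture.
# Assumes Procmon.exe sits in $ProcmonDir and that this shell is already elevated.
param(
    [string]$ProcmonDir = 'C:\Tools\Sysinternals',   # assumption: where Procmon.exe lives
    [string]$OutDir     = 'C:\Temp\ProcmonTrace',    # assumption: where the trace is written
    [int]   $Seconds    = 60                         # assumption: length of the capture window
)
$ErrorActionPreference = 'Stop'

$procmon = Join-Path $ProcmonDir 'Procmon.exe'
if (-not (Test-Path $procmon)) { throw "Procmon.exe not found at $procmon" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$backing = Join-Path $OutDir 'capture.pml'   # backing file doubles as the saved .pml
$csv     = Join-Path $OutDir 'capture.csv'

# Steps 1-2 plus both tips: start capturing straight into a file on local disk
# (File > Backing Files... in the GUI) instead of virtual memory, and drop any
# filter remembered from last time (/NoFilter is the Filter > Reset Filter
# equivalent). /Quiet skips the filter confirmation dialog on startup.
Start-Process -FilePath $procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/NoFilter',
    '/BackingFile', "`"$backing`""
)

# Step 3: reproduce the problem while ProcMon is running. For an unattended
# run we simply wait; replace this with the action that fails.
Start-Sleep -Seconds $Seconds

# Step 4: stop capturing (the Ctrl+E equivalent). /Terminate stops every running
# ProcMon instance; -Wait ensures the backing file is closed before we read it.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# Step 5: the .pml already exists on disk. Convert it to CSV with a second,
# non-capturing ProcMon run so it can be inspected without the GUI.
Start-Process -FilePath $procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/OpenLog', "`"$backing`"", '/SaveAs', "`"$csv`""
) -Wait

# Quick triage: which processes hit the two results the post calls out.
# ProcMon's default CSV columns are Time of Day, Process Name, PID, Operation,
# Path, Result and Detail.
Import-Csv -Path $csv |
    Where-Object { $_.Result -in 'ACCESS DENIED', 'NAME NOT FOUND' } |
    Group-Object -Property Result, 'Process Name' |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name |
    Format-Table -AutoSize

Write-Host "Full trace saved as $backing (open it in ProcMon to see every event)."
```

Keep the .pml rather than only the CSV when sending a trace to support: the CSV export drops details such as the captured call stacks, while the .pml retains everything and can be reopened with /OpenLog or File > Open.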
Reading and analyzing a ProcMon trace is not covered in this post. You can find a lot of material in the Additional
Resources section of the Process Monitor download page.

Comments
kynan_12 10 Jan 2010 1:24 AM #

Thanks, this is great info.

Sunghost 14 Oct 2011 12:35 AM #

Hello,
I want to collect data over a couple of hours, but ProcMon crashes after collecting nearly 800,000 events.
It doesn't matter whether I use a backing file. Any ideas? I use version 2.96. Thx

Emma 19 Apr 2012 10:48 PM #

Hi Sunghost, by default Process Monitor stores the captured data in memory using page files. If the
collection has to take a long time, you'd change that to a file on the hard disk. Go to File > Backing Files...
and it will let you reconfigure that.

Michael 6 Aug 2014 3:33 PM #

Another option is to set up a filter that excludes events that are not needed.
