Sysinternals' Process Monitor tool tells admins all about Windows activities


Serdar Yegulalp, Contributor
11.29.2006


Good news. Mark Russinovich continues to churn out free Windows utilities. His newest, Process Monitor, provides a detailed picture of the way things transpire inside Windows.

When Microsoft acquired Sysinternals in July, the Web site of system utilities that helps administrators manage, troubleshoot and diagnose their Windows systems and applications, many people worried that the Sysinternals collection of freeware tools would no longer be free.

Happily, this has turned out not to be the case. One condition of the acquisition was that the utilities created by Russinovich would remain free for all to use. In fact, the first of these free post-acquisition utilities has appeared: Process Monitor 1.01.

Process Monitor actually eclipses some of the other tools Russinovich has written: it combines the file-system monitoring of Filemon with the registry monitoring of Regmon in a single tool, and adds more besides.

There are lots of new features rolled into Process Monitor. Beyond file and registry activity, it watches a Windows system for many kinds of low-level events, such as threads being created and terminated, image loads and unloads, and other operations that happen below the level most tools show. It provides a highly detailed window into the way things transpire inside the operating system, and can be used for anything from casual inspection to hunting down malware.

The program can capture all the activity it observes in a log that can run to many gigabytes, so you can create highly detailed system activity logs without worrying about blowing out the limits of what the program can capture. One practical caveat: the trace is held in the program's own virtual memory by default, and a capture of that size belongs on disk instead, which is what the Backing Files option on the File menu is for.

If you just want to narrow down the capture to a specific process or keyword, a filtering function will let you do just that. The filters are non-destructive: the full trace is still captured and only the display is restricted, so you can loosen or change the filter later without recapturing (unless you turn on Drop Filtered Events to keep the log small). Double-click on a captured event and you'll get a detailed dump of every conceivable property associated with it, broken down across three tabs: Event, Process (the process associated with the given event) and Stack (the thread stack for the thread where the event was recorded).

When you're finished capturing data, you can make sense of the results using the Trace Summary Tools. For instance, click on "Unique Values" and you get a quick report listing every distinct value in whichever column you pick from a drop-down menu. To see a list of all the processes that were active during the trace, you could select Process Name, then use the results to filter the trace all the more precisely. This way you can drill down through the mountain of data returned by even a very short capture operation to get exactly the details you need.
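The same workflow, run from a script rather than the GUI, as an added example that is not code from the article or from Sysinternals: a bounded, unattended capture written to a backing file on disk (the caveat raised above about multi-gigabyte traces), a CSV export of that trace, and then the Unique Values style drill-down described in this paragraph computed over the exported rows. The path in $ProcmonExe is assumed, the sample rows are constructed, and the command-line switches used (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Runtime, /OpenLog, /SaveAs) are the ones documented for current Process Monitor releases; they were not checked against the 1.01 build reviewed here.

```powershell
# Added example, not code from the article or from Sysinternals: drive an
# unattended Process Monitor capture from PowerShell, then reproduce the
# "Unique Values" drill-down the article describes over a CSV export.
# Assumptions: $ProcmonExe points at procmon.exe, and the switches used
# (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Runtime, /OpenLog, /SaveAs)
# are those documented for current Process Monitor releases; they were not
# checked against the 1.01 build the article reviews.

$ProcmonExe = 'C:\Tools\procmon.exe'   # assumed path; adjust to your copy

function Start-ProcmonCapture {
    param(
        [Parameter(Mandatory)] [string] $BackingFile,  # .pml written as the trace grows
        [int] $Seconds = 60                             # hard upper bound on the run
    )
    # /BackingFile puts the trace on disk rather than in procmon's own virtual
    # memory, so a long capture cannot exhaust that address space; /Runtime makes
    # procmon stop and exit by itself after the given number of seconds.
    Start-Process -FilePath $ProcmonExe -ArgumentList @(
        '/AcceptEula', '/Quiet', '/Minimized',
        '/BackingFile', "`"$BackingFile`"",
        '/Runtime', $Seconds
    ) -Wait
}

function Export-ProcmonCsv {
    param(
        [Parameter(Mandatory)] [string] $BackingFile,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    # Re-open the saved trace headless and write it out as CSV with the GUI's
    # default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
    Start-Process -FilePath $ProcmonExe -ArgumentList @(
        '/AcceptEula', '/Quiet',
        '/OpenLog', "`"$BackingFile`"",
        '/SaveAs', "`"$CsvPath`""
    ) -Wait
    Import-Csv -Path $CsvPath
}

function Get-ProcmonUniqueValues {
    # Equivalent of the Unique Values report: count each distinct value of one
    # column, e.g. every process that was active during the trace.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $Column = 'Process Name'
    )
    $Events | Group-Object -Property $Column |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = $Column; Expression = { $_.Name } }, Count
}

function Get-ProcmonFailedAccess {
    # The drill-down step: restrict the trace to one process and keep only the
    # operations that did not succeed, which is where missing files, missing
    # DLLs and denied registry keys show up.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string] $ProcessName
    )
    $Events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -ne 'SUCCESS' } |
        Select-Object Operation, Path, Result
}

# Constructed sample rows in Process Monitor's CSV export layout, so the
# analysis half of this script runs without a live capture.
$SampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000000 AM","svchost.exe","912","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain","SUCCESS","Type: REG_SZ"
"10:15:01.0001000 AM","explorer.exe","1644","CreateFile","C:\Windows\System32\shell32.dll","SUCCESS","Desired Access: Read"
"10:15:01.0002000 AM","svchost.exe","912","Thread Create","","SUCCESS","Thread ID: 2048"
"10:15:01.0003000 AM","updater.exe","3120","CreateFile","C:\Program Files\Updater\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:15:01.0004000 AM","updater.exe","3120","Load Image","C:\Users\Public\helper.dll","SUCCESS","Image Base: 0x10000000"
"10:15:01.0005000 AM","updater.exe","3120","RegOpenKey","HKLM\SOFTWARE\Updater","ACCESS DENIED","Desired Access: Write"
'@

if (Test-Path -Path $ProcmonExe) {
    Start-ProcmonCapture -BackingFile 'C:\Temp\trace.pml' -Seconds 30
    $events = Export-ProcmonCsv -BackingFile 'C:\Temp\trace.pml' -CsvPath 'C:\Temp\trace.csv'
} else {
    $events = $SampleCsv | ConvertFrom-Csv
}

Get-ProcmonUniqueValues -Events $events -Column 'Process Name'   | Format-Table -AutoSize
Get-ProcmonUniqueValues -Events $events -Column 'Operation'      | Format-Table -AutoSize
Get-ProcmonFailedAccess -Events $events -ProcessName 'updater.exe' | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt, since Process Monitor loads a kernel driver. On a machine without procmon.exe at the assumed path the script falls through to the constructed rows, which is enough to see the shape of the output: the Process Name report lists three processes, and the failed-access view for updater.exe surfaces the missing config file and the denied registry write, the kind of lines you would then build a GUI filter around.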

Like many other Sysinternals tools, Process Monitor requires no installation: just unpack the program into a directory and run it. (The first time you run it you'll be asked to agree to a short EULA; current releases also accept an /AcceptEula command-line switch for unattended use.) It does, however, need administrative rights, because it loads a kernel driver to do its capturing.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.
