Microsoft recently released, through its Sysinternals acquisition, a troubleshooting tool called Process Monitor v1.12e. Process Monitor is basically an enhanced combination of two earlier Sysinternals utilities: Filemon and Regmon.
So, if you're an admin, and you're hunting malware, troubleshooting a generic error, trying to see how your files have changed or else you want to monitor the Windows registry and processes and threads -- and you want to do this all in real-time -- Process Monitor is the tool for you.
Most applications do a poor job of reporting issues/errors properly and it is often difficult for anyone who's not a super geek to deduce those issues. It's also getting darn near impossible to clean up a system that's been infected with malware unless you can dive into the bowels of Windows with an advanced troubleshooting tool. Unfortunately, the Windows OS simply does not supply such a tool by default.
However, the Process Monitor troubleshooting tool can help address the above issues and a whole lot more. With this new tool, you can monitor processes and threads, DLL and driver loads, and registry and file system changes, and capture everything to logs.
If you've ever used Filemon or Regmon, you know each one has limitations, namely:
Here's how the new Process Monitor addresses these limitations:
Common troubleshooting uses with Process Monitor
You get an error that states a generic message, such as check disk space, unable to open files or run maintenance. Well, which one is it? This type of error message is not very helpful in determining where the issue is and what its resolution might be. Use Process Monitor, target your application, reproduce the issue and watch for the real issue. Often you'll find sharing violations, permission issues or file check problems.
Troubleshoot the root cause of an issue. Process Monitor can show function-call history stacks. You use stacks to find a function, find what function started it, find what function started the second function, etc., until you get to the first function that started the entire stack. You're now at the root of this function stack. This is handy when the process you are looking into is svchost, which many programs use to run their generic processes.
You have an open application and want to know what it's doing. Open Process Monitor, click on and hold the Include Process From Window toolbar button, then release on the open application window. Process monitor will filter the captured data to show just that one application.
You're unable to find name.dll. You look in the path and the DLL exists. Use Process Monitor, reproduce the issue, search for that DLL in the captured data and you'll find the actual reason the program thinks it cannot find the DLL.
The Registry is hit very often on an idle system (not Vista though, because Microsoft states it is rarely idle). This is a sign that there is a poorly written application. Use Process Monitor to find out which program is performing the hits.
Want to see how often a folder has been accessed? Use Tools>File Summary. This tool will look at every single directory and will show how often it was opened, closed, etc. (Tip: drag the Path column from the far right to the far right side of the window.)
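Once a capture is saved as CSV (File > Save), the checks above can be repeated offline. The script below is an added example, not code from the article or from Sysinternals; it assumes the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and uses a constructed sample capture that shows a sharing violation, a failed DLL search and one process hammering the registry.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Process Monitor CSV export.
# Column names are assumed to match Procmon's default export.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,app.exe,1234,CreateFile,C:\\App\\config.ini,SHARING VIOLATION,Desired Access: Generic Read
10:01:02.2,app.exe,1234,CreateFile,C:\\App\\name.dll,NAME NOT FOUND,Desired Access: Read Attributes
10:01:02.3,app.exe,1234,CreateFile,C:\\Windows\\System32\\name.dll,SUCCESS,Desired Access: Read Attributes
10:01:02.4,app.exe,1234,CreateFile,C:\\App\\plugin.dll,ACCESS DENIED,Desired Access: Generic Read
10:01:03.0,noisy.exe,4321,RegQueryValue,HKLM\\SOFTWARE\\Vendor\\Setting,SUCCESS,Type: REG_SZ
10:01:03.1,noisy.exe,4321,RegQueryValue,HKLM\\SOFTWARE\\Vendor\\Setting,SUCCESS,Type: REG_SZ
10:01:03.2,noisy.exe,4321,RegOpenKey,HKLM\\SOFTWARE\\Vendor,SUCCESS,Desired Access: Read
10:01:03.3,svchost.exe,900,RegQueryValue,HKLM\\SYSTEM\\CurrentControlSet\\Services,SUCCESS,Type: REG_DWORD
"""

# Results that usually sit behind a vague "cannot open file" style error.
INTERESTING = {"NAME NOT FOUND", "PATH NOT FOUND", "ACCESS DENIED", "SHARING VIOLATION"}


def load_events(text):
    """Parse a Procmon CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def failures_for_process(events, process_name):
    """Non-SUCCESS results for one process: the real issue behind a generic error."""
    return [(e["Operation"], e["Path"], e["Result"]) for e in events
            if e["Process Name"].lower() == process_name.lower()
            and e["Result"] in INTERESTING]


def dll_search_trace(events, dll_name):
    """Every location the loader tried for a DLL and what it got back, in capture order."""
    suffix = "\\" + dll_name.lower()
    return [(e["Path"], e["Result"]) for e in events
            if e["Path"].lower().endswith(suffix)]


def registry_hits_by_process(events):
    """Count registry operations per process; the top entry is the noisy application."""
    return Counter(e["Process Name"] for e in events
                   if e["Operation"].startswith("Reg"))


if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    print(failures_for_process(evts, "app.exe"))
    print(dll_search_trace(evts, "name.dll"))
    print(registry_hits_by_process(evts).most_common(3))
```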
Summing up, you can use Process Monitor to get around an application or even Windows shortcomings and get a problem system back to its pristine running state. There are so many features and options it's impossible to explain them all. Microsoft does a good job of explaining all the features in Process Monitor, and also has a helpful video of Process Monitor author Mark Russinovich explaining the tool.
About the author: Tim Fenner (MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment, as well as an independent consultant who specializes in the design, implementation and management of Windows networks.