Sysinternals' Process Monitor tool tells admins all about Windows activities

Process Monitor, the first tool from Sysinternals since Microsoft's acquisition of the company, eclipses the functionality of tools like Filemon and Regmon by providing a detailed look into the way things transpire inside Windows. And it's still free.

Good news. Mark Russinovich continues to churn out free Windows utilities. His newest, Process Monitor, provides a detailed picture of the way things transpire inside Windows.

When Microsoft in July acquired the Sysinternals Web site of system utilities to help administrators manage, troubleshoot and diagnose their Windows systems and applications, many people worried that the Sysinternals collection of freeware tools would no longer be free.

Happily, this has turned out not to be the case. One condition of the acquisition was that the utilities created by Russinovich would remain free for all to use. In fact, the first of these free post-acquisition utilities has appeared: Process Monitor 1.01.

Process Monitor actually eclipses the functionality of some other tools that Russinovich has written, including Filemon and Regmon.

There are lots of new features rolled into Process Monitor. Beyond the file-system and registry activity that Filemon and Regmon covered, it watches a Windows system for many other kinds of activity, such as threads being created and terminated, image loads and unloads, and other low-level operations. It provides a highly detailed window into the way things transpire inside the operating system, and can be used for anything from casual inspection to hunting down malware.

The program can capture all the activity it observes in a log that can run to many gigabytes, so you can create highly detailed system activity logs without worrying about blowing out the limits of what the program can capture.

If you just want to narrow down the capture to a specific process or keyword, a filtering function will let you do just that. Double-click on a captured event and you'll get a detailed dump of every conceivable property associated with it, broken down across three tabs: Event, Process (as in the process associated with the given event) and Stack (which dumps out the thread stack for the thread where the event was recorded).

When you're finished capturing data, you can make sense of the results using the Trace Summary Tools. For instance, click on "Unique Values" and you can derive a quick report of all unique values that match a given column chosen from a drop-down menu. To see a list of all the processes that were active during the trace, you could select Process Name, then use the results to filter the trace even more precisely. This way you can drill down through the mountain of data returned by even a very short capture operation to get exactly the details you need.
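The capture-then-summarize workflow described above can also be scripted. The following PowerShell script is an added example, not code from the article or from Sysinternals. It assumes Procmon.exe is on the PATH and is run from an elevated prompt, and it relies on the /AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog and /SaveAs command-line switches found in current Process Monitor releases (an assumption; the 1.01 build reviewed here may not support all of them). The process name notepad.exe used in the drill-down step is a placeholder.

```powershell
# Added example: unattended Process Monitor capture plus a scripted version of
# the GUI's "Process Name" summary and filter drill-down.
# Assumptions: Procmon.exe on PATH, elevated shell, and the command-line
# switches below (present in current Procmon builds, possibly not in 1.01).
param(
    [string]$Procmon = 'Procmon.exe',
    [string]$Backing = "$env:TEMP\capture.pml",   # binary trace, backed on disk
    [string]$Csv     = "$env:TEMP\capture.csv",   # exported copy for analysis
    [int]$Seconds    = 30
)

# 1. Start a quiet, minimized capture that writes to a backing file on disk,
#    so the trace is not limited by available RAM.
Start-Process -FilePath $Procmon `
    -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$Backing`""
Start-Sleep -Seconds $Seconds

# 2. Ask the running instance to stop capturing and exit, flushing the log.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# 3. Convert the PML log to CSV so it can be queried without the GUI.
#    /SaveAs picks the format from the file extension.
Start-Process -FilePath $Procmon `
    -ArgumentList "/AcceptEula /OpenLog `"$Backing`" /SaveAs `"$Csv`"" -Wait

# Default CSV columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail
$events = Import-Csv -Path $Csv

# 4. Equivalent of Trace Summary -> Process Name: every process seen, with event counts.
$events | Group-Object 'Process Name' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 5. Drill down as the GUI filter would: one process (placeholder name),
#    registry operations only, and only the ones that did not succeed.
$events | Where-Object {
    $_.'Process Name' -eq 'notepad.exe' -and
    $_.Operation -like 'Reg*' -and
    $_.Result -ne 'SUCCESS'
} | Select-Object 'Time of Day', Operation, Path, Result | Format-Table -AutoSize
```

Keeping the trace on a backing file rather than in memory is what makes a long, multi-gigabyte capture practical; exporting to CSV lets you reuse the same Process Name summary and filters in scripts instead of repeating them by hand in the GUI.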

Like many other Sysinternals tools, Process Monitor requires no installation: Just unpack the program into a directory and run it. (However, the first time you run it you'll be asked to agree to a short EULA).

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.


This was first published in November 2006
