Good news. Mark Russinovich continues to churn out free Windows utilities. His newest, Process Monitor, provides a detailed picture of the way things transpire inside Windows.
When Microsoft in July acquired the Sysinternals Web site of system utilities to help administrators manage, troubleshoot and diagnose their Windows systems and applications, many people worried that the Sysinternals collection of
Happily, this has turned out not to be the case. One condition of the acquisition was that the utilities created by Russinovich would remain free for all to use. In fact, the first of these free post-acquisition utilities has appeared: Process Monitor 1.01.
Process Monitor rolls a lot into one tool. It watches a Windows system for many kinds of activity, including file system and registry access, threads being created and terminated, image loads and unloads, and other low-level operations. It provides a highly detailed window into the way things transpire inside the operating system, and can be used for anything from casual inspection to hunting down malware.
The program can capture all the activity it observes in a log that can run to many gigabytes, so you can create highly detailed system activity logs without worrying about blowing out the limits of what the program can capture. One practical caveat: the captured events are held in virtual memory unless you point the program at a backing file, so for a long capture choose a backing file before you start.
If you want to narrow the capture down to a specific process or keyword, a filtering function lets you do just that. Double-click a captured event and you get a detailed dump of every property associated with it, broken down across three tabs: Event, Process (the process associated with the given event) and Stack (the stack of the thread that issued the operation at the moment the event was recorded, which tells you which module actually made the call).
When you are finished capturing data, you can make sense of the results using the Trace Summary Tools. For instance, click "Unique Values" and you get a quick report of all the distinct values in whichever column you pick from a drop-down menu. To see a list of all the processes that were active during the trace, select Process Name, then use the results to filter the trace more precisely. This way you can drill down through the mountain of data returned by even a very short capture to get exactly the details you need.
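As an added example (not code from the article or from Sysinternals), the script below replays that workflow offline: it loads a trace that was saved as CSV via File > Save As, produces the same per-column counts as Unique Values, applies include-style filter rules, and then drills down to the writes a malware hunter cares about. The CSV content is constructed for illustration with the default Process Monitor column layout; the process name update.exe, the paths, and the persistence rules are assumptions, and the filter helper ANDs all rules rather than modelling every option of the real Filter dialog.

```python
import csv
import io
from collections import Counter

# Constructed sample trace (not a real capture) in the column layout Process Monitor
# writes when a capture is saved as CSV. Process names and paths are made up;
# update.exe stands in for a suspect binary under investigation.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0001","explorer.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ"
"10:15:01.0020","svchost.exe","812","Thread Create","","SUCCESS","Thread ID: 3300"
"10:15:01.0055","update.exe","4488","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Write"
"10:15:01.0060","update.exe","4488","WriteFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 128"
"10:15:01.0071","update.exe","4488","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ"
"10:15:01.0080","update.exe","4488","Load Image","C:\Windows\System32\wininet.dll","SUCCESS","Image Base: 0x76a00000"
"10:15:01.0090","explorer.exe","1234","ReadFile","C:\Windows\explorer.exe","SUCCESS","Offset: 4096, Length: 4096"
'''


def load_trace(csv_text):
    """Parse a CSV-exported trace into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


# Relations in the style of the Filter dialog (case-insensitive like Process Monitor's own).
RELATIONS = {
    "is": lambda field, value: field.lower() == value.lower(),
    "is not": lambda field, value: field.lower() != value.lower(),
    "contains": lambda field, value: value.lower() in field.lower(),
    "begins with": lambda field, value: field.lower().startswith(value.lower()),
}


def filter_events(events, rules):
    """Keep events that satisfy every (column, relation, value) rule.

    Simplification (assumption): all rules are ANDed and treated as include rules;
    exclude rules are not modelled.
    """
    return [
        event for event in events
        if all(RELATIONS[relation](event[column], value) for column, relation, value in rules)
    ]


def unique_values(events, column):
    """Equivalent of the Unique Values summary: events per distinct value of a column."""
    return Counter(event[column] for event in events)


def persistence_candidates(events):
    """Drill-down after the per-process summary: successful writes to a Run key
    or to a file under System32, returned as (process, operation, path)."""
    run_key_writes = filter_events(events, [
        ("Operation", "is", "RegSetValue"),
        ("Path", "contains", "\\CurrentVersion\\Run\\"),
        ("Result", "is", "SUCCESS"),
    ])
    system32_writes = filter_events(events, [
        ("Operation", "is", "WriteFile"),
        ("Path", "begins with", "C:\\Windows\\System32\\"),
        ("Result", "is", "SUCCESS"),
    ])
    return [(e["Process Name"], e["Operation"], e["Path"]) for e in run_key_writes + system32_writes]


EVENTS = load_trace(SAMPLE_CSV)

if __name__ == "__main__":
    # First pass: which processes were active, and how busy each one was.
    for process, count in unique_values(EVENTS, "Process Name").most_common():
        print(f"{count:4d}  {process}")
    # Second pass: narrow to the writes that would survive a reboot or alter name resolution.
    for process, operation, path in persistence_candidates(EVENTS):
        print(f"{process}: {operation} -> {path}")
```

On a real export the same two passes work unchanged; the only thing to adjust is the rule list, which is where the analyst's knowledge of the system goes.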
Like many other Sysinternals tools, Process Monitor requires no installation: Just unpack the program into a directory and run it. (However, the first time you run it you'll be asked to agree to a short EULA).
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.
More information on this topic:
- Tip: Process Explorer 10.0: Vista-ready, with a Runas command
This was first published in November 2006