Microsoft recently released, through its Sysinternals acquisition, a troubleshooting tool called Process Monitor...
v1.12e. Process Monitor is basically an enhanced combination of two earlier Sysinternals utilities: Filemon and Regmon.
So, if you're an admin, and you're hunting malware, troubleshooting a generic error, trying to see how your files have changed or else you want to monitor the Windows registry and processes and threads -- and you want to do this all in real-time -- Process Monitor is the tool for you.
Most applications do a poor job of reporting issues/errors properly and it is often difficult for anyone who's not a super geek to deduce those issues. It's also getting darn near impossible to clean up a system that's been infected with malware unless you can dive into the bowels of Windows with an advanced troubleshooting tool. Unfortunately, the Windows OS simply does not supply such a tool by default.
Side note on Process Monitor
--To get the most out of debugging, you should download Debugging Tools for Windows from Microsoft (free) and then point Process Monitor to use them.
--Filemon and Regmon will not be supported past Vista.
--This program loads a special driver, so you'll need to have the "load driver" user right to run Process Monitor (in other words, just run it as an Administrator). The driver is removed after the program is stopped.
--The registry monitoring aspects are roughly the same as with Regmon.
--File system monitoring uses a special driver to filter out all file system changes, which is a change from Filemon. Process Monitor captures everything except read/write buffers (file system monitoring) and large buffers of registry binaries (Registry monitoring).
However, the Process Monitor troubleshooting tool can help address the above issues and a whole lot more. With this new tool, you can monitor process and threads, DLL and driver loads, registry and file system changes, and capture to logs.
If you've ever used Filemon or Regmon, you know each one has limitations, namely:
- The separation of the two programs made it hard to correspond events.
- The filtering methods were crude to non-existent.
- There was a lack of detailed event information.
- They provided no insight into processes, especially short-lived processes as they might not even be seen (though you can get around that stumbling block by using Process Explorer).
- Poor scalability in that it cannot handle the amount of threads happening on most heavily used systems.
- You can also use Process monitor to capture data during a boot, logon or logoff.
Here's how the new Process Monitor addresses these limitations:
- The programs have been joined together and the data they capture can be viewed in one program window.
- Quick Filters are straightforward and reflect the most widely used filtering needs of admins. Advanced filters will let you get only the data you want to see. There are three buttons on the toolbar that quickly filter the results in the program to show you just Process/Threads, Registry and finally File System captured data. These filters are non-destructive so you can turn them on and off without losing any captured data.
- Detailed event info collection with many column options to choose from to view the data and logging of all data.
- It monitors process/threads and their creation/exits.
- It's scalable. It can monitor 10 million events and more than 5GB of data.
- Most shortcuts from Filemon and Regmon are the same.
- It offers Basic and Advanced modes. Basic mode excludes Process Monitor activity, Paging File, System Process and NTFS metadata files.
- Process Tree is a great tool to show where a process resides and how it relates to other processes. It lets you quickly drill down to the process in your data capture and begin your troubleshooting.
Common troubleshooting uses with Process Monitor
You get an error that states a generic message, such as check disk space, unable to open files or run maintenance. Well, which one is it? This type of error message is not very helpful in determining where the issue is and what its resolution might be. Use Process Monitor, target your application, reproduce the issue and watch for the real issue. Often you'll find sharing violations, permission issues or file check problems.
Troubleshoot the root cause of an issue. Process Monitor can show function-call history stacks. You use stacks to find a function, find what function started it, find what function started the second function, etc., until you get to the first function that started the entire stack. You're now at the root of this function stack. This is handy when the process you are looking into is svchost, which many programs use to run their generic processes.
You have an open application and want to know what it's doing. Open Process Monitor, click on and hold the Include Process From Window toolbar button, then release on the open application window. Process monitor will filter the captured data to show just that one application.
You're unable to find name.dll. You look in the path and the dll exists. Use Process Monitor, reproduce the issue, search for that dll in the captured data and you'll find the actual reason the program thinks it cannot find the dll.
The Registry is hit very often on an idle system (not Vista though, because Microsoft states it is rarely idle). This is a sign that there is a poorly written application. Use Process Monitor to find out which program is performing the hits.
Want to see how often a folder has been accessed? Use Tools>File Summary. This tool will look at every single directory and will show how often it was opened, closed, etc. (Tip: drag the Path column from the far right to the far right side of the window.)
Summing up, you can use Process Monitor to get around an application or even Windows shortcomings and get a problem system back to its pristine running state. There are so many features and options it's impossible to explain them all. Microsoft does a good job of explaining all the features in Process Monitor, and also has a helpful video of Process Monitor author Mark Russinovich explaining the tool.
More information on this topic:
About the author:
Tim Fenner (MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment, as well as an independent consultant who specializes in the design, implementation and management of Windows networks.