______________________________________________________________________
procmon.exe Instructions
________________________________________
Acquire
https://download.sysinternals.com/files/SysinternalsSuite.zip
• Expand the archive to a temporary folder.
________________________________________
Configure
• Start procmon.exe.
  · If a UAC prompt is displayed, click: 'Yes'
  · If the EULA dialog is displayed, click: 'OK'
  · If the Filter dialog is displayed, click: 'Reset | OK'
  · If data starts capturing automatically:
    · Select: 'Filter | Capture Events' (this toggles capture off)
    · Select: 'Edit | Clear Display'
• Select: 'Filter | Enable Advanced Output'
• Select: 'Filter | Drop Filtered Events'
• Select: 'Filter | Filter':
  · In the dialog box 'Process Monitor Filter':
    · In the section 'Display entries matching these conditions':
      · Click: 'Reset'
      · Ensure all filters are removed except: 'Event Class' 'is' 'Profiling' 'Exclude'
      · In the first droplist, select: 'Process Name'
      · In the second droplist, select: 'is'
      · In the third droplist/dialog box, enter: 'procmon.exe'
      · In the fourth droplist, select: 'Exclude'
      · Click: 'Add'
      · In the third droplist/dialog box, enter: 'procmon64.exe'
      · Click: 'Add'
      · Optional:
        · In the third droplist/dialog box, enter any additional process that may generate unnecessary 'noise' in the data, e.g. log-tailing tools such as 'baretail.exe' or 'notepad++.exe' that you will use during reproduction.
        · Click: 'Add'
      · Click: 'OK'
________________________________________
Procedures
Choose the appropriate data generation scenario.
____________________
Short Duration Run, Log Growth Without Bound
• Start procmon.exe.
• Start event collection: 'Filter | Capture Events'
• Reproduce the issue completely.
• Stop event collection:
  · Select: 'Filter | Capture Events'
• Save the procmon.exe trace:
  · Select: 'File | Save':
    · Select: 'Events to Save: | All Events'
    · Select: 'Format: | Native Process Monitor Format (PML)'
    · In 'Path', type:
    · Click: 'OK'
• Exit procmon.exe:
  · Select: 'File | Exit'
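The 'Configure' filter and the short-duration capture above can also be driven from a script using procmon.exe's documented command-line switches. This is an added example, not part of the original instructions; it assumes the archive was expanded to C:\Tools\Sysinternals, that the filter built in 'Configure' was exported via 'File | Export Configuration' to C:\Tools\procmon-filter.pmc, and that traces go to C:\Traces (all three paths are placeholders).

```powershell
# Added example: scripted "Short Duration Run" with procmon.exe.
# Paths below are assumptions; change them to match your environment.
param(
    [string]$ProcmonDir   = 'C:\Tools\Sysinternals',      # where the zip was expanded
    [string]$FilterConfig = 'C:\Tools\procmon-filter.pmc', # exported 'Configure' filter
    [string]$OutDir       = 'C:\Traces'                    # destination for the PML
)

$procmon = Join-Path $ProcmonDir 'procmon.exe'
if (-not (Test-Path $procmon)) { throw "procmon.exe not found at $procmon" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml   = Join-Path $OutDir "trace-$stamp.pml"

# /AcceptEula  - dismisses the EULA dialog (the 'OK' step in Configure)
# /Quiet       - suppresses the filter dialog at start-up
# /Minimized   - keeps the window out of the way while you reproduce
# /LoadConfig  - applies the saved filter (procmon.exe / procmon64.exe excluded)
# /BackingFile - writes events directly to a PML instead of the paging file
$pmArgs = @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $pml)
if (Test-Path $FilterConfig) { $pmArgs += @('/LoadConfig', $FilterConfig) }
Start-Process -FilePath $procmon -ArgumentList $pmArgs -Verb RunAs   # answers the UAC prompt

Write-Host "Capturing to $pml. Reproduce the issue now."
Read-Host 'Press Enter when the reproduction is complete'

# /Terminate instructs the running instance to stop capturing and exit;
# -Wait makes sure the PML is closed before we inspect it.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Verb RunAs -Wait

$trace = Get-Item $pml
if ($trace.Length -eq 0) { throw "Trace file is empty: $pml" }
Write-Host ("Saved {0} ({1:N1} MB)" -f $trace.FullName, ($trace.Length / 1MB))
```

The resulting PML is the same native format as 'File | Save | All Events' and opens with 'File | Open' in procmon.exe; the circular-log depth used in the long-duration scenario still has to be set in the GUI.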
____________________
Long Duration Run, Circular Log Purging Older Events
• Start procmon.exe.
• Set the circular log event count:
  · Select: 'Options | History Depth'
  · In 'Number of events (millions)', type:
• Start event collection: 'Filter | Capture Events'
• Reproduce the issue completely.
• Stop event collection:
  · Select: 'Filter | Capture Events'
• Save the procmon.exe trace:
  · Select: 'File | Save':
    · Select: 'Events to Save: | All Events'
    · Select: 'Format: | Native Process Monitor Format (PML)'
    · In 'Path', type:
    · Click: 'OK'
• Exit procmon.exe:
  · Select: 'File | Exit'
____________________
Short Duration Run from Boot, Log Growth Without Bound
• Start procmon.exe.
• Set boot logging:
  · Select: 'Options | Enable Boot Logging'
  · Check: 'Generate thread profiling events'
  · Select: 'Every second'
  · Click: 'OK'
• Reboot.
• Reproduce the issue completely.
• Start procmon.exe.
• Save the procmon.exe trace:
  · The dialog box 'Process Monitor' will be displayed: A log of boot-time activity was created...
  · Click: 'Yes'
  · The dialog box 'Save As' will be displayed.
  · Navigate to the appropriate folder.
  · In 'File name', type:
  · In 'Save as type', select: 'Procmon Log (*.PML)'
  · Click: 'Save'
• Exit procmon.exe:
  · Select: 'File | Exit'
________________________________________
Credits
Any externally referenced material in this document is hyperlinked. Authors responsible for referenced work should be sought through the reference(s) listed.
I am Christopher Etter, a Professional Services consultant.
Because you are using this, I welcome you as my customer. These documents are free for you to use. I work diligently to serve you with material such as this. I would appreciate it if PSPRO (professionalservices.pro), my name, and this 'Credits' section remain attached to this work so that I accrue name recognition via your success and peer recommendation. Thank you very much, and I hope this document helps you solve your current information technology issue!