How to capture a Process Monitor trace

When working with Microsoft technical support on a service request, you might be asked to capture a Process Monitor (ProcMon) trace. Process Monitor captures real-time file system, registry and process/thread activity, recording for each event the target object path, the access requested, the name and identity of the process that performed the operation, the operation result, and more. Such a trace is especially useful for troubleshooting problems like a missing file or registry entry, or an access-denied error, because it shows exactly which path was requested, by whom, and which result (for example NAME NOT FOUND or ACCESS DENIED) came back.

To capture a ProcMon trace:

  1. Download Process Monitor from here and copy it to the machine being traced. No installation is required; the tool is a stand-alone executable.
  2. Double-click to launch the tool. (On Windows Vista or Windows Server 2008 the tool runs with elevated privileges, so expect a UAC prompt; it needs administrative rights to load its driver.) Data collection starts automatically and you will see new records appearing in the main window.
  3. Operate the machine to reproduce the problem being traced.
  4. When the problem has been reproduced and all the data is collected, press Ctrl+E to stop capturing.
  5. Go to File->Save, then save the trace as a .pml file (the native Process Monitor log format, which keeps every captured detail).

Tips:

  • By default Procmon stores captured events in virtual memory, backed by the system paging file, until you save them to disk. If the capture will run for a long time, or you want to leave the paging file to other applications, go to “File”->”Backing Files...” and switch the storage to a file on a local disk.
  • Process Monitor supports many kinds of filters, for both collection and analysis. My suggestion is to collect with the default filter set and choose “All events” when saving, unless you know for certain that only a specific part of the data is of interest. Unless “Drop Filtered Events” has been enabled in the Filter menu, a filter only hides events from the display, so saving with “All events” keeps everything for the support engineer to look at.
  • Process Monitor remembers the filter set used last time. So before starting a new collection, go to “Filter”->”Reset Filter” (Ctrl+R) to restore the default filter set.
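The steps above can be scripted so that a user on the affected machine only has to run one script and send back the resulting .pml. The following PowerShell script is an added example, not part of the original post, and it relies on the Procmon command-line switches /AcceptEula, /Quiet, /Minimized, /BackingFile and /Terminate; these are present in current 3.x builds of Procmon, and the assumption is that your build has them too (very old 2.x builds may not). The Procmon.exe location and the trace directory are placeholders you will need to adjust. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): unattended Process Monitor capture
# that writes events straight to a .pml backing file on local disk, the scripted
# equivalent of steps 1-5 plus the “Backing Files” tip above.
# Assumptions: Procmon.exe is at $Procmon, and the build understands the
# /AcceptEula, /Quiet, /Minimized, /BackingFile and /Terminate switches.
param(
    # Assumed location of Procmon.exe; adjust to where you unpacked the tool.
    [string]$Procmon = 'C:\Tools\Procmon.exe',
    # The backing file is the trace. Keep it on a local disk with free space;
    # long captures on a busy machine easily reach several GB.
    [string]$TraceFile = "C:\Traces\procmon-$(Get-Date -Format 'yyyyMMdd-HHmmss').pml"
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path $Procmon)) {
    throw "Procmon.exe not found at $Procmon"
}

# Procmon loads a kernel driver, so it needs an elevated token; fail early
# rather than leaving the user with a UAC prompt hidden behind /Minimized.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null

# Start capturing immediately, storing events in $TraceFile instead of the
# paging file. /Quiet suppresses the filter-confirmation dialog and /Minimized
# keeps the window out of the way while the user reproduces the problem.
# Note: Procmon still applies the filter set saved from its last run (see the
# tip above about resetting the filter before a new collection).
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula',
    '/Quiet',
    '/Minimized',
    '/BackingFile', "`"$TraceFile`""
)

# Step 3: let the user reproduce the problem, then stop on demand (step 4).
Read-Host 'Reproduce the problem now, then press Enter to stop the capture'

# /Terminate stops every running Procmon instance and closes the backing
# file, leaving a complete .pml that can be opened with File->Open.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

if (-not (Test-Path $TraceFile)) {
    throw "Expected trace file $TraceFile was not produced."
}
$sizeMB = (Get-Item $TraceFile).Length / 1MB
Write-Host ("Trace saved: {0} ({1:N1} MB)" -f $TraceFile, $sizeMB)
```

The .pml written this way is exactly what File->Save produces in the GUI, so it can be attached to the service request as-is. Because the backing file grows for as long as the capture runs, ask the user to reproduce the problem promptly rather than leaving the capture running for hours.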

Reading and analyzing a Procmon trace is not covered in this post; you will find plenty of material in the “Additional Resources” section of the Procmon download page.

Comments

  • Anonymous
    October 13, 2011
    Hello, I want to collect data over a couple of hours, but Procmon crashes after collecting nearly 800,000 events. It doesn't matter whether I use a backing file. Any ideas? I use version 2.96 - thanks

  • Anonymous
    April 19, 2012
    Hi Sunghost, by default Process Monitor stores the captured data in memory using page files. If the collection has to take a long time, you'd change that to a file on the hard disk. Go to File->Backing Files... and it will let you reconfigure that.

  • Anonymous
    August 06, 2014
    Another option is to set up a filter that excludes events that are not needed.