![]() If you want ProcMon to save only the events that match your filters and drop all the others, enable the option Filter > Drop Filtered Events.įor example, you want to monitor only write events to a file. To do this, select the File > Backing Files > Use File named, and specify the file name. ![]() You can configure ProcMon to store events not in virtual memory but in a file on disk. If ProcMon has been running for a long time, it may take up all the available RAM. Regardless of the filters configured, it stores all events in RAM (even if they are not displayed in the window). Running Process Monitor can negatively affect the performance of your computer. Now, if any process running on Windows tries to read or write to a tracking file or registry key, you will see this event in Process Monitor. In this way, exclude any other trusted processes that are accessing your file or registry key. It means that the ProcMon log won’t display any activity from this process. This process will be added to the ProcMon filter with the Exclude value. To exclude the events of this process from the ProcMon log, right-click on the process name msmpeng.exe and select Exclude “….”. This is the core process of the antimalware detection engine in Windows Defender. The list of events contains the system process msmpeng.exe (Antimalware Service Executable). It also contains events of creation (Create File) and writing to a file (WriteFile) by the processes cmd.exe and powershell.exe. As you can see, it contains events for creating a registry key by the reg.exe process (Operation > RegCreateKey). Then, let’s write some data into the procmon_example.txt file using the command line: echo ?te%>c:\ps\procmon_example.txtĪnd using PowerShell: Get-Process|out-file C:\ps\procmon_example.txt Start event monitoring File > Capture Event.Īs an example, let’s create a reg parameter key in the specified registry key using the command prompt: reg add hkcu\software\test /v Path /t REG_EXPAND_SZ /d ^%systemroot^% The Show Network Activity and Show Process, and Threads Activity options can be disabled. Make sure the following options are enabled in the ProcMon toolbar: Show Registry Activity, Show File System Activity. Now add a file access event filter: Path > is > c:\ps\procmon_example.txt > Include. Click Add to add a new filter to the list. We’ll add some additional filters.Ĭreate a filter for monitoring access to the registry key: Path > contains > \SOFTWARE\test > Include. In most cases, you don’t need to remove these filters. The default filter already excludes events of a standard Windows system activity and the procmon.exe process itself. The filters allow you to specify various criteria for events to be added or excluded from the monitoring. Now you need to configure the Process Monitor filters (Filter > Filter). Stop capturing events by unchecking the option File > Capture Events (Ctrl E) and clear the current ProcMon log (Edit > Clear Display). ![]() When Process Monitor starts, it begins capturing all events according to the default filters. Let’s say, you need to track access to the registry key HKEY_CURRENT_USER\Software\test and file c:\ps\procmon_example.txt. In this article, we will show how to track accesses and changes to files and registry on your local computer using Process Monitor. Using Process Monitor to Track File and Registry Changes It intercepts system function calls for the following operations: access to the file system, registry, process activity, network connections. When ProcMon starts, it installs a special system driver PROCMON20.SYS. When you start Process Monitor for the first time, a license agreement (EULA) appears on the screen that requires user confirmation. Extract the archive and run the procmon.exe ( procmon64.exe) executable file as an administrator. Process Monitor does not require installation. ProcMon is not a built-in system utility, so you must download it manually from the Microsoft website. This is useful for diagnosing slow Windows boot.
0 Comments
Leave a Reply. |