The Process Monitor (ProcMon) tool is used to track the various processes activity in the Windows operating system. This utility allows you to show how processes access files on disk, registry keys, remote resources, etc. in real-time. The ProcMon combines the capabilities of two legacy Sysinternals utilities at once — FileMon and RegMon.
With Process Monitor, you can:
- Track the startup and shutdown events of processes and threads, including information about the exit code;
- Collect data on the parameters of input and output operations;
- Set filters to display only the necessary information. For example, about the actions of a specific process, access to a specific file or a registry key;
- Log all operations during system boot (starting processes, services). This is useful for diagnosing slow Windows boot.
ProcMon is not a built-in system utility, so you must download it manually from the Microsoft website. Process Monitor does not require installation. Extract the archive and run the procmon.exe (procmon64.exe) executable file as an administrator.
When you start Process Monitor for the first time, a license agreement (EULA) appears on the screen that requires user confirmation.
When ProcMon starts, it installs a special system driver PROCMON20.SYS. It intercepts system function calls for the following operations: access to the file system, registry, process activity, network connections.
Using Process Monitor to Track File and Registry Changes
In this article, we will show how to track accesses and changes to files and registry on your local computer using Process Monitor.
Let’s say, you need to track access to the registry key HKEY_CURRENT_USER\Software\test and file c:\ps\procmon_example.txt.
When Process Monitor starts, it begins capturing all events according to the default filters.
Stop capturing events by unchecking the option File > Capture Events (Ctrl+E) and clear the current ProcMon log (Edit > Clear Display).
Now you need to configure the Process Monitor filters (Filter > Filter). The filters allow you to specify various criteria for events to be added or excluded from the monitoring.
The default filter already excludes events of a standard Windows system activity and the procmon.exe process itself. In most cases, you don’t need to remove these filters. We’ll add some additional filters.
Create a filter for monitoring access to the registry key: Path > contains > \SOFTWARE\test > Include. Click Add to add a new filter to the list.
Now add a file access event filter: Path > is > c:\ps\procmon_example.txt > Include.
Make sure the following options are enabled in the ProcMon toolbar: Show Registry Activity, Show File System Activity. The Show Network Activity and Show Process, and Threads Activity options can be disabled.
Start event monitoring File > Capture Event.
As an example, let’s create a reg parameter key in the specified registry key using the command prompt:
reg add hkcu\software\test /v Path /t REG_EXPAND_SZ /d ^%systemroot^%
Then, let’s write some data into the procmon_example.txt file using the command line:
echo %date%>>c:\ps\procmon_example.txt
And using PowerShell:
Get-Process|out-file C:\ps\procmon_example.txt
Switch to the ProcMon window. As you can see, it contains events for creating a registry key by the reg.exe process (Operation > RegCreateKey). It also contains events of creation (Create File) and writing to a file (WriteFile) by the processes cmd.exe and powershell.exe.
The list of events contains the system process msmpeng.exe (Antimalware Service Executable). This is the core process of the antimalware detection engine in Windows Defender. To exclude the events of this process from the ProcMon log, right-click on the process name msmpeng.exe and select Exclude “….”.
This process will be added to the ProcMon filter with the Exclude value. It means that the ProcMon log won’t display any activity from this process.
In this way, exclude any other trusted processes that are accessing your file or registry key. Now, if any process running on Windows tries to read or write to a tracking file or registry key, you will see this event in Process Monitor.
Hints. Running Process Monitor can negatively affect the performance of your computer. Regardless of the filters configured, it stores all events in RAM (even if they are not displayed in the window). If ProcMon has been running for a long time, it may take up all the available RAM. You can configure ProcMon to store events not in virtual memory but in a file on disk. To do this, select the File > Backing Files > Use File named, and specify the file name. If you want ProcMon to save only the events that match your filters and drop all the others, enable the option Filter > Drop Filtered Events.
For example, you want to monitor only write events to a file. Click in the ProcMon window on the line with the WriteFile operation type, and add this event to the Include filter.
Thus, any object or event in ProcMon can be added to the filters, so that the minimum set of events that you need to analyze access to a file or registry are displayed in front of you.
1 comment
Thanks for this tutorial Cyril! What if my goal is to log all events of a certain type whenever the computer is running, so the log file will act as a complete history of changes?
Will creating a filter like this persist across reboots? If not, is there a way to create the filter programmatically, so I can set it as a startup task?
P.S. You mentioned a performance impact to RAM if Procmon runs with a filter for a long time, so my plan was to drop filtered events to a daily log file. Is this still a bad idea? Will my plan just produce massive text files that will fill up my storage?
Thanks!