Running Process Monitor

Posted By admin  On 02.05.21



The Process Monitor (also known as procmon) is part of Microsoft’s Sysinternals Suite and a well-known tool for troubleshooting a Windows system. In this blog post, I present how to reduce the altitude of the procmon in the filter driver stack. The ABC Of Filter Driver Altitude. Process Monitor (ProcMon) is a tool for monitoring real-time system activities on the level of the file system, the registry, and network operations. This blog describes how to use ProcMon to collect these system activities and save them to a local file. The data collected by this tool can be very useful for troubleshooting purposes. A Linux/Debian Process Monitor Program. It gets the running programs (except root's) then add them to Mysql database with using peewee orm.

  1. Process Monitor Tool Download
  2. How To Use Process Monitor
  3. Process Monitor Log

When troubleshooting an issue for a client of mine, I was in need for some further debugging information. To look into what processes are doing in the background, I turn to Sysinternals’ Process Monitor – one of the tools I recommend to master as an IT consultant. What was troublesome however, is that the issue I was looking into only occurred at night and I didn’t feel much for staying up late to fire off Process Monitor. To complicate matters, the systems themselves were in the production environment, and since Process Monitor does have a (hefty) impact on system performance (and the logs it creates grows very large very quick) I couldn’t just start it before leaving for home, leaving it running until I came back to work the next morning.

So it would be cool if it was possible to run Process Monitor as a scheduled task, run it for a few minutes (when the issue occurs) and retrieve the log the next morning to analyze it.

So, what options do we have when running Process Monitor?

Looks like we have enough arguments to choose from to get this to work. So, let’s put the scheduled task together.

Create the scheduled task to run Process Monitor

  1. First, download Process Monitor if you haven’t already done that, and save it on the machine you want to monitor.
  2. On the machine, go to the Administrative Tools and open the Task Scheduler console.
  3. In the left pane, click on Task Scheduler Library
  4. On the right pane, click on Create Basic Task…
  5. Enter the name of the task (e.g. Start Process Monitor) and click on Next
  6. Choose the frequency. Since I only want to run it once, I chose “One Time”. Click on Next
  7. Enter the time when you want the task to be run (before the issue occurs of course) and click on Next
  8. For the action choose “Start a program” and click on Next
  9. Browse for the Process Monitor executable (procmon.exe), and add /accepteula /quiet and /BackingFile <log path> (e.g. C:templog.pml) as arguments. Make sure you have enough diskspace where you’re saving the log file.
  10. Check “Open the Properties dialog…” and click on Finish
  11. The properties dialog is shown. On the bottom, click on “Change User or Group”, select SYSTEM and click OK. Click on OK again to close the properties window.

Great! We’ve set up the scheduled task! However, if we do nothing else Process Monitor will run on forever, and we don’t want that to happen… Unfortunately, there’s no argument to run PM for a certain amount of time. You could, using the options of the scheduled task, kill the task after a certain amount of time. However, when you just kill the process and don’t shut it down properly, the log will get corrupted, so we can’t use that. Fortunately, we can run Process Monitor with the /terminate option, which will terminate all running instances of PM (running in the executing user’s context). So, we’ll set up a second scheduled task to terminate PM after a set amount of time.

How to use process monitorRunning Process MonitorRunning Process Monitor

Create the second scheduled task to stop Process Monitor

Process Monitor Tool Download

  1. Open the Task Scheduler console again.
  2. Create a new Basic Task
  3. Enter an appropriate name (e.g. End Process Monitor)
  4. Choose the frequency.
  5. Enter time time to end Process Monitor. The should be after the issue occurs (and inherently later the time when starting PM).
  6. For the action, choose “Start a program” again.
  7. Select the executable again, but enter /terminate as the argument.
  8. Check “Open the Properties dialog…” again and click on Finish
  9. In the properties window, change the user to SYSTEM again in the security options.

How To Use Process Monitor

And there you have it! The next morning (after grabbing a cup of coffee) you’ll be able to open up the log file and analyze the issue.

Process Monitor Log

Hope this was helpful!