Using /run32 Procmon command line argument for 32-bit procmon log analysis

In this post, I'd like to share a scenario you may run into when you try to open a Procmon PML file that was captured on a 32-bit operating system from a 64-bit client machine.
 
If you ask someone to gather a Process Monitor log from a 32-bit client machine and then try to open the file you receive on a 64-bit client machine, you may see an error message.

The message may read like this:

Process Monitor
The file ‘directory\filename.PML’ is not compatible with this version of Process Monitor.
[OK]

This is because, to open a 32-bit Procmon capture, you need to be using the same version, or use the /Run32 switch, which allows you to run the 32-bit version on a 64-bit client machine.
 
NOTE: This process was tested using Process Monitor v3.01.

How to get to the Command Line Options

From Process Monitor, select the Help menu and click on the Command Line Options… submenu.

Here are the command line arguments:

Creating a shortcut

You can create a shortcut on your desktop for the next time you have to review a 32-bit Procmon log from a 64-bit client machine.
 
The easiest way is to right-click Procmon.exe and select Create Shortcut.

Then, in the properties of the "Procmon.exe – shortcut" (right-click and select Properties), add /Run32 at the end of the Target entry.

Now you can put this "Procmon.exe – shortcut" wherever you like, to make it easier the next time you have to review 32-bit Procmon logs from a 64-bit client machine.
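The same shortcut can be created from PowerShell, which is handy when several analysis machines need it. This is an added example, not part of the original post; the Procmon.exe path and the shortcut name are assumptions, so adjust them to your environment.

```powershell
# Added example: create a desktop shortcut that starts Procmon with /Run32.
# Assumptions: Procmon.exe lives at the path below (hypothetical location)
# and the shortcut name is free to choose.
param(
    [string]$ProcmonPath  = 'C:\Tools\Procmon.exe',
    [string]$ShortcutName = 'Procmon (32-bit).lnk'
)

# Fail early if the target is missing, so we never create a dead shortcut.
if (-not (Test-Path -LiteralPath $ProcmonPath -PathType Leaf)) {
    throw "Procmon.exe not found at '$ProcmonPath'."
}

$target  = (Resolve-Path -LiteralPath $ProcmonPath).Path
$desktop = [Environment]::GetFolderPath('Desktop')
$lnkPath = Join-Path $desktop $ShortcutName

# WScript.Shell is the standard COM object for reading and writing .lnk files.
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)

$shortcut.TargetPath       = $target
$shortcut.Arguments        = '/Run32'   # the switch appended to Target in the GUI steps
$shortcut.WorkingDirectory = Split-Path -Parent $target
$shortcut.Description      = 'Process Monitor (32-bit) for PML files captured on 32-bit systems'
$shortcut.Save()

# Read the shortcut back from disk to confirm what was actually written.
$check = $shell.CreateShortcut($lnkPath)
'Created: {0}' -f $lnkPath
'Target : {0} {1}' -f $check.TargetPath, $check.Arguments
```

In the shortcut's Properties dialog, the Target field will show the executable path followed by /Run32, matching the manual steps above.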
 

I hope you enjoy this little trick, and that it helps those who may have encountered this scenario before!

This blog has been provided to you by another one of our Escalation Engineers for Internet Explorer, Louis Shanks.