Procmon on x64? "/?" will help :-)


Maybe some of you already know this trick, but if you don’t… here it is smile_regular

I’ve been running a Vista x64 as my main machine in office for a few months now, and when I had to analyze a Process Monitor trace received from a customer, but if the log was coming from a x86 machine (that’s still the most common for customer calls we see today) I was not able to open it on my desktop, and always had to rely on my laptop (where I run Windows XP Pro) or on my second desktop (Windows 2003).

Process Monitor invalid argument

I took this for granted for a while, but then this morning I thought to have a look at the command line options (procmon /?) and got a nice surprise:

Process Monitor usage

Tried it, and (of course) I was finally able to open the 32bit trace on my 64bit machine.. smile_nerd

 

Carlo

Quote of the day:
It’s amazing that the amount of news that happens in the world every day always just exactly fits the newspaper. – Jerry Seinfeld

Comments (7)

  1. dmurillo says:

    Of course, it would be nice if Mark (Russinovich) added a more detailed message instead of the error message.

    Or did he?  I haven’t tried this functionality myself, did you try it using the latest version?

    Just my 2 cents.

  2. carloc says:

    Yes, that also happen with the latest version, but the nice thing is that now the help dialog is shown automatically after you close the error message, rather than you to run it at the command line… a more descriptive error message would be usefu, but that’s a step forward anyway  🙂

  3. jigarme says:

    I have a question.. Different from the topic of this post..!! Which tool do you use to take these kind of snapshot and most importantly highlight with those red rounded corners? Can you please share some details! ? 🙂

  4. carloc says:

    Ah… that’s not the first time I’m asked this question you know? 🙂

    So… for the screenshots I use Winsnap (http://www.ntwind.com/software/winsnap.html), shareware but well deserved: it has some nice features like the "Vista like" shadows, watermarks, keyboard shortcuts (wonderful), menu screenshots support etc…

    For the rounded highlights I use Paint.NET (http://www.getpaint.net/index.html), maybe not a very sofisticated image editor but it’s free, more poweful that the standard MSPaint, extensible through plugins etc…

  5. Vinay says:

    Hi Carlo,

    In your process explorer snapshot, procexp64.exe a child process of procexp.exe. You’re are refering to procmon.exe in your post.. which seems to run as procmon.exe (w/o a child process). I guess Mark does some internal switch to 32 bit using some sort of shim in procmon.exe. I dont have a x64 m/c to test this.. but you should be able to see it in procexp (using process highlighting for new/dying processes).

    Cheers !

  6. carloc says:

    Ops… you’re right! :o)

    I made a mistake with the screenshots I guess… I took more than one while testing, I guess I published the wrong one (wrong highlighting)…

    Corrected, thanks! 🙂