Ask Learn
Preview
Ask Learn is an AI assistant that can answer questions, clarify concepts, and define terms using trusted Microsoft documentation.
Please sign in to use Ask Learn.
Sign inNote
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
When working with Microsoft technical support on a service request, you might be asked to capture a Process Monitor(ProcMon) trace. Process monitor can capture real-time file system, registry and process/thread activity, including the target object path, the access type, the name of the process that takes the action and its identity, the operation result, etc. This trace is especially useful to troubleshoot problems like file/registry-entry missing or access denied.
To capture a ProcMon trace you can go
- Download Process Monitor tool from here, then install it on the machine being traced.
- Double-click to launch the tool (Note on Vista or Windows 2008 OS this tool runs with elevated privileges. ), data collection starts automatically and you will see new records adding into the main form.
- Now you operate on the machine to reproduce the problem to be traced.
- When all data is collected, press Ctrl+E to stop tracing.
- Go File->Save, then save the trace into a .pml file.
Tips:
- By default procmon data collection is backed up by page files before the data is saved into a file on the disk. Yet if the collection will go for a long time, or you want to save the page files for other applications, go to “File”->”Backing File” and change the storage to a file on local disk.
- Process monitor supports many kinds of filters for both collecting and data analyzing. My suggestion is when collecting data you use the default filter set , then choose “all events” when saving data—unless you know clearly that only a special part of the data is being interested.
- Process monitor keeps the filter set used in last time. So before any collection starts, go “Filter”->”Reset Filter” to restore the default filter set.
Reading & analyzing a procmon trace is not covered in this post. You can find a lot in the “Additional Resources” part in the procmon download page;
Anonymous
January 09, 2010
The comment has been removedAnonymous
October 13, 2011
Hello, i want to collect data over a couple of hours, but procmon crashes after collected nearly 800.000 events. it doesent matter to use a backing file. any ideas. i use version 2.96 - thxAnonymous
April 19, 2012
Hi Sunghost, by default process monitor stores the captured data in memory using page files. If the collection has to take a long time, you'd change that to a file on the harddisk. Go file->backing files... and it will let you reconfig that.Anonymous
August 06, 2014
another option is to setup a filter and excludes events that is not needed.