How to capture a Process Monitor trace

When working with Microsoft technical support on a service request, you might be asked to capture a Process Monitor (ProcMon) trace. Process Monitor can capture real-time file system, registry and process/thread activity, including the target object path, the access type, the name and identity of the process that performs the action, the result of the operation, and so on. This trace is especially useful for troubleshooting problems such as a missing file or registry entry, or an access-denied error.

To capture a ProcMon trace, follow these steps:

  1. Download the Process Monitor tool from here, then install it on the machine to be traced.
  2. Double-click to launch the tool (note: on Vista or Windows 2008 this tool runs with elevated privileges). Data collection starts automatically and you will see new records being added to the main window.
  3. Now use the machine to reproduce the problem being traced.
  4. When all the data has been collected, press Ctrl+E to stop tracing.
  5. Go to File->Save and save the trace as a .pml file.

Tips:

  • By default, ProcMon stores the collected data in the page file until it is saved to a file on disk. If the collection will run for a long time, or you want to leave the page file free for other applications, go to File->Backing File and change the storage to a file on the local disk.
  • Process Monitor supports many kinds of filters, both for collecting and for analyzing data. My suggestion is to use the default filter set when collecting data, and then choose "All events" when saving, unless you know for certain that only a specific part of the data is of interest.
  • Process Monitor remembers the filter set used last time, so before any collection starts go to Filter->Reset Filter to restore the default filter set.
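
The same capture, scripted in PowerShell with ProcMon's command-line switches, as an added example that is not part of the original post: it starts capturing with a backing file on local disk (the tip above), stops and flushes the trace the way Ctrl+E and File->Save do, and does a quick triage of the access-denied and not-found results the post calls out. The ProcMon path, output folder and CSV column names are assumptions.

```powershell
# Added example (not from the original post). Assumes Procmon.exe is at
# $ProcmonExe and that the switches used are the documented ProcMon ones.
param(
    [string]$ProcmonExe = 'C:\Tools\Procmon.exe',   # assumed location
    [string]$OutDir     = 'C:\Temp\procmon'         # assumed output folder
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $ProcmonExe)) { throw "Procmon not found at $ProcmonExe" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml   = Join-Path $OutDir "trace-$stamp.pml"
$csv   = [IO.Path]::ChangeExtension($pml, '.csv')

# Start capturing right away, writing to a backing file on local disk rather
# than the page file; /Quiet suppresses the filter prompt so the default
# filter set is used, /AcceptEula avoids the license dialog on a fresh box.
Start-Process -FilePath $ProcmonExe -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`""
)

Write-Host "Capturing to $pml. Reproduce the problem now, then press Enter."
[void](Read-Host)

# A second ProcMon instance with /Terminate tells the running one to stop
# capturing and flush everything to the backing file (Ctrl+E + File->Save).
Start-Process -FilePath $ProcmonExe -ArgumentList '/Terminate' -Wait

# Convert the .pml to CSV for a first look; the .pml is what support wants.
Start-Process -FilePath $ProcmonExe -ArgumentList @(
    '/AcceptEula', '/Quiet', '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`""
) -Wait

# Quick triage: which processes hit ACCESS DENIED or NAME NOT FOUND, and how
# often. Column names follow ProcMon's default CSV export (assumed).
Import-Csv $csv |
    Where-Object { $_.Result -in 'ACCESS DENIED', 'NAME NOT FOUND' } |
    Group-Object 'Process Name', 'Result' |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

Send the .pml file to support; the CSV summary only tells you where to start looking.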

Reading and analyzing a ProcMon trace is not covered in this post; you can find plenty of material in the "Additional Resources" section of the ProcMon download page.