How to gather a ProcessMonitor log

Summary
This article will guide you through gathering a ProcessMonitor log. ProcessMonitor is a tool that is useful mainly for troubleshooting which files are being opened on your computer and which keys are being read in your registry.


1. Download ProcessMonitor from here: https://download.sysinternals.com/files/ProcessMonitor.zip

2. Open the file Procmon.exe.

3. At the bottom of the screen, you can see the event counter ticking upwards quickly, because logging starts as soon as the tool opens. Press Ctrl+E to stop this logging immediately.

4. When the numbers are no longer ticking up, press Ctrl+X to clear the log. It should now be empty, with "capture disabled" written at the bottom left.


5. Please take note of these important things:
-Don't leave ProcessMonitor logging for extended periods, or this may cause your computer/server to become unresponsive.
-Make sure that all applications irrelevant to the behavior you want to capture are shut down, or irrelevant data will be collected that both makes analysis more complex and makes the file bigger. You can use Task Manager to both find running applications and close them.
-For the same reason, it is important that you do not gather data for more than a few seconds.
-If your problem involves an error message or a prompt, it is important that the capture includes the point when the error shows up on the screen, as well as the action before it that led to this message/prompt. Stop the logging immediately after the first error has come up.
-Generally, having the log capture the problem application starting up is preferable, if the log can still be kept at a reasonable size.

6. After making sure that you know the above things, in ProcessMonitor, press Ctrl+E to start the logging again.
7. Quickly minimize ProcessMonitor, and quickly perform the action that you intend to analyse.
8. Once you are sure that logging has captured the reproduced issue, go to ProcessMonitor and press Ctrl+E again. You will see at the bottom of the screen that the numbers are not ticking up any more.
9. Press "File", "Save", select "All events", and select "Native Process Monitor Format (.PML)" format. Under path, choose a path where you can easily find the file afterwards. Save the file.
10. If you want to share the trace with someone who can analyze it, open the location where you saved the .PML in Windows Explorer, right click on the .PML file, select "Send to", and choose "Compressed (zipped) folder". This will create a zipped folder with the file inside, and reduce the size by around 90%. Zipping it this way may be needed if you intend to share it by email.
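The same capture can be done from an elevated PowerShell prompt using ProcessMonitor's documented command-line switches, which keeps the trace bounded to a few seconds as the steps above recommend. This is an added example, not part of the original article; the working folder, file names and the 10-second capture window are assumptions, and the download URL is the one given in step 1.

```powershell
# Added example: gather a short, bounded ProcessMonitor trace non-interactively
# and zip the resulting .PML for sharing. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# Assumed working folder and file names.
$workDir = Join-Path $env:TEMP 'procmon-capture'
New-Item -ItemType Directory -Force -Path $workDir | Out-Null

# Step 1: download and extract ProcessMonitor (same URL as the article).
$zip = Join-Path $workDir 'ProcessMonitor.zip'
Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/ProcessMonitor.zip' -OutFile $zip
Expand-Archive -Path $zip -DestinationPath $workDir -Force
$procmon = Join-Path $workDir 'Procmon.exe'

# Steps 5-8: capture for a bounded window only, writing straight to a .PML file.
#   /AcceptEula  skips the licence dialog
#   /Quiet       suppresses the filter confirmation dialog
#   /Minimized   keeps the window out of the way while you reproduce the issue
#   /Runtime 10  stops capturing and exits after 10 seconds (assumed window)
#   /BackingFile writes events to the given .PML instead of the paging file
$pml = Join-Path $workDir 'trace.pml'
$seconds = 10
Write-Host "Capturing for $seconds seconds: reproduce the problem now..."
Start-Process -FilePath $procmon -Wait `
    -ArgumentList "/AcceptEula /Quiet /Minimized /Runtime $seconds /BackingFile `"$pml`""

if (-not (Test-Path $pml)) { throw "No trace was written to $pml" }

# Step 10: zip the trace so it is small enough to share by email.
$archive = Join-Path $workDir 'trace.zip'
Compress-Archive -Path $pml -DestinationPath $archive -Force
$ratio = [math]::Round(100 * (1 - (Get-Item $archive).Length / (Get-Item $pml).Length))
Write-Host "Trace saved to $archive (about $ratio% smaller than the .PML)"
```

Because the capture window is fixed, start the problem application and trigger the error as soon as the "reproduce the problem now" message appears.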

Now that you have gathered a log file, you can also attempt a basic analysis of it. One commonly performed analysis is to look for third-party applications that are unexpectedly loaded into the application you are analyzing. How to do this is explained in detail in this article.

Another possible ProcessMonitor usage is to monitor the change of a registry key or file, as outlined here.

Last updated September 17, 2019