How to Run a Boot Trace Using Process Monitor

Process Monitor is an excellent diagnostic tool from Microsoft Sysinternals. It can run a trace during the current Windows session or trace the boot process. Let’s see how to enable boot tracing using Process Monitor.

Enable Boot Logging using Process Monitor

1. Download Process Monitor and run it.
2. Read and accept the license agreement.
3. If the “Filtering Options” dialog appears, dismiss the dialog by pressing Cancel.
4. From the Options menu, click “Enable Boot Logging” to enable it.
   
5. Enable “Generate threat profiling events”, choose “Every second”, and click OK.
   
6. Close Process Monitor by clicking File, and clicking Exit.
   
7. Save your work and close all programs that are currently running.
8. Right-click Start, click “Shut down or sign out”, and click “Restart”.
   
9. Process Monitor will trace the next boot and write the events to a log file. After entering Windows, reopen Process Monitor.
   Note: If you need to reproduce and record a problem after logging in, do so before opening Process Monitor.
10. Click “Yes” when you see the following message:
    “A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?”

    

11. Save the PML boot log in a folder. The default file name is Bootlog.PML.

    Note: If the trace size is enormous, Process Monitor saves the trace information into multiple logs, such as Bootlog-1.PML, Bootlog-2.PML, etc.

    

12. The PML trace log will be huge, usually in gigabytes. If you’re going to send the file to someone or share it on the cloud, be sure to zip it. To zip the log(s), select the file(s), right-click, select Send to, and select “Compressed (zipped) folder” from the Send To menu.
13. Zipping the log(s) reduces the file size by a whopping 90%.

That’s it.

Related article

Using Process Monitor to Track Registry and File System Changes