How to Track “Access Denied” Registry and File Events Using Process Monitor

A well-written application does proper error handling: it tells the user in detail what went wrong and how to fix it, rather than failing silently or throwing up an obscure error code and quitting. Not every application does, and a silent failure is very often a permissions problem. This post explains how to trace "Access Denied" events for file and registry activity on the system using Process Monitor.

(I already have a how-to article on using Process Monitor with an example; this article specifically explains how to track "Access Denied" entries by configuring the filtering options in Process Monitor.)

1. Get Process Monitor from the Windows Sysinternals page. Run it from an administrator account, since it has to load a kernel driver to capture events.

2. Accept the EULA that appears when you run the program for the first time.

3. Process Monitor starts capturing events automatically. Stop capturing by clicking the Capture button (CTRL + E) on the toolbar.

The set of five buttons on the right of the toolbar toggles the display of five classes of captured activity.

(Everything is captured regardless; these buttons only choose what is shown in the output window.)

  1. Registry

  2. File system

  3. Network activity

  4. Process and Thread activity

  5. Process Profiling

4. Most basic troubleshooting needs button 1 or 2 (or both). Enable buttons 1 and 2 to start with.

5. From the Filter menu, click Filter (CTRL + L).

6. In the Process Monitor Filter dialog, click the Reset button to clear any filters you configured earlier.

7. Then set the filter rule as below, using the four drop-downs in the dialog, to catch "Access Denied" entries specifically:

Result contains DENIED then Include

8. Click Add, and click OK.

9. Start capturing by enabling the Capture toggle button on the toolbar.

10. Now reproduce the problem. Suppose you get an error when trying to create a registry key: perform the same operation again while Process Monitor is capturing in the background.

11. After reproducing the problem, Process Monitor lists the Access Denied entries (if any occurred). Because of the filter, nothing else is shown.

In this example, I tried to create a registry key under the HKEY_CLASSES_ROOT branch using the REG.EXE command line, and it encountered an Access Denied error. Of course, I knew REG.EXE needs to be run from an elevated Command Prompt to create or modify keys in the system areas of the registry; this was purely for illustration.

12. Make a note of the process name, the operation it tried to perform, and the file, directory or registry path it tried to modify. Alter permissions if necessary. Before loosening an ACL on a system location, though, confirm that the process really should be writing there; as the REG.EXE example shows, the right fix is often to run the tool elevated rather than to grant standard users write access to a protected key or folder.

However, note that not all ACCESS DENIED entries you see in Process Monitor are necessarily problematic. Some are perfectly normal: many programs probe files and keys they have no business writing to, get refused, and carry on. If you're not sure what the log is showing, save it to a PML file (File > Save, native Process Monitor format, and choose "All events" so the support team can apply their own filters), compress it, and send it to the respective support team.
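The same capture-reproduce-triage sequence can be scripted when you need to repeat it, or when the problem occurs on a machine where nobody is sitting at the GUI. The script below is an added example and is not part of the original post or of the Sysinternals tools; it uses only documented Process Monitor command-line switches (/AcceptEula, /Quiet, /Minimized, /NoFilter, /BackingFile, /Terminate, /OpenLog, /SaveAs) and then applies the post's "Result contains DENIED" rule to the exported CSV with Import-Csv. It assumes procmon.exe is on the PATH and that the script itself runs from an elevated PowerShell window (Process Monitor needs admin rights to load its driver). The `reg add` command shown in the comment is the same illustrative repro as in the post; the key name `.procmontest` is an assumption for the example.

```powershell
# Added example: scripted Process Monitor capture plus offline triage of ACCESS DENIED events.
# Not the original post's code. Assumes: procmon.exe on PATH, elevated PowerShell session.
$Procmon = 'procmon.exe'
$Pml = Join-Path $env:TEMP 'denied-capture.pml'
$Csv = [IO.Path]::ChangeExtension($Pml, '.csv')

# 1. Start capturing to a backing file, with no EULA prompt and no GUI filter in the way.
Start-Process $Procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/NoFilter', "/BackingFile `"$Pml`""
Start-Sleep -Seconds 3   # give the driver a moment to load before the repro

# 2. Reproduce the problem from a SEPARATE, non-elevated window, for example (hypothetical key name):
#      reg add HKCR\.procmontest /ve /d test
#    Do not run the repro from this elevated session: it would inherit admin rights and succeed,
#    and no ACCESS DENIED would ever be logged.
Read-Host 'Reproduce the problem in a non-elevated window, then press Enter'

# 3. Stop the capture; /Terminate ends the capturing instance and flushes the backing file.
Start-Process $Procmon -ArgumentList '/Terminate' -Wait

# 4. Convert the PML to CSV. The PML is what you would send to support; the CSV is for local triage.
Start-Process $Procmon -ArgumentList '/AcceptEula', '/Quiet', "/OpenLog `"$Pml`"", "/SaveAs `"$Csv`"" -Wait

# 5. Same rule as the GUI filter in step 7: Result contains DENIED.
#    Default export columns are: Time of Day, Process Name, PID, Operation, Path, Result, Detail.
$denied = Import-Csv -Path $Csv | Where-Object { $_.Result -like '*DENIED*' }

# 6. Summarise by the three things step 12 tells you to note: process, operation and path.
#    Sorting by count surfaces the repeated failure you are chasing above one-off background probes.
$denied |
    Group-Object -Property 'Process Name', Operation, Path |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'Process';   Expression = { $_.Group[0].'Process Name' } },
        @{ Name = 'Operation'; Expression = { $_.Group[0].Operation } },
        @{ Name = 'Path';      Expression = { $_.Group[0].Path } } |
    Format-Table -AutoSize

# 7. Keep the raw evidence: the PML (for support) and the filtered CSV (for your own notes).
$denied | Export-Csv -Path ([IO.Path]::ChangeExtension($Pml, '.denied.csv')) -NoTypeInformation
Write-Host "Full log: $Pml"
```

Two points worth knowing when using this instead of the GUI. First, a capture started with /BackingFile records everything, so the DENIED filter is applied afterwards in PowerShell rather than at capture time; that is deliberate, because it leaves you a complete PML to hand to support if the filtered view turns out not to explain the problem. Second, the grouped summary does not tell you which denials are benign: a single RegCreateKey from your failing tool is the interesting line, while dozens of RegOpenKey or CreateFile denials from a browser or an updater are usually just routine probing, which is exactly the caveat above.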


Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded in 2005.
