Using Process Monitor to Track Registry and File System Changes

Process Monitor is an excellent troubleshooting tool from Windows Sysinternals that displays, in real time, the files and registry keys that applications access. The results can be saved to a log file, which you can send to an expert to analyze and troubleshoot a problem.


This article tells you how to use Process Monitor to capture registry and file system accesses by applications. You can also save the events to a log file for further analysis.

Tracing Registry and File System Using Process Monitor

Scenario: Let’s assume you’re unable to write to the HOSTS file in Windows, and want to know what’s happening under the hood. Every step in the following article revolves around this sample scenario.



Note: If a support technician has asked you to save “All Events,” then you don’t need to set the Filtering options. Proceed to “Step 2” in that case.

Step 1: Running Process Monitor & Configuring Filters

  1. Download Process Monitor from Microsoft.
  2. Extract the zip file contents to a folder of your choice.
  3. Run Process Monitor.
  4. If the Filter dialog doesn’t open automatically, press Ctrl + L to open the Process Monitor Filter dialog.
  5. Click “Reset” to clear the existing filters.
  6. Include the processes whose activity you want to track. For this example, add Notepad.exe to the Include filters.
  7. Click Add, and click OK.
    Tip: You can add multiple entries as well, in case you want to track a few more processes along with Notepad.exe. To keep this example more straightforward, let’s include only Notepad.exe.
  8. From the Options menu, click Select Columns.
  9. Under “Event Details,” enable Sequence Number, and click OK.

Step 2: Capturing Events

  1. Open Notepad.
  2. Switch to the Process Monitor window.
  3. Enable the “Capture” mode (if it’s not already ON). You can see the status of the “Capture” mode via the Process Monitor toolbar.
    [Screenshot: the Process Monitor toolbar with the Capture button highlighted]

    The highlighted button in the screenshot above is the “Capture” button, shown here while capturing is off. Click it (or press Ctrl + E) to start tracing. The Process Monitor main window now shows the registry and file events of the filtered processes in real time.
  4. Clear the existing events list with Ctrl + X (important) so that you start afresh.
  5. Now switch to Notepad and try to reproduce the problem.
    To reproduce the problem (for this example), try writing to the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) and saving it. Windows offers to save the file (by showing the Save As dialog) with a different name or in another location.

    So, what happens under the hood when you save to HOSTS? Process Monitor shows exactly that.

    [Screenshot: Process Monitor showing Notepad’s ACCESS DENIED result on the HOSTS file]

  6. Switch to the Process Monitor window and turn off capturing (Ctrl + E) as soon as you have reproduced the problem.
    Important: Reproduce the problem quickly while the trace is on, and turn off capturing as soon as you finish. This keeps Process Monitor from recording unrelated events, which would make the analysis more difficult.

    Solution: The log file above tells us that Notepad encountered an ACCESS DENIED error when writing to the HOSTS file; it lives in a system folder that only administrators can write to. The solution is to run Notepad elevated (right-click and choose “Run as Administrator”), after which writing to the HOSTS file succeeds.

Step 3: Saving the Output

  1. In the Process Monitor window, open the File menu and click Save.
  2. Select Native Process Monitor Format (PML), enter the output file name and path, and save the file.
    Important: If a support technician has asked you to save “All Events,” select “All Events” and save the file. Otherwise, select “Events displayed using current filter” and save the file.
  3. Right-click the Logfile.PML file, click Send To, and choose Compressed (zipped) folder. This shrinks the file by roughly 90%, as the graphic below shows. You certainly want to zip the log file before sending it to someone.

Editor’s note: I usually suggest my clients save the log with the All events option for a thorough analysis. If you’re going to send me a Process Monitor log, make sure you enable the All Events option when saving the log file. Also, don’t forget to compress (.zip) the log file first.
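The same capture, stop, export and compress sequence from Steps 1–3 can be driven from PowerShell with Process Monitor’s command-line switches, and the ACCESS DENIED events then read out of a CSV export instead of the GUI. This is an added example, not the article’s own script; it assumes Procmon.exe was extracted to C:\Tools\Procmon (a placeholder path) and that the script runs elevated.

```powershell
# Added example (not from the article): run the Steps 1-3 capture from PowerShell
# using Process Monitor's command-line switches, then pull Notepad's ACCESS DENIED
# events out of a CSV export of the trace.
# Assumptions: Procmon.exe is extracted to C:\Tools\Procmon (placeholder path) and
# this script runs elevated, which Procmon needs to load its driver.
$Procmon = 'C:\Tools\Procmon\Procmon.exe'
$LogDir  = 'C:\Temp\ProcmonTrace'
$Pml     = Join-Path $LogDir 'Logfile.PML'
$Csv     = Join-Path $LogDir 'Logfile.csv'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Start capturing straight into a backing file (all events are recorded; the
# display filter from Step 1 only matters when the log is viewed or exported).
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Pml`""
)
Start-Sleep -Seconds 5   # give the driver a moment to load before reproducing

# Reproduce the problem from Step 2: open HOSTS in Notepad and try to save it.
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Start-Process -FilePath 'notepad.exe' -ArgumentList "`"$HostsFile`""
Read-Host 'Try to save the HOSTS file in Notepad, then press Enter to stop capturing'

# Stop the capture as soon as the problem has been reproduced (Step 2, item 6).
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# Convert the PML to CSV; without /SaveApplyFilter this is an "All Events" export.
Start-Process -FilePath $Procmon -ArgumentList @(
    '/OpenLog', "`"$Pml`"", '/SaveAs', "`"$Csv`""
) -Wait

# The Result column carries the outcome of each operation (SUCCESS, ACCESS DENIED,
# NAME NOT FOUND, ...). Keep only Notepad's denied operations and count them by
# operation and path; for HOSTS this is the CreateFile that asks for write access.
$Denied = Import-Csv -Path $Csv | Where-Object {
    $_.'Process Name' -ieq 'notepad.exe' -and $_.Result -eq 'ACCESS DENIED'
}
$Denied | Group-Object -Property Operation, Path |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Step 3: zip the PML before sending it on; the archive is far smaller than the log.
Compress-Archive -Path $Pml -DestinationPath (Join-Path $LogDir 'Logfile.zip') -Force
```

The CSV column names (Process Name, Operation, Path, Result) are the ones Process Monitor writes by default; if you export with extra columns enabled, such as the Sequence Number from Step 1, the filter above still works because it selects columns by name.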


Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

6 thoughts on “Using Process Monitor to Track Registry and File System Changes”

  1. Thanks for this – it was refreshingly well-written and was useful for me.
    Sites like this, written by someone who is able to communicate well, are
    getting very scarce!
  2. How can we run procmon in the background, even when the user logs out?
    I am troubleshooting an issue which occurs once a week and I can't keep procmon running in my session.