{"id":988,"date":"2009-02-01T12:37:49","date_gmt":"2009-02-01T07:07:49","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=988"},"modified":"2022-12-07T10:38:42","modified_gmt":"2022-12-07T05:08:42","slug":"process-monitor-track-events-generate-log-file","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/process-monitor-track-events-generate-log-file\/","title":{"rendered":"Using Process Monitor to Track Registry and File System Changes"},"content":{"rendered":"

Process Monitor is an excellent troubleshooting tool from Windows Sysinternals that displays the files and registry keys that applications access in real-time. The results can be saved to a log file, which you can send to an expert for analyzing a problem and troubleshooting it.<\/p>\n

\"Process<\/p>\n

This article tells you how to use Process Monitor to capture registry and file system accesses by applications. You can also save the events to a log file for further analysis.<\/p>\n

Tracing Registry and File System Using Process Monitor<\/h2>\n

Scenario:<\/strong>\u00a0Let’s assume you’re unable to write to the HOSTS<\/b> file in Windows, and want to know what’s happening under the hood. Every step in the following article revolves around this sample scenario.<\/em><\/p>\n

\"tipsNote:<\/strong> If a support technician has asked you to save “All Events,” then you don’t need to set the Filtering options. Proceed to “Step 2” in that case.<\/p>\n

Step 1: Running Process Monitor & Configuring Filters<\/h3>\n
    \n
  1. Download Process Monitor<\/a> from Microsoft.<\/li>\n
  2. Extract the zip file contents to a folder of your choice.<\/li>\n
  3. Run Process Monitor.<\/li>\n
  4. If the Filter dialog doesn’t open automatically, press Ctrl<\/kbd> + L<\/kbd> to open the Process Monitor Filter dialog.<\/li>\n
  5. Click “Reset” to clear the existing filters.<\/li>\n
  6. Include the processes that you want to track the activity on. For this example, you want to include Notepad.exe<\/code> in the (Include) Filters.
    \n\"process<\/li>\n
  7. Click Add<\/b>, and click OK<\/b>.\n
    Tip:<\/strong> You can add multiple entries as well, in case you want to track a few more processes along with Notepad.exe<\/code>. To keep this example more straightforward, let’s include only Notepad.exe<\/code>.<\/em><\/div>\n<\/li>\n
  8. From the Options<\/b> menu, click Select Columns<\/b>.<\/li>\n
  9. Under “Event Details,” enable Sequence Number<\/b>, and click OK<\/b>.
    \n\"process<\/li>\n<\/ol>\n

    Step 2: Capturing Events<\/h3>\n
      \n
    1. Open Notepad.<\/li>\n
    2. Switch to the Process Monitor window.<\/li>\n
    3. Enable the “Capture” mode (if it’s not already ON). You can see the status of the “Capture” mode via the Process Monitor toolbar.
      \n\"Process<\/p>\n
      The highlighted button above is the “Capture” button, which is currently disabled. You need to click that button (or press Ctrl<\/kbd> + E<\/kbd>) to start tracing. <\/i>You’ll now see the Process Monitor main window capturing registry and file events by processes in real time.<\/em><\/div>\n<\/li>\n
    4. Cleanup the existing events list using Ctrl<\/kbd> + X<\/kbd> key sequence (Important<\/span>) and start afresh<\/li>\n
    5. Now switch to Notepad and try to reproduce the problem<\/b>.\n
      To reproduce the problem (for this example), try writing to the HOSTS file (C:\\Windows\\System32\\Drivers\\Etc\\HOSTS<\/code>) and saving it. Windows offers to save the file (by showing the Save As dialog) with a different name or in another location<\/i>.<\/div>\n

      So, what happens under the hood when you save to HOSTS? Process Monitor shows that, exactly.<\/i><\/h4>\n

      \"process<\/li>\n

    6. Switch to the Process Monitor window, and turn off Capturing (Ctrl<\/kbd> + E<\/kbd>) as soon as you reproduce the problem.\n
      Important:<\/b> Reproduce the problem quickly when the trace is On. And turn off capturing as soon as you finish reproducing the problem. This prevents Process Monitor from recording other unneeded data (which makes the analysis more difficult). So it would be best if you did everything as quickly as possible.<\/div>\n

      Solution:<\/strong> The log file above tells us that Notepad encountered an ACCESS DENIED<\/strong><\/code> error when writing to the HOSTS<\/code> file. The solution would be to run Notepad elevated (right-click and choose “Run as Administrator”) to write to the HOSTS<\/code> file successfully.<\/li>\n<\/ol>\n

      Step 3: Saving the Output<\/h3>\n
        \n
      1. In the Process Monitor window, select the File<\/b> menu and click Save<\/b><\/li>\n
      2. Select Native Process Monitor Format (PML)<\/b>, mention the output file name and Path, and save the file.
        \n\"ProcMonImportant:<\/strong><\/strong> If a support technician has asked you to save “All Events,” select “All Events” and save the file. Otherwise, select “Events displayed using current filter” and save the file.<\/em><\/li>\n
      3. Right-click on the Logfile.PML<\/code>\u00a0file, click Send To, and choose Compressed (zipped) folder<\/code>. This compresses the file by ~90%<\/code>. Look at the graphic below.\u00a0You certainly want to zip the log file before sending it to someone.
        \n<\/li>\n<\/ol>\n

        Editor’s note:<\/strong> I usually suggest my clients save the log with the All events<\/b> option for a thorough analysis. If you’re going to send me a Process Monitor log, make sure you enable the All Events<\/b> option when saving the log file. Also, don’t forget the compress (.zip) the log file first.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

        Process Monitor is an excellent troubleshooting tool from Windows Sysinternals that displays the files and registry keys that applications access in real-time. The results can be saved to a log file, which you can send to an expert for analyzing a problem and troubleshooting it. This article tells you how to use Process Monitor to … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[414],"class_list":["post-988","post","type-post","status-publish","format-standard","hentry","category-windows","tag-process-monitor"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":2149,"url":"https:\/\/www.winhelponline.com\/blog\/process-monitor-track-access-denied-registry-file-events\/","url_meta":{"origin":988,"position":0},"title":"How to Track “Access Denied” Registry and File Events Using Process Monitor","author":"Ramesh","date":"March 17, 2016","format":false,"excerpt":"A well-written application does proper error handling, notifying the user in detail about the error it countered and how to go about fixing it, rather than failing silently or throwing up an obscure error code and quitting. This post tells you how to trace \"Access Denied\" events for file and\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/w10\/p-mon-1.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":1062,"url":"https:\/\/www.winhelponline.com\/blog\/resource-monitor-find-process-locked-file-windows-7\/","url_meta":{"origin":988,"position":1},"title":"How to Use Resource Monitor to Find Which Process Has Locked a File","author":"Ramesh","date":"July 21, 2010","format":false,"excerpt":"Many folks use Process Explorer from Windows Sysinternals to gather information about running processes and their open handles. In addition, there is an excellent but less familiar utility in-built with Windows 7 and higher (including Windows 10\/11). The built-in utility is Resource Monitor, which provides complete details of running processes,\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"openfiles","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/10\/openfiles-4.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":19471,"url":"https:\/\/www.winhelponline.com\/blog\/cannot-import-reg-not-all-data-was-successfully\/","url_meta":{"origin":988,"position":2},"title":"Cannot import .REG file; Not all data was successfully written to registry","author":"Ramesh","date":"October 22, 2020","format":false,"excerpt":"Sometimes, when applying the registry settings using a .reg file, you may get one of the following errors: Cannot import file.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes, or you have insufficient privileges to perform this operation. Cannot\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"cannot import .reg file - error accessing registry","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/reg-file-import-error-4.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/reg-file-import-error-4.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/reg-file-import-error-4.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/10\/reg-file-import-error-4.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":76091,"url":"https:\/\/www.winhelponline.com\/blog\/boot-trace-process-monitor\/","url_meta":{"origin":988,"position":3},"title":"How to Run a Boot Trace Using Process Monitor","author":"Ramesh","date":"July 25, 2024","format":false,"excerpt":"Process Monitor is an excellent diagnostic tool from Microsoft Sysinternals. It can run a trace during the current Windows session or trace the boot process. Let's see how to enable boot tracing using Process Monitor. Enable Boot Logging using Process Monitor Download Process Monitor and run it. Read and accept\u2026","rel":"","context":"In "Utilities"","block_context":{"text":"Utilities","link":"https:\/\/www.winhelponline.com\/blog\/category\/utilities\/"},"img":{"alt_text":"Process monitor boot logging","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/07\/procmon-boot-log-9.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/07\/procmon-boot-log-9.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/07\/procmon-boot-log-9.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2024\/07\/procmon-boot-log-9.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":5637,"url":"https:\/\/www.winhelponline.com\/blog\/process-monitor-unable-to-write-procmon23-boot-logging\/","url_meta":{"origin":988,"position":4},"title":"Process Monitor “Unable to write PROCMON23.SYS” Enabling Boot Logging","author":"Ramesh","date":"October 25, 2017","format":false,"excerpt":"Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process\/thread activity. It can also trace the entire boot process and save to a PML log file. When enabling the setting \"Enable Boot Logging\" from the Options menu in Process Monitor, the following error\u2026","rel":"","context":"In "Utilities"","block_context":{"text":"Utilities","link":"https:\/\/www.winhelponline.com\/blog\/category\/utilities\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/10\/procmon-boot-logging-error.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":5946,"url":"https:\/\/www.winhelponline.com\/blog\/program-constantly-writing-hard-disk-io\/","url_meta":{"origin":988,"position":5},"title":"Find Which Program is Constantly Reading or Writing to Disk","author":"Ramesh","date":"November 4, 2017","format":false,"excerpt":"Does your hard drive LED in the computer's chassis show non-stop disk input or output activity? If the I\/O operations occur at an alarming rate, sometimes even at 100% disk usage, find the process and stop it from running, especially if you're using Solid State Drive. If you're wondering which\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"track disk io usage","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/track-disk-usage-windows.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/track-disk-usage-windows.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/track-disk-usage-windows.jpg?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=988"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/988\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}