Process Monitor - Hands-On Labs and Examples

Introduction

Process Monitor is a troubleshooting and data collection tool used by many systems administrators as well as Microsoft’s support organization. The goal of this post is to help you gain hands-on experience using this valuable troubleshooting tool and subsequently to facilitate progress towards resolving virtualization issues with your apps should they be encountered.

Most of the content in this document consists of three troubleshooting examples that represent three common types of issues that you may encounter. The first example provides Process Monitor basics, including the critically important filtering capabilities of the tool. The two subsequent examples further utilize the techniques described in the first example. Please note that example two and three do not repeat detailed instructions that are presented in example one. In other words, don't skip example one.

Much of the information presented here comes from various sources available via Microsoft’s public sites; it is just packaged and presented in a different way. Resource links are provided at the end of this document.

Process Monitor Defined

Process Monitor is an advanced monitoring tool for Windows that shows real-time File System, Registry and Process/Thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon. Its uniquely powerful features make Process Monitor a core utility for system troubleshooting.

The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Microsoft acquired Sysinternals in July, 2006.

Process Monitor Requirements

OS Requirements: Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1 or Windows Vista

Process Monitor Enhancements over Filemon and Regmon

  • Configurable boot time logging of all operations
  • Non-destructive filters allow you to set filters without losing data
  • Can log data to a file instead of in process virtual memory
  • Configurable and moveable columns for any event property
  • Advanced logging architecture scales to tens of millions of captured events, gigabytes of log data
  • Monitoring of process and thread startup and exit, including exit status codes
  • Monitoring of image (DLL and kernel-mode device driver) loads
  • More data captured for operation input and output parameters
  • Capture of thread stacks makes it possible to identify the root cause of an operation
  • Reliable capture of process details, including image path, command line, user and session ID
  • Filters can be set for any data field, including fields not configured as columns
  • Process tree tool shows relationship of all processes referenced in a trace
  • Native log format preserves all data for loading in a different Process Monitor instance
  • Process tooltip for easy viewing of process image information
  • Detail tooltip allows convenient access to formatted data that doesn't fit in the column
  • Cancellable search

Installation Instructions and Launch Experience

You do not install Process Monitor. You simply download the zip file, extract the zip file contents (EULA.txt, procmon.chm, procmon.exe) to a folder of your choice, and double click on Procmon.exe to launch the tool. When Process Monitor launches you may need to grant permission to run the tool, depending on the User Account Control setting on the computer. Process Monitor can be downloaded at https://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx.

As soon as Process Monitor appears it will start capturing File, Registry, and Process/Thread information. To stop or start data capturing activity, click on the “Capture” button, shown below:

[Image: the Capture button on the Process Monitor toolbar]

Troubleshooting Example 1 – Registry Settings Location

(Can be done on any OS that supports Process Monitor)

There are times when you want to identify where in the registry an application's settings are stored. Knowing where in the registry this information is stored will allow you to do things like scan all computers in the environment for a setting that should be in place. If the setting is not there on a particular computer you can target the computer for subsequent mitigation activity.

To demonstrate how Process Monitor can be used to identify where application settings are stored we will use Notepad.exe. Specifically, we want to identify where in the registry Font and Font Size settings are stored for the Notepad application.

Data Capture Steps:

1. Launch Process Monitor (procmon.exe) by double clicking it

2. Make sure Process Monitor is set to capture data; it should be by default. You can determine if Process Monitor is collecting data via the following ways:

a. Check that the “Capture” button does not have a red “X” over it. If it does have a red “X” over it simply click the capture button once to remove the “X”. This button is a toggle switch that will stop and start the capture of data.

[Image: the Capture button, with and without the red “X”]

b. Check that events are being captured by viewing status information in the lower left corner of Process Monitor. If the tool is capturing data, the numbers displayed as “Showing ‘X’ of ‘Y’ events” will be incrementing upward.

[Image: the status bar reading “Showing ‘X’ of ‘Y’ events”]

3. Launch Notepad

4. Enter some text into the Notepad document

5. Click on the Format menu and then on the Font menu item

a. In the Font window change the Font to “Batang”
b. In the Font window change the Size to “28”
c. Click on the “Ok” button

6. Save the Notepad document as Example1.txt

7. Close Notepad

8. Stop Process Monitor capture activity by clicking on the “Capture” button shown above in step 2a (the icon should now show an “X” over the magnifying glass)

At this point we have captured File, Registry, and Process/Thread activity during a Font and Font Size change in Notepad.exe in addition to all other activity occurring on the machine during the capture period. As such, we no longer need Notepad running and we do not need Process Monitor to capture any more data. That is why we closed Notepad and stopped Process Monitor from capturing additional data.

Data Review Steps:

The goal of this review is to identify where Notepad.exe stores Font and Font Size information in the registry. Process Monitor captures a lot of data in a short period of time; over a hundred thousand events can be captured in under a minute. Thankfully, the filtering capabilities of Process Monitor will allow us to quickly zone in on the data we are looking for. The real troubleshooting value of Process Monitor is realized via filtering.

1. Since we are only interested in Registry information, we will filter out File and Process information by deselecting the “Show File System Activity” and “Show Process and Thread Activity” buttons. Simply click on these buttons, which function like toggle switches.

[Image: the “Show File System Activity” and “Show Process and Thread Activity” toolbar buttons]

Notice that once you deselect File and Process information, the display window only shows operations of type “Reg…” under the Operations column. You can toggle File and Process information on and off and not worry about losing any captured data. All filtering in Process Monitor is non-destructive.

2. You can filter information in two ways. One way is to filter the displayed capture data on the fly. You do this by moving over a line item in the display area and right clicking. This brings up a floating menu that allows you to “Include” and/or “Exclude" displayed data.

[Image: the right-click floating menu with the Include and Exclude items]

In this case, we know we are looking for a Process Name of Notepad.exe. So, right click over any line item that has something other than “Notepad.exe” under the “Process Name” column and select “Exclude” in the floating menu. A subsequent floating window appears that displays a list of the column names; select “Process Name” from this list. The result is that all line items with the Process Name you highlighted via right clicking disappear from the display window. Do this for several other Process Names other than “Notepad.exe”.

3. The second way to filter is to use the “Process Monitor Filter” window. This window allows you to review existing filters, remove existing filters and to add new filters. Click on the “Filter” menu on the toolbar and then on the “Filter…” menu item to launch the “Process Monitor Filter” window.

[Image: the Process Monitor Filter window]

  • Select “Process Name” from the Column list box
  • Select “is” from the Relation list box
  • Type “Notepad.exe” in the Value text box
  • Select “Include” from the Action list box
  • Click on the Add button
  • Click on Apply and OK

The resulting display will only show registry information for Notepad.exe; still a lot of data, but we are getting closer.

4. Now, we know we are looking for some type of registry operation that sets or writes a value, specifically the Font and Font size values. So, per the instructions in step 2 above, perform on the fly filtering to exclude operations circled below:

[Image: line items with the RegOpenKey, RegQueryValue, RegCloseKey and RegEnumValue operations circled]

In short, right click over “RegOpenKey”, click “Exclude”, and click “Operation”. Repeat this process for the other three operations shown above (RegQueryValue, RegCloseKey, and RegEnumValue).

5. This should leave us with a relatively small set of captured data in the display window. Scroll through the remaining data to find an Operation called “RegSetValue”; this operation sounds appropriate. So, perform on the fly filtering, by right clicking on a “RegSetValue” line item, but instead of clicking on “Exclude” click on “Include”, and then on “Operation”.

6. With only registry information for the RegSetValue operation of the Notepad.exe process showing in the display window, we have really narrowed our search down. Now, scroll through the displayed data and pay attention to the “Detail” column and the “Path” column. While scrolling through the data, you will notice a registry path that looks appropriate (HKCU\Software\Microsoft\Notepad) and will find the word Batang in the Detail column of the line that writes the lfFaceName value.

[Image: the RegSetValue line items under HKCU\Software\Microsoft\Notepad, with the path highlighted]

7. To go to the registry location identified under the Path column, highlighted above, right click on the path and click on the “Jump To…” menu item. The Registry Editor will open and you will find all of the format settings for Notepad, including lfFaceName (Font) and iPointSize (Font Size).

8. Before closing Process Monitor reset the filters by clicking on the “Filter” menu in the toolbar and then on “Reset Filter”.

You have completed Example 1, congratulations.

Troubleshooting Example 2 – Registry Permissions

(Example must be done on a Vista machine)

Sometimes incorrect permissions on registry keys can prevent users from running an application or a utility. If permissions on a registry key are the cause of an application launch failure, uninstalling and reinstalling may not solve the problem. Using Process Monitor to identify the real cause of the application launch failure may save considerable time and frustration.

To demonstrate how Process Monitor can be used to identify what is preventing an application from launching we will use PsList.exe. PsList is a tool that lets you view detailed information about processes. You will need to download PsList to work through this example. The tool is available via the following link: https://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/PsList.mspx

PsList Setup

1. Download PsList via the link above and save it to “C:\temp”; note the download is a zip file.

2. Extract the zip file contents to its default location – “C:\temp\PsTools”

Problem Setup:

For this demonstration, you need to make sure that the “Authenticated Users” group has no permissions on the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib.

1. Open the Registry Editor (regedit.exe)

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

3. Right click on the Perflib key and click on the “Permissions…” menu item

4. Review the list of “Groups or user names” to see if “Authenticated Users” is listed

a. If “Authenticated Users” is listed, highlight it and then click on the Remove button.
b. If “Authenticated Users” is not listed, do nothing

5. Close out of the registry editor.

Data Capture Steps:

1. Launch Process Monitor (procmon.exe) by double clicking it

2. Make sure Process Monitor is capturing data

3. Open a Command window

4. In the Command window type “C:\temp\PsTools\PsList”, without the quotes and hit Enter

[Image: the Command window showing the PsList failure]

Notice the result “Failed to take process snapshot on <computername>”.

5. Minimize the command window and stop Process Monitor from capturing any more data.

Data Review Steps:

The goal of this review is to identify why PsList is failing to run. Process Monitor captures a lot of data in a short period of time; over a hundred thousand events can be captured in under a minute. Thankfully, the filtering capabilities of Process Monitor will allow us to quickly zone in on the data we are looking for. The real troubleshooting value of Process Monitor is realized via filtering.

At this point, we do not know where the problem resides. Unlike the Notepad example where we knew we were looking for Registry information, we will not be turning off any of the three major groups of data (File System, Registry, Process and Thread).

1. Since we know the process name we want to isolate (PsList.exe), let’s apply a filter via the Process Monitor Filter window to only show us PsList.exe.

[Image: the Process Monitor Filter window with the Process Name is PsList.exe rule]

  • Select “Process Name” from the Column selector list box
  • Select “is” from the Relation selector list box
  • Type “PsList.exe” in the Value text box
  • Select “Include” from the Action list box
  • Click on the Add button
  • Click on Apply and OK

2. Looking at the displayed data we still see hundreds of events. If you look at the “Result” column you will see numerous types, including a lot that are “Success”. Given that our application is failing to launch, we can safely assume that a result of Success is not what we are looking for. So, filter out all events whose Result is Success via on the fly filtering. Right click over a line item that has Success under the Result column, click on Exclude, and then on Result.

3. This now leaves us with a little under one hundred events currently displayed. Manually scroll through the data and look for something that looks suspicious… You should see about five line items that have “Access Denied” under the Result column. Among all of the other events, this is the most promising. So, filter out all other Result types via on the fly filtering. Right click over a line item that has Access Denied under the Result column, click on Include, and then on Result.

4. Review the details for the remaining display data. You will notice that the Operation being attempted is “RegOpenKey” and that the key in question is listed under the Path column: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

5. Right click on the Path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib and click on “Jump To…”. This will open the Registry Editor and take us to the Perflib key.

6. Right click on the Perflib key, click on “Permissions…” and add “Authenticated Users” back, with Read permission. Close out of the Registry Editor.

7. Go back to the Command window and try running PsList again by typing “C:\temp\PsTools\PsList.exe”. It should now run without error.

8. Before closing Process Monitor reset the filters by clicking on the “Filter” menu in the toolbar and then on “Reset Filter”.

You have completed Example 2, congratulations.

Troubleshooting Example 3 – File Permissions

(Example must be done on a Vista machine)

Sometimes incorrect permissions on files can prevent users from running an application or a utility. If permissions on a file are the cause of an application launch failure, uninstalling and reinstalling may not solve the problem. Additionally, sometimes the error messages generated during the application launch failure can be misleading. Using Process Monitor to identify the real cause of the application launch failure may save considerable time and frustration.

To demonstrate how Process Monitor can be used to identify what is preventing an application from launching we will use PurblePlace.exe. Purble Place is a game that comes with Windows Vista and is rated “E” for everyone.

Problem Setup:

For this demonstration, you need to make sure that the “Users” group has no permissions on the file PurblePlace.dll.

1. Open Windows Explorer and navigate to “C:\Program Files\Microsoft Games\Purble Place”

2. Right click on the PurblePlace.dll and click on Properties. Then, click on the Security tab and the Edit button.

3. Review the list of “Groups or user names” to see if “Users” is listed

a. If “Users” is listed, highlight it and then click on the Remove button. Then, click on the Apply and OK buttons. Lastly, close out of the Properties window.
b. If “Users” is not listed, click on the Cancel button and close out of the Properties window.

4. Close Windows Explorer.

Data Capture Steps:

1. Launch Process Monitor (procmon.exe) by double clicking it

2. Make sure Process Monitor is capturing data

3. Launch Purble Place by clicking on Start, Games, and Purble Place. The following error should be generated:

[Image: the error dialog stating that PurblePlace.dll is missing]

This is an example of a misleading error message, because the file does exist.

4. Stop Process Monitor from capturing any more data.

Data Review Steps:

The goal of this review is to identify why Purble Place is failing to run. Based on the error message that was generated, it appears that PurblePlace.dll is missing. We will review the data Process Monitor captured to uncover the truth. Process Monitor captures a lot of data in a short period of time; over a hundred thousand events can be captured in under a minute. Thankfully, the filtering capabilities of Process Monitor will allow us to quickly zone in on the data we are looking for. The real troubleshooting value of Process Monitor is realized via filtering.

At this point, we do not know where the problem resides. Unlike the Notepad example where we knew we were looking for Registry information in the beginning, we will not be turning off any of the three major groups of data (File System, Registry, Process and Thread).

1. Since the error message specified the file name “PurblePlace.dll”, let’s apply a filter via the Process Monitor Filter window to only show us events related to it.

[Image: the Process Monitor Filter window with the Path contains PurblePlace.dll rule]

  • Select “Path” from the Column selector list box
  • Select “contains” from the Relation selector list box
  • Type “PurblePlace.dll” in the Value text box
  • Select “Include” from the Action list box
  • Click on the Add button
  • Click on Apply and OK

2. As you can see from the resulting display data under the Path column, PurblePlace.dll was found. You also see that the application is getting an Access Denied result when it tries to do a Generic Read; sounds like a permission problem and not a missing file problem.

[Image: CreateFile events on PurblePlace.dll showing an Access Denied result for a Generic Read]

3. Let’s go fix the permissions of PurblePlace.dll. To do this, right click under the Path column on a line that shows PurblePlace.dll and click on “Jump To…”.

4. Right click on PurblePlace.dll and click on Properties. Then, click on the Security tab and the Continue button (possibly once more, depending on the machine’s User Account Control settings).

5. In the Permissions window click on the Add button, then type “Users”, and click OK. Lastly, click on Apply and OK.

6. Now try launching Purble Place by clicking on Start, Games, and Purble Place. It should run without error.

7. Before closing Process Monitor reset the filters by clicking on the “Filter” menu in the toolbar and then on “Reset Filter”.

You have completed Example 3, congratulations.
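The triage carried out in the Data Review steps of Examples 2 and 3 (drop the Success rows, look at what is left, and prefer Access Denied over the routine Name Not Found probes that every launch produces) can be written down as a script. The one below is an added example, not part of the original lab: it reads a CSV export with Process Monitor's default columns and returns a verdict for a named process. The PurblePlace.exe and PsList.exe rows are constructed, with Result strings spelled the way Process Monitor prints them; the function names and the file-versus-registry verdict are this example's own.

```python
"""Triage a failed application launch from a Process Monitor CSV export.

Added example for Examples 2 and 3; assumptions not taken from the lab: the
trace was saved as CSV with Process Monitor's default columns, and every row
in SAMPLE_CSV is constructed for this demo rather than captured.
"""
import csv
import io
from collections import Counter

# Constructed sample: a Purble Place launch refused on its DLL, and a PsList
# run refused on the Perflib key, surrounded by the usual successful rows and
# NAME NOT FOUND probes that a loader performs on every start.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:02:00.0100","PurblePlace.exe","3120","Process Start","","SUCCESS","Parent PID: 1204"
"11:02:00.0120","PurblePlace.exe","3120","Load Image","C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x21000"
"11:02:00.0200","PurblePlace.exe","3120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PurblePlace.exe","NAME NOT FOUND","Desired Access: Read"
"11:02:00.0300","PurblePlace.exe","3120","CreateFile","C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes"
"11:02:00.0400","PurblePlace.exe","3120","CreateFile","C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll","ACCESS DENIED","Desired Access: Generic Read"
"11:02:00.0500","PurblePlace.exe","3120","Process Exit","","SUCCESS","Exit Status: -1073741515"
"11:03:10.0100","PsList.exe","4410","Process Start","","SUCCESS","Parent PID: 2200"
"11:03:10.0200","PsList.exe","4410","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib","ACCESS DENIED","Desired Access: Read"
'''

# Registry hive abbreviations as they appear in the Path column.
REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")
# Results that are routine probing and do not by themselves explain a failure.
MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}


def events_for(text, process):
    """Data Review step 1: keep only the process we are interested in."""
    return [e for e in csv.DictReader(io.StringIO(text))
            if e["Process Name"].lower() == process.lower()]


def non_success(events):
    """Step 2: drop the SUCCESS rows and count what is left, per Result."""
    failed = [e for e in events if e["Result"] != "SUCCESS"]
    return failed, Counter(e["Result"] for e in failed)


def diagnose(text, process):
    """Steps 3 and 4: rank ACCESS DENIED above the NAME NOT FOUND noise and
    say whether the denial is on a file or on a registry key."""
    events = events_for(text, process)
    if not events:
        return {"verdict": "no events for process", "paths": [], "counts": {}}
    failed, counts = non_success(events)
    denied = sorted({e["Path"] for e in failed if e["Result"] == "ACCESS DENIED"})
    if denied:
        kind = "registry" if denied[0].upper().startswith(REGISTRY_ROOTS) else "file"
        return {"verdict": f"{kind} permission problem",
                "paths": denied, "counts": dict(counts)}
    # No denial: hand back the genuinely missing paths for a manual look.
    missing = sorted({e["Path"] for e in failed if e["Result"] in MISSING})
    return {"verdict": "no access denial; review NAME NOT FOUND paths",
            "paths": missing, "counts": dict(counts)}


if __name__ == "__main__":
    for proc in ("PurblePlace.exe", "PsList.exe"):
        report = diagnose(SAMPLE_CSV, proc)
        print(proc, "->", report["verdict"], report["counts"])
        for path in report["paths"]:
            print("   ", path)
```

For Example 3 the verdict points at the very DLL the error dialog claimed was missing, but with an Access Denied on a Generic Read rather than a Name Not Found, which is exactly the distinction step 2 of the review draws; for Example 2 it lands on the Perflib key, ready for the Jump To step.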

Process Monitor / Sysinternals Resources

Webcast - Advanced Windows Troubleshooting with Process Monitor: https://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032345496&EventCategory=4&culture=en-US&CountryCode=US

Process Monitor: https://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx

Process Monitor Forum: https://forum.sysinternals.com/

Windows Sysinternals: https://technet.microsoft.com/en-us/sysinternals/default.aspx

========

As you can see, Process Monitor not only helps troubleshoot regular application-related issues but is also invaluable when troubleshooting sequencing issues using Microsoft Application Virtualization (aka SoftGrid).

Enjoy!

Steven Rouleau | Technical Account Manager