In our post last month regarding a Basic Troubleshooting Toolkit, one of the tools we mentioned was Process Monitor. The new version of Process Monitor combines the old Process Monitor tool with the File Monitor (FileMon) and Registry Monitor (RegMon) tools. So today we’re going to provide a quick overview of Process Monitor and then work through a couple of scenarios. So let’s get started …
Process Monitor is one of the most versatile tools to use in troubleshooting. Issues we use Process Monitor for include:
- Troubleshoot Application Failures (installs and uninstalls, launch failures etc)
- Troubleshoot File System issues (access, permissions, etc)
- Troubleshoot Registry issues (access, permissions, etc)
- Enable Boot logging to monitor the system from boot
- Examine the stack of an Application
- Troubleshoot misleading error messages
- Determine the registry settings for an application
Setting up Process Monitor is very easy – there’s actually no real setup required!
- Download Process Monitor
- Extract the .zip file, and run Procmon.exe
- Click Agree to the EULA screen
- Process Monitor will start logging automatically
OK, now that you have Process Monitor up and running, let’s quickly point out a couple of features on the interface:
In the main toolbar, you’ll see this set of buttons. By toggling these buttons on / off, you can choose whether or not to view the Registry Activity, the File System Activity and the Process / Thread activity.
If you double click on an event in the log you can bring up the property sheet for that event which includes basic information about the event on the first tab. The Process Tab includes information about the path, the Process ID, the Parent Process ID, the User and relevant DLL files. Finally, the Stack tab provides a very basic view of the stack for that event. The stack output indicates Kernel-mode calls with a “K” and User-mode calls with a “U”. If Process Monitor is able to locate symbols for images referenced in the trace it will attempt to resolve addresses to the functions in which they reside.
You can also configure Process Monitor to log activity very early in the boot process – during the initialization of boot-start device drivers. To configure Boot Logging, select “Enable Boot Logging” from the Options Menu.
Let’s take a look at a couple of sample scenarios that I set up:
Scenario 1: Uninstalling an Application
I’m interested in PowerShell – so I have been playing with a trial version of PowerGadgetsto create Powershell Gadgets. Recently, my trial period expired, so I had to uninstall the software. When I tried to uninstall the software, I encountered the following error:
Hmm – OK, so it looks like there’s a problem with this file. I see the Power Gadgets folder in my Program files directory, and I see the correct .ifx file there, so what’s the problem? Time to fire up Process Monitor and track down the real failure …
I launched a Process Monitor capture and tried to uninstall the program again. This time, I can see that there’s a “PATH NOT FOUND” error logged in Process Monitor. Hmm … I thought that path was there, right?
Now I see where the problem is! The program is looking for C:\Program Files\PowerGadgets – but the actual file path is C:\Program Files\Power Gadgets – there’s a space in the folder name. To be fair, the original error message shows that the uninstaller is looking for a folder without a space in the name, but I just overlooked it the first time!
After renaming the folder to “PowerGadgets”, the uninstall works as expected.
As you can see, I missed this simple difference the first time – it’s easy to do – but after looking at the Process Monitor log and the failure, I could see where the problem lay. On to our next example …
Scenario 2: Service Startup Failure
When I try and start my APC UPS Service, I receive the following error:
Hmm – a problem with a path when starting the service usually indicates some problem with the registry information. One way to troubleshoot this would be to just open up Registry Editor and look at the properties for the service – but let’s use Process Monitor instead – because we can trace both File and Registry information simultaneously if we need to look at both sets of information. Time to fire up Process Monitor and start a capture …
Looking at the log above, we are not actually running into an issue with the path not being found. The problem is that we are getting an “ACCESS DENIED” message when we try to read the service information from the HKLM\System\CurrentControlSet\Services\APC UPS Serviceregistry key. I checked the permissions on this registry key, and discovered that the Local Admin group had Deny access. Once this was corrected – the service started up just fine.
These are both fairly simple scenarios – but they illustrate the value of using Process Monitor as a troubleshooting tool.