Mystery behind Sysinternals Process Monitor (Procmon.exe) & Out of space C: Drive

This post is about Sysinternals Process Monitor. Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. You can watch my recently published video Sysinternals Tools for IT Professionals – PART I 

This is what ProcMon looks like when it is showing all activity.


One of the features in Process Monitor is the BOOT LOGGING feature. To enable boot logging, click Options –> Enable Boot Logging.


Once clicked, it shows the following screen. The first line is very IMPORTANT: it says Process Monitor is configured to log activity during the next boot.

You may choose Generate profiling events or not, then click OK.


The moment you click OK, it attaches the PROCMON20.sys driver, and on the next reboot it will start logging. You can check this with Sysinternals Autoruns.


Now, restart your PC.

Well, now that you have rebooted, you start using the machine as usual. If you are using the system WITHOUT RE-OPENING PROCMON.EXE & SAVING THE LOGS, the ProcMon driver keeps writing to a file at C:\Windows\Procmon.pmb. This file keeps growing as it stores every logged event so that you can access them later. THIS IS THE EXACT REASON YOU WILL END UP SEEING YOUR C: DRIVE LOOKING LIKE THIS.
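As an added example (not part of the original post), the PowerShell function below checks the two things the post describes from a single console: whether a PROCMON* kernel driver is registered (what Autoruns would show), and how large C:\Windows\Procmon.pmb has grown. It assumes the boot-logging driver is registered as a kernel driver service whose name starts with "PROCMON" and that the log file sits at $env:SystemRoot\Procmon.pmb as the post states; the 1 GB warning threshold is an arbitrary choice.

```powershell
# Added example, not from the original post.
# Assumptions (not stated in the post): the boot-logging driver shows up as a
# Win32_SystemDriver whose name starts with "PROCMON", and the boot log is
# written to $env:SystemRoot\Procmon.pmb. The warning threshold is arbitrary.

function Get-ProcmonBootLogState {
    [CmdletBinding()]
    param(
        # Warn once the .pmb file exceeds this many bytes (default 1 GB)
        [long]$WarnBytes = 1GB
    )

    # 1. Is a PROCMON* kernel driver registered? (What Autoruns lists under Drivers.)
    $driver = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'PROCMON*' }

    # 2. How big is the boot log the driver writes until Procmon.exe saves it?
    $pmbPath = Join-Path $env:SystemRoot 'Procmon.pmb'
    $pmb = Get-Item -LiteralPath $pmbPath -ErrorAction SilentlyContinue

    # 3. How much free space is left on the system drive?
    $sysDrive = $env:SystemDrive.TrimEnd(':')
    $free = (Get-PSDrive -Name $sysDrive).Free

    [pscustomobject]@{
        DriverRegistered  = [bool]$driver
        DriverName        = if ($driver) { $driver.Name -join ', ' } else { $null }
        DriverState       = if ($driver) { $driver.State -join ', ' } else { $null }
        PmbPath           = $pmbPath
        PmbExists         = [bool]$pmb
        PmbSizeMB         = if ($pmb) { [math]::Round($pmb.Length / 1MB, 1) } else { 0 }
        PmbGrowing        = [bool]$pmb -and ($pmb.Length -gt $WarnBytes)
        SystemDriveFreeMB = [math]::Round($free / 1MB, 1)
    }
}

# Usage: run from an elevated PowerShell prompt on the machine in question.
$state = Get-ProcmonBootLogState
$state | Format-List

if ($state.PmbGrowing) {
    Write-Warning ("{0} is {1} MB and still growing: open Procmon.exe and save the boot log." -f $state.PmbPath, $state.PmbSizeMB)
}
```

Running this right after the reboot gives you the file size without hunting through Explorer, and a DriverRegistered value of True with no saved .PML is the combination that leads to the full C: drive the post shows.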

[Screenshot: Zero Space]

After the system reboots, launch Procmon.exe and you will see the following box. Click Yes to save the collected data.


You will get an option to save the log data with the .PML file extension. I have named the file BOOT.PML. Then it will start saving the data…


Meanwhile, open Windows Explorer and go to the Windows folder. Inside it you will see the file Procmon.pmb, which has grown to about 3 GB in just about 10 minutes of boot time.


Once all the data is saved to the BOOT.PML file, you will see the log data.


Well, now that you know exactly what is happening, you need to close some applications or delete some temp data. Create some free space on your machine so that you can launch any application (including Procmon.exe). Make sure you do this quickly, because as long as you are not saving the logs, the file will keep growing.

CONCLUSION

WHAT I WANTED TO HIGHLIGHT HERE IS THE FACT THAT THIS IS NOT A BUG IN THE TOOL BUT THE BEHAVIOUR OF THE TOOL. YOU MUST MAKE SURE THAT AFTER THE REBOOT YOU SAVE THE LOGS TO AVOID GETTING INTO SUCH A SITUATION.

Enjoy