Basic Steps for Making a Process Monitor (ProcMon) Capture
Published Feb 15 2019 07:29 PM

ProcMon is an indispensable tool that zillions of people have used. Here are some easy steps for starting, stopping, and saving a Procmon capture.


  1. Unzip ProcessMonitor.zip.
  2. Copy Procmon.exe to the server or workstation that you're troubleshooting.
  3. Launch Procmon by double-clicking Procmon.exe.
  4. When you see the option to set filters, you generally don't need to; you can always filter the results after the capture is complete. Just click OK.
  5. Stop the capture by clicking the icon of the magnifying glass, as seen below. (By default the capture begins immediately when Procmon.exe is launched.) Alternatively, you can use the keyboard and press CTRL+E.
  6. When the capture is stopped, a red slash mark should appear across the icon of the magnifying glass.
  7. If you really want to set some filters such that less data is captured, now is arguably the best time in my opinion. When in doubt, don't add any filters. But if there are some processes that you are certain that you can exclude from the capture, it's easy to do. For example, if you wanted to exclude Skype.exe because you see it in the capture and know it's irrelevant, just right-click Skype.exe and select "Exclude Skype.exe"
  8. Clear the events from the capture by clicking the icon that resembles an eraser on paper (or by pressing Ctrl+X).
  9. Begin to take the steps necessary to reproduce the problem. But when you have one step that remains—when you are one mouse-click away from reproducing the problem—hesitate long enough to. . .
  10. Start the process monitor capture by clicking the icon of the magnifying glass.
  11. Perform your one last mouse click to reproduce the problem, wait for the problem to be fully reproduced, and then quickly. . .
  12. Click the icon of the magnifying glass again to stop the Procmon capture.
  13. From the file menu, save the capture with a unique name and with the .pml format.


One of the most basic, common, and first things I usually do is to set a filter on the procmon results that searches the results column for "Access Denied."

Start by clicking the filter icon (or press CTRL+L), which looks a bit like a coffee filter or snow cone, as seen below. . .

Set the first two drop-downs to RESULT and CONTAINS. Type the word DENIED into the blank field. Click ADD and then click APPLY.
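The steps above are done in the GUI. As an added example (not from the original post or from Sysinternals), the PowerShell below does the same two things from a script: it starts an unattended Procmon capture that writes straight to a .pml backing file and stops it after a set time, and it applies the same "Result contains DENIED" filter to a CSV export of a capture, summarising which process, operation and path were denied and how often. Only Procmon switches that are documented in its command-line help are used (/AcceptEula, /Quiet, /Minimized, /BackingFile, /LoadConfig, /Terminate); the path to Procmon.exe, the sample CSV and the column names of the export are assumptions made for the example, and the CSV is a constructed sample, not a real capture.

```powershell
# Added example, not code from the original post. Assumes Procmon.exe is in the
# current directory (adjust $ProcmonPath). Run from an elevated session, since
# Procmon loads a kernel driver to capture events.

function Start-UnattendedProcmonCapture {
    param(
        [Parameter(Mandatory)] [string] $BackingFile,  # .pml written during capture
        [int]    $Seconds     = 60,                    # how long to capture
        [string] $ConfigFile  = '',                    # optional .pmc with saved filters
        [string] $ProcmonPath = '.\Procmon.exe'        # assumption: Procmon location
    )
    # /Quiet suppresses the initial filter dialog (step 4 above), /Minimized keeps
    # the window out of the way, /BackingFile writes events straight to disk.
    $args = @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$BackingFile`"")
    if ($ConfigFile) {
        # A .pmc exported from File > Export Configuration can carry an include
        # filter (e.g. Process Name is w3wp.exe) so only one process is captured.
        $args += @('/LoadConfig', "`"$ConfigFile`"")
    }
    Start-Process -FilePath $ProcmonPath -ArgumentList $args
    Start-Sleep -Seconds $Seconds
    # /Terminate stops the capturing instance started with /BackingFile.
    Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait
    return $BackingFile
}

function Get-AccessDeniedSummary {
    param([Parameter(Mandatory)] [string] $CsvPath)
    # Same filter as the GUI steps: Result contains DENIED. Assumes the default
    # export columns "Process Name", "Operation", "Path" and "Result".
    Import-Csv -Path $CsvPath |
        Where-Object { $_.Result -like '*DENIED*' } |
        Group-Object -Property 'Process Name', 'Operation', 'Path' |
        ForEach-Object {
            [pscustomobject]@{
                Process   = $_.Group[0].'Process Name'
                Operation = $_.Group[0].Operation
                Path      = $_.Group[0].Path
                Count     = $_.Count
            }
        } |
        Sort-Object -Property Count -Descending
}

# Constructed sample export (not a real capture) so the summary can be tried
# without running Procmon. Two denied reads of web.config should be reported.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.0000000 PM","w3wp.exe","4120","CreateFile","C:\inetpub\app\web.config","ACCESS DENIED","Desired Access: Generic Read"
"1:02:03.0000010 PM","w3wp.exe","4120","CreateFile","C:\inetpub\app\web.config","ACCESS DENIED","Desired Access: Generic Read"
"1:02:03.0000020 PM","w3wp.exe","4120","RegOpenKey","HKLM\SOFTWARE\Example","SUCCESS","Desired Access: Read"
"1:02:03.0000030 PM","svchost.exe","900","QueryNameInformationFile","C:\Windows\Temp\x.tmp","NAME NOT FOUND",""
'@
$csv = Join-Path $env:TEMP 'procmon-sample.csv'
Set-Content -Path $csv -Value $sample
Get-AccessDeniedSummary -CsvPath $csv | Format-Table -AutoSize

# To run a real capture instead:
# Start-UnattendedProcmonCapture -BackingFile "$env:TEMP\capture.pml" -Seconds 30
```

The summary function works on a CSV because that is what File > Save can export alongside the .pml; the .pml itself is a binary format that only Procmon reads. Grouping by process, operation and path turns a long list of identical denied events into a short table, which is usually what you want when deciding which ACL or policy to look at first.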

Author: Christopher T. Haun

2 Comments
Brass Contributor

@Jawahar Ganesh S thank you for sharing.

Copper Contributor

@Jawahar Ganesh S, can a procmon instance be run to capture only a particular process, e.g. w3wp.exe, without a user being logged in, like from Windows Task Scheduler at a specific time?

I understand that one can set up a task to run procmon at a particular time; could you highlight whether any arguments can be provided to only capture one process and save it as a log?

Last update: Sep 06 2021 02:37 PM