Capture Circular ProcMon Logs for an intermittent issue
This post walks through capturing Process Monitor (ProcMon) logs with circular overwrite enabled. As the official documentation describes it, Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and usernames, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features make Process Monitor a core utility in any system troubleshooting and malware hunting toolkit.
When ProcMon has to run for hours or days and log size is a concern, circular overwrite caps the size of the trace and keeps only the most recent activity, discarding the oldest events as new ones arrive. This is exactly what you want when chasing an intermittent issue: you leave the capture running, stop it when the problem shows up, and end with a bounded trace that covers the minutes leading up to it instead of an enormous log.
Let's walk through how to configure circular overwrite in ProcMon and capture logs with it.
Download and Install ProcMon
Download Process Monitor from the Sysinternals site (https://learn.microsoft.com/sysinternals/downloads/procmon). There is no installation process; it is a standalone executable (Procmon.exe) that you run directly. It needs to run elevated, because it loads a kernel driver to collect events.
Configure ProcMon Filters (you can skip this if not sure of the process name or other details)
By default, ProcMon records all system activity, which quickly becomes an overwhelming amount of data. Configure filters so that only the relevant events are kept; this reduces noise and, just as importantly, means the circular buffer is spent on events you care about rather than on background chatter. With Options > Drop Filtered Events enabled, events that fail the filter are not retained at all.
Example: to monitor only a specific application such as notepad.exe, add a filter with Process Name, is, notepad.exe, Include.
Enable Circular Overwrite (important)
To ensure that your ProcMon session keeps only the most recent events and does not grow indefinitely:
Set Maximum Log File Size
Circular logging lets you bound the size of the trace. In ProcMon the ring buffer is controlled through Options > History Depth, which caps the number of events retained; the oldest events are discarded once the cap is reached, so a smaller depth gives a smaller backing file. Choose a depth large enough to cover the interval between the issue occurring and you stopping the capture. To do this:
Start the Capture
Once everything is set, start capturing (File > Capture Events, or Ctrl+E). For long-running captures prefer File > Backing Files and point ProcMon at a file on disk rather than the default paging-file backing, so the retained events survive a ProcMon restart and do not consume paged pool:
Export Logs for Further Analysis
After the issue reproduces and you have stopped the capture, save the trace (File > Save) for in-depth analysis or for sharing with other team members. The native PML format preserves everything (stacks, process details, filter state) and can be reopened in ProcMon; CSV or XML are easier to feed into scripts and spreadsheets:
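The whole procedure above (filtered, circular capture, stop on the trigger, export) can be scripted so that nobody has to watch the machine. The following PowerShell script is an added example and is not from the original post or from Sysinternals. It assumes Procmon.exe is in the current directory, that you have saved your filters and History Depth from the GUI with File > Export Configuration to C:\Traces\intermittent.pmc (all paths are assumptions), and that the symptom is an application crash recorded as an Application Error event with ID 1000; swap the trigger script block for whatever indicates your issue. The command-line switches used (/AcceptEula, /Quiet, /Minimized, /LoadConfig, /BackingFile, /Terminate, /OpenLog, /SaveAs) are documented ProcMon switches.

```powershell
# Added example (not the original post's content): unattended circular ProcMon capture.
# Run from an elevated PowerShell prompt; ProcMon needs admin rights for its driver.
$procmon = ".\Procmon.exe"
$config  = "C:\Traces\intermittent.pmc"   # assumption: exported via File > Export Configuration
$backing = "C:\Traces\intermittent.pml"   # assumption: on-disk backing file for the ring buffer
$csvOut  = "C:\Traces\intermittent.csv"   # assumption: where the shareable export goes

New-Item -ItemType Directory -Path (Split-Path $backing) -Force | Out-Null
Remove-Item $backing -ErrorAction SilentlyContinue   # start from an empty ring

# 1. Start capturing in the background.
#    /LoadConfig applies the filters and History Depth saved in the .pmc,
#    /BackingFile keeps events on disk instead of in the paging file,
#    /Quiet suppresses the filter confirmation dialog, /Minimized keeps the window out of the way.
Start-Process -FilePath $procmon -ArgumentList @(
    "/AcceptEula", "/Quiet", "/Minimized",
    "/LoadConfig", "`"$config`"",
    "/BackingFile", "`"$backing`""
)
$start = Get-Date
Write-Host "Capturing since $start; waiting for the issue to reproduce..."

# 2. Trigger. Assumption: the symptom is a crash logged by Windows Error Reporting as
#    Application Error event 1000. Get-WinEvent returns $null (with a suppressed
#    non-terminating error) when nothing matches yet.
$issueDetected = {
    $null -ne (Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
        StartTime = $start
    } -MaxEvents 1 -ErrorAction SilentlyContinue)
}
while (-not (& $issueDetected)) { Start-Sleep -Seconds 5 }
Write-Host "Issue detected at $(Get-Date); stopping the capture."

# 3. Stop promptly so the ring buffer does not wrap past the events that matter.
#    /Terminate asks the running ProcMon instance to stop capturing and exit.
& $procmon /Terminate
Start-Sleep -Seconds 5   # let ProcMon flush and release the backing file

# 4. Export. Opening the PML with /OpenLog and passing /SaveAs writes the trace in the
#    format implied by the extension (.csv here) and exits. Keep the .pml as well; it is
#    the only format that retains stacks and full event properties for reanalysis.
& $procmon /AcceptEula /OpenLog "$backing" /SaveAs "$csvOut"
Write-Host "Trace saved as $backing (native) and $csvOut (for sharing)."
```

Because the stop happens seconds after the trigger fires, the History Depth only has to cover that short window plus however much context you want before the crash; the delay between "issue occurs" and "capture stops" is the number to size the ring against.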
Using ProcMon with circular overwrite is especially helpful for intermittent issues that cannot be reproduced on demand. The one rule to remember is to stop the capture as soon as the issue occurs: with a ring buffer, every second the capture keeps running after the event is another chunk of the oldest data overwritten, and if the History Depth is too small the relevant events will be gone before you look for them. Size the buffer for the delay between the problem happening and you (or a script) stopping the capture, and verify with a test run that a known event is still in the trace after that delay.