Sysinternals Process Monitor (Procmon) is one my favorite free tools. Microsoft recently released version 2.5, and just a few days ago Procmon 2.6 fixed a bug on Windows 7. I had a quick look at the new features. I just added this text to my former review of Process Monitor 2.0 at the end. If you already know Procmon, you can skip the introductory text and read about Procmon's 2.6 new features.
Latest posts by Michael Pietroforte (see all)
- Enabling PowerShell remoting fails due to Public network connection type - Thu, Sep 14 2017
- Set default Office 365 mailbox send and receive size limits - Mon, Sep 11 2017
- Change maximum Office 365 attachment size with PowerShell - Thu, Aug 31 2017
This well-known Microsoft tool was already in the 4sysops free admin tool list, but I decided to add a new entry because a new version is now available. The old post was also about Process Explorer, which I reviewed two years ago. I transferred your votes to these articles.
I guess that Process Monitor is in the tool box of many admins, because it is one of the most important troubleshooting tools. The old version, 1.37, allowed you to monitor file system and registry activity. The most important new feature of version 2.0 is that you can now also monitor the network activity of processes.
When you launch Process Monitor the first time, you will be overwhelmed by all the system activity. If you wonder, sometimes, why your computer is slow, you will get a better understanding after you see how many tasks a modern operating system has to perform, simultaneously.
To track down the cause of a malfunctioning program, it is essential that you utilize the powerful filter. If you already know the program that is causing the problem, you can restrict Process Monitor’s output to this program name. If the problem is a bit more complex, I usually enable the autoscroll feature and watch all system activity until something suspicious attracts my attention. Then, I limit the output with the filter by looking for common characteristics of the processes that interest me.
Another way to reduce the output is to let Process Monitor only display registry, file system, network, process and thread, or profiling events. You can use the icons on the right side of the toolbar for this purpose.
If you limit the output to network activity, you can try one of the new features of version 2.0. Process Monitor certainly can’t replace a network sniffing tool, but its filter can also be very useful for network-related troubleshooting. Enabling the Process and Thread option will track the creation and exit of processes and threats. Profiling scans all active threads and generates statistical data, such as the user time and the kernel time of the process.
The Sysinternals blog lists three new features: by-extension and by-directory views in the File Summary dialog; a new Network Summary view, quick filtering in all the summary views, and additional IOCTL and error-result decoding.
The File Summary dialog can be accessed from Procmon's Tools menu. The File Summary gives an overview of the operating system’s file-related activities (see screenshot). Procmon 2.5 offers by-extension and by-directory views in addition to the by-path view found in version 2.0. These new views are quite useful for monitoring file activities because the files can be found much easier than in the by-path view. For example, to see if a certain directory has been accessed by an application, simply navigate to the corresponding folder in the by-directory view. Note that Procmon’s summary views only give an overview of recent changes and are not updated continually as they are in the main interface.
The new quick filtering features in the summary views are also useful, enabling the user to add new Procmon filters easily. For example, to add a filter that will limit the output to events that are related to a specific directory, simply double click on the corresponding folder in the File Summary.
I didn't find any new features in the Network Summary view (except the aforementioned filter link). Perhaps the author of the Sysinternals blog post mistakenly thinks the Network Summary feature is new to version 2.5. I also didn’t find the new IOCTL (input-output-control) and error-result decoding features mentioned in the blog post. However, I might have missed something, so let me know if you find any new features.