Sysinternals Process Monitor: Real-time file system, registry, and process monitoring - Fri, Oct 28 2022
Process Monitor requires no installation. You simply download the executable, copy it to your target endpoint, and run it directly. It does require administrative rights, because it loads a kernel-mode driver to capture file system, registry, and process activity.
As a quick and straightforward example, I'm going to show how I use Process Monitor to capture the settings that drive certain parts of the Windows user interface. In end-user computing, we are often asked to make specific parts of the UI look a particular way for our users. While there are sometimes Group Policy Objects and Intune settings that can help us with setting up the user interface in this way, these settings can be unsuitable or difficult to find. In these cases, Process Monitor can help us identify the settings in use so that we can manage them centrally.
The first thing to do is replicate the change to the settings while Process Monitor is running. Be aware that Process Monitor will generate a lot of data, as it records everything that happens on the system. So, it is prudent to keep the amount of time you run Process Monitor to a minimum.
Start Process Monitor on the device you are going to make the changes on, and then turn off the capture by clicking File > Capture Events.
Next, clear the already captured events by clicking Edit > Clear Display.
The Process Monitor window should now be empty, as shown below:
Now, get ready to make the changes you are trying to capture. For instance, if you are capturing something in a specific application, open the application so that you do not generate all the extra noise from the application launch. As we are simply capturing some desktop settings, though, we just need to be at the Windows desktop.
Start the capture again by clicking File > Capture Events, and then make the changes you want. Below is a short video clip showing the capture being made. When you have finished, stop the capture again by clicking File > Capture Events.
You can see that we have changed the settings for small Taskbar icons, turned off Cortana, Task View, and Search, and set "Show file extensions" in Explorer.
We now need to parse the Process Monitor output to find which operating system settings correspond to these changes. You can parse the output on the device you captured it on, or save it as a PML file (File > Save, selecting the path as below) and open it on another computer.
To parse the output, we need to cut out as much extraneous noise as possible. You will notice that our 40-second capture has logged 309,183 events! It is important to understand what sort of settings you are looking for to cut this down.
Open the filtering menu by clicking Filter > Filter, which will display as below:
There are already some default exclusions in place that keep out Process Monitor's own entries and low-level system processes; you should leave these in place for most situations.
First, you need to select what you want to filter by. For instance, if you are working with a setting in a specific application (such as the browser), you can initially filter by process name. As we are looking for changes that were made in the shell process (Explorer), we will create our first filter, as below.
Don't forget to click Add after you have created the filter.
If you click OK, you can see that we've filtered 300,000 events down to about 66,000, but this is still a lot!
So, let's add a second filter. This time, we will look specifically for writes to the registry by the Explorer process, as the registry is where configuration changes in Windows are commonly (although not exclusively) held.
Create the next filter by setting it to Operation Is RegSetValue.
Once you have added and applied this filter, we now have 178 events to look at. Compared to 300,000, this is a much more manageable number.
You could try to filter this further, if required. For instance, I know that some of the settings shown are writing to HKCU\Software\Classes, which my experience tells me is unlikely to be useful data. So I can apply a further filter to tune these out by adding a filter of Path Contains HKCU\SOFTWARE\Classes Exclude as below:
Now, I have 138 events in total, which is a reasonable number for an administrator to pick through.
From this point onward, it becomes a matter of using common sense or even trial and error to pick out the required settings. We can easily pick out the setting for show file extensions, which is HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt.
If you then double-click the highlighted setting, it will show you the value that has changed.
So we now know that the setting we changed, which turned Show file extensions on, is driven by a registry value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced called HideFileExt, which must be set to a DWORD value of 0 for the setting to behave the way we want.
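The same capture and filtering can be driven from PowerShell, which is handy when you need to repeat it on several machines or parse a large log without clicking through the filter dialog. The script below is an added example, not code from the article: it starts and stops Process Monitor with its documented command-line switches, converts the PML to CSV, and then applies the article's three filters (Explorer.EXE, RegSetValue, exclude HKCU\Software\Classes) to the exported rows, splitting each hit into key, value name, type and data. The path to Procmon.exe is an assumption, and the CSV rows embedded in the script are constructed so the filter can be run without a live capture.

```powershell
# Added example (not from the 4sysops article). Assumptions: Procmon.exe is at $ProcmonPath,
# and the CSV uses Procmon's default export columns
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).

$ProcmonPath = 'C:\Tools\Procmon.exe'   # assumption: wherever you copied the executable

function Start-ProcmonCapture {
    param([string]$BackingFile = "$env:TEMP\capture.pml")
    # /AcceptEula and /Quiet suppress the prompts, /Minimized keeps the window out of the way,
    # /BackingFile writes events straight to a PML file instead of the paging file.
    Start-Process -FilePath $ProcmonPath -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$BackingFile`""
    return $BackingFile
}

function Stop-ProcmonCapture {
    # /Terminate stops the running instance and lets it flush the backing file.
    Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait
}

function Export-ProcmonCsv {
    param([string]$Pml, [string]$Csv)
    # /OpenLog together with /SaveAs converts the saved PML into CSV without interaction.
    Start-Process -FilePath $ProcmonPath -ArgumentList '/AcceptEula', '/Quiet', "/OpenLog `"$Pml`"", "/SaveAs `"$Csv`"" -Wait
}

function Get-ExplorerRegistryWrites {
    param([object[]]$Events)   # rows from Import-Csv / ConvertFrom-Csv of a Procmon export
    $Events |
        Where-Object {
            $_.'Process Name' -eq 'Explorer.EXE' -and       # filter 1: shell process only
            $_.Operation -eq 'RegSetValue' -and             # filter 2: registry writes only
            $_.Path -notlike 'HKCU\Software\Classes\*'      # filter 3: drop the Classes noise
        } |
        ForEach-Object {
            # Procmon's Detail column for RegSetValue reads "Type: REG_DWORD, Length: 4, Data: 0"
            if ($_.Detail -match 'Type:\s*(?<Type>\S+),\s*Length:\s*\d+,\s*Data:\s*(?<Data>.*)$') {
                $type = $Matches.Type; $data = $Matches.Data
            } else {
                $type = $null; $data = $_.Detail
            }
            $cut = $_.Path.LastIndexOf('\')
            [pscustomobject]@{
                Key  = $_.Path.Substring(0, $cut)
                Name = $_.Path.Substring($cut + 1)
                Type = $type
                Data = $data
            }
        }
}

# Constructed sample rows in Procmon's CSV layout (not a real capture).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","Explorer.EXE","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:01:02.1240001","Explorer.EXE","4120","RegSetValue","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\explorer.exe.FriendlyAppName","SUCCESS","Type: REG_SZ, Length: 34, Data: Windows Explorer"
"10:01:02.2000000","svchost.exe","1200","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime","SUCCESS","Type: REG_QWORD, Length: 8, Data: 133123456789012345"
"10:01:03.0000000","Explorer.EXE","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:01:03.5000000","Explorer.EXE","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarSmallIcons","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'@

# Offline run on the constructed rows: only the two Advanced values survive the filters.
$events = $sampleCsv | ConvertFrom-Csv
Get-ExplorerRegistryWrites -Events $events | Format-Table -AutoSize

# Live run: Start-ProcmonCapture, make the UI change, Stop-ProcmonCapture, then
# Export-ProcmonCsv -Pml "$env:TEMP\capture.pml" -Csv "$env:TEMP\capture.csv"
# and pass (Import-Csv "$env:TEMP\capture.csv") to Get-ExplorerRegistryWrites.
```

The Detail parsing is what saves you from double-clicking each row: type and data are already in the export, so a single pass yields the key, value name, type, and data you need for the policy.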
By parsing the rest of the output, we can pull out other settings that seem to apply to the ones we have changed.
Here are a few other useful settings:
Changing Taskbar icons to small: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarSmallIcons DWORD 1
Removing Search: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\SearchboxTaskbarMode DWORD 0
Removing Task View button: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTaskViewButton DWORD 0
Removing Cortana: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCortanaButton DWORD 0
It is then quite simple to create a Group Policy preference item (or to use another method) to enforce or suggest any combination of these settings, if required.
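Where Group Policy is not available, or you want to test the values on one machine before building the preference item, the settings above can be written with PowerShell. This is an added example, not code from the article: it applies the HKCU values the capture identified for the current user only, skips values that are already correct, and restarts the shell once so that Explorer re-reads them.

```powershell
# Added example (not from the 4sysops article): apply the Explorer values identified above.
# Runs as the user whose profile should change; no elevation is needed for HKCU.

$explorerSettings = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Value = 0 }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'TaskbarSmallIcons';    Value = 1 }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowTaskViewButton';   Value = 0 }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowCortanaButton';    Value = 0 }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Search';            Name = 'SearchboxTaskbarMode'; Value = 0 }
)

function Set-ExplorerSetting {
    # Returns $true when a value was written, $false when it was already compliant.
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) { return $false }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    return $true
}

$changed = $false
foreach ($s in $explorerSettings) {
    if (Set-ExplorerSetting @s) {
        $changed = $true
        Write-Host "Set $($s.Key)\$($s.Name) = $($s.Value)"
    }
}

# Explorer reads these values when it starts, so restart the shell only if something changed.
if ($changed) {
    Stop-Process -Name explorer -Force
    Start-Sleep -Seconds 2
    # Current Windows builds usually relaunch the shell on their own; start it if they did not.
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        Start-Process -FilePath explorer.exe
    }
}
```

Because the function reports whether it changed anything, the same script is safe to run repeatedly from a logon script or a remediation task without restarting the shell every time.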
Process Monitor can also be very useful for diagnosing application crashes or misbehavior. For instance, when confronted with an application that throws an error when run without admin rights, Process Monitor can quickly pinpoint the issue.
In this case, I run the application as the standard user and then create a filter for Result Is ACCESS DENIED, because applications that demand admin rights often do so simply because they try to write to file system or registry locations that a standard user cannot modify, such as their own installation folder under Program Files or a key under HKLM.
Filtered this way, the log shows very quickly where the application is trying to write without the necessary access.
You can then fix the application by granting the correct permissions, but keep the grant as narrow as possible: give the user or group that runs the application Modify on the specific file or subfolder it writes to, not Modify or Full Control for Everyone or Users on the whole installation directory. A world-writable program folder lets any local user replace the binaries or DLLs the application loads, which becomes a privilege escalation path if that application ever runs elevated or as a service. Where the vendor allows it, redirecting the writes to a per-user location such as %LOCALAPPDATA% is the cleaner fix.
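Before touching any ACL it helps to see, per path, how many times the application was denied and who can already write there. The script below is an added example, not code from the article: it summarises the ACCESS DENIED rows for one process from a Process Monitor CSV export and then lists the identities that hold write rights on the nearest existing parent directory of each denied file path, so a fix can be scoped to the narrowest identity and path. "LegacyApp.exe" and the rows are constructed for illustration.

```powershell
# Added example (not from the 4sysops article): triage ACCESS DENIED results from a
# Procmon CSV export and show the current write grantees on the affected directories.
# "LegacyApp.exe" is a hypothetical application; the rows are constructed sample data.

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:15:01.0010000","LegacyApp.exe","5120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf"
"09:15:01.0020000","LegacyApp.exe","5120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf"
"09:15:01.0030000","LegacyApp.exe","5120","RegOpenKey","HKLM\SOFTWARE\LegacyApp","ACCESS DENIED","Desired Access: All Access"
"09:15:01.0040000","LegacyApp.exe","5120","CreateFile","C:\Users\alice\AppData\Local\Temp\la.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"09:15:01.0050000","LegacyApp.exe","5120","RegQueryValue","HKLM\SOFTWARE\LegacyApp\Install","NAME NOT FOUND","Length: 144"
'@

function Get-AccessDeniedSummary {
    # One row per (Path, Operation) that was denied, with a hit count and the first Detail.
    param([object[]]$Events, [string]$ProcessName)
    $Events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        Group-Object -Property Path, Operation |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.Group[0].Path
                Operation = $_.Group[0].Operation
                Count     = $_.Count
                Detail    = $_.Group[0].Detail
            }
        }
}

function Get-WriteGrantees {
    # Walk up to the nearest directory that exists and list Allow ACEs carrying write rights.
    param([string]$FilePath)
    $dir = $FilePath
    while ($dir -and -not (Test-Path -LiteralPath $dir -PathType Container)) {
        $dir = Split-Path -Path $dir -Parent
    }
    if (-not $dir) { return }
    (Get-Acl -LiteralPath $dir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
        } |
        Select-Object @{ n = 'Directory'; e = { $dir } }, IdentityReference, FileSystemRights
}

$events = $sampleCsv | ConvertFrom-Csv
$denied = Get-AccessDeniedSummary -Events $events -ProcessName 'LegacyApp.exe'
$denied | Format-Table -AutoSize

# Only file system paths have NTFS ACLs to inspect; registry denials need Get-Acl on HKLM:\ paths.
foreach ($d in ($denied | Where-Object { $_.Path -match '^[A-Za-z]:\\' })) {
    Get-WriteGrantees -FilePath $d.Path | Format-Table -AutoSize
}
```

If the grantee list for C:\Program Files\LegacyApp already contains Users or Everyone with Modify, the application's permission problem has already been "solved" in the worst way, and the folder should be tightened again and the single file the application writes handled on its own.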
Process Monitor can also capture activity from boot, before anyone logs on, by enabling Options > Enable Boot Logging, as below. The driver then records from the next startup until you run Process Monitor again, so the output files can be very large; check free disk space first.
One final point to make about Process Monitor is that, as it uses a file system filter driver, other products that also use filter drivers (e.g., Ivanti, FSLogix) may give misleading or incorrect results: a filter attached above Process Monitor's driver can redirect, block, or satisfy an I/O request before Process Monitor ever sees it, so the path or result shown may not be what the application actually asked for. To ensure that you are getting the right information, temporarily disable those agents on a test device while you capture. Filter altitudes are allocated to vendors by Microsoft and determine the load order, so changing them is a last resort rather than a routine troubleshooting step.
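You can see exactly which filters sit above Process Monitor with the built-in fltmc tool. The script below is an added example, not code from the article: it parses the output of `fltmc filters` and lists every loaded minifilter with a higher altitude than Process Monitor's driver, which on current versions registers as PROCMON24 (an assumption you should check against your own output). The embedded text mirrors the layout of `fltmc filters` with illustrative altitudes so the parser runs offline; the live call needs an elevated prompt and Process Monitor already running.

```powershell
# Added example (not from the 4sysops article): find minifilters attached above Process Monitor.
# Assumptions: Procmon's driver is listed as PROCMON24 and FSLogix's as frxdrv; the sample
# output below is constructed and its altitudes are illustrative only.

$sampleFltmc = @'

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
frxdrv                                  2       404700         0
PROCMON24                               4       385200         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
FileInfo                                4        45000         0
'@

function ConvertFrom-FltmcOutput {
    # Turn the fixed-width 'fltmc filters' listing into objects; header and rule lines do not match.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>\d+(\.\d+)?)\s+(?<Frame>\S+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches.Name
                Instances = [int]$Matches.Instances
                Altitude  = [double]$Matches.Altitude
                Frame     = $Matches.Frame
            }
        }
    }
}

function Get-FiltersAboveProcmon {
    # Higher altitude = attached above Procmon = sees (and may alter) the I/O before Procmon does.
    param([object[]]$Filters, [string]$ProcmonDriver = 'PROCMON24')
    $procmon = $Filters | Where-Object { $_.Name -eq $ProcmonDriver }
    if (-not $procmon) {
        Write-Warning "$ProcmonDriver is not loaded; start Process Monitor first."
        return
    }
    $Filters | Where-Object { $_.Altitude -gt $procmon.Altitude } | Sort-Object -Property Altitude -Descending
}

# Offline run against the constructed sample (bindflt and frxdrv are reported as above Procmon):
$filters = ConvertFrom-FltmcOutput -Lines ($sampleFltmc -split "`r?`n")
Get-FiltersAboveProcmon -Filters $filters | Format-Table -AutoSize

# Live run from an elevated prompt while Process Monitor is capturing:
# $filters = ConvertFrom-FltmcOutput -Lines (fltmc filters)
# Get-FiltersAboveProcmon -Filters $filters | Format-Table -AutoSize
```

Anything this lists, profile containers and application virtualisation agents in particular, is a candidate for the misleading results described above and worth stopping on the test device before you trust a capture.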
In summary, Process Monitor is a vital tool for administering and troubleshooting Windows systems and applications, and should be in the toolbox of every administrator. Using it for simple problems, such as those detailed above, can help you gain an understanding of it and how to tune your filters, and this will help as the issues you tackle become more complicated.