Sysinternals Process Monitor runs on a Windows device and uses a filter driver to log real-time file system, registry, and process/thread monitoring. It is a vital tool for troubleshooting Windows and combines the capabilities of two older Sysinternals tools: filemon and regmon.
Process Monitor user interface

Process Monitor user interface

Process Monitor requires no installation. You simply download the executable, then copy it to your target endpoint and run it directly. It does require administrative rights to run.

As a quick and straightforward example, I'm going to show how I use Process Monitor to capture the settings that drive certain parts of the Windows user interface. In end-user computing, we are often asked to make specific parts of the UI look a particular way for our users. While there are sometimes Group Policy Objects and Intune settings that can help us with setting up the user interface in this way, these settings can be unsuitable or difficult to find. In these cases, Process Monitor can help us identify the settings in use so that we can manage them centrally.

The first thing to do is replicate the change to the settings while Process Monitor is running. Be aware that Process Monitor will generate a lot of data, as it records everything that happens on the system. So, it is prudent to keep the amount of time you run Process Monitor to a minimum.

Start Process Monitor on the device you are going to make the changes on, and then turn off the capture by clicking File > Capture Events.

Process Monitor capture activity

Process Monitor capture activity

Next, clear the already captured events by clicking Edit > Clear Display.

Process Monitor clearing activity

Process Monitor clearing activity

The Process Monitor window should now be empty, as shown below:

Process Monitor activity cleared

Process Monitor activity cleared

Now, get ready to make the changes you are trying to capture. For instance, if you are capturing something in a specific application, open the application so that you do not generate all the extra noise from the application launch. As we are simply capturing some desktop settings, though, we just need to be at the Windows desktop.

Start the capture again by clicking File > Capture Events, and then make the changes you want. Below is a short video clip showing the capture being made. When you have finished, stop the capture again by clicking File > Capture Events.

You can see that we have changed the settings for small Taskbar icons, turned off Cortana, Task View, and Search, and set "Show file extensions" in Explorer.

We now need to parse the Process Monitor output to find which operating system settings correspond to making these changes. You can also save the Process Monitor output, if required, as a PML file so that you can view the logged output on another computer, if you so desire. You do this by clicking File > Save and selecting the path as below, or you can simply parse the output on the device you have captured it on.

Saving Process Monitor output

Saving Process Monitor output

To parse the output, we need to cut out as much extraneous noise as possible. You will notice that our 40-second capture has logged 309,183 events! It is important to understand what sort of settings you are looking for to cut this down.

Open the filtering menu by clicking Filter > Filter, which will display as below:

Filtering Process Monitor output

Filtering Process Monitor output

There are already some default exclusions in place that keep out Process Monitor's own entries and low-level system processes; you should leave these in place for most situations.

First, you need to select what you want to filter by. For instance, if you are working with a setting in a specific application (such as the browser), you can initially filter by process name. As we are looking for changes that were made in the shell process (Explorer), we will create our first filter, as below.

Filtering Process Monitor output by process name

Filtering Process Monitor output by process name

Don't forget to click Add after you have created the filter.

If you click OK, you can see that we've filtered 300,000 events down to about 66,000, but this is still a lot!

Process Monitor number of filtered events

Process Monitor number of filtered events

So, let's add a second filter. This time, we will look specifically for writes to the registry by the Explorer process, as the registry is where configuration changes in Window are commonly (although not exclusively) held.

Create the next filter by setting it to Operation Is RegSetValue.

Filtering Process Monitor by operation

Filtering Process Monitor by operation

Once you have added and applied this filter, we now have 178 events to look at. Compared to 300,000, this is a much more manageable number.

Reducing the number of Process Monitor events

Reducing the number of Process Monitor events

You could try to filter this further, if required. For instance, I know that some of the settings shown are writing to HKCU\Software\Classes, which my experience tells me is unlikely to be useful data. So I can apply a further filter to tune these out by adding a filter of Path Contains HKCU\SOFTWARE\Classes Exclude as below:

Filtering Process Monitor by path

Filtering Process Monitor by path

Now, I have 138 events in total, which is a reasonable number for an administrator to pick through.

Further reducing the number of events

Further reducing the number of events

From this point onward, it becomes a matter of using common sense or even trial and error to pick out the required settings. We can easily pick out the setting for show file extensions, which is HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt.

Hiding file extensions

Hiding file extensions

If you then double-click the highlighted setting, it will show you the value that has changed.

Displaying the details of a changed value

Displaying the details of a changed value

So we know now from this that the setting we changed, which set Show file extensions to positive, is driven by a registry value located in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, is called HideFileExt, and which needs to be set to a DWORD value of 0 for the setting to be the way we want it.

By parsing the rest of the output, we can pull out other settings that seem to apply to the ones we have changed.

Parsing the remaining Process Monitor output

Parsing the remaining Process Monitor output

Here are a few other useful settings:

Changing Taskbar icons to small: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarSmallIcons DWORD 1

Removing Search: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\SearchboxTaskbarMode DWORD 0

Removing Task View button: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTaskViewButton DWORD 0

Removing Cortana: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCortanaButton DWORD 0

It is then quite simple to create a Group Policy preference item (or to use another method) to enforce or suggest any combination of these settings, if required.

Using Group Policy preferences to deploy settings

Using Group Policy preferences to deploy settings

Process Monitor can also be very useful for diagnosing application crashes or misbehavior. For instance, when confronted with an application that throws an error when run without admin rights, Process Monitor can quickly pinpoint the issue.

In this case, I simply run the application and then create a filter that looks for any instances of Access Denied in the Result entry, as applications often require admin rights because of a lack of permissions to either the file system or the registry.

Filtering Process Monitor by Access Denied

Filtering Process Monitor by Access Denied

You should see then pretty quickly if there are any places the application is trying to write where access is not working.

Events where access was denied

Events where access was denied

You can then simply rectify the application's problem by applying the correct permissions to the file system areas where it is trying to write.

Process Monitor can also be run at startup, if necessary, by enabling Boot Logging as below. Note that this will create very large output files, though, so be aware if you are low on disk space.

Enabling boot logging

Enabling boot logging

One final point to make about Process Monitor is that, as it uses a filter driver, other applications that also use filter drivers (e.g., Ivanti, FSLogix) may give misleading or incorrect results. To ensure that you are getting the right information, you should disable or adjust the altitude of any other filter drivers that may be overlaying the user session.

Subscribe to 4sysops newsletter!

In summary, Process Monitor is a vital tool for administering and troubleshooting Windows systems and applications, and should be in the toolbox of every administrator. Using it for simple problems, such as those detailed above, can help you gain an understanding of it and how to tune your filters, and this will help as the issues you tackle become more complicated.

avatar
1 Comment
  1. Very useful trick. I use it all the time to figure out the registry setting when needed.

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account