How To: Use Process Monitor To Capture System Events

Version 7

    Purpose


    The article below gives detailed steps on how to capture a Process Monitor log, including how to capture system events while the computer is starting up. If you have been asked by Shavlik Support to gather a Process Monitor log, you can follow the instructions below.


    What Is Process Monitor?


    Process Monitor is a free tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays, in real time, all file system activity on a Microsoft Windows operating system. Process Monitor is useful for troubleshooting issues when you need to identify the files or registry keys an application is accessing.


    How to use Process Monitor


    Gathering a Process Monitor log


    1. Log into Windows using an account with administrative privileges.

    2. Download Process Monitor from Microsoft TechNet:

    3. Extract the contents of the ProcessMonitor.zip archive to your desktop.

    4. Run Procmon.exe as administrator.

    5. Process Monitor will begin logging from the moment it starts running. To stop this, click the "Capture" icon.


    1-5.png

    6. Clear all the events that Process Monitor recorded by clicking the "Clear" icon.


    1-6.png

    7. When you are ready to recreate the issue or scenario, click the "Capture" icon to begin logging.

    8. Once you have recreated the issue or scenario, click the "Capture" icon to stop logging.


    9. Save the Process Monitor log by going to File > Save.


    1-9.png


    10. Compress and archive (zip) the PML file.

    11. Send your log to your Landesk Support Engineer for further review. (See: How To: Upload A File To Shavlik Support (FTP))
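    The GUI steps 4 to 10 above can also be run unattended, which is useful when the problem must be reproduced on a server where nobody is watching the desktop. The PowerShell script below is an added example, not part of this article or of the Sysinternals tool, and assumes Procmon.exe was extracted to the desktop (step 3) and that the script runs from an elevated PowerShell session (step 1). It uses the Procmon command-line switches /AcceptEula, /Quiet, /Minimized, /BackingFile and /Terminate; the log file name and the reproduction prompt are placeholders.

```powershell
# Added example: unattended Process Monitor capture (steps 4-10 of the article).
# Assumes Procmon.exe sits on the current user's desktop and the shell is elevated.
$procmon = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Procmon.exe'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml     = Join-Path $env:TEMP "procmon-$stamp.pml"   # placeholder log name; the backing file IS the saved log
$zip     = "$pml.zip"

if (-not (Test-Path $procmon)) {
    throw "Procmon.exe not found at $procmon (extract ProcessMonitor.zip to the desktop first)"
}

# Start capturing straight into the backing file, so there is nothing to clear or save by hand.
# /AcceptEula skips the licence prompt, /Quiet suppresses the filter dialog, /Minimized keeps the window out of the way.
Start-Process -FilePath $procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$pml`""

# Give the driver a few seconds to load before reproducing the problem (steps 7-8).
Start-Sleep -Seconds 5
Write-Host "Reproduce the issue now, then press Enter to stop capturing."
[void](Read-Host)

# /Terminate tells the running instance to stop capturing and exit, flushing the backing file.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
# The capturing instance runs as Procmon.exe (or Procmon64.exe on 64-bit Windows); wait for it to exit before zipping.
Get-Process -Name Procmon, Procmon64 -ErrorAction SilentlyContinue | Wait-Process -Timeout 60

if (-not (Test-Path $pml)) { throw "No log was written to $pml" }

# Step 10: zip the PML. Boot and long captures easily reach several GB, so check the size before uploading.
Compress-Archive -Path $pml -DestinationPath $zip -Force
Get-Item $zip | Select-Object FullName, @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) } }
```

    The resulting .pml records every process, file path, registry key and command line touched while capturing, including anything unrelated to the problem, so open it once with Procmon (File > Open) and check that it contains the reproduced scenario before sending it on.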


    Gathering a boot Process Monitor log


    There are occasions when you may need to troubleshoot an issue related to your boot process. To enable boot logging, perform the following steps:


    1. Log into Windows using an account with administrative privileges.

    2. Download Process Monitor from Microsoft TechNet:

    3. Extract the contents of the ProcessMonitor.zip archive to your desktop.

    4. Run Procmon.exe.

    5. Process Monitor will begin logging from the moment it starts running. To stop this, click the "Capture" icon.

    2-5.png

    6. Click Options > Enable Boot Logging.

    2-6.png


    7. You will be presented with the following dialog. Ensure that the option to generate profiling events every second is selected.

    2-7.png

    8. Reboot the machine and recreate the issue you are facing.

    9. Once back at the Windows desktop, run Procmon.exe.

    10. Upon opening Procmon.exe, you will be presented with the following dialog asking whether to save the boot-time log.

    2-10.png

    11. Click "Yes" and save the log file.

    12. Close Process Monitor.

    13. Compress and archive (zip) the PML file.

    14. Send your log to your Shavlik Support Engineer for further review. (See: How To: Upload A File To Shavlik Support (FTP) )


    Affected Product(s)


    Shavlik Protect 9.x