Process Monitor
Process Monitor (Procmon) is a Sysinternals tool that provides real-time monitoring of file system, registry, process, thread, and network activity on Windows. It combines the functionality of Filemon and Regmon for comprehensive system visibility.
Installation
Windows
# Run directly from Sysinternals Live (no download step)
# https://live.sysinternals.com/procmon.exe
# Or download and extract the zip (PowerShell)
Invoke-WebRequest https://download.sysinternals.com/files/ProcessMonitor.zip -OutFile ProcessMonitor.zip
Expand-Archive ProcessMonitor.zip -DestinationPath .\ProcessMonitor
# Run directly (portable executable; needs an elevated prompt so the driver can load)
.\ProcessMonitor\Procmon.exe
# Or keep a copy in a fixed location
copy Procmon.exe "C:\Program Files\Sysinternals\"
Verify Installation
# Check the file version (PowerShell)
(Get-Item .\Procmon.exe).VersionInfo.FileVersion
# Launch once from an elevated prompt to confirm the driver loads
Procmon.exe /AcceptEULA
# Start with command-line options
Procmon.exe /AcceptEULA /BackingFile trace.pml
Core Concepts
Event Types Monitored
| Category | Events |
|---|---|
| File System | Create, Read, Write, Delete, Rename files/folders |
| Registry | Query, Set, Create, Delete registry keys/values |
| Process | Start, Stop, Load DLL, Create thread |
| Network | TCP/UDP connect, send, receive |
| Profiling | CPU sampling, performance data |
Basic Usage
Starting Procmon
# Start with default settings (captures all events)
Procmon.exe /AcceptEULA
# Minimize to system tray on startup
Procmon.exe /AcceptEULA /Minimized
# Load saved trace file
Procmon.exe /AcceptEULA /OpenLog trace.pml
# Start with backing file (capture to disk)
Procmon.exe /AcceptEULA /BackingFile C:\traces\capture.pml
Recording and Playback
# Start capturing in its own window (cmd; PowerShell: Start-Process Procmon.exe -ArgumentList '/AcceptEULA /BackingFile trace.pml')
start "" Procmon.exe /AcceptEULA /BackingFile trace.pml
# Let it run and capture events
# Stop capture: Ctrl+E in the GUI, or from another prompt:
Procmon.exe /Terminate
# Load trace for analysis
Procmon.exe /OpenLog trace.pml
# Convert .pml to CSV (or XML; the output extension selects the format)
Procmon.exe /OpenLog trace.pml /SaveAs trace.csv
Command-Line Options
| Option | Description |
|---|---|
| /AcceptEULA | Accept terms without prompt |
| /Minimized | Start minimized to tray |
| /BackingFile <file> | Write events to this file instead of the page file |
| /NoFilter | Clear filters at startup |
| /NoConnect | Start without capturing |
| /Quiet | Don't confirm filter settings at startup |
| /RunTime <seconds> | Stop capture after N seconds |
| /Terminate | Stop all running instances |
| /OpenLog <file> | Load a saved .pml |
| /SaveAs <file> | With /OpenLog, convert the log to .csv or .xml |
| /LoadConfig <file> | Load a saved filter/column configuration (.pmc) |
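The same capture-then-convert sequence driven from Python, as an added example that is not part of the original page or of the Sysinternals tooling. It assumes Procmon.exe is on PATH, that the script runs from an elevated prompt (the driver will not load otherwise), and that the CSV export carries the default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail). The embedded CSV is constructed to illustrate the export shape, not recorded from a real capture; nothing launches Procmon at import time.

```python
"""Unattended, time-boxed Procmon capture and PML-to-CSV export (added example)."""
import csv
import io
import shutil
import subprocess
from pathlib import Path

PROCMON = "Procmon.exe"  # assumption: on PATH; use a full path otherwise


def capture_args(backing_file, seconds):
    """Command line for a capture that writes straight to disk and stops
    after `seconds`. /Quiet skips the filter-confirmation prompt and
    /Minimized keeps the window out of the way."""
    return [PROCMON, "/AcceptEula", "/Quiet", "/Minimized",
            "/BackingFile", str(backing_file), "/RunTime", str(int(seconds))]


def export_args(pml, out):
    """Convert a saved .pml; Procmon picks CSV or XML from the output
    extension when /SaveAs is combined with /OpenLog."""
    return [PROCMON, "/AcceptEula", "/OpenLog", str(pml), "/SaveAs", str(out)]


def run_timed_capture(backing_file, seconds, out_csv):
    """Capture for `seconds`, make sure no instance is left, then export.
    Returns the CSV path; raises if Procmon is missing or nothing was written."""
    if shutil.which(PROCMON) is None:
        raise FileNotFoundError(f"{PROCMON} not found on PATH")
    subprocess.run(capture_args(backing_file, seconds))   # returns when the instance exits
    subprocess.run([PROCMON, "/Terminate"])               # safeguard; harmless if already gone
    subprocess.run(export_args(backing_file, out_csv))
    out = Path(out_csv)
    if not out.exists():
        raise RuntimeError(f"export failed: {out} was not written")
    return out


def load_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


# Constructed sample in the shape of a Procmon CSV export (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:01.1234567 AM","notepad.exe","4120","CreateFile","C:\Users\alice\notes.txt","SUCCESS","Desired Access: Generic Read"
"9:15:01.1234890 AM","notepad.exe","4120","ReadFile","C:\Users\alice\notes.txt","SUCCESS","Offset: 0, Length: 4,096"
'''


def summarize(csv_text):
    """Operations per process: the first look at what a capture contains."""
    counts = {}
    for e in load_events(csv_text):
        key = (e["Process Name"], e["Operation"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(" ".join(capture_args(r"C:\traces\capture.pml", 60)))
    print(summarize(SAMPLE_CSV))
    # run_timed_capture(r"C:\traces\capture.pml", 60, r"C:\traces\capture.csv")
```

Procmon stops on its own when /RunTime elapses; the /Terminate call only guards against an instance that is still flushing its backing file when the export is attempted.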
Filtering and Searching
Filter Examples
# Filter by process name (GUI menu or right-click)
# Process Name contains "notepad"
# Filter by file path
# Path contains "temp" AND operation is WriteFile
# Filter by result (success/failure)
# Result is "SUCCESS"
# Exclude system processes
# Process Name is not "System" AND not "explorer.exe"
# Find registry activity
# Operation class is Registry
# Monitor specific application startup
# Image Path contains "application.exe"
# Track DLL loading
# Operation is Load Image
Advanced Filtering
# Find all failed operations (Include rules on the same column are ORed; rules on different columns are ANDed)
Result is "NAME NOT FOUND" OR Result is "ACCESS DENIED"
# Monitor temp file activity
Path contains "AppData\Local\Temp"
# Track service installations (a new service is a new key under the Services hive, usually created by services.exe)
Path begins with "HKLM\System\CurrentControlSet\Services" AND Operation is "RegCreateKey"
# Network connections by process (network operations are TCP Connect, TCP Send, TCP Receive, UDP Send, UDP Receive, ...)
Operation begins with "TCP" AND Process Name is "target.exe"
# Find suspicious HKLM writes
Operation is "RegSetValue" AND Path contains "HKLM"
Analysis Workflows
Malware Behavior Analysis
# 1. Start Procmon
Procmon.exe /AcceptEULA /BackingFile malware_trace.pml
# 2. Execute malware or suspicious script
# 3. Stop capture (Ctrl+E)
# 4. Apply filters for behavior
# Filter for persistence mechanisms
# RegSetValue under HKLM\ or HKCU\ SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce
# File creation in the Startup folders (...\Start Menu\Programs\Startup)
# Load Image of DLLs from user-writable directories (Temp, AppData) in any process
Performance Troubleshooting
# Monitor application startup
# Start capture before launching slow app
# Look for excessive disk I/O, registry queries
# Identify bottlenecks (many repeated failed operations)
# Result is "NAME NOT FOUND" - file/registry key not found
# High count = wasted disk I/O searching for missing files
# Repeated reads of the same file or key = the application is not caching what it already read
Security Investigation
# Track suspicious process behavior
# Process Create events show the parent in the Process Name column and the child in Path:
# a legitimate binary launched by an unexpected parent that then skips its usual DLL loads and config reads is a hollowing candidate
# Monitor DLL loading (Load Image) from temp directories
# Check for registry/file writes to System directories
# Track process to process communication (named pipe CreateFile under \Device\NamedPipe\)
# Typical indicators:
# - Office or other document handlers spawning powershell.exe or cmd.exe
# - explorer.exe loading unusual DLLs
# - Services writing to user directories
# - Processes creating named pipes
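The Malware Behavior Analysis, Performance Troubleshooting and Security Investigation checks above, turned into rules that run over a Procmon CSV export. This is an added example, not code from the page or from Sysinternals; it assumes the default export columns, and the capture embedded below is constructed to exercise each rule, not recorded from a real host. The rule names and the DOC_HANDLERS list are the author's own choices.

```python
"""Triage a Procmon CSV export for persistence, suspicious loads, network
activity and wasted lookups (added example)."""
import csv
import io
import re
from collections import Counter

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SERVICES_KEY = re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Document handlers that have no business launching a shell (assumed list).
DOC_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}


def load_events(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(e):
    """Return a rule name for one event, or None if it is unremarkable."""
    op, path, proc = e["Operation"], e["Path"], e["Process Name"].lower()
    if e["Result"] != "SUCCESS":
        return None                      # failures are counted by failed_lookups()
    if op == "RegSetValue" and RUN_KEY.search(path):
        return "run-key persistence"
    if op in ("CreateFile", "WriteFile") and STARTUP_DIR.search(path):
        return "startup-folder persistence"
    if op in ("RegCreateKey", "RegSetValue") and SERVICES_KEY.search(path):
        return "service registration"
    if op == "Load Image" and TEMP_DIR.search(path):
        return "image loaded from Temp"
    if op.startswith(("TCP Connect", "UDP Send")):
        return "outbound network"        # Path reads "local:port -> remote:port"
    if op == "Process Create" and proc in DOC_HANDLERS and "powershell" in path.lower():
        return "document handler spawned PowerShell"
    return None


def triage(events):
    """(rule, process, pid, path) for every event a rule matched, in trace order."""
    out = []
    for e in events:
        rule = classify(e)
        if rule:
            out.append((rule, e["Process Name"], e["PID"], e["Path"]))
    return out


def failed_lookups(events, result="NAME NOT FOUND"):
    """Counter of (process, path) for failed operations; the top entries are the
    repeated misses that waste I/O during startup."""
    return Counter((e["Process Name"], e["Path"]) for e in events if e["Result"] == result)


# Constructed capture (not real data) that trips each rule once.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001 AM","dropper.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\Users\alice\AppData\Roaming\upd.exe"
"10:01:02.0000002 AM","dropper.exe","4120","CreateFile","C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk","SUCCESS","Desired Access: Generic Write"
"10:01:02.0000003 AM","dropper.exe","4120","Load Image","C:\Users\alice\AppData\Local\Temp\helper.dll","SUCCESS","Image Base: 0x7ff800000000, Image Size: 0x10000"
"10:01:02.0000004 AM","dropper.exe","4120","TCP Connect","host.local:49712 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:02.0000005 AM","WINWORD.EXE","3300","Process Create","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","SUCCESS","PID: 4120, Command line: powershell.exe -NoProfile -WindowStyle Hidden"
"10:01:02.0000006 AM","dropper.exe","4120","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\updsvc\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 40, Data: C:\upd.exe"
"10:01:03.0000001 AM","slowapp.exe","5000","CreateFile","C:\Program Files\SlowApp\plugins\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0000002 AM","slowapp.exe","5000","CreateFile","C:\Program Files\SlowApp\plugins\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0000003 AM","notepad.exe","6000","CreateFile","C:\Users\alice\notes.txt","SUCCESS","Desired Access: Generic Read"
'''

if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for f in triage(evs):
        print(" | ".join(f))
    for (proc, path), n in failed_lookups(evs).most_common(3):
        print(n, proc, path)
```

Rules are deliberately narrow (exact operation names, anchored registry paths) so that a hit is worth a human's time; broaden them only after checking what the noise of a clean baseline capture looks like through the same code.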
Trace File Operations
Saving and Loading Traces
# Save current trace to file
# File menu > Save or Ctrl+S > select .pml format
# Load saved trace for analysis
Procmon.exe capture.pml
# Export trace to CSV
# File menu > Export > CSV
# Save filtered view
# Apply filters, then File > Save
# Compare two traces
# Procmon has no diff view: open each trace in its own instance with identical filters, then compare Tools > Count Occurrences or the CSV exports
# Look for differences in process behavior
Working with Large Traces
# Limit capture to specific process
# Filter window > include only target process, then Filter > Drop Filtered Events so excluded events are not stored
# Capture for limited time
Procmon.exe /AcceptEULA /RunTime 60 /BackingFile trace.pml
# Stops after 60 seconds
# Load trace and search
# Ctrl+F to open Find toolbar
# Search for filename, process name, registry key
# Narrow by time
# Filter on the Time of Day column (is more than / is less than), or right-click a time and choose Exclude Events Before / Exclude Events After
Real-Time Analysis
GUI Features
| Feature | Purpose |
|---|---|
| Column Headers | Click to sort by field |
| Highlight | Filter > Highlight colors rows matching a rule; rows are not colored by result otherwise |
| Stack Trace | View call stack that generated event |
| Properties | Show full event details |
| Jump To | Navigate to related events |
| Configure Symbols | Options > Configure Symbols (dbghelp.dll and symbol path) resolves stack frames to function names |
| Count Occurrences | Statistical analysis |
Interpreting Results
CreateFile -> ReadFile/WriteFile -> CloseFile = Normal file access
CreateFile with NAME NOT FOUND result = Lookup of a file that does not exist
RegOpenKey with NAME NOT FOUND = Key does not exist; ACCESS DENIED = Caller lacks rights
Many identical failed attempts = Application retry or polling loop
Time-Based Analysis
# Timeline column shows when each event occurred
# Look for temporal patterns:
# - Startup phase (rapid file access)
# - Idle phase (no activity)
# - Termination phase (cleanup)
# Filter by time range
# Filter on the Time of Day column, or right-click a time and choose Exclude Events Before / Exclude Events After
Troubleshooting
Performance Issues
Procmon is slowing down the system
# Reduce scope with filters before recording
# Only monitor specific process or path, and enable Filter > Drop Filtered Events
# Use a backing file instead of the page file
Procmon.exe /AcceptEULA /BackingFile trace.pml /Minimized
# Stop capture if not needed
# Ctrl+E or File > Capture Events (toggle)
# Cap the number of events kept in memory
# Options > History Depth
Trace file is too large
# Limit collection time
Procmon.exe /AcceptEULA /RunTime 60 /BackingFile trace.pml
# Filter during recording
# Apply filter before starting capture
# Include/Exclude specific operations
# Filter > Drop Filtered Events so excluded events are not written at all
# Exclude common operations: ReadFile, the Query*InformationFile family, etc.
Analysis Issues
Can’t find specific activity
# Use Find bar (Ctrl+F) to search
# Search in all columns or specific field
# Apply filters systematically
# Start broad, then narrow down
# Check time range
# Activity may have occurred before capture started
# Keep a /BackingFile capture running ahead of time, or use Options > Enable Boot Logging to record from system start
# Enable all columns
# Options > Select Columns to add fields that are hidden by default
Event details are unclear
# Double-click event to see full details
# Properties pane shows all available information
# Check Stack tab to see call stack
# Reveals which code path generated the event
# Right-click > Jump To related operations
# Follow the sequence of related events
Example Workflows
Application Startup Analysis
# 1. Start Procmon
Procmon.exe /AcceptEULA
# 2. Clear events
# Edit > Clear Display
# 3. Launch target application
# (while Procmon is recording)
# 4. Stop recording
# Ctrl+E
# 5. Analyze startup sequence
# Look for:
# - DLL loading order
# - Config file reading
# - Registry lookups
# - Network connections
Security Incident Response
# 1. Start background capture
Procmon.exe /AcceptEULA /BackingFile incident.pml /Minimized
# 2. User reports suspicious activity or file appears
# 3. Stop capture
Procmon.exe /Terminate
# 4. Load and analyze trace
Procmon.exe incident.pml
# 5. Filter for suspicious process
# Process Name is "svchost.exe" (or unknown process)
# 6. Examine all file/registry/network activity
# Look for:
# - Run/RunOnce writes under HKLM or HKCU (persistence)
# - Files written to user-writable directories (Temp, AppData, Downloads)
# - TCP Connect to external IPs
# - Unusual DLL loads (Load Image from those same directories)
Debugging DLL Load Failures
# 1. Capture the search, not just the result
# A DLL the loader cannot find never produces a Load Image event; it shows up as
# CreateFile (or QueryOpen) with NAME NOT FOUND on each directory tried
# Filter: Process Name is "app.exe" AND Path ends with ".dll"
# 2. Find failed loads
# Result is "NAME NOT FOUND"; a successful load ends with a Load Image event
# 3. Read the search order from the sequence of Paths
# Application directory, System32, System, Windows directory, current directory, then PATH entries
# 4. Resolve by:
# - Placing the DLL in the application's directory (preferred)
# - Adding its directory to PATH or calling SetDllDirectory/AddDllDirectory
# - Copying into System32 works but is fragile and widens DLL-hijacking exposure; avoid it
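The search trail reconstructed from an export, as an added example that is not part of the page or of Sysinternals: for every DLL name it keeps the CreateFile/QueryOpen attempts in trace order with their results and notes whether a Load Image followed, so an unresolved DLL and the directories the loader tried are both visible at once. It assumes the default export columns; the capture embedded below is constructed, with a search order chosen to match the default SafeDllSearchMode sequence.

```python
"""Rebuild DLL search trails from a Procmon CSV export (added example)."""
import csv
import io
from collections import OrderedDict


def load_events(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dll_trails(events, process=None):
    """Map each DLL base name to {"tried": [(path, result), ...], "loaded": bool},
    in trace order. Optionally restrict to one process name."""
    trails = OrderedDict()
    for e in events:
        if process and e["Process Name"].lower() != process.lower():
            continue
        name = basename(e["Path"])
        if not name.endswith(".dll"):
            continue
        t = trails.setdefault(name, {"tried": [], "loaded": False})
        if e["Operation"] in ("CreateFile", "QueryOpen"):
            t["tried"].append((e["Path"], e["Result"]))
        elif e["Operation"] == "Load Image" and e["Result"] == "SUCCESS":
            t["loaded"] = True
    return trails


def unresolved(trails):
    """DLL names that were searched for but never loaded."""
    return sorted(n for n, t in trails.items() if t["tried"] and not t["loaded"])


def report(trails):
    """Human-readable trail: one header per DLL, one line per directory tried."""
    lines = []
    for name, t in trails.items():
        lines.append(f"{name}: {'loaded' if t['loaded'] else 'NOT FOUND'}")
        for path, result in t["tried"]:
            lines.append(f"    {result:15} {path}")
    return "\n".join(lines)


# Constructed capture (not real data): foo.dll is found on PATH after four
# misses; bar.dll is never found.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:00:00.0000001 AM","app.exe","7000","CreateFile","C:\App\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:00:00.0000002 AM","app.exe","7000","CreateFile","C:\Windows\System32\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:00:00.0000003 AM","app.exe","7000","CreateFile","C:\Windows\System\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:00:00.0000004 AM","app.exe","7000","CreateFile","C:\Windows\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:00:00.0000005 AM","app.exe","7000","CreateFile","C:\Tools\foo.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"11:00:00.0000006 AM","app.exe","7000","Load Image","C:\Tools\foo.dll","SUCCESS","Image Base: 0x7ff810000000, Image Size: 0x20000"
"11:00:00.0000007 AM","app.exe","7000","CreateFile","C:\App\bar.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:00:00.0000008 AM","app.exe","7000","CreateFile","C:\Windows\System32\bar.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:00:00.0000009 AM","app.exe","7000","CreateFile","C:\Windows\bar.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:00:00.0000010 AM","app.exe","7000","CreateFile","C:\App\config.ini","SUCCESS","Desired Access: Generic Read"
"11:00:00.0000011 AM","other.exe","7100","CreateFile","C:\Other\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

if __name__ == "__main__":
    trails = dll_trails(load_events(SAMPLE_CSV), "app.exe")
    print(report(trails))
    print("unresolved:", unresolved(trails))
```

The first directory in a NOT FOUND trail is also where a writable-path check belongs: if an attacker can create a file there before the application does, the miss becomes a DLL-hijacking opportunity.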
Tips and Best Practices
- Start Procmon BEFORE launching target application to capture startup
- Use /BackingFile to save to disk - prevents memory overflow on large captures
- Apply filters BEFORE recording when possible - reduces overhead
- Exclude common operations (ReadFile, the Query*InformationFile family) to reduce noise
- Use Timeline column to correlate with other system events
- Save and name traces with timestamps and descriptive names
- Open each saved trace once before relying on it - a PML cut off mid-write won't load later
- Understand operation sequences: CreateFile -> ReadFile -> CloseFile is normal
- Use jump/follow features to trace related operations across processes
- Document filter criteria used for reproducibility
Resources
- Process Monitor Official: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
- Sysinternals Suite: https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
- Filter rules documentation: https://docs.microsoft.com/sysinternals
- Registry Path Reference: https://docs.microsoft.com/windows/win32/sysinfo/registry-hives
- SANS Incident Handler Handbook
Last updated: 2026-03-30