
Process Monitor

Process Monitor (Procmon) is a Sysinternals tool that provides real-time monitoring of file system, registry, process, thread, and network activity on Windows. It combines the functionality of Filemon and Regmon for comprehensive system visibility.

Installation

Windows

# Download from Sysinternals Live
# https://live.sysinternals.com/procmon.exe

# Download and extract the release archive (PowerShell)
Invoke-WebRequest -Uri https://download.sysinternals.com/files/ProcessMonitor.zip -OutFile ProcessMonitor.zip
Expand-Archive ProcessMonitor.zip -DestinationPath .

# Run directly (portable executable)
Procmon.exe

# Or save and use portable version
copy Procmon.exe "C:\Program Files\Sysinternals\"

Verify Installation

# Show command-line usage (confirms the binary runs)
Procmon.exe /?

# Start with command-line options
Procmon.exe /AcceptEULA /BackingFile trace.pml

Core Concepts

Event Types Monitored

Category       Events
File System    Create, Read, Write, Delete, Rename files/folders
Registry       Query, Set, Create, Delete registry keys/values
Process        Start, Stop, Load DLL, Create thread
Network        TCP/UDP connect, send, receive
Profiling      CPU sampling, performance data

Basic Usage

Starting Procmon

# Start with default settings (captures all events)
Procmon.exe /AcceptEULA

# Minimize to system tray on startup
Procmon.exe /AcceptEULA /Minimized

# Load saved trace file
Procmon.exe /AcceptEULA trace.pml

# Start with backing file (capture to disk)
Procmon.exe /AcceptEULA /BackingFile C:\traces\capture.pml

Recording and Playback

# Start capturing in the background (cmd.exe; a plain "Procmon.exe" call blocks the console)
start Procmon.exe /AcceptEULA /BackingFile trace.pml

# Let it run and capture events, then stop the running instance
# (equivalent to Ctrl+E followed by exit in the GUI)
Procmon.exe /Terminate

# Load trace for analysis
Procmon.exe /OpenLog trace.pml

# Convert .pml to CSV (output format follows the extension: .csv, .xml or .pml)
Procmon.exe /OpenLog trace.pml /SaveAs output.csv

Command-Line Options

Option                Description
/AcceptEULA           Accept terms without prompt
/Minimized            Start minimized to tray
/BackingFile <file>   Save events to file
/NoFilter             Don't load default filter
/Quiet                No window on startup
/RunTime <seconds>    Auto-stop after N seconds
/Terminate            Stop running instance

Filtering and Searching

Filter Examples

# Filter by process name (GUI menu or right-click)
# Process Name contains "notepad"

# Filter by file path
# Path contains "temp" AND operation is WriteFile

# Filter by result (success/failure)
# Result is "SUCCESS"

# Exclude system processes
# Process Name is not "System" AND not "explorer.exe"

# Find registry activity
# Operation class is Registry

# Monitor specific application startup
# Image Path contains "application.exe"

# Track DLL loading
# Operation is Load Image

Advanced Filtering
# In the Filter dialog each line below is one or more rules; Include rules on the
# same column are ORed, Include rules on different columns are ANDed, and Exclude
# rules always take precedence.

# Find all failed operations (two Include rules on Result, ORed)
Result is "NAME NOT FOUND" OR Result is "ACCESS DENIED"

# Monitor temp file activity
Path contains "AppData\Local\Temp"

# Track service installations (driver files being written)
Path ends with ".sys" AND Operation is "CreateFile"

# Network activity of one process (network operations are named TCP Connect, TCP Send, UDP Receive, ...)
Process Name is "<target.exe>" AND Operation begins with "TCP"

# Find suspicious HKLM writes
Operation is "RegSetValue" AND Path begins with "HKLM"
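The AND/OR notation above maps onto Procmon's Filter dialog in a specific way: Include rules on the same column are ORed, Include rules on different columns are ANDed, and Exclude rules take precedence. The following Python is an added example (not from this page and not Procmon's own code) that applies rules with those semantics to a constructed snippet of a CSV export, so a rule set can be checked before it is typed into the dialog; the column names are those of Procmon's default CSV export.

```python
import csv
import io

# Constructed rows in the layout of Procmon's default CSV export (not a real trace).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","notepad.exe","4120","CreateFile","C:\Users\a\AppData\Local\Temp\x.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","notepad.exe","4120","RegOpenKey","HKCU\Software\Classes\.txt","NAME NOT FOUND","Desired Access: Read"
"10:01:02.3","svchost.exe","900","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd","SUCCESS","Type: REG_SZ"
"10:01:02.4","explorer.exe","1200","ReadFile","C:\Windows\System32\shell32.dll","SUCCESS","Offset: 0, Length: 4096"
"10:01:02.5","cmd.exe","3300","CreateFile","C:\Windows\System32\drivers\drv.sys","ACCESS DENIED","Desired Access: Generic Write"
'''

# The relations offered by Procmon's Filter dialog; comparisons are case-insensitive.
RELATIONS = {
    "is":          lambda v, a: v.lower() == a.lower(),
    "is not":      lambda v, a: v.lower() != a.lower(),
    "contains":    lambda v, a: a.lower() in v.lower(),
    "begins with": lambda v, a: v.lower().startswith(a.lower()),
    "ends with":   lambda v, a: v.lower().endswith(a.lower()),
}

def matches(rules, row):
    """Evaluate one event against rules of (column, relation, value, action).
    Procmon semantics: a matching Exclude rule drops the event outright;
    Include rules on the same column are ORed, Include rules on different
    columns are ANDed; a column with no Include rule is unconstrained."""
    for col, rel, val, action in rules:
        if action == "Exclude" and RELATIONS[rel](row[col], val):
            return False
    hits_per_column = {}
    for col, rel, val, action in rules:
        if action == "Include":
            hits_per_column.setdefault(col, []).append(RELATIONS[rel](row[col], val))
    return all(any(hits) for hits in hits_per_column.values())

def apply_filter(rules, csv_text):
    """Return the exported events that survive the rule set."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if matches(rules, r)]

# "Find all failed operations": two Include rules on Result, so they are ORed.
FAILED = [("Result", "is", "NAME NOT FOUND", "Include"),
          ("Result", "is", "ACCESS DENIED", "Include")]
# "Suspicious HKLM writes": Include rules on two columns, so they are ANDed;
# the Exclude rule takes precedence over both.
HKLM_WRITES = [("Operation", "is", "RegSetValue", "Include"),
               ("Path", "begins with", "HKLM", "Include"),
               ("Process Name", "is", "System", "Exclude")]

if __name__ == "__main__":
    for r in apply_filter(FAILED, SAMPLE_CSV):
        print(r["Process Name"], r["Operation"], r["Path"], r["Result"])
```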

Analysis Workflows

Malware Behavior Analysis

# 1. Start Procmon
Procmon.exe /AcceptEULA /BackingFile malware_trace.pml

# 2. Execute malware or suspicious script
# 3. Stop capture (Ctrl+E)
# 4. Apply filters for behavior

# Filter for persistence mechanisms
# Registry paths containing HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# File creation in Startup folders
# DLL injection into System processes

Performance Troubleshooting

# Monitor application startup
# Start capture before launching slow app
# Look for excessive disk I/O, registry queries
# Identify bottlenecks (many repeated failed operations)

# Result contains "NAME NOT FOUND" - file/registry not found
# High count = wasted disk I/O searching for missing files

# Repeated reads from same location = cache issue

Security Investigation

# Track suspicious process behavior
# Look for process hollowing (CreateProcess without WriteFile)
# Monitor DLL loading from temp directories
# Check for registry/file writes to System directories
# Track process-to-process communication

# Typical indicators:
# - System.exe spawning PowerShell
# - Explorer.exe loading unusual DLLs
# - Services writing to user directories
# - Processes creating named pipes
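As an added example (not from this page and not Procmon's own code), the following Python runs the persistence and loader checks from the Malware Behavior Analysis and Security Investigation sections, plus the NAME NOT FOUND count from Performance Troubleshooting, over a constructed snippet of a Procmon CSV export; the path fragments used as indicators are assumptions chosen for the sample.

```python
import csv
import io
from collections import Counter

# Constructed rows in the layout of Procmon's default CSV export (not a real trace).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","updater.exe","5120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Upd","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\a\AppData\Local\Temp\upd.exe"
"10:00:01.1","updater.exe","5120","Load Image","C:\Users\a\AppData\Local\Temp\helper.dll","SUCCESS","Image Base: 0x7ff8a0000000, Image Size: 0x1f000"
"10:00:01.2","updater.exe","5120","CreateFile","C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.lnk","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:02.0","slowapp.exe","6000","CreateFile","C:\app\plugins\a.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:02.1","slowapp.exe","6000","CreateFile","C:\app\plugins\a.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:02.2","slowapp.exe","6000","CreateFile","C:\app\plugins\a.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:02.3","explorer.exe","1200","Load Image","C:\Windows\System32\shell32.dll","SUCCESS","Image Base: 0x7ff8a1000000, Image Size: 0x800000"
'''

# Assumed indicator fragments (matched case-insensitively anywhere in the Path column).
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
STARTUP_DIR = ("\\Start Menu\\Programs\\Startup\\",)
USER_WRITABLE = ("\\AppData\\Local\\Temp\\", "\\Users\\Public\\", "\\ProgramData\\")

def _under(path, fragments):
    p = path.lower()
    return any(f.lower() in p for f in fragments)

def triage(csv_text):
    """Walk an exported trace once. Returns (findings, failed_lookups):
    findings are (process, indicator, path) triples for the persistence and
    loader checks above; failed_lookups counts NAME NOT FOUND results per
    (process, path), i.e. the repeated misses the performance section points at."""
    findings, failed = [], Counter()
    for r in csv.DictReader(io.StringIO(csv_text)):
        proc, op, path = r["Process Name"], r["Operation"], r["Path"]
        if r["Result"] == "NAME NOT FOUND":
            failed[(proc, path)] += 1
            continue
        if op == "RegSetValue" and _under(path, RUN_KEYS):
            findings.append((proc, "run-key persistence", path))
        elif op == "CreateFile" and _under(path, STARTUP_DIR) and "Generic Write" in r["Detail"]:
            findings.append((proc, "startup-folder persistence", path))
        elif op == "Load Image" and _under(path, USER_WRITABLE):
            findings.append((proc, "image loaded from user-writable directory", path))
    return findings, failed

if __name__ == "__main__":
    findings, failed = triage(SAMPLE_CSV)
    for f in findings:
        print(*f)
    for (proc, path), n in failed.most_common(5):
        print(f"{n:4d} NAME NOT FOUND  {proc}  {path}")
```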

Trace File Operations

Saving and Loading Traces

# Save current trace to file
# File menu > Save or Ctrl+S > select .pml format

# Load saved trace for analysis
Procmon.exe capture.pml

# Export trace to CSV
# File menu > Export > CSV

# Save filtered view
# Apply filters, then File > Save

# Compare two traces
# Open one trace, then open another in separate window
# Look for differences in process behavior

Working with Large Traces

# Limit capture to specific process
# Filter window > include only target process

# Capture for limited time
Procmon.exe /AcceptEULA /RunTime 60 /BackingFile trace.pml
# Stops after 60 seconds

# Load trace and search
# Ctrl+F to open Find toolbar
# Search for filename, process name, registry key

# Apply timeline filters
# Tools > Options > filter by timestamp

Real-Time Analysis

GUI Features

Feature            Purpose
Column Headers     Click to sort by field
Color Coding       Success (white), Error (red)
Stack Trace        View call stack that generated event
Properties         Show full event details
Jump To            Navigate to related events
Find Routine       Search selected DLL in IDA/WinDbg
Count Occurrences  Statistical analysis

Interpreting Results

CreateFile -> WriteFile -> CloseFile = Normal file write
ReadFile with NAME NOT FOUND result = Missing file lookup
RegOpenKey failure = Registry access denied
Multiple failed attempts = Application retry logic

Time-Based Analysis

# Timeline column shows when each event occurred
# Look for temporal patterns:
# - Startup phase (rapid file access)
# - Idle phase (no activity)
# - Termination phase (cleanup)

# Filter by time range
# Tools > Options > Time Range

Troubleshooting

Performance Issues

Procmon is slowing down the system

# Reduce scope with filters before recording
# Only monitor specific process or path

# Use backing file instead of keeping in memory
Procmon.exe /AcceptEULA /BackingFile trace.pml /Minimized

# Stop capture if not needed
# Ctrl+E or File > Capture Events (toggle)

# Reduce buffer size
# Tools > Options > Profiling > reduce History Buffer Size

Trace file is too large

# Limit collection time
# Tools > Options > Capture > Single Run Time (seconds)

# Filter during recording
# Apply filter before starting capture
# Include/Exclude specific operations

# Use drop filter to exclude noise
# Exclude common operations: ReadFile, GetFileAttributes, etc.

Analysis Issues

Can’t find specific activity

# Use Find bar (Ctrl+F) to search
# Search in all columns or specific field

# Apply filters systematically
# Start broad, then narrow down

# Check time range
# Activity may have occurred before capture started
# Use a backing file (/BackingFile) to extend the trace window

# Enable all columns
# Tools > Show All Columns to see data

Event details are unclear

# Double-click event to see full details
# Properties pane shows all available information

# Check Stack tab to see call stack
# Reveals which code path generated the event

# Right-click > Jump To related operations
# Follow the sequence of related events

Example Workflows

Application Startup Analysis

# 1. Start Procmon
Procmon.exe /AcceptEULA

# 2. Clear events
# Edit > Clear Display

# 3. Launch target application
# (while Procmon is recording)

# 4. Stop recording
# Ctrl+E

# 5. Analyze startup sequence
# Look for:
# - DLL loading order
# - Config file reading
# - Registry lookups
# - Network connections

Security Incident Response

# 1. Start background capture
Procmon.exe /AcceptEULA /BackingFile incident.pml /Minimized

# 2. User reports suspicious activity or file appears

# 3. Stop capture
Procmon.exe /Terminate

# 4. Load and analyze trace
Procmon.exe incident.pml

# 5. Filter for suspicious process
# Process Name is "svchost.exe" (or unknown process)

# 6. Examine all file/registry/network activity
# Look for:
# - Registry HKLM writes (persistence)
# - Downloads to user directory
# - Connection to external IP
# - Unusual DLL loads

Debugging DLL Load Failures

# 1. Capture DLL loading attempts
# Filter: Operation is "Load Image"

# 2. Find failed loads
# Result contains "NAME NOT FOUND"

# 3. Check alternate search locations
# Path shows where Windows searched

# 4. Resolve by:
# - Adding to PATH
# - Placing in System32
# - Using SetDllDirectory

Tips and Best Practices

  • Start Procmon BEFORE launching target application to capture startup
  • Use /BackingFile to save to disk - prevents memory overflow on large captures
  • Apply filters BEFORE recording when possible - reduces overhead
  • Exclude common operations (GetFileAttributes, QueryFileInformation) to reduce noise
  • Use Timeline column to correlate with other system events
  • Save and name traces with timestamps and descriptive names
  • Test captured traces regularly - corrupted data won’t load later
  • Understand operation sequences: CreateFile -> ReadFile -> CloseFile is normal
  • Use jump/follow features to trace related operations across processes
  • Document filter criteria used for reproducibility

Last updated: 2026-03-30
