
IT:AD:SysInternals:ProcMon

Summary

Process Monitor (ProcMon) can be used to monitor an app's access to files and the registry.

It can be filtered to show only access to files in a certain directory (e.g. watching file locks in a drop folder).

  • Requires Admin rights to Start
  • Requires Filtering
    • ProcessName, is, devenv.exe, include
      • Tip: don't forget to select include|exclude (top far right of dialog)
  • You could then keep adding rules with the Filter tool, but it's easier to right-click the list items you don't want and, from the context menu, select:
    • Exclude RegQueryKey
    • Exclude RegOpenKey
    • Exclude RegOpenValue
    • Exclude RegSetValue
    • You can exclude file paths as well (Exclude c:\whatever) and then use the Filter screen to change the relation from "is" to "begins with" so that whole swaths disappear.
  • Tips:
    • ProcessName is not 'devenv.exe' – try the '…vhost.exe' one instead
    • c:\TMP did not work, whereas c:\TMP\Dropfolder did. Minimum length?! Go figure…
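
The same include/exclude filtering can be replayed offline against a ProcMon CSV export, which helps when reviewing a capture on another machine. This is an added example, not part of the original page: the sample rows, the rule list and the function names are constructed for illustration, and the rule combination (any matching exclude hides an event; includes are OR'd within a column and AND'd across columns) is modelled on how ProcMon combines filter rules.

```python
import csv
import io

# Constructed sample rows in the column layout of a ProcMon CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","devenv.exe","4120","RegOpenKey","HKLM\Software\Example","SUCCESS",""
"10:00:01.0000002","devenv.exe","4120","CreateFile","C:\TMP\Dropfolder\in.xml","SHARING VIOLATION",""
"10:00:01.0000003","explorer.exe","900","CreateFile","C:\TMP\Dropfolder\in.xml","SUCCESS",""
"10:00:01.0000004","devenv.exe","4120","ReadFile","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:00:01.0000005","devenv.exe","4120","CloseFile","C:\TMP\Dropfolder\in.xml","SUCCESS",""
'''

# Rules as (column, relation, value, action), mirroring the Filter dialog fields.
RULES = [
    ("Process Name", "is", "devenv.exe", "include"),
    ("Path", "begins with", r"C:\TMP\Dropfolder", "include"),
    ("Operation", "is", "RegOpenKey", "exclude"),
    ("Operation", "is", "CloseFile", "exclude"),
]

def matches(event, column, relation, value):
    # Compared case-insensitively (assumption; Windows paths and names are not case-sensitive).
    field, value = event.get(column, "").lower(), value.lower()
    if relation == "is":
        return field == value
    if relation == "begins with":
        return field.startswith(value)
    raise ValueError(f"unsupported relation: {relation}")

def visible(event, rules):
    # Any matching exclude rule hides the event outright.
    if any(a == "exclude" and matches(event, c, r, v) for c, r, v, a in rules):
        return False
    # Include rules: OR within one column, AND across different columns.
    by_column = {}
    for c, r, v, a in rules:
        if a == "include":
            by_column.setdefault(c, []).append(matches(event, c, r, v))
    return all(any(hits) for hits in by_column.values())

def filter_events(csv_text, rules):
    # For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
    rows = csv.DictReader(io.StringIO(csv_text))
    return [e for e in rows if visible(e, rules)]

if __name__ == "__main__":
    for e in filter_events(SAMPLE_CSV, RULES):
        print(e["Process Name"], e["Operation"], e["Path"], e["Result"])
```
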
  • Last modified: 2023/11/04 03:32