Process Monitor 2.8

If you can figure out what process is tying up the CPU by studying Task Manager, you’re pretty smart. If you’ve replaced Task Manager with Process Explorer 11 (free), you’re even smarter. Sometimes, though, the real-time view of process activity you get from either of these tools doesn’t get to the root of the problem. For true power users, Process Monitor 2.8 (free, direct) logs every single file, Registry, network, and miscellaneous event that takes place on your computer. And, like Process Explorer, it’s free for both commercial and non-commercial use.


Information Overload
When you launch Process Monitor, it immediately starts logging a huge variety of system events. As events pour in at high speed, the display automatically scrolls to show the most recent. Toolbar buttons let you turn off auto-scrolling, stop and restart logging, and clear the log. Just a few minutes of logging can easily result in a half-million events or more, so Process Monitor offers many ways to filter out irrelevant information.

Process Monitor’s own default settings filter out events that probably aren’t of interest, such as events caused by the utility’s own process. Clicking the Filter button on the toolbar lets you add your own criteria to further refine the list. Filtered-out lines aren’t gone—you can bring them back into view by editing the filter collection. And if you use Process Monitor repeatedly for the same kind of analysis, you can save and re-use your filters.

Specifications

Free: Yes
OS Compatibility: Windows Vista, Windows XP, Windows 7
Type: Business, Personal, Enterprise, Professional

At times, you may want to peruse a particular event type without hiding other events, in order to see the event in context. For those times Process Monitor lets you highlight event lines matching one or more user-defined criteria.

Each event row includes the sequential event number, date/time stamp, process name, process ID, operation, file/Registry path, result code, and a Detail column that varies for different events. By right-clicking at the intersection of a data column and an event row, you bring up a context menu related to the data in the cell you clicked. Depending on the column, you might be selecting the process firefox.exe or a Registry key that Firefox opened. From this menu you can filter to include or exclude the data, highlight matching events, jump to the corresponding item in REGEDIT or Windows Explorer, or launch a Google search.

I use Process Monitor as part of my toolkit for analyzing the file and Registry changes effected by malware samples in my anti-malware testing. My standard filter excludes events caused by my other monitoring tools and various system events that are ubiquitous and never caused by malware. I save the event log to a .CSV file and use self-written tools to further pare down the deluge of data and cross-reference it with the output of other tools. For me, it’s invaluable.

Other Views
Like Process Explorer, Process Monitor offers a tree-structured display that charts the relationships between processes and the processes that launched them. Where Process Explorer specifically shows processes actively running in memory, the tree in Process Monitor displays all processes that were active while you were logging events. You can see when each process started and stopped or click a button to select the log event representing the process’s launch.

A process activity summary window displays various metrics for each process that was active during the logging period. Some, like file events, Registry events, and CPU usage, appear in the form of a usage graph. Others display numeric values for each process, like the number of network events or largest memory usage. Double-clicking a process brings up a window with a bigger version of all the graphed metrics.

Other windows summarize file, Registry and network activities during the logging period. If you’re looking for anomalies in Registry access, for example, it’s a lot easier to scan the summary than to scroll through the entire log. When you find an anomaly or other item of interest, clicking a button filters the log to focus on that item.
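The three things the review describes the analyst doing by hand, excluding noise from other monitoring tools, exporting the log to .CSV and paring it down with a self-written tool, and reading the per-process file/Registry/network summaries, can be reproduced over an exported log with a short script. The following is an added example written for this page, not a tool from Sysinternals or from the reviewer. It assumes the CSV export uses Process Monitor's English column titles for the columns shown on screen (Sequence, Time of Day, Process Name, PID, Operation, Path, Result, Detail); the sample export, the excluded process names, and the set of operations treated as persistent changes are all constructed for the example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a Process Monitor CSV export (not real capture data).
# Column titles are assumed to match Process Monitor's on-screen columns.
SAMPLE_CSV = r"""Sequence,Time of Day,Process Name,PID,Operation,Path,Result,Detail
1,10:00:00.0000001 AM,Procmon.exe,1234,RegQueryValue,HKLM\SOFTWARE\Foo,SUCCESS,Type: REG_SZ
2,10:00:00.0000002 AM,sample.exe,4321,CreateFile,C:\Users\test\AppData\Roaming\notes.txt,SUCCESS,Desired Access: Generic Write
3,10:00:00.0000003 AM,sample.exe,4321,WriteFile,C:\Users\test\AppData\Roaming\notes.txt,SUCCESS,"Offset: 0, Length: 12"
4,10:00:00.0000004 AM,sample.exe,4321,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\notes,SUCCESS,Type: REG_SZ
5,10:00:00.0000005 AM,sample.exe,4321,RegOpenKey,HKLM\SOFTWARE\Missing,NAME NOT FOUND,Desired Access: Read
6,10:00:00.0000006 AM,sample.exe,4321,TCP Connect,test-pc:49152 -> 203.0.113.5:443,SUCCESS,Length: 0
7,10:00:00.0000007 AM,svchost.exe,800,ReadFile,C:\Windows\System32\foo.dll,SUCCESS,"Offset: 0, Length: 4096"
8,10:00:00.0000008 AM,firefox.exe,2222,RegQueryValue,HKCU\Software\Mozilla,SUCCESS,Type: REG_SZ
"""

# Assumed names of the analyst's own monitoring tools, mirroring the
# "standard filter" the review describes. Adjust to your own toolkit.
EXCLUDED_PROCESSES = {"Procmon.exe", "Procexp.exe"}

# Operations whose success leaves a lasting change on disk or in the Registry.
# This set is an assumption for the example, not a list from Process Monitor.
CHANGE_OPERATIONS = {
    "WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile",
    "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
}


def parse_export(text):
    """Read a CSV export into a list of row dicts keyed by column title."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(operation):
    """Map an operation name onto the event classes used by the summary windows."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation in ("Process Create", "Process Start", "Process Exit",
                     "Thread Create", "Thread Exit", "Load Image"):
        return "process"
    return "file"


def apply_filter(events, excluded=EXCLUDED_PROCESSES, successful_only=False):
    """Drop events from excluded processes (and, optionally, failed operations)."""
    kept = []
    for ev in events:
        if ev["Process Name"] in excluded:
            continue
        if successful_only and ev["Result"] != "SUCCESS":
            continue
        kept.append(ev)
    return kept


def activity_summary(events):
    """Per-process event counts by class, like the process activity summary."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["Process Name"]][classify(ev["Operation"])] += 1
    return {name: dict(counts) for name, counts in summary.items()}


def persistent_changes(events):
    """Per-process set of (operation, path) pairs that actually changed state.

    Failed attempts (e.g. NAME NOT FOUND) are ignored: they show intent but
    change nothing, so they belong in the anomaly review, not the change list.
    """
    changes = defaultdict(set)
    for ev in events:
        if ev["Operation"] in CHANGE_OPERATIONS and ev["Result"] == "SUCCESS":
            changes[ev["Process Name"]].add((ev["Operation"], ev["Path"]))
    return {name: sorted(pairs) for name, pairs in changes.items()}


if __name__ == "__main__":
    events = apply_filter(parse_export(SAMPLE_CSV))
    for name, counts in activity_summary(events).items():
        print(f"{name:12} {counts}")
    for name, pairs in persistent_changes(events).items():
        for op, path in pairs:
            print(f"{name:12} {op:14} {path}")
```

Run against a real export by replacing `SAMPLE_CSV` with the file contents; the per-process counts give the same quick anomaly scan the summary windows offer, and the change list is the part you would cross-reference with other tools' output.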

Geek Cred Required
If my description of Process Monitor sounds alarming or incomprehensible to you, that’s not at all surprising. This is a tool for expert users and über-geeks, not for the general public or even the average power user. Some of the information offered by Process Monitor is beyond even my understanding. I’ve never had to use the thread stack list or configure its symbols. I’ve never cross-referenced Process Monitor’s logs with program source code. But it’s nice to know those features are available if I ever need them.

Process Explorer is a tool for everyone, a much-improved replacement for Task Manager that lets you see what’s going on in the system right now. Process Monitor digs much deeper. It lets researchers and techies monitor all system activity and analyze the results to find out exactly what a specific process changed or locate anomalous behaviors. It’s not for everyone, but if you need the kind of information it provides, nothing else will do.
