Unlike the Process Explorer utility that we've spent a few days covering, Process Monitor is meant to be a passive look at everything that happens on your computer, not an active tool for killing processes or closing handles. This is like taking a peek at a global logfile for every single event that happens on your Windows PC.

Want to understand which registry keys your favorite application is actually storing its settings in? Want to figure out what files a service is touching and how often? Want to see when an application is connecting to the network or opening a new process? It's Process Monitor to the rescue.

Process Monitor captures five classes of events:

- Registry – this could be creating keys, reading them, deleting them, or querying them. You'll be surprised just how often this happens.
- File System – this could be file creation, writing, deleting, etc., and it can be for both local hard drives and network drives.
- Network – this will show the source and destination of TCP/UDP traffic, but sadly it doesn't show the data, making it a bit less useful.
- Process – these are events for processes and threads where a process is started, a thread starts or exits, etc.
- Profiling – these events are captured by Process Monitor to check the amount of processor time used by each process, and the memory use. This can be useful information in certain instances, but is often something you'd want to look at in Process Explorer instead. Again, you would probably want to use Process Explorer for tracking these things most of the time, but it's useful here if you need it.

So Process Monitor can capture any type of I/O operation, whether that happens through the registry, file system, or even the network, although the actual data being written isn't captured. We're just looking at the fact that a process is writing to one of these streams, so we can later figure out more about what is happening.

The default columns show a ton of useful information, but you'll definitely need some context to understand what data each one actually contains, because some of them might look like something bad happened when they are really innocent events that happen all the time under the hood. Here's what each of the default columns is used for:

- Time – this column is fairly self-explanatory: it shows the exact time that an event occurred.
- Process Name – the name of the process that generated the event. This doesn't show the full path to the file by default, but if you hover over the field you can see exactly which process it was.
- PID – the process ID of the process that generated the event. This is very useful if you are trying to understand which svchost.exe process generated the event. It's also a great way to isolate a single process for monitoring, assuming that process doesn't re-launch itself.
- Operation – this is the name of the operation that is being logged, and there is an icon that matches up with one of the event types (registry, file, network, process). These can be a little confusing, like RegQueryKey or WriteFile, but we'll try and help you through the confusion.
- Path – this is not the path of the process; it is the path to whatever was being worked on by this event.
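The same column semantics apply once you save a capture to CSV (File > Save in Process Monitor). The following is an added example, not code from the original article or from Sysinternals: it parses a constructed CSV in the shape of a default export, isolates one PID (so two svchost.exe instances are not confused), classifies each Operation into the event classes above, and lists the registry paths a process actually wrote its settings to. The header names are assumed to match a default export, and the "Path" column is the object acted on, not the process image.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Process Monitor CSV export with the
# default columns. Header names are an assumption; adjust to your export.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","svchost.exe","820","RegQueryKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache","SUCCESS","Query: Name"
"10:01:02.2345678","svchost.exe","1104","TCP Send","host-a:49152 -> host-b:443","SUCCESS","Length: 512"
"10:01:02.3456789","notepad.exe","4420","RegSetValue","HKCU\\Software\\Microsoft\\Notepad\\lfFaceName","SUCCESS","Type: REG_SZ, Data: Consolas"
"10:01:02.4567890","notepad.exe","4420","WriteFile","C:\\Users\\alice\\notes.txt","SUCCESS","Offset: 0, Length: 42"
"10:01:02.5678901","svchost.exe","820","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Start","NAME NOT FOUND","Length: 4"
"""


def load_events(csv_text):
    """Read a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def events_for_pid(events, pid):
    """Isolate one process by PID, e.g. a single svchost.exe instance."""
    return [e for e in events if e["PID"] == str(pid)]


def event_class(operation):
    """Heuristic mapping of an Operation name onto Procmon's event classes."""
    if operation.endswith("Profiling"):
        return "Profiling"
    if operation.startswith("Reg"):
        return "Registry"
    if operation.startswith(("TCP", "UDP")):
        return "Network"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "Process"
    return "File System"


def class_counts(events):
    """How many events of each class a capture (or a PID slice) contains."""
    return Counter(event_class(e["Operation"]) for e in events)


def registry_keys_written(events, process_name):
    """Registry paths a process wrote: where it keeps its settings."""
    writes = ("RegSetValue", "RegCreateKey")
    return sorted({e["Path"] for e in events
                   if e["Process Name"] == process_name and e["Operation"] in writes})
```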