Comment Feed for Channel 9 - Defrag Tools: #3 - Process Monitor http://media.ch9.ms/ch9/5678/438d3438-d90c-4309-90b3-a5ffbbe35678/DefragTools3_220.jpg Channel 9 - Defrag Tools: #3 - Process Monitor In this 2 part episode of Defrag Tools, Andrew and I walk you through Sysinternals Process Monitor. Process Monitor allows you to view the File, Registy, Network, Process and Profiling details of the processes running on the computer. The logging allows you to go from a holistic view all the way down to the function in the stack that initiated an event. Process Monitor can be used to troubleshoot nearly all types of issues. As coined by David Solomon - "When in doubt, run Process Monitor". Part 1 (this week) covers the tool itself.Part 2 (next week) goes though a wide variety of examples showing how different techniques are required for different investigations. Resources:Sysinternals Process Monitor Timeline:[01:03] - Episode Overview[01:55] - www.sysinternals.com[03:30] - Launching & EULA[04:00] - Events traced[06:28] - Sysinternals Administrator's Reference - [Amazon][07:00] - File Menu - Open, Save, Backing Files/Pagefile, Capture Events and Configuration[10:34] - Edit Menu - Copy, Find, Highlight, Bookmarks, Auto Scroll and Clear Display[14:52] - Events Menu - Jump To, Search Online, (Quick) Filtering, Filemon/Regmon heritage, Highlight &Filter dialogs[22:48] - Filter Menu - Advanced Output, Load/Save/Organize Filters, Drop Filtered Events[25:02] - Tools Menu - Next episode...[25:28] - Options Menu - Symbols, History Depth, Profiling and Network Addresses[28:47] - Command Line - Refer to the book, help file and the dialog[29:08] - Columns - in particular, the Relative Time and Duration columns[31:48] - Next episode, examples... en Tue, 21 May 2013 06:20:07 GMT Tue, 21 May 2013 06:20:07 GMT Rev9 Re: Defrag Tools: #3 - Process Monitor Hi,

Nice videos in show.

Process explorer shows what are all the handle (also the File Object associated with it) is held by process. Process monitor shows us the Win32 calls.

Can we combine those two pieces of information? Can we get the handle value returned from CreateFile call (shown in the ProcMon)?

posted by Debojyoti

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634805502422782874 Tue, 14 Aug 2012 14:10:42 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634805502422782874 Debojyoti Re: Defrag Tools: #3 - Process Monitor @Debojyoti: Great question. The answer unfortunately is No. ProcMon doesn't run in the right area of the kernel to know what handle is allocated for the successful operation.

The way Process Monitor gets the file operations is to insert itself as a filter driver. It is called first, just after FltrMgr.sys. It logs the result of IRP_MJ_CREATE operations that is receives as ProcMon 'CreateFile' operations. If you turn Advanced Output on, you'lll see that the Operation will be renamed from CreateFile to IRP_MJ_CREATE (the real name). At the time that the ProcMon driver sees the result of the IRP_MJ_CREATE operation (and last time it is involved in the call), all that exists is the pointer to the object. The object hasn't been added the handle table of the target process.

It isn't feasible to leverage the Process Explorer data either. ProcExp is only able to view the handle data on a process by process basis - this design doesn't gel with how Process Monitor works.

Note that some, if not most, CreateFile operations in ProcMon aren't actually a CreateFile call, they are the result of a memory mapping (nt!MmCreateSection) call that maps a file in to an address space, be it directly (CreateFileMapping) or indirectly (LoadLibrary).

ProcMon simplifies the world - maybe a little too much.

Once again - great question!  Thanks for watching.

posted by windev

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634805918576582536 Wed, 15 Aug 2012 01:44:17 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634805918576582536 windev Re: Defrag Tools: #3 - Process Monitor
Thanks for the insight, I feel that we could all muck-around with the tool and learn what we did here - as I think we have.

This was an opportunity to teach something new, what it means, how to find a process, how to track a file open, a registry failing, etc etc, but it was lost on a simple how it works video..

Sorry all, but you lost a fan.

posted by Dave Colvin

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634806263115422680 Wed, 15 Aug 2012 11:18:31 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634806263115422680 Dave Colvin Re: Defrag Tools: #3 - Process Monitor @Dave Colvin: Next week's video should have more of what you wanted to see.

posted by ChadBeeder

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634806805917851744 Thu, 16 Aug 2012 02:23:11 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634806805917851744 ChadBeeder Re: Defrag Tools: #3 - Process Monitor @windev I understood the point.

Thanks for your reply. ProcMon is a good tool and I use it in a great extent to get my work done.

It would be nice if you put something on Channel 9 on NetMon (http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=4865).


I am looking forward for the next videos.

posted by Debojyoti

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634810713344976733 Mon, 20 Aug 2012 14:55:34 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634810713344976733 Debojyoti Re: Defrag Tools: #3 - Process Monitor @Debojyoti: NetMon (and Fiddler) is on the list of future episides - probably around episode #15.

posted by windev

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634810943135388627 Mon, 20 Aug 2012 21:18:33 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor#c634810943135388627 windev