Defrag Tools: #4 - Process Monitor - Examples
- Posted: Aug 20, 2012 at 12:42 PM
- 53,004 Views
- 8 Comments
In this 2 part episode of Defrag Tools, Andrew and I walk you through Sysinternals Process Monitor. Process Monitor allows you to view the File, Registry, Network, Process and Profiling details of the processes running on the computer. The logging allows you to go from a holistic view all the way down to the function in the stack that initiated an event. Process Monitor can be used to troubleshoot nearly all types of issues. As coined by David Solomon - "When in doubt, run Process Monitor".
Part 1 (last week) covers the tool itself.
Part 2 (this week) goes through a wide variety of examples showing how different techniques are required for different investigations.
Resources:
Sysinternals Process Monitor
Timeline:
[00:00] - Last week...
[01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog
[08:30] - Using Summary reports to see the current filter's resource usage
[15:09] - Capturing a ProcMon log of system boot
[19:25] - Analyzing the boot log
[27:32] - The Startup/Shutdown chapter of the Windows Internals book [4th edition, 5th edition, 6th edition Part 2]. Note, it's Chapter 13, not Chapter 4, as mentioned on the show. Chapter 13 is in Part 2 of the 6th edition.
[28:17] - Next time...Autoruns
More Examples:
Case of the Unexplained... by Mark Russinovich
Sysinternals Gems by Aaron Margosis
Really enjoy these videos, I used these Tools a lot when working for Microsoft PYPC support and they are very useful when you get to really know them
Would be terrific if the SysInternals tools came with source code. Or at least if there were source code snippets in the SysInternals books that Mark publishes.
At about 7:00 in, Larry asks what the "SuperHidden" registry setting is for, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
In Microsoft parlance, "super hidden" files are files which have both the System and Hidden file system attributes set. By default they are hidden from view, even if you've chosen to show hidden files. If for some reason you really want to see them, you can change this setting through the Explorer UI by going to Tools/Folder Options/View, and unchecking "Hide protected operating system files (Recommended)."
However, the registry value that actually changes when you do this is called "ShowSuperHidden"! So, what's "SuperHidden" for?
Well, as it turns out... it's a bug. It's been fixed in Windows 8, and "SuperHidden" is gone. There's only "ShowSuperHidden" now.
[01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog
this can be done much, much easier with RegFromApp:
http://www.nirsoft.net/utils/reg_file_from_application.html
Run it, select the Explorer.exe, change the value and save the data as .reg file
[19:25] - Analyzing the boot log
xbootmgr and xperfview are still the better tools for boot tracing. Generate the summary

to see how long Windows boots. And here you can easily see what is slow. Here it is WinLogonInit which starts services, restore network connections, runs Group policies and logs on the user to the system.
@MagicAndre1981: xperf is scheduled for a future episode. And yes, I agree that it allows you to go deeper. ProcMon does do a very good job though of presenting information required to get an idea of what is happening.
Guys - I've been following your Sysinternals Tools show ...
This is the 1st time I've fired-up ProcMon on my current installation (Win8_RP_x64)
I followed through your 1st example about the Advanced Explorer settings etc (and it worked),
But after that, I needed some relaxation, so I fired-up Crysis (under Steam), and was hit by errors including "check internet access", "unable to contact license server"
I run Norton 360, and all the other programs I've tried have managed to access the internet Ok
I've checked the Steam User's forums, and there appears to be a suspicion that ProcMon makes Crysis think there's "malware" so it won't run
Any comments folks?
ps. Crysis2 works fine
Best procmon tip: filter on 'category contains write' to see registry and file changes. Too bad you can't export to a .reg file.
I wish there was a column called 'total disk seek distance'.
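The two comments above (the Folder Options registry investigation at [01:08], and the wish to filter on writes and export them as a .reg file) can be combined in a small script. The following is an added example written for this page; it is not code from the show, from Sysinternals, or from the commenters. It assumes ProcMon's default CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the "Type: ..., Length: ..., Data: ..." detail format of RegSetValue rows; since the CSV export has no Category column unless you add it, the "write" filter is approximated by operation name. The sample rows are constructed for the example and include the Hidden and ShowSuperHidden values discussed in the comments.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV).
# The rows are invented for this example, not taken from a real capture.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:05:12.0000001 PM","Explorer.EXE","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"1:05:12.0000002 PM","Explorer.EXE","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"1:05:12.0000003 PM","Explorer.EXE","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"1:05:12.0000004 PM","Explorer.EXE","1234","WriteFile","C:\Users\user\AppData\Local\IconCache.db","SUCCESS","Offset: 0, Length: 4,096"
"1:05:12.0000005 PM","Explorer.EXE","1234","RegSetValue","HKCU\Software\Example\Path","SUCCESS","Type: REG_SZ, Length: 26, Data: C:\Tools\bin"
"1:05:12.0000006 PM","Explorer.EXE","1234","RegDeleteValue","HKCU\Software\Example\Stale","SUCCESS",""
""".strip()

# Approximation of ProcMon's "Category contains Write" filter by operation name
# (assumption: the export has no Category column, so operation names are used).
REG_WRITE_OPS = {"RegSetValue", "RegDeleteValue", "RegDeleteKey", "RegCreateKey"}
FILE_WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}

# ProcMon abbreviates hives; .reg files need the full names.
HIVES = {
    "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}

_DETAIL_RE = re.compile(r"Type: (\w+), Length: [\d,]+, Data: (.*)", re.S)


def load_events(csv_text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def write_events(events):
    """Keep only registry and file write operations (the 'write' filter)."""
    return [e for e in events if e["Operation"] in REG_WRITE_OPS | FILE_WRITE_OPS]


def split_reg_path(path):
    """'HKCU\\Key\\Sub\\Value' -> ('HKEY_CURRENT_USER\\Key\\Sub', 'Value')."""
    key, _, value = path.rpartition("\\")
    hive, _, rest = key.partition("\\")
    full_key = HIVES.get(hive, hive) + ("\\" + rest if rest else "")
    return full_key, value


def parse_set_value_detail(detail):
    """Extract (type, data) from a RegSetValue Detail column."""
    m = _DETAIL_RE.fullmatch(detail)
    if not m:
        raise ValueError("unrecognised RegSetValue detail: %r" % detail)
    return m.group(1), m.group(2)


def _quote(text):
    """Escape a string for .reg syntax (backslashes and double quotes)."""
    return '"%s"' % text.replace("\\", "\\\\").replace('"', '\\"')


def reg_literal(reg_type, data):
    """Render a value in .reg syntax; None for types this example does not handle."""
    if reg_type == "REG_DWORD":
        return "dword:%08x" % int(data)   # ProcMon shows DWORD data in decimal
    if reg_type == "REG_SZ":
        return _quote(data)
    return None


def to_reg_file(events):
    """Build .reg text from successful RegSetValue/RegDeleteValue events.

    Values are grouped per key; a later write to the same value replaces an
    earlier one, so the output reflects the final state the capture recorded.
    """
    changes = {}  # full key name -> {value name: .reg literal or "-" for delete}
    for e in events:
        op = e["Operation"]
        if op not in ("RegSetValue", "RegDeleteValue") or e["Result"] != "SUCCESS":
            continue
        key, name = split_reg_path(e["Path"])
        if op == "RegDeleteValue":
            literal = "-"
        else:
            reg_type, data = parse_set_value_detail(e["Detail"])
            literal = reg_literal(reg_type, data)
            if literal is None:
                continue  # unsupported value type; skipped rather than guessed
        changes.setdefault(key, {})[name] = literal
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in changes.items():
        lines.append("[%s]" % key)
        for name, literal in values.items():
            lhs = "@" if name == "(Default)" else _quote(name)
            lines.append("%s=%s" % (lhs, literal))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_reg_file(write_events(load_events(SAMPLE_CSV))))
```

Running the script prints a .reg file containing the Hidden and ShowSuperHidden changes under the Explorer\Advanced key, the REG_SZ value with its backslashes escaped, and a `"Stale"=-` line for the deleted value. The script only renders REG_DWORD and REG_SZ values; other types are skipped so that nothing is emitted that the capture did not unambiguously record.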
@Tom Hall: Procmon may indeed be looked for by Crysis. Some games don't like you looking at the I/O operations as they think you are trying to hack the game. All you can do is reboot (to unload the driver) and then play the game.