Defrag Tools: #4 - Process Monitor - Examples



In this two-part episode of Defrag Tools, Andrew and I walk you through Sysinternals Process Monitor. Process Monitor allows you to view the File, Registry, Network, Process and Profiling details of the processes running on the computer. The logging allows you to go from a holistic view all the way down to the function in the stack that initiated an event. Process Monitor can be used to troubleshoot nearly all types of issues. As coined by David Solomon - "When in doubt, run Process Monitor".

Part 1 (last week) covers the tool itself.
Part 2 (this week) goes through a wide variety of examples showing how different techniques are required for different investigations.

Sysinternals Process Monitor

[00:00] - Last week...
[01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog
[08:30] - Using Summary reports to see the current filter's resource usage
[15:09] - Capturing a ProcMon log of system boot
[19:25] - Analyzing the boot log
[27:32] - The Startup/Shutdown chapter of the Windows Internals book [4th edition, 5th edition, 6th edition Part 2]. Note, it's Chapter 13, not Chapter 4, as mentioned on the show. Chapter 13 is in Part 2 of the 6th edition.
[28:17] - Next time...Autoruns

More Examples:
Case of the Unexplained... by Mark Russinovich
Sysinternals Gems by Aaron Margosis




The Discussion

  • User profile image

    really enjoy these videos, I used these Tools a lot when working for Microsoft PYPC support and they are very useful when you get to really know them Smiley

  • User profile image

    Would be terrific if the SysInternals tools came with source code. Or at least if there were source code snippets in the SysInternals books that Mark publishes.


  • User profile image

    At about 7:00 in, Larry asks what the "SuperHidden" registry setting is for, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.

    In Microsoft parlance, "super hidden" files are files which have both the System and Hidden file system attributes set. By default they are hidden from view, even if you've chosen to show hidden files. If for some reason you really want to see them, you can change this setting through the Explorer UI by going to Tools/Folder Options/View, and unchecking "Hide protected operating system files (Recommended)."

    However, the registry value that actually changes when you do this is called "ShowSuperHidden"! So, what's "SuperHidden" for?

    Well, as it turns out... it's a bug. It's been fixed in Windows 8, and "SuperHidden" is gone. There's only "ShowSuperHidden" now. Smiley
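The following PowerShell script is an added example (it is not from the episode or from the comment above) that turns the comment's explanation into something you can check on your own machine: it reads the ShowSuperHidden value under the HKCU\...\Explorer\Advanced key named in the comment, and then lists files that carry both the Hidden and System attributes, which is the definition of "super hidden" given above. The registry path and value name are the ones the comment cites; the directory scanned is an assumption (it defaults to %SystemRoot% and can be overridden).

```powershell
# Added example, not code from the show or the commenter. Inspect Explorer's
# "ShowSuperHidden" setting and list "super hidden" files (Hidden + System).
param(
    [string]$Path = $env:SystemRoot   # assumption: scan %SystemRoot% unless told otherwise
)

# Key and value name as given in the comment above.
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Get-ItemProperty errors when the value is absent, so probe it quietly.
$setting = Get-ItemProperty -Path $advancedKey -Name 'ShowSuperHidden' -ErrorAction SilentlyContinue
if ($null -eq $setting) {
    Write-Output 'ShowSuperHidden is not set (Explorer default: protected OS files are hidden)'
} elseif ($setting.ShowSuperHidden -eq 1) {
    Write-Output 'ShowSuperHidden = 1: Explorer shows protected operating system files'
} else {
    Write-Output "ShowSuperHidden = $($setting.ShowSuperHidden): protected operating system files are hidden"
}

# "Super hidden" means both attribute bits are set; build the mask once.
$mask = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System

# -Force is required, otherwise Get-ChildItem silently skips hidden and system items,
# which is exactly the Explorer behaviour the comment describes.
Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $mask) -eq $mask } |
    Select-Object FullName, Attributes, LastWriteTime |
    Format-Table -AutoSize
```

Run it as `.\Show-SuperHidden.ps1 -Path C:\` (any script name you like) to see which entries in a directory Explorer would hide even with "show hidden files" turned on; comparing that list over time is a cheap way to notice files that have quietly acquired the System+Hidden combination.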

  • User profile image

    [01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog

    this can be done much, much easier with RegFromApp:


    Run it, select the Explorer.exe, change the value and save the data as .reg file Smiley

    [19:25] - Analyzing the boot log

    xbootmgr and xperfview are still the better tools for boot tracing. Generate the summary to see how long Windows boots. And here you can easily see what is slow. Here it is WinLogonInit which starts services, restores network connections, runs Group Policies and logs on the user to the system.

  • User profile image

    @MagicAndre1981: xperf is scheduled for a future episode. And yes, I agree that it allows you to go deeper. ProcMon does do a very good job though of presenting information required to get an idea of what is happening.

  • User profile image
    Tom Hall

    Guys - I've been following your Sysinternals Tools show ...

    This is the 1st time I've fired-up ProcMon on my current installation (Win8_RP_x64)
    I followed through your 1st example about the Advanced Explorer settings etc (and it worked),
    But after that, I needed some relaxation, so I fired-up Crysis (under Steam), and was hit by errors including "check internet access", "unable to contact license server"

    I run Norton 360, and all the other programs I've tried have managed to access the internet Ok

    I've checked the Steam User's forums, and there appears to be a suspicion that ProcMon makes Crysis think there's "malware" so it won't run

    Any comments folks ?

    ps. Crysis2 works fine

  • User profile image

    Best procmon tip:  filter on 'category contains write' to see registry and file changes.  Too bad you can't export to a .reg file.

    I wish there was a column called 'total disk seek distance'.
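The "Category contains Write" filter can also be applied after the fact to a Process Monitor CSV export. The PowerShell below is an added example (not from the show or from the comment) that parses such an export, keeps only events whose Category contains "Write", and groups the registry keys and files each process changed, which is the closest offline equivalent of the tip above. Two assumptions: the Category column was enabled in Process Monitor before exporting (only visible columns end up in the CSV), and the column headers match the ones in the sample. The CSV text embedded here is constructed sample data, not a real capture.

```powershell
# Added example, not code from the show or the commenter. Offline version of
# the "Category contains Write" filter, applied to a Process Monitor CSV export.
# The CSV below is CONSTRUCTED sample data with an assumed column layout.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Category"
"10:00:01.001","Explorer.EXE","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0","Read Metadata"
"10:00:02.002","Explorer.EXE","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1","Write"
"10:00:03.003","notepad.exe","5678","WriteFile","C:\Users\demo\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 42","Write"
"10:00:04.004","notepad.exe","5678","ReadFile","C:\Windows\System32\notepad.exe","SUCCESS","Offset: 0, Length: 4,096","Read"
"10:00:05.005","svchost.exe","900","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\Example\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2","Write"
'@

function Get-WriteEvents {
    param([string]$CsvText)
    # ConvertFrom-Csv handles the quoted fields; -like is case-insensitive,
    # matching the behaviour of ProcMon's own "contains" filter.
    $CsvText | ConvertFrom-Csv | Where-Object { $_.Category -like '*Write*' }
}

function Show-WritesByProcess {
    param([object[]]$Events, [string]$Title)
    Write-Output "== $Title =="
    $Events | Group-Object 'Process Name' | ForEach-Object {
        $pid = ($_.Group | Select-Object -First 1).PID
        Write-Output ("{0} (PID {1}):" -f $_.Name, $pid)
        $_.Group | ForEach-Object { Write-Output ("    {0,-14} {1}" -f $_.Operation, $_.Path) }
    }
}

$writes = Get-WriteEvents -CsvText $sampleCsv

# Registry operations all start with "Reg"; everything else in the Write
# category here is file I/O.
Show-WritesByProcess -Events ($writes | Where-Object { $_.Operation -like 'Reg*' })    -Title 'Registry writes'
Show-WritesByProcess -Events ($writes | Where-Object { $_.Operation -notlike 'Reg*' }) -Title 'File writes'

# For a real export: Get-WriteEvents -CsvText (Get-Content .\Logfile.CSV -Raw)
```

With the sample data this reports the ShowSuperHidden change by Explorer.EXE, the service Start value change by svchost.exe, and the notes.txt write by notepad.exe, while the read events drop out. The Detail column still carries the value type and data for RegSetValue rows, so a reviewer can see what was written, not just where.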


  • User profile image

    @Tom Hall: Procmon may indeed be looked for by Crysis. Some games don't like you looking at the I/O operations as they think you are trying to hack the game. All you can do is reboot (to unload the driver) and then play the game. Smiley

  • User profile image


    Very interesting but a bit too deep for me to fully understand and use.

    I am running W7 Home premium and something is turning on the Speaker/Headphones (I normally have them muted and use the Microsoft control to turn them on and off). As I am booting a speaker symbol with a white scale opens on the screen and unmutes the speaker/headphones. I used Process Monitor to make a boot log but can't seem to find out what is un-muting the speakers.

    I have watched the videos several times but they move so fast and my knowledge is very limited so I get lost.

    Can you give me some tips on what to look for so I can track this event down.

    I would be glad to upload my bootlog file if that would help!

    Thanks in advance for your help and guidance!





