If you need to inspect Windows registry, file system, process, or network activity and have decided to use procmon, this article is for you. In this Ultimate Guide, you're going to learn everything there is to know about using the procmon utility, from installing and basic usage all the way to various use cases that will help you track down all kinds of activity.

Once you've got it downloaded, extract the ZIP file with your favorite tool. Below is a PowerShell code snippet if you've saved it to your home folder. You'll then see a folder like any ol' network share containing all of the Sysinternals files, including procmon.

By default, procmon launches prompting you to accept an end-user license agreement (EULA) and then opens its main window. Although less likely in this day and age, whenever you launch procmon, it detects whether you're running a 64-bit or 32-bit OS. The moment you run procmon, it begins capturing many different kinds of Windows events. If you don't want procmon to automatically begin capturing events, you can start it from the command line by running procmon.exe /NoConnect. Procmon has other command-line switches customizing its behavior, but you'll learn about those in the coming sections.

As you can see in the screenshot above under the Operation column, there are various icons, each representing a different class of Windows events. Each event in all classes is represented in a single list pane of seven columns:

Operation – The type of event, like whether the process opened a file, changed a registry key value, etc.

This value can be as simple as SUCCESS or specific to the event, like REPARSE, BUFFER OVERFLOW, NAME NOT FOUND, etc. You'll be presented with a dialog box where you can customize the viewable columns.

Don't leave procmon capturing events for longer than you need. It uses virtual memory to store all of those events and, if you're not careful, you might end up crashing Windows!

In the menu bar, you'll see five of the same icons that are displayed in the Operation column. By clicking on these buttons, you can enable and disable entire event classes. By default, the farthest icon to the right (the black and green graph) isn't enabled. You'll see that as soon as you click an icon, procmon applies an event filter.

If you scroll down in the Process Monitor Filter box, you'll see many different types of rules defined. In plain English, these rules tell procmon to not display (exclude) a process with the name of procmon.exe, for example. These filters are applied because you'll typically not need to see the events these filters exclude.

In the last section, you saw what the Process Monitor Filter box looked like and viewed all of the rules. Finally, since you want all of the events where explorer.exe queries a registry key, be sure to include the RegQueryKey operation also. Click OK and you'll then see the main window remove all of the events that do not match the filter rules you just defined.

If you're a procmon power user, there'll probably come a time when you have sets of filter rules for various occasions. As you can see below, you can create any kind of rule directly from this menu; no need to go to the Process Monitor Filter box at all! You can also click on the Reset button to automatically remove all of the custom filter rules. Using procmon's filter-saving and organizing features, you can manage and save as many of these sets as you wish. If you expect to load procmon on another computer and keep all of your saved filters, you're out of luck. Provide a name, choose a path and click OK. You'll see that all procmon filters are saved with a PMF extension. As you learned above, you can export and import procmon filters via PMF files. You can also load saved configurations (filters included) via the command line using the /LoadConfig switch followed by the path of the file, e.g. procmon.exe /LoadConfig C:\ProcmonConfigs\file_deletion.pmc.
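As an added example (not code from the original guide), here is a PowerShell function that runs a time-boxed procmon capture with a saved configuration and writes events to a backing file on disk instead of holding them in virtual memory. The procmon.exe and .pmc paths are placeholders, and /AcceptEula, /Quiet, /Minimized, /BackingFile, /Runtime and /Terminate are standard procmon switches this page does not cover.

```powershell
# Added example, not from the guide. Assumes procmon.exe was extracted from the
# Sysinternals ZIP and a configuration was saved to a .pmc file as described above.
# procmon needs elevation, so expect a UAC prompt when run from a non-admin shell.
function Start-ProcmonCapture {
    [CmdletBinding()]
    param(
        [string]$ProcmonPath = "$HOME\SysinternalsSuite\procmon.exe",       # placeholder
        [string]$ConfigPath  = 'C:\ProcmonConfigs\file_deletion.pmc',       # placeholder
        [string]$BackingFile = "$env:TEMP\procmon_$(Get-Date -Format yyyyMMdd_HHmmss).pml",
        [int]$Seconds = 60
    )

    if (-not (Test-Path $ProcmonPath)) { throw "procmon.exe not found at $ProcmonPath" }
    if (-not (Test-Path $ConfigPath))  { throw "Saved configuration not found at $ConfigPath" }

    # /AcceptEula  skips the EULA prompt shown on launch
    # /Quiet       suppresses the filter confirmation dialog
    # /Minimized   starts without raising the main window
    # /BackingFile stores events on disk rather than in virtual memory
    # /Runtime     stops capturing after the given number of seconds
    # /LoadConfig  applies the saved filters/configuration (.pmc)
    $arguments = @(
        '/AcceptEula', '/Quiet', '/Minimized',
        '/BackingFile', "`"$BackingFile`"",
        '/Runtime', "$Seconds",
        '/LoadConfig', "`"$ConfigPath`""
    )
    $launcher = Start-Process -FilePath $ProcmonPath -ArgumentList $arguments -PassThru
    $launcher.WaitForExit()

    # On 64-bit Windows procmon.exe hands off to Procmon64.exe, so wait on any
    # Procmon* process rather than only the launcher; give it a grace period
    # past the runtime, then force a stop so the capture never runs unbounded.
    $deadline = (Get-Date).AddSeconds($Seconds + 30)
    while ((Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
    }
    if (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) {
        Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait
    }

    if (-not (Test-Path $BackingFile)) { throw "No log was written to $BackingFile" }
    Get-Item $BackingFile
}

# Usage: a 30-second capture filtered by the saved configuration
# $log = Start-ProcmonCapture -Seconds 30
# "$($log.FullName): $([math]::Round($log.Length / 1MB, 1)) MB"
```

The resulting .pml file can be opened in procmon later for analysis, and because the capture is bounded by /Runtime the virtual-memory warning above does not apply.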