[Windows] Let's use the investigation tool "Process Monitor"! From where to get it to basic usage (plus how to collect a boot log)

Tips / Knowledge

Hello! This time I will introduce how to get and how to use "Process Monitor", one of the tools often used when investigating Windows issues.

"Process Monitor" is one of the tools provided by Microsoft, and it can be used for free. It is useful mainly when investigating what is going on after something goes wrong.

Windows also ships a similar monitoring tool, "Task Manager".
It is quite capable on its own, and it is perfectly fine for checking the load of the applications and services that are running.

But when you want to examine in detail which application is manipulating which files, or what it is doing in the registry, you still want an investigation tool of the "Process Monitor" class.
</gml_replace>
<gr_replace lines="14" cat="clarify" orig="This time of">
This time I will introduce "Process Monitor" from setup through basic usage, and also how to take a boot log, which is easy to miss.

This time of "Process Monitor"Easy to use from the introduction, And seemingly confusingHow to take a boot logI will introduce.

Where to get it

Process Monitor is an application provided by Microsoft.
You can download it from Microsoft's public page.

Process Monitor-Windows Sysinternals
Monitor file system, Registry, process, thread and DLL activity in real-time.

When you go to the page above, the download page shown below is displayed.
Click the download link in the red frame to start the download.

* This is the version as of November 2020.

"ProcessMonitor.zip" will be downloaded, so unzip it and you are ready to go.
* No installation is required, so after unzipping, store the folder wherever you like.

Basic usage

First, let's start it the normal way.

Looking in the unzipped folder, there are three executables: "Procmon.exe", "Procmon64.exe" and "Procmon64a.exe".
They are for 32-bit, for 64-bit and for other architectures respectively, so start the one that matches the Windows environment you are investigating.

The license agreement is displayed the first time you start it.
If there is no problem with it, click "Agree" to proceed.

User Account Control may also prompt you, so click "Yes" to continue.

The operating status of the processes currently running is then displayed, like this.

As a simple operation, the button circled in red toggles between real-time scrolling and pausing.

The buttons in the blue frame filter by type of operation (for example, clicking the registry icon toggles the display of registry operations).

Let's filter by process name

As a more practical investigation method, let's try filtering by process name.
This lets you track the log of a single process.

First, click the filter button circled in green.

The screen for setting up a filter appears as shown below.
Click the leftmost list to open the pull-down menu and choose "Process Name". Then enter the name of the process you want to track in the text box and click the "Add" button.

The filter is then added as shown below. The contents of the filter are displayed as they are written, and in this case it means "show only the log entries whose Process Name is explorer.exe".

* The filters set to "Exclude" by default are the process names used by "Process Monitor" itself. They are excluded from the start so that they do not get in the way.

* Write the "Process Name" in full, including the extension. Even in the example above, nothing is displayed properly if ".exe" is left off.

Once the filter is set up correctly, only the information you need is shown, which makes the log much easier to read, like this.
Since the amount of log data Process Monitor picks up is anything but small, this kind of extraction function is essential.

★ You can check the process name on the "Details" tab of "Task Manager", or by running the tasklist command in a console.

Check the process name on the task manager details tab
Check the process name with the tasklist command
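When you have many events, it is often easier to work on a saved log outside the GUI. Process Monitor's Save dialog can write the log as CSV as well as PML, and the example below (added here, not code from the original post or from Sysinternals) shows how to apply the same "Process Name" filter to such an export: it matches the full image name including the extension (a bare "explorer" selects nothing, exactly as described above), hides Process Monitor's own processes the way the default Exclude filters do, and summarises the remaining events by operation type. The CSV rows are constructed for this example; only the header row is the one Process Monitor writes.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV format).
# The header row is the one Procmon writes; the event rows are made up for this example.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.1234567 AM","explorer.exe","4312","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer","SUCCESS","Desired Access: Read"
"10:15:02.1234890 AM","explorer.exe","4312","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState","SUCCESS","Type: REG_BINARY, Length: 36"
"10:15:02.1235001 AM","explorer.exe","4312","CreateFile","C:\\Users\\user\\Desktop\\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:15:02.1235333 AM","explorer.exe","4312","ReadFile","C:\\Users\\user\\Desktop\\notes.txt","SUCCESS","Offset: 0, Length: 4,096"
"10:15:02.1235555 AM","explorer.exe","4312","CloseFile","C:\\Users\\user\\Desktop\\notes.txt","SUCCESS",""
"10:15:02.1240000 AM","Procmon64.exe","7780","RegQueryValue","HKLM\\System\\CurrentControlSet\\Control\\Nls\\Language\\Default","SUCCESS","Type: REG_SZ, Length: 10, Data: 0409"
"10:15:02.1250000 AM","svchost.exe","1024","TCP Connect","workstation:49812 -> 10.0.0.5:443","SUCCESS","Length: 0, seqnum: 0"
"10:15:02.1260000 AM","explorer.exe","4312","Process Create","C:\\Windows\\System32\\notepad.exe","SUCCESS","PID: 9120, Command line: notepad.exe notes.txt"
'''

# Image names that the GUI excludes by default: Process Monitor's own executables.
PROCMON_OWN = {"procmon.exe", "procmon64.exe", "procmon64a.exe"}


def load_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by the header columns."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def processes_seen(events):
    """Distinct image names in the log, minus Procmon's own processes."""
    return sorted({e["Process Name"] for e in events
                   if e["Process Name"].lower() not in PROCMON_OWN})


def filter_by_process(events, process_name):
    """Keep only events whose Process Name equals process_name (case-insensitive, full name).

    Procmon compares the whole image name, so a name without its extension matches
    nothing; in that case we raise a hint instead of silently returning an empty list.
    """
    wanted = process_name.lower()
    hits = [e for e in events if e["Process Name"].lower() == wanted]
    if not hits and "." not in wanted:
        with_ext = wanted + ".exe"
        if any(e["Process Name"].lower() == with_ext for e in events):
            raise ValueError(f'No events for "{process_name}"; did you mean "{with_ext}"?')
    return hits


def operation_class(operation):
    """Coarse grouping of Procmon operation names, matching the toolbar's category buttons.

    This is a simplification for the example: anything that is not registry,
    network or process/thread activity is treated as file-system activity.
    """
    if operation.startswith("Reg"):
        return "Registry"
    if operation.startswith(("TCP", "UDP")):
        return "Network"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "Process"
    return "File"


def summarize(events):
    """Count events per operation class."""
    return Counter(operation_class(e["Operation"]) for e in events)


def touched_paths(events, cls):
    """Distinct paths (files, keys, endpoints) touched by events of the given class."""
    return sorted({e["Path"] for e in events if operation_class(e["Operation"]) == cls})


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print("processes in log:", processes_seen(events))
    mine = filter_by_process(events, "explorer.exe")
    print(f"{len(mine)} events for explorer.exe: {dict(summarize(mine))}")
    for path in touched_paths(mine, "File"):
        print("  file:", path)
    try:
        filter_by_process(events, "explorer")  # missing ".exe", as warned above
    except ValueError as err:
        print(err)
```

The same functions work on a CSV export of a saved boot log, which is convenient when you want to list which files or registry keys a service touched during startup before sending the log on to whoever is investigating.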

Let's collect a boot log

By the nature of ordinary applications, you cannot collect a log unless the OS is already running.
However, there are times when you want to see what is happening while the OS is booting.

"Process Monitor" has a function for logging from boot until it starts, but it is a little hard to find, so I will introduce it as well.

Sometimes you take a boot log for your own investigation, but I think it is more often used when providing logs to Microsoft or a software vendor so that they can investigate.

First, click "Options" in the top menu of "Process Monitor".
Then click "Enable Boot Logging" in the pull-down list.

The pop-up below appears, so check the checkbox and click OK.
* The part circled in blue is checked by default; if you have no particular reason to change it, just run it as is.

Once this is done, you are ready.
Data is collected automatically at startup, so restart your PC.

When the restart is complete, start "Process Monitor".
The following pop-up appears, so click "OK".

A message asking if you want to save the collected data before Process Monitor is started

A save dialog then opens, so change the file name to whatever you like and click Save.

That completes the steps up to saving.
Since it is a fairly large amount of data, saving takes some time.
A progress bar like the one below is displayed, so wait a while.

When it finishes, the boot log is saved as shown below.
You can view its contents by double-clicking it or by opening it from "Process Monitor".

After that, you can investigate based on this log, or share it with the person in charge, and you are done!

Afterword

This time I introduced how to obtain and use Microsoft's investigation tool "Process Monitor".

"Process Monitor" is a free tool, but it has the minimum functionality required for an investigation.
Of course, paid tools may be more convenient, with more detailed settings or an automatic repair function built on the software vendor's knowledge.

In my work, I often exchange information with Microsoft.
At such times, Microsoft support staff may ask for Process Monitor operation logs and boot logs, so I think it is worth remembering how to collect logs with this tool.

I am very grateful that it is free and can be used without activation.
* Paid tools may need Internet access for activation, so depending on the situation it may not even be possible to install them.

It is very useful software and a long-lived tool, so let's learn how to use it and get stronger at Windows!

I hope it helps you.
