Back in the olden days I used to use the Sysinternals tools Filemon and Regmon when diagnosing system issues. Those were replaced years ago by another Sysinternals tool: Process Monitor.
Process Monitor does it all. You can watch file, registry, processes – you name it. It shows what succeeds, what fails and every possible result in between. I’ve used it a lot since it came out (earlier today, in fact!) but I’ll confess that I’ve really struggled with it. Frankly, even with all the filtering options it can absolutely flood you with data.
Today, in a blazing flash of the obvious, I finally figured out how to really filter the events better. You know, sometimes you’re pretty sure you need to find a file level issue and wading through all the registry entries is annoying. I finally realized that I could filter those completely out as well.
Want to show only the file access entries? I know it sounds obvious to say just filter everything else out – well now I know how:
When creating the filter, “Event Class” is the one to look at. In the example above I’m telling it to exclude (not show) everything that isn’t of an Event Class of “File System”. That way, I’ll only see the file system events.
Obvious in hindsight, but it sure took me a while to suss it out.
Possibly Related posts:
Loading tweets...
3 comments
Andy Parkes
December 17, 2009 at 5:18 am (UTC -7)
I thought this was built-in functionality?
On the toolbar (right hand side) there are a series of toggle buttons that let you filter out registry/file system/networking/process events
By toggling the right buttons you can just show the filesystem activity…or am I missing the point?
Chris
December 17, 2009 at 8:12 am (UTC -7)
… Ya know? I’d never even glanced at those buttons until now. Geeze, talk about a blind spot! I’ve been doing everything the hard way with procmon!
Andy Parkes
December 17, 2009 at 9:16 am (UTC -7)
Glad I could help