Process Monitor does it all. You can watch file, registry and process activity – you name it. It shows what succeeds, what fails and every possible result in between. I’ve used it a lot since it came out (earlier today, in fact!) but I’ll confess that I’ve really struggled with it. Frankly, even with all the filtering options, it can absolutely flood you with data.
Today, in a blazing flash of the obvious, I finally figured out how to really filter the events better. You know, sometimes you’re pretty sure you need to find a file level issue and wading through all the registry entries is annoying. I finally realized that I could filter those completely out as well.
Want to show only the file access entries? I know it sounds obvious to say “just filter everything else out” – well, now I know how:
When creating the filter, “Event Class” is the column to look at. In the example above I’m telling it to exclude (not show) every event whose Event Class is not “File System”. That way, I’ll only see the file system events.
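The same Event Class rule can be applied offline to a saved trace. The script below is an added example, not code from the original post or from Sysinternals: it reads a Process Monitor CSV export and evaluates Procmon-style filter rules (column, relation, value, include/exclude action) against it. The sample data is constructed, the column layout assumes the trace was saved as CSV with the “Event Class” column enabled under Options > Select Columns, and the rule semantics (exclude rules win; once any include rule exists an event must satisfy one of them) are an assumption modelled on Procmon’s filter dialog rather than taken from its documentation.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample shaped like a Process Monitor CSV export (File > Save, CSV format)
# with the "Event Class" column enabled. Paths, PIDs and times are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Event Class"
"10:01:02.0001","notepad.exe","1234","CreateFile","C:\\Temp\\notes.txt","SUCCESS","Desired Access: Generic Read","File System"
"10:01:02.0002","notepad.exe","1234","RegOpenKey","HKCU\\Software\\Example","NAME NOT FOUND","Desired Access: Read","Registry"
"10:01:02.0003","notepad.exe","1234","ReadFile","C:\\Temp\\notes.txt","SUCCESS","Offset: 0, Length: 4,096","File System"
"10:01:02.0004","svchost.exe","808","Process Start","","SUCCESS","Parent PID: 600","Process"
"10:01:02.0005","notepad.exe","1234","CloseFile","C:\\Temp\\notes.txt","SUCCESS","","File System"
"10:01:02.0006","svchost.exe","808","TCP Connect","host-a:49152 -> host-b:443","SUCCESS","Length: 0","Network"
"""

# Relations as they appear in Procmon's filter dialog. "less than" / "more than"
# are omitted because they only make sense for numeric columns such as PID.
RELATIONS: Dict[str, Callable[[str, str], bool]] = {
    "is": lambda actual, value: actual.lower() == value.lower(),
    "is not": lambda actual, value: actual.lower() != value.lower(),
    "contains": lambda actual, value: value.lower() in actual.lower(),
    "excludes": lambda actual, value: value.lower() not in actual.lower(),
    "begins with": lambda actual, value: actual.lower().startswith(value.lower()),
    "ends with": lambda actual, value: actual.lower().endswith(value.lower()),
}


@dataclass(frozen=True)
class FilterRule:
    """One row of the filter dialog: Column / Relation / Value / Action."""
    column: str
    relation: str
    value: str
    action: str  # "Include" or "Exclude"


Event = Dict[str, str]


def load_events(csv_text: str) -> List[Event]:
    """Parse a Procmon CSV export into one dict per event, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def rule_matches(rule: FilterRule, event: Event) -> bool:
    return RELATIONS[rule.relation](event.get(rule.column, ""), rule.value)


def apply_filters(events: List[Event], rules: List[FilterRule]) -> List[Event]:
    """Assumed semantics: any matching Exclude rule drops the event; if Include rules
    exist, the event must match at least one of them to be shown."""
    includes = [r for r in rules if r.action == "Include"]
    excludes = [r for r in rules if r.action == "Exclude"]
    kept: List[Event] = []
    for event in events:
        if any(rule_matches(r, event) for r in excludes):
            continue
        if includes and not any(rule_matches(r, event) for r in includes):
            continue
        kept.append(event)
    return kept


def counts_by_class(events: List[Event]) -> Counter:
    """How much of the trace each Event Class accounts for: useful before filtering
    to see what is flooding the view."""
    return Counter(e["Event Class"] for e in events)


def file_system_only(csv_text: str) -> List[Event]:
    """The rule from the post: Event Class / is not / File System / Exclude."""
    rule = FilterRule("Event Class", "is not", "File System", "Exclude")
    return apply_filters(load_events(csv_text), [rule])


if __name__ == "__main__":
    all_events = load_events(SAMPLE_CSV)
    print("Events per class:", dict(counts_by_class(all_events)))
    for e in file_system_only(SAMPLE_CSV):
        print(e["Time of Day"], e["Process Name"], e["Operation"], e["Path"], e["Result"])
```

Note that the exclude rule in the post and the positive form (Event Class / is / File System / Include) select the same rows; the exclude form is handy when you already have Include rules on other columns, such as Process Name, and do not want to disturb them.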
Obvious in hindsight, but it sure took me a while to suss it out.