Troubleshooting with Process Monitor

Published 01 June 07 06:03 AM

In our post last month regarding a Basic Troubleshooting Toolkit, one of the tools we mentioned was Process Monitor.  Process Monitor combines the File Monitor (FileMon) and Registry Monitor (RegMon) tools into a single utility and adds process and thread activity monitoring on top of them.  So today we're going to provide a quick overview of Process Monitor and then work through a couple of scenarios.  So let's get started ...

Process Monitor is one of the most versatile tools to use in troubleshooting.  Issues we use Process Monitor for include:

  • Troubleshoot Application Failures (installs and uninstalls, launch failures etc)
  • Troubleshoot File System issues (access, permissions, etc)
  • Troubleshoot Registry issues (access, permissions, etc)
  • Enable Boot logging to monitor the system from boot
  • Examine the stack of an Application
  • Troubleshoot misleading error messages
  • Determine the registry settings for an application

Setting up Process Monitor is very easy - there's actually no real setup required!

  1. Download Process Monitor 
  2. Extract the .zip file, and run Procmon.exe from an account that is a member of the local Administrators group (Process Monitor loads a kernel driver, so it will not start without administrative rights)
  3. Click Agree to the EULA screen
  4. Process Monitor will start logging automatically
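The same setup driven from PowerShell, as an added example that is not part of the original post.  It is useful when the failure has to be reproduced unattended (a server console you cannot sit at, or a reproduction you want to script), and it finishes by exporting the capture to CSV for later review.  The command-line switches are the ones listed by "procmon /?" in current Process Monitor releases (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs); some of them postdate the 2007 build this post describes.  The file paths, the three-second settle time and the elevation check are my own choices.

```powershell
# Added example (not from the original post): drive a Process Monitor capture from PowerShell.
# Assumes Procmon.exe is in the current directory or on the PATH, and an elevated session:
# Process Monitor loads a kernel driver and will not start without administrative rights.

function Test-IsElevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-ProcmonCapture {
    param(
        [Parameter(Mandatory)] [string]$BackingFile,   # .pml that receives events as they arrive
        [string]$Procmon = 'Procmon.exe'
    )
    if (-not (Test-IsElevated)) {
        throw 'Process Monitor needs an elevated session (it loads a kernel driver).'
    }
    # /AcceptEula: skip the licence dialog      /Quiet: do not prompt about filter settings
    # /Minimized: start minimised               /BackingFile: write events to disk, not virtual memory
    $arguments = @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$BackingFile`"")
    Start-Process -FilePath $Procmon -ArgumentList $arguments
    Start-Sleep -Seconds 3   # assumed settle time for the driver to load before you reproduce the failure
}

function Stop-ProcmonCapture {
    param([string]$Procmon = 'Procmon.exe')
    # /Terminate tells the running instance to stop capturing and exit; -Wait returns once it has
    Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
}

function Export-ProcmonLog {
    param(
        [Parameter(Mandatory)] [string]$BackingFile,
        [Parameter(Mandatory)] [string]$OutFile,       # .csv or .xml; the extension selects the format
        [string]$Procmon = 'Procmon.exe'
    )
    # /OpenLog together with /SaveAs converts the saved capture without leaving the UI open
    $arguments = @('/AcceptEula', '/OpenLog', "`"$BackingFile`"", '/SaveAs', "`"$OutFile`"")
    Start-Process -FilePath $Procmon -ArgumentList $arguments -Wait
    Get-Item -LiteralPath $OutFile
}

# Usage: capture a reproduction of a failing operation, then export it for review
$pml = Join-Path $env:TEMP 'repro.pml'
$csv = Join-Path $env:TEMP 'repro.csv'
Start-ProcmonCapture -BackingFile $pml
# ... reproduce the failure here, e.g. run the uninstaller or Start-Service ...
Stop-ProcmonCapture
Export-ProcmonLog -BackingFile $pml -OutFile $csv
```

Writing to a backing file rather than virtual memory is the setting to use for a long or busy capture; with the default paging-file backing a capture on a loaded system can exhaust memory before you get to the failure you are after.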

OK, now that you have Process Monitor up and running, let's quickly point out a couple of features on the interface:

In the main toolbar, you'll see a set of toggle buttons.  By toggling these buttons on / off, you can choose whether or not to view the Registry Activity, the File System Activity and the Process / Thread activity.  They are display filters: turning a class off hides those events from the list but does not stop Process Monitor from capturing them.

If you double click on an event in the log you can bring up the property sheet for that event, which includes basic information about the event on the first tab.  The Process tab includes information about the image path, the Process ID, the Parent Process ID, the User and the modules (DLLs) loaded in the process.  Finally, the Stack tab provides a very basic view of the stack for that event.  The stack output indicates Kernel-mode frames with a "K" and User-mode frames with a "U".  If Process Monitor is able to locate symbols for the images referenced in the trace (symbol paths are set under Options > Configure Symbols), it will attempt to resolve addresses to the functions in which they reside.

You can also configure Process Monitor to log activity very early in the boot process - during the initialization of boot-start device drivers.  To configure Boot Logging, select "Enable Boot Logging" from the Options Menu.  On the next restart the Process Monitor driver records from boot until you run Process Monitor again, at which point it offers to save the boot log for analysis.

Let's take a look at a couple of sample scenarios that I set up:

Scenario 1: Uninstalling an Application 

I'm interested in PowerShell - so I have been playing with a trial version of PowerGadgets to create Powershell Gadgets.  Recently, my trial period expired, so I had to uninstall the software.  When I tried to uninstall the software, I encountered the following error:


Hmm - OK, so it looks like there's a problem with this file.  I see the Power Gadgets folder in my Program files directory, and I see the correct .ifx file there, so what's the problem?  Time to fire up Process Monitor and track down the real failure ...

I launched a Process Monitor capture and tried to uninstall the program again.  This time, I can see that there's a "PATH NOT FOUND" result logged in Process Monitor.  PATH NOT FOUND (as opposed to NAME NOT FOUND) means that a directory somewhere in the path does not exist, not just the file at the end of it.  Hmm ... I thought that path was there, right?


Now I see where the problem is!  The program is looking for C:\Program Files\PowerGadgets - but the actual folder is C:\Program Files\Power Gadgets - there's a space in the folder name.  To be fair, the original error message shows that the uninstaller is looking for a folder without a space in the name, but I just overlooked it the first time!


After renaming the folder to “PowerGadgets”, the uninstall works as expected.


As you can see, I missed this simple difference the first time - it's easy to do - but after looking at the Process Monitor log and the failure, I could see where the problem lay.  On to our next example ...
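Once a capture has been saved as CSV (File > Save..., format CSV), the sifting done by eye above can be scripted.  The following is an added example and not part of the original post: it loads a Process Monitor CSV export, keeps only the result codes that usually explain a failure, and summarises them per process.  The sample rows are constructed to mirror the two scenarios in this post (the uninstaller is assumed to be msiexec.exe; the real uninstaller may be a different executable), and the column names are Process Monitor's default export columns.

```powershell
# Added example (not from the original post): triage a Process Monitor capture exported as CSV.
# Column names are Procmon's defaults; if you added or removed columns in the UI, adjust the
# property names below. The rows in $sampleCsv are constructed, not from a real capture.

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","msiexec.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SUCCESS","Desired Access: Read"
"10:01:02.2000000 AM","msiexec.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Debug","NAME NOT FOUND","Length: 16"
"10:01:02.3000000 AM","msiexec.exe","1234","CreateFile","C:\Program Files\PowerGadgets\PowerGadgets.ifx","PATH NOT FOUND","Desired Access: Generic Read"
"10:01:02.4000000 AM","explorer.exe","2345","QueryOpen","C:\Windows\System32\shell32.dll","SUCCESS",""
"10:01:02.5000000 AM","services.exe","600","RegOpenKey","HKLM\System\CurrentControlSet\Services\APC UPS Service","ACCESS DENIED","Desired Access: Read"
'@

# Results worth a second look. NAME NOT FOUND is kept deliberately: the last component of the
# path is missing, which is routine for optional keys but decisive when it is the file you expected.
# PATH NOT FOUND means a directory or parent key in the middle of the path does not exist,
# which is exactly what the renamed folder in Scenario 1 produced.
$InterestingResults = @('PATH NOT FOUND', 'NAME NOT FOUND', 'ACCESS DENIED', 'SHARING VIOLATION')

function Get-ProcmonFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Events,
        [string]$ProcessName,                        # e.g. the uninstaller's image name
        [string[]]$Result = $InterestingResults
    )
    begin   { $all = New-Object System.Collections.Generic.List[object] }
    process { foreach ($e in $Events) { $all.Add($e) } }
    end {
        $all |
            Where-Object { (-not $ProcessName) -or ($_.'Process Name' -ieq $ProcessName) } |
            Where-Object { $Result -contains $_.Result } |
            Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Result
    }
}

function Get-ProcmonFailureSummary {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [string[]]$Result = $InterestingResults
    )
    $Events |
        Where-Object { $Result -contains $_.Result } |
        Group-Object 'Process Name', Result |
        ForEach-Object {
            [pscustomobject]@{
                Process   = $_.Group[0].'Process Name'
                Result    = $_.Group[0].Result
                Count     = $_.Count
                FirstPath = $_.Group[0].Path
            }
        } | Sort-Object Process, Result
}

# Usage: parse the constructed sample; for a real capture use Import-Csv -Path .\Logfile.CSV
$events = $sampleCsv | ConvertFrom-Csv
Get-ProcmonFailureSummary -Events $events | Format-Table -AutoSize
# Narrow to the process you are troubleshooting before reading anything into the failures
$events | Get-ProcmonFailure -ProcessName 'msiexec.exe' | Format-Table -AutoSize
```

Runs of NAME NOT FOUND against optional registry values are normal background noise in any capture, which is why the usage filters on the process under investigation before looking at individual events; a PATH NOT FOUND from the process you are troubleshooting, on the other hand, almost always deserves a look at every directory component of the path it reports.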

Scenario 2: Service Startup Failure

When I try to start my APC UPS Service, I receive the following error:


Hmm - a problem with a path when starting the service usually indicates some problem with the registry information.  One way to troubleshoot this would be to just open up Registry Editor and look at the properties for the service - but let's use Process Monitor instead - because we can trace both File and Registry information simultaneously if we need to look at both sets of information.  Time to fire up Process Monitor and start a capture ...


Looking at the capture, we are not actually running into an issue with the path not being found.  The problem is that we are getting an "ACCESS DENIED" result when the service's configuration is read from the HKLM\System\CurrentControlSet\Services\APC UPS Service registry key.  I checked the permissions on this registry key, and discovered that the local Administrators group had a Deny entry.  That blocks the Service Control Manager as well, because the LocalSystem account it runs under carries the Administrators group in its token, and a Deny entry wins over any Allow entries for the same account.  Once the Deny entry was removed - the service started up just fine.
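The permission check from this scenario, as an added example that is not part of the original post.  The first function lists the Deny entries on a service's key under HKLM\SYSTEM\CurrentControlSet\Services; the second removes an explicit Deny entry for a named identity and supports -WhatIf so you can see what it would change before it changes anything.  The service name and identity in the usage lines are taken from the scenario above; running it needs an elevated PowerShell session.

```powershell
# Added example (not from the original post): find and, if you choose, remove explicit Deny ACEs
# on a service's registry key. Assumes the service's key name under
# HKLM\SYSTEM\CurrentControlSet\Services and an elevated PowerShell session.

function Get-ServiceKeyDenyAce {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string]$ServiceName)
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $acl = Get-Acl -LiteralPath $keyPath
    # The owner can always read and rewrite the DACL, even when a Deny ACE blocks everything else;
    # that is what lets an administrator repair a key like this one.
    Write-Verbose "Owner of ${keyPath}: $($acl.Owner)"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{ n = 'Key'; e = { $keyPath } }, IdentityReference, RegistryRights, IsInherited
}

function Remove-ServiceKeyDenyAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ServiceName,
        [Parameter(Mandatory)] [string]$Identity      # e.g. 'BUILTIN\Administrators'
    )
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $acl = Get-Acl -LiteralPath $keyPath
    # Only explicit entries can be removed here; an inherited Deny has to be fixed on the parent key.
    $targets = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        -not $_.IsInherited -and
        $_.IdentityReference.Value -ieq $Identity
    })
    if ($targets.Count -eq 0) {
        Write-Warning "No explicit Deny ACE for $Identity on $keyPath"
        return
    }
    if ($PSCmdlet.ShouldProcess($keyPath, "Remove $($targets.Count) Deny ACE(s) for $Identity")) {
        foreach ($rule in $targets) { [void]$acl.RemoveAccessRule($rule) }
        Set-Acl -LiteralPath $keyPath -AclObject $acl
    }
}

# Usage (elevated): list Deny entries, then preview the removal with -WhatIf before running it for real
Get-ServiceKeyDenyAce -ServiceName 'APC UPS Service' -Verbose | Format-Table -AutoSize
Remove-ServiceKeyDenyAce -ServiceName 'APC UPS Service' -Identity 'BUILTIN\Administrators' -WhatIf
```

If Get-Acl itself fails with access denied, the Deny entry covers READ_CONTROL and your account is not the key's owner; take ownership of the key in Regedit first (Administrators hold the Take Ownership privilege for exactly this situation) and rerun.  An explicit Deny on a service key does not appear by itself, so before removing it note which identity it targets, who owns the key, whether it is inherited, and whether other keys under Services carry the same change.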

These are both fairly simple scenarios - but they illustrate the value of using Process Monitor as a troubleshooting tool.

Additional Resources:

 - Blake Morrison


Comments

# Ivan Giugni said on June 1, 2007 12:32 PM:

Hi Blake
I tried to reproduce the PowerGadgets uninstall error that you got but I wasn't able to do so. Our default installation folder is <Program Files>\PowerGadgets (without a blank space), but I tried changing it to <Program Files>\Power Gadgets when installing, and it allowed me to uninstall with no problems.

Ivan Giugni
Product Manager
PowerGadgets

 

# CC Hameed said on June 5, 2007 8:00 AM:

Hello Ivan -

Both of the scenarios that we listed above are things we deliberately broke.  In the PowerGadgets scenario, we used the default installation options to install to C:\Program Files\PowerGadgets.  What we went in and did after the installation was completed was rename the folder.  The key is that this was a post-installation change that we made to deliberately break the uninstall process.

Hope this clears up any confusion.

- CC

# Ask the Performance Team said on July 13, 2007 6:19 AM:

Here on the Performance team we support the functionality of the Windows Installer engine and the installation

# Mr. Beavers said on October 22, 2007 3:40 PM:

I tried connecting my monitor to the PC but I see no image on the screen.  I also noticed that when I tried two monitors, the PC did not recognize those monitors, but when I unplugged them the monitor came on.  The power supply is working great.  I'm thinking it is the motherboard that is causing problems.

Thanks for your time

Damian

# merlean said on February 2, 2008 10:35 PM:

I would like to uninstall all Microsoft trial programs on my eMachine and install Office 2000 Professional.  Will I be able to do this without any problems?

# Jon Campanali said on August 29, 2008 4:00 PM:

When I try to run the procmon it says it requires Administrative Group membership.

Well, I'm logged in as local admin to the XP Pro box.

# molotov said on September 1, 2008 6:44 PM:

Hi Jon,

You may wish to have a look at this lengthy topic:

http://forum.sysinternals.com/forum_posts.asp?TID=10559

# Lorraine Smith said on October 10, 2008 11:40 PM:

monitor menu keeps flickering off and on unwanted


About CC Hameed

I joined Microsoft as a Support Engineer on the Performance team in September 2005. Prior to that I spent a couple of years working the late night shift on our Platforms 24x7 team. Working for Microsoft was always a dream job - so I am living the dream! I was on the Windows Vista Beta team in 2006, which was one of the coolest projects I have ever worked on, until I took on the task of driving the AskPerf Blog. As you can tell by my logo, I am a huge Manchester United fan and I have successfully managed to brainwash my two daughters into sharing my passion for the Red Devils much to the dismay of their mother! I also coach both my daughters' soccer teams. In addition I am an avid MMO gamer, and have an extensive DVD movie collection.
