Troubleshooting with Process Monitor


In our post last month regarding a Basic Troubleshooting Toolkit, one of the tools we mentioned was Process Monitor.  The new version of Process Monitor combines the old Process Monitor tool with the File Monitor (FileMon) and Registry Monitor (RegMon) tools.  So today we're going to provide a quick overview of Process Monitor and then work through a couple of scenarios.  So let's get started ...

Process Monitor is one of the most versatile tools to use in troubleshooting.  Issues we use Process Monitor for include:

  • Troubleshoot Application Failures (installs and uninstalls, launch failures, etc.)
  • Troubleshoot File System issues (access, permissions, etc.)
  • Troubleshoot Registry issues (access, permissions, etc.)
  • Enable Boot logging to monitor the system from boot
  • Examine the stack of an Application
  • Troubleshoot misleading error messages
  • Determine the registry settings for an application

Setting up Process Monitor is very easy - there's actually no real setup required!

  1. Download Process Monitor 
  2. Extract the .zip file, and run Procmon.exe
  3. Click Agree to the EULA screen
  4. Process Monitor will start logging automatically

OK, now that you have Process Monitor up and running, let's quickly point out a couple of features on the interface:

In the main toolbar, you'll see a set of buttons.  By toggling these buttons on / off, you can choose whether or not to view the Registry Activity, the File System Activity and the Process / Thread activity.

If you double click on an event in the log you can bring up the property sheet for that event which includes basic information about the event on the first tab.  The Process Tab includes information about the path, the Process ID, the Parent Process ID, the User and relevant DLL files.  Finally, the Stack tab provides a very basic view of the stack for that event.  The stack output indicates Kernel-mode calls with a "K" and User-mode calls with a "U".  If Process Monitor is able to locate symbols for images referenced in the trace it will attempt to resolve addresses to the functions in which they reside.

You can also configure Process Monitor to log activity very early in the boot process - during the initialization of boot-start device drivers.  To configure Boot Logging, select "Enable Boot Logging" from the Options Menu.
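The post drives Process Monitor from its GUI, but the same capture and first-pass triage can be scripted, which is handy when a failure has to be reproduced on a machine you are not sitting at. The PowerShell below is an added example, not code from the original post or from Sysinternals. It assumes Procmon.exe has been extracted to the current directory, that the shell is elevated (a backing file needs an administrative session), and that C:\Temp is writable; it uses Procmon's documented command-line switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs), and the column names in the triage step are those of Procmon's default CSV export.

```powershell
# Added example: unattended Process Monitor capture, CSV export and triage.
# Assumptions: Procmon.exe in the current directory, elevated session, C:\Temp writable.
$ProcmonExe = '.\Procmon.exe'        # assumed path to the extracted Procmon.exe
$Backing    = 'C:\Temp\trace.pml'    # native Procmon log (assumed location)
$Csv        = 'C:\Temp\trace.csv'    # CSV export of the same events

New-Item -ItemType Directory -Path (Split-Path $Backing) -Force | Out-Null

# Start capturing. /AcceptEula skips the licence dialog, /Quiet suppresses the
# filter prompt, /Minimized keeps the window out of the way and /BackingFile
# writes events to disk instead of to virtual memory.
Start-Process -FilePath $ProcmonExe `
    -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$Backing`""

# Reproduce the failure here (run the uninstaller, start the service, ...).
Start-Sleep -Seconds 30   # placeholder for the reproduction window

# Tell the running instance to stop capturing and exit, then wait for it.
Start-Process -FilePath $ProcmonExe -ArgumentList '/Terminate' -Wait

# Convert the binary .pml log to CSV so it can be parsed without the GUI.
Start-Process -FilePath $ProcmonExe `
    -ArgumentList "/AcceptEula /OpenLog `"$Backing`" /SaveAs `"$Csv`"" -Wait

# Triage pass 1: everything that did not succeed, counted per process and result.
# Column names are those of Procmon's default CSV export:
# Time of Day, Process Name, PID, Operation, Path, Result, Detail.
Import-Csv -Path $Csv |
    Where-Object { $_.Result -ne 'SUCCESS' } |
    Group-Object -Property 'Process Name', Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Triage pass 2: the results that usually explain a "file not found" or
# "access denied" style error, with the path each one was raised against.
$Interesting = @('PATH NOT FOUND', 'NAME NOT FOUND', 'ACCESS DENIED')
Import-Csv -Path $Csv |
    Where-Object { $_.Result -in $Interesting } |
    Select-Object 'Time of Day', 'Process Name', Operation, Path, Result |
    Format-Table -AutoSize
```

Because Process Monitor records every process on the box, keep the reproduction window short or pre-load a saved filter with /LoadConfig; otherwise the second pass still works, it just has more noise to wade through. NAME NOT FOUND is included alongside PATH NOT FOUND because a missing final path component is reported that way, and a great many of those are benign (applications probing for optional files and keys), so read them in context rather than treating each one as the fault.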

Let's take a look at a couple of sample scenarios that I set up:

Scenario 1: Uninstalling an Application 

I'm interested in PowerShell - so I have been playing with a trial version of PowerGadgets to create PowerShell Gadgets.  Recently, my trial period expired, so I had to uninstall the software.  When I tried to uninstall the software, I encountered the following error:

[Screenshot: uninstall error dialog]

Hmm - OK, so it looks like there's a problem with this file.  I see the Power Gadgets folder in my Program Files directory, and I see the correct .ifx file there, so what's the problem?  Time to fire up Process Monitor and track down the real failure ...

I launched a Process Monitor capture and tried to uninstall the program again.  This time, I can see that there's a "PATH NOT FOUND" error logged in Process Monitor.  Hmm ... I thought that path was there, right?

[Screenshot: Process Monitor log showing the PATH NOT FOUND result]

Now I see where the problem is!  The program is looking for C:\Program Files\PowerGadgets - but the actual file path is C:\Program Files\Power Gadgets - there's a space in the folder name.  To be fair, the original error message shows that the uninstaller is looking for a folder without a space in the name, but I just overlooked it the first time!

[Screenshot]

After renaming the folder to “PowerGadgets”, the uninstall works as expected.

[Screenshot]

As you can see, I missed this simple difference the first time - it's easy to do - but after looking at the Process Monitor log and the failure, I could see where the problem lay.  On to our next example ...

Scenario 2: Service Startup Failure

When I try and start my APC UPS Service, I receive the following error:

[Screenshot: service start error]

Hmm - a problem with a path when starting the service usually indicates some problem with the registry information.  One way to troubleshoot this would be to just open up Registry Editor and look at the properties for the service - but let's use Process Monitor instead - because we can trace both File and Registry information simultaneously if we need to look at both sets of information.  Time to fire up Process Monitor and start a capture ...

[Screenshot: Process Monitor log of the service start attempt]

Looking at the log above, we are not actually running into an issue with the path not being found.  The problem is that we are getting an “ACCESS DENIED” message when we try to read the service information from the HKLM\System\CurrentControlSet\Services\APC UPS Service registry key.  I checked the permissions on this registry key, and discovered that the Local Admin group had Deny access.  Once this was corrected - the service started up just fine.
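The two scenarios come down to a path that does not exist (Scenario 1) and a Deny entry on a service's registry key (Scenario 2). Both are cheap to check directly from PowerShell, before or after a Process Monitor capture, which makes a good sanity check when a service refuses to start. The function below is an added example, not code from the original post; the name Test-ServiceConfig and the way it pulls the executable out of ImagePath are my own choices, and it assumes the caller has rights to read the service key's ACL.

```powershell
# Added example: check a service's registry configuration for the two failure
# classes shown in the scenarios: a missing binary path and a Deny ACE on the key.
function Test-ServiceConfig {
    param(
        [Parameter(Mandatory)] [string] $ServiceName   # e.g. 'APC UPS Service'
    )

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Service key not found: $key"
        return
    }

    # Check 1: does the binary ImagePath points at exist?  ImagePath may be
    # quoted and may carry arguments, so take the quoted token or the first word.
    $imagePath = (Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath) {
        $exe = if ($imagePath -match '^"([^"]+)"') { $Matches[1] } else { ($imagePath -split ' ')[0] }
        # Expand %SystemRoot%-style variables and the bare \SystemRoot\ form used by drivers.
        $exe = [Environment]::ExpandEnvironmentVariables($exe) -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        [pscustomobject]@{
            Check  = 'ImagePath exists'
            Target = $exe
            Ok     = (Test-Path -LiteralPath $exe)
            Detail = $imagePath
        }
    }

    # Check 2: Deny entries on the key (or its Parameters subkey) stop the
    # Service Control Manager or the service itself from reading its own config,
    # which is exactly what Scenario 2's ACCESS DENIED came from.
    foreach ($k in @($key, "$key\Parameters")) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $denies = @((Get-Acl -LiteralPath $k).Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        [pscustomobject]@{
            Check  = 'No Deny ACEs'
            Target = $k
            Ok     = ($denies.Count -eq 0)
            Detail = ($denies | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
        }
    }
}

Test-ServiceConfig -ServiceName 'APC UPS Service' | Format-Table -AutoSize
```

A row with Ok = False and a Deny entry in Detail is the registry-side equivalent of the ACCESS DENIED line in the Process Monitor log; a False on the ImagePath row is the equivalent of PATH NOT FOUND. One caveat on the path parsing: an unquoted ImagePath containing spaces (C:\Program Files\...) is split at the first space, so the row will report the truncated path as missing; that is itself worth noticing, since the Service Control Manager has the same ambiguity to resolve.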

These are both fairly simple scenarios - but they illustrate the value of using Process Monitor as a troubleshooting tool.

Additional Resources:

 - Blake Morrison

Comments
  • Hi Blake
    I tried to reproduce the PowerGadgets uninstall error that you got but I wasn't able to do so. Our default installation folder is <Program Files>\PowerGadgets (without a blank space), but I tried changing it to <Program Files>\Power Gadgets when installing, and it allowed me to uninstall with no problems.

    Ivan Giugni
    Product Manager
    PowerGadgets


  • Hello Ivan -

    Both of the scenarios that we listed above are things we deliberately broke.  In the PowerGadgets scenario, we used the default installation options to install to C:\Program Files\PowerGadgets.  What we went in and did after the installation was completed was rename the folder.  The key is that this was a post-installation change that we made to deliberately break the uninstall process.

    Hope this clears up any confusion.

    - CC

  • Here on the Performance team we support the functionality of the Windows Installer engine and the installation

  • I tried connecting my monitor to the PC but I see no image on the screen. I also noticed that when I tried two monitors, the PC didn't recognize those monitors, but when I unplugged them the monitor came on. The power supply is working great. I'm thinking it is the motherboard that is causing problems.

    Thanks for your time

    Damian

  • I would like to uninstall all Microsoft trial programs on my eMachine and install Office 2000 Professional.  Will I be able to do this without any problems?

  • When I try to run the procmon it says it requires Administrative Group membership.

    Well, I'm logged in as local admin to the XP Pro box.

  • Hi Jon,

    You may wish to have a look at this lengthy topic:

    http://forum.sysinternals.com/forum_posts.asp?TID=10559

  • monitor menu keeps flickering off and on unwanted

  • It turns off all the hard drives when trying to break something to run Process Monitor. Then when I turn it on again it makes a grinding noise. How do I stop this?

  • Is there any setting that Perform Monitor provides to raise an event when an application hits a process limi

  • how does one create a log file using "process monitor"?

  • The TechNet On-Demand Webcast link appears to be incorrect

  • @Damian:  Thanks for the heads up.  I could not find the new link, so I replaced it with one from Defrag Tools.

  • The download Process Monitor link above is throwing a

    This XML file does not appear to have any style information associated with it. The document tree is shown below.

         <Error><Code>OutOfRangeInput</Code><Message>One of the request inputs is out of range.

    RequestId:21602d7b-854b-46be-bfc4-9c325867b2c7

    Time:2013-03-26T03:07:06.9178208Z</Message></Error>

  • @Anak:  Thanks for the heads up.  I updated the link even though it was the same site...weird.