Have you ever wondered about looking under the hood and seeing how computer applications really run? Windows Process Monitor can help with that. Not just that, it can also help fix problems by giving a detailed analysis of the process at hand.
It’s a utility that has been part of the Windows ecosystem since the days of Windows XP. A successor to the Windows utilities Filemon and Regmon, it combines the functionality of both.
What is Windows Process Monitor?
The Windows Process Monitor is a utility that shows the file system, Registry, thread, and network activity of running processes in real time.
Think of it as a huge, continuously updating table with many rows and columns. Merging the two legacy utilities also extended what Process Monitor can show: with fields such as session IDs, thread stacks, and user names, you get the full behind-the-scenes picture of any application you want to monitor.
Process Monitor must run with administrative rights because it uses a kernel driver to collect that internal information. This also limits who can use it: only a system administrator can run the utility.
What Does Windows Process Monitor Do?
Windows Process Monitor has very useful and powerful functions. It captures most of the processes and events happening inside your computer.
However, it doesn’t capture everything. For instance, it won’t record keystrokes or mouse movement.
Here are some key capabilities/functions of this utility:
- Registry: It covers events happening with the Windows Registry. This involves creating, reading, querying, or deleting keys.
- Files: Similar to the Registry events, the utility also captures file system events. It can track the creation, deletion, etc. of files on both local hard drives and network drives.
- Threads: Task Manager and Process Explorer also monitor processes, but Process Monitor additionally records thread activity, such as when threads start, pause, or finish.
- Network: It shows TCP/UDP connection events only, not the data traveling over the network.
As you can see, its main job is related to I/O operations on files, registry, and network.
Benefits of Windows Process Monitor
Windows Process Monitor offers a lot of benefits:
- It can detect network outages.
- Suspicious activity by malware can be detected and reviewed.
- Filters on any data field without discarding the captured data.
- Quick detection of slow or failing processes and batches.
- More server and application availability.
- Reliable information regarding processes with identifiers.
- Very thorough event capturing with millions of events being captured every session.
- Easy to view interface that presents data in a digestible format.
- You can also see the boot time log for events.
How to Use Windows Process Monitor?
Using Windows Process Monitor is not that simple, especially if you’ve never used it before. The sheer volume of information it presents can be overwhelming.
That said, with a little learning, you can use the tool to reap its benefits. There’s a help file that you can read while looking at the interface in real-time.
You pretty much just need to first figure out how to create filters, as that minimizes the information you have to work with. If you want to examine a particular event, check out the Event Properties. It will open a window and give you the precise information you need to see.
When examining an event, these fields help you understand what it is and what it does: time, process name, process ID, detail, path, result.
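As an added example (not from the original article), the script below reads a CSV export saved from Process Monitor (File > Save, CSV format, default columns), narrows the view the way a Procmon filter does (the captured events are kept intact, only the view shrinks) and summarises the non-SUCCESS results per process, which is the quickest way to spot the failing operations the text mentions. The rows in SAMPLE_CSV are constructed for the example; the process names, PIDs and paths are made up.

```python
import csv
import io
from collections import Counter

# Constructed rows in the layout of Process Monitor's CSV export (File > Save,
# CSV format, default columns). Paths, names and PIDs are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567","notepad.exe","4120","CreateFile","C:\\Windows\\System32\\notepad.exe","SUCCESS","Desired Access: Read Data/List Directory"
"10:02:11.1240000","notepad.exe","4120","CreateFile","C:\\Users\\alice\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1250000","notepad.exe","4120","RegOpenKey","HKCU\\Software\\Example","NAME NOT FOUND","Desired Access: Read"
"10:02:12.0000000","svc.exe","880","CreateFile","C:\\ProgramData\\svc\\config.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:02:12.5000000","svc.exe","880","TCP Connect","host-a:49152 -> host-b:443","SUCCESS","Length: 0"
"""


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by the column headers."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_filter(events, process=None, exclude_results=("SUCCESS",)):
    """Narrow the view like a Procmon filter: the captured list is left
    untouched and a new list of matching events is returned."""
    matched = []
    for ev in events:
        if process and ev["Process Name"].lower() != process.lower():
            continue
        if ev["Result"] in exclude_results:
            continue
        matched.append(ev)
    return matched


def failures_by_process(events):
    """Count non-SUCCESS results per (process name, PID, result)."""
    counts = Counter()
    for ev in events:
        if ev["Result"] != "SUCCESS":
            counts[(ev["Process Name"], ev["PID"], ev["Result"])] += 1
    return counts


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    for ev in apply_filter(events):
        print(ev["Time of Day"], ev["Process Name"], ev["PID"],
              ev["Operation"], ev["Path"], ev["Result"], sep=" | ")
    for (name, pid, result), n in failures_by_process(events).most_common():
        print(f"{name} (PID {pid}): {n} x {result}")
```

Point `parse_procmon_csv` at the contents of a real export to run the same triage on a capture from your own machine.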
Process Monitor vs. Process Explorer
You’ve probably also come across the name Process Explorer. Is it the same thing as Process Monitor? Not quite.
Both are Windows Sysinternals tools used to monitor and inspect processes. While Process Monitor is a standalone utility, Process Explorer can be seen as an extension of Task Manager.
Process Monitor focuses on the I/O operations of processes on the file system, network, and Registry. Process Explorer has similar capabilities, but it also tells you how many resources a process is using, in addition to showing which DLL files or registry keys the processes have open.
Process Explorer shows two panes inside its window. The top one lists active processes, while the bottom one depends on which mode it’s in.
If it’s in DLL mode, you’ll see a list of the DLL files in use by the process selected in the top pane. For instance, if you see rundll32.exe, a program, perhaps a computer game, is using it to launch the DLL files it needs.
For handling DLL issues, Process Explorer is a much better option than Process Monitor.
Windows Process Monitor is a necessary Windows utility that pros can use to see behind the scenes. It can also help detect issues with your PC and nip them in the bud.
If you’re wondering why certain applications are behaving erratically, perhaps this tool can help explain why.