Process Monitor

Other names: ProcMon
Original author(s): Winternals Software
Developer(s): Mark Russinovich and Bryce Cogswell
Stable release: v4.01 [1] / June 20, 2024 (Windows version)
Preview release: v2.0 Preview / July 22, 2024 (Linux version)
Repository: github.com/microsoft/ProcMon-for-Linux
Written in: C++
Operating system: Windows XP SP2 and higher, Linux
Included with: Sysinternals
Available in: English
License: Windows: proprietary commercial software; Linux: MIT License [2]
Website: Windows Sysinternals

Process Monitor is a tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays in real time all file system activity on a Microsoft Windows or Unix-like operating system. It combines two older tools, FileMon and RegMon, and is used in system administration, computer forensics, and application debugging.


Overview

Process Monitor monitors and records all actions attempted against the Microsoft Windows Registry, so it can be used to detect failed attempts to read and write registry keys. It also allows filtering on specific keys, processes, process IDs, and values. In addition, it shows how applications use files and DLLs, detects some critical errors in system files, and more. [3]
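To make the Overview concrete, here is an added Python example (not part of the article or of the Sysinternals tools) that triages a saved ProcMon capture: it parses the CSV export, keeps only registry operations that did not succeed, and applies the same kind of process, PID and key filters the tool offers. The rows are constructed, and the column set is assumed to be ProcMon's default CSV export.

```python
"""Triage a Process Monitor CSV export for failed registry access."""
import csv
import io
from collections import Counter

# Constructed sample rows in ProcMon's default CSV export column set
# (File > Save..., CSV format); paths, PIDs and times are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1234567","svchost.exe","1234","RegOpenKey","HKLM\SOFTWARE\Example\Missing","NAME NOT FOUND","Desired Access: Read"
"10:15:01.2234567","app.exe","4321","RegSetValue","HKLM\SOFTWARE\Example\Setting","ACCESS DENIED","Type: REG_SZ, Length: 10, Data: x"
"10:15:01.3234567","app.exe","4321","RegQueryValue","HKCU\Software\Example\Value","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:15:01.4234567","app.exe","4321","RegOpenKey","HKCU\Software\Example\Absent","NAME NOT FOUND","Desired Access: Read"
"10:15:02.0000000","app.exe","4321","CreateFile","C:\Users\u\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
'''

def parse_procmon_csv(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def failed_registry_ops(rows, process=None, pid=None, key_prefix=None):
    """Registry operations whose Result is not SUCCESS, narrowed by the same
    kinds of filters ProcMon offers: process name, PID and key path prefix."""
    out = []
    for r in rows:
        if not r["Operation"].startswith("Reg") or r["Result"] == "SUCCESS":
            continue
        if process and r["Process Name"].lower() != process.lower():
            continue
        if pid and r["PID"] != str(pid):
            continue
        if key_prefix and not r["Path"].upper().startswith(key_prefix.upper()):
            continue
        out.append(r)
    return out

def failures_by_process(rows):
    """Count failed registry operations per (process name, PID, result)."""
    return Counter((r["Process Name"], r["PID"], r["Result"])
                   for r in failed_registry_ops(rows))

if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for r in failed_registry_ops(rows, process="app.exe"):
        print(r["Time of Day"], r["Operation"], r["Path"], r["Result"])
    print(failures_by_process(rows))
```

Pointing `parse_procmon_csv` at a real export (read the file as text) gives the same per-process view of NAME NOT FOUND and ACCESS DENIED results that the filter dialog in the GUI would.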

History

RegMon and its sister application FileMon were primarily created by Mark Russinovich [4] and Bryce Cogswell, who were employed by NuMega Technologies and later by SysInternals, prior to SysInternals being bought out by Microsoft in 2006.

The two tools were combined to create Process Monitor. [5] [6] Early versions of Process Monitor (up to version 2.8) ran on Windows 2000 SP4 with Update Rollup 1. [7] The current version for Windows only runs on Windows Vista and above.

Initially, ProcMon was only available for Microsoft Windows. In November 2018, Microsoft confirmed it was porting Sysinternals tools, including ProcDump and ProcMon, to Linux. [8] The Linux port of the software is open source: it is licensed under the MIT License and the source code is available on GitHub. [9]

FileMon

FileMon (from a concatenation of "File" and "Monitor") was a free utility for 32/64-bit Microsoft Windows operating systems that monitored and displayed file system activity.

FileMon is no longer supported.

RegMon

The RegMon utility from Sysinternals provided forensics on Windows Registry usage.

RegMon is no longer supported.

References

  1. "Process Monitor - Windows Sysinternals". learn.microsoft.com.
  2. "Process Monitor for Linux (Preview)". Sysinternals. 30 October 2022.
  3. "Download Process Monitor (ProcMon)". BleepingComputer.
  4. "Mark Russinovich's Blog". Archived 2015-05-30 at the Wayback Machine.
  5. "RegMon for Windows".
  6. "Process Monitor". Microsoft TechNet.
  7. "How to use Sysinternals Process Monitor and Process Explorer to Troubleshoot SharePoint". Archived from the original on 2011-08-20. Retrieved 2011-08-01.
  8. Cimpanu, Catalin (5 November 2018). "Microsoft working on porting Sysinternals to Linux". ZDNet. CBS Interactive. Retrieved 5 November 2018.
  9. "Process Monitor for Linux (Preview)". GitHub. 24 October 2021.