Aaron Margosis
http://www.Sysinternals.com
http://blogs.technet.com/Sysinternals
http://live.sysinternals.com/procmon.exe
\\live.sysinternals.com\tools\procmon.exe (Remove zone information)

Components of a process:
- One or more threads
- Virtual memory address space
- Security tokens
- Open handles
The good, the bad, the ugly
The good, the better, the best

Process Explorer
Process Monitor

PsExec options [-u username [-p password]] (eye chart)

Option                  Description
-d                      Don’t wait for the process to terminate.

Process performance options
-background, -low, -belownormal, -abovenormal, -high, -realtime
                        Run the process at a different priority.
-a n,n…                 Specify the CPUs on which the process can run.

Remote connectivity options
-c [-f|-v]              Copies the specified program from the local to the remote system. If you omit this option, the application must be in the system path on the remote system. Adding -f forces the copy to occur; -v performs a version or timestamp check and copies only if the source is newer.
-n seconds              Specifies timeout in seconds connecting to remote computers.

Runtime environment options
-s                      Run the process in the System account.
-i [session]            Run the program on an interactive desktop.
-x                      Run the process on the Winlogon secure desktop.
-w directory            Set the working directory of the process.
-e                      Does not load the specified account’s profile.
-h                      Use the account’s elevated context, if available.
-l                      Run the process as a limited user.
/accepteula

Non-interactively, with PsExec -s:
PsExec -s -d Procmon.exe /AcceptEula /Quiet /BackingFile C:\Procmon.pml
PsExec -s -d Procmon.exe /AcceptEula /Terminate

http://blogs.technet.com/b/MarkRussinovich
http://blogs.msdn.com/b/aaron_margosis
http://blogs.technet.com/b/fdcc

WCL315 | The Case of the Unexplained, 2010: Troubleshooting with Mark Russinovich

What is the Springboard Series?
Inside of Microsoft we are:
• A turnkey IT pro engagement platform for depth and breadth
• The program to mobilize MS marketing and field to focus on desktop OS IT pros

To the IT pro, our goal is:
• Be the definitive resource for Desktop IT pros
• Open, honest; show don’t tell
• Information at right time, right level across Adoption Lifecycle

Virtual Roundtable Events
Straight-talk Monthly Feature Articles and Overview Guides
Springboard Technical Experts Panel
Event Support and Resources
TalkingAboutWindows Video Blogs
one-Windows TechCenter in 10 languages

www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration.
Join us in Atlanta next year.

Procexp command-line options
Option                  Description
/e                      On Vista or newer, requests UAC elevation when Procexp is started.
/t                      Start Procexp minimized and visible only in the notification area (the “tray”).
/p:r, /p:h, /p:n, /p:l  Sets the initial process priority for Procexp: Realtime, High, Normal, or Low. Procexp’s default level is High if no priority is specified.
/s:PID                  Selects the process identified by process identifier PID, which must be specified in decimal. For example: Procexp.exe /s:520

Procexp keyboard shortcuts
Ctrl+A                  Save displayed data to a new file (File | Save As)
Ctrl+C                  Copy current row from main window or lower pane
Ctrl+D                  Display DLL View
Ctrl+F                  Find Handle or DLL
Ctrl+H                  Display Handle View
Ctrl+I                  Display System Information dialog box
Ctrl+L                  Display/Hide Lower Pane
Ctrl+M                  Search online
Ctrl+R                  Start a new process (File | Run)
Ctrl+S                  Save displayed data to a file (File | Save)
Ctrl+T                  Show process list in tree view (View | Show Process Tree)
Ctrl+1, Ctrl+2, etc.    Load first column set, second column set, etc.
Space                   Pause/Resume automatic updating
Del                     Kill selected process
Shift+Del               Kill process tree – selected process and its descendants
F1                      Display Help
F5                      Refresh now – update displayed data

http://www.microsoft.com/whdc/devtools/debugging

Command Line Options (eye chart, for future reference)
Option                  Description
/OpenLog pml-file       Opens a previously saved Procmon log file. Note that a log file must be opened by an instance of Procmon running in the same processor architecture as that which recorded it.
/BackingFile pml-file   Save events in the specified backing file. Using a named backing file enables a log file capacity limited by free disk space. Note that this option is sticky – the file you specify becomes the Procmon log not just for the instance you’re launching, but becomes a permanent setting change.
/PagingFile             Save events in virtual memory, backed by the system page file.
/NoConnect              Start Procmon but do not automatically begin capturing data. By default, Procmon starts event capture on start.
/NoFilter               Clear the filter at startup. This removes all filter rules except the exclusion of Profiling events.
/AcceptEula             Don’t display the End User License Agreement (EULA) dialog box on first use. Use of this option implies acceptance of the EULA.
/LoadConfig config-file Load a previously saved configuration file. (See the section on Configuration Files for more information.)
/Profiling              Enables the Thread Profiling feature.
/Minimized              Start Procmon minimized.
/WaitForIdle            Wait for an instance of Procmon to become ready to accept commands. See below for an example of how to use this option.
/Terminate              Terminate any instance of Procmon running on the same Win32 Desktop and then exit.
/Quiet                  Don’t confirm filter settings during start up. By default, if filter rules have been configured, Procmon displays the filter dialog box to allow you to modify them before capturing data.
/Run32                  Run the 32-bit version to load 32-bit log files (x64 only).
/HookRegistry           This switch, which is available only on 32-bit Vista, Server 2008 and Windows 7, has Procmon use system-call hooking instead of the Registry callback mechanism to monitor Registry activity, which enables it to see Microsoft Application Virtualization (App-V, formerly Softgrid) virtual Registry operations on these operating systems. This option must be used the first time that Process Monitor is run on a system and should only be used to troubleshoot App-V sequenced applications.
/SaveAs path            Export the captured log to an XML, CSV or PML file. (This option is valid only when used with the /OpenLog option.) The output format is determined by the path’s file extension, which must be .xml, .csv or .pml.
/SaveAs1 path           Export to XML and include stack traces. See the Saving Procmon Traces section for more information. (This option is valid only when used with the /OpenLog option.)
/SaveAs2 path           Export to XML and include stack traces and symbols. See the Saving Procmon Traces section for more information. (This option is valid only when used with the /OpenLog option.)
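The following is an added example, not from the slides or from Sysinternals, that ties the "Non-interactively, with PsExec -s" slide to the Procmon option table above: an unattended capture of one workload, run as System through PsExec, stopped with /Terminate, then converted to CSV with /OpenLog and /SaveAs. It uses only switches listed on the slides; the tool paths, the workload path and the assumption that PsExec -s is the right way to reach the System-session instance for /WaitForIdle as well as for /Terminate are mine.

```powershell
# Added example (not the slides' own code). Assumed paths: adjust to your layout.
$psexec  = 'C:\Tools\PsExec.exe'          # assumed local copy of PsExec
$procmon = 'C:\Tools\Procmon.exe'         # assumed local copy of Procmon
$log     = 'C:\Procmon.pml'               # backing file, as on the slide
$csv     = 'C:\Procmon.csv'               # export target; the extension picks CSV
$work    = 'C:\Path\To\Workload.exe'      # placeholder for the program being traced

# 1. Start capture detached (-d) in the System account (-s), exactly as on the slide.
#    /Quiet skips the filter confirmation, /BackingFile writes events to disk so the
#    log is bounded by free space, not RAM. Caveat from the option table: /BackingFile
#    is sticky, so this path becomes Procmon's persistent log setting on this machine.
& $psexec -s -d $procmon /AcceptEula /Quiet /BackingFile $log

# 2. Do not launch the workload until Procmon is actually recording. /WaitForIdle
#    blocks until an instance is ready for commands; it is issued through PsExec -s
#    (no -d, so PsExec waits) on the assumption that it must see the System-session
#    instance, the same reason the slide terminates through PsExec -s.
& $psexec -s $procmon /AcceptEula /WaitForIdle

# 3. Run the workload under trace.
& $work

# 4. Stop capture. /Terminate ends the Procmon instance on the same Win32 desktop,
#    so it goes through PsExec -s like the capture did.
& $psexec -s $procmon /AcceptEula /Terminate

# 5. Convert the binary PML to CSV for offline review. /SaveAs is only valid together
#    with /OpenLog, and the log must be opened by a Procmon of the same processor
#    architecture that recorded it (x64 log -> x64 Procmon).
if (Test-Path $log) {
    & $procmon /AcceptEula /OpenLog $log /SaveAs $csv
} else {
    Write-Error "Expected backing file $log was not created; check the PsExec step."
}
```

Because the backing-file setting persists, a practitioner who uses this on a shared troubleshooting host should expect later interactive Procmon sessions to keep writing to C:\Procmon.pml until the setting is changed back.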