Process Monitor, or Procmon, is one of the tools in the Sysinternals suite and is invaluable in troubleshooting certain types of Windows and application issues.

Registry keys or values missing or being named incorrectly.

In addition, if you ever just need to find out which files or registry keys are being used, Procmon can help. For example, you may have trouble locating a configuration or log file for a certain application; by watching all of the reads and writes the app performs, you can find the file you're looking for.

Like all Sysinternals tools, Procmon can be obtained in a number of ways. Most easily, you can download it directly at.

Once it's downloaded and unzipped, right-click it and run it as administrator. Once it's open, it will immediately begin collecting and showing current process events. To stop capturing, press Ctrl+E or click the magnifying glass icon on the toolbar; this button starts and stops data capture. Since Procmon tends to capture a lot of data very quickly, it's important to know how to use it effectively, and knowing what each column holds helps make parsing through the data a little easier. Once the data is collected, you'll see the following columns in the data table by default:

Time of Day - The exact time of the event.
Process Name - The name of the process that triggered the event.
PID - The PID of the process that triggered the event.
Operation - The type of operation that was performed.
Path - The path to the file or registry key that was requested.
Detail - Various details about the operation, such as the specific registry data read or written, or information on the file operation.

In addition, you can add more columns by going to Options > Select Columns. There are a few particularly helpful ones to choose:

Event Class - What type of operation it was (File System or Registry).
Image Path - The full path to the process.
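As an added example (not code from the original article or from Sysinternals), here is a small Python script that reads a Procmon CSV export (File > Save as CSV, or `procmon.exe /OpenLog capture.pml /SaveAs capture.csv`) and answers the two questions above for one process: which file and registry paths it asked for that did not exist, and where it actually wrote its files and settings. It assumes the default column names plus the default Result column; the process names, paths and events in the embedded sample are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export with the default columns.
# Process names, PIDs and paths are made up for illustration only.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:24:31.1234567 AM","myapp.exe","4120","CreateFile","C:\\ProgramData\\MyApp\\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:24:31.1234600 AM","myapp.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Roaming\\MyApp\\config.ini","SUCCESS","Desired Access: Generic Read"
"10:24:31.1234700 AM","myapp.exe","4120","RegOpenKey","HKCU\\Software\\MyApp\\Settings","NAME NOT FOUND","Desired Access: Read"
"10:24:31.1234800 AM","myapp.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\MyApp\\InstallDir","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\\Program Files\\MyApp"
"10:24:31.1234900 AM","myapp.exe","4120","WriteFile","C:\\Users\\alice\\AppData\\Roaming\\MyApp\\app.log","SUCCESS","Offset: 0, Length: 512"
"10:24:31.1235000 AM","explorer.exe","1776","CreateFile","C:\\Windows\\explorer.exe","SUCCESS","Desired Access: Read Attributes"
'''

MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}          # Result values for a path that was not there
WRITE_OPS = {"WriteFile", "RegSetValue", "RegCreateKey"}  # operations that change a file or the registry

def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by the column names."""
    return list(csv.DictReader(io.StringIO(text)))

def event_class(operation):
    """Heuristic stand-in for the optional Event Class column: registry operations are
    named Reg*, everything else in this sample is a file system operation."""
    if operation.startswith("Reg"):
        return "Registry"
    return "File System"

def by_process(events, process_name):
    return [e for e in events if e["Process Name"].lower() == process_name.lower()]

def missing_lookups(events, process_name):
    """Paths the process asked for that did not exist: where it looks first for a config
    file, or a registry key it expects but that is missing or misnamed."""
    return [(event_class(e["Operation"]), e["Operation"], e["Path"])
            for e in by_process(events, process_name) if e["Result"] in MISSING]

def successful_writes(events, process_name):
    """Files and registry values the process actually wrote: where its logs and settings live."""
    return sorted({e["Path"] for e in by_process(events, process_name)
                   if e["Operation"] in WRITE_OPS and e["Result"] == "SUCCESS"})

def path_summary(events, process_name):
    """Events per (event class, path); the busiest paths are usually the ones you want."""
    return Counter((event_class(e["Operation"]), e["Path"]) for e in by_process(events, process_name))

if __name__ == "__main__":
    for row in missing_lookups(parse_procmon_csv(SAMPLE_CSV), "myapp.exe"):
        print("missing:", *row)
```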