Using Process Monitor to capture system events

  • Article ID 119038
  • Updated: 15 Apr 2013

The article below gives detailed steps on how to capture a Process Monitor log, including how to capture system events while the computer is starting up. For a higher-level overview of Process Monitor, see article 111549.

If you have been asked by Sophos Technical Support to gather a Process Monitor log, follow the instructions below. Unless the support agent asks for a boot log, gather a normal Process Monitor log.

What Is Process Monitor?

Process Monitor is a free tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays, in real time, file system, registry, process and thread, and network activity on a Microsoft Windows operating system. Process Monitor is useful for troubleshooting when we need to identify which files or registry keys an application is accessing and what result each access returned.

How to use Process Monitor

Gathering a normal Process Monitor log

  1. Log into Windows using an account with administrative privileges

  2. Download Process Monitor from Microsoft TechNet.

  3. Extract the contents of the ProcessMonitor.zip archive to your desktop.

  4. Run Procmon.exe

  5. Process Monitor will begin logging from the moment it starts running. To stop this, click the "Capture" icon on the toolbar (or press Ctrl+E).

  6. Clear all the events that Process Monitor recorded by clicking the "Clear" icon (or pressing Ctrl+X).

  7. When you are ready to recreate the issue or scenario as detailed by Sophos Technical Support, click the "Capture" icon (or press Ctrl+E) to begin logging.

  8. Once you have recreated the issue or scenario, click the "Capture" icon (or press Ctrl+E) to stop logging.

  9. Click the "Save" icon (or press Ctrl+S). In the "Save To File" dialogue, ensure that "All events" is selected (not only the events displayed using the current filter) and that the format is the native Process Monitor format (PML), then save the file.

  10. Close Process Monitor.

  11. Compress (zip) the PML file.

  12. Send the .zip archive to Sophos Technical Support.
    • If the .zip file is smaller than your email attachment size limit, email it to us.
    • If the .zip file is smaller than 30 MB, you can upload it via our website as a "Sample Submission". Ensure you enter your case reference (if available).
    • If the .zip file is larger than 30 MB, you can request FTP credentials from a Sophos Technical Support agent. This will allow you to upload the file directly to our servers.

Gathering a boot Process Monitor log

We may need to troubleshoot an issue that is related to your boot process. If this is required, a Sophos Technical Support agent will explicitly state that we require boot logging. To enable boot logging, follow these steps.

  1. Log into Windows using an account with administrative privileges

  2. Download Process Monitor from Microsoft TechNet.

  3. Extract the contents of the ProcessMonitor.zip archive to your desktop.

  4. Run Procmon.exe

  5. Process Monitor will begin logging from the moment it starts running. To stop this, click the "Capture" icon on the toolbar (or press Ctrl+E).

  6. Click Options > Enable Boot Logging.

  7. In the "Enable Boot Logging" dialogue, tick "Generate thread profiling events" and select "Every second", then click OK. The Process Monitor driver is now configured to start logging at the next boot, before any other service starts.

  8. Reboot the machine and recreate the issue you are facing or the scenario as detailed by Sophos Technical Support.

  9. Once back at the Windows desktop, run Procmon.exe.

  10. Process Monitor detects that a boot log was collected and asks whether you want to save it.

  11. Click "Yes" and save the log in the native PML format.

  12. Close Process Monitor.

  13. Compress (zip) the PML file.

  14. Send the .zip archive to Sophos Technical Support.
    • If the .zip file is smaller than your email attachment size limit, email it to us.
    • If the .zip file is smaller than 30 MB, you can upload it via our website as a "Sample Submission". Ensure you enter your case reference (if available).
    • If the .zip file is larger than 30 MB, you can request FTP credentials from a Sophos Technical Support agent. This will allow you to upload the file directly to our servers.
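The following PowerShell script is an added example and is not part of the Sophos article. It automates steps 4 to 12 of "Gathering a normal Process Monitor log" using Process Monitor's documented command-line switches, and its last function performs the compress-and-route steps that both procedures above end with, so it can also be run on the PML file saved in step 11 of the boot-log procedure. It does not attempt to enable boot logging, which this article turns on through the Options menu. Assumptions: Procmon.exe has been extracted to the current user's desktop (step 3), the PowerShell session is running as an administrator (step 1), PowerShell 5 or later is available for Compress-Archive, and $CaseRef and $ReproCommand are placeholders you replace with your own case reference and reproduction steps.

```powershell
# Added example, not Sophos's own code. Scripted capture of a normal Process
# Monitor log, then the zip-and-route steps shared by both procedures.
# Placeholders: $CaseRef (your case reference) and $ReproCommand (whatever
# reproduces the issue). Procmon.exe is assumed to be on the desktop.

$Procmon      = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Procmon.exe'
$WorkDir      = Join-Path $env:TEMP 'procmon-capture'
$CaseRef      = 'CASE-REFERENCE'   # placeholder
$ReproCommand = {                  # placeholder reproduction: walk ProgramData
    Get-ChildItem -Path $env:ProgramData -Recurse -ErrorAction SilentlyContinue | Out-Null
}

if (-not (Test-Path $Procmon)) {
    throw "Procmon.exe not found at $Procmon; extract ProcessMonitor.zip to the desktop first (step 3)."
}
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Start-ProcmonCapture {
    param([string]$BackingFile)
    # /AcceptEula and /Quiet suppress the licence and filter prompts, /Minimized
    # keeps the window out of the way, /NoFilter clears any saved display filter
    # so that all events are kept, and /BackingFile makes Procmon write events
    # straight to the named PML file instead of the page file. Capture starts
    # immediately (step 5), so nothing needs to be cleared first (step 6).
    Start-Process -FilePath $Procmon -ArgumentList @(
        '/AcceptEula', '/Quiet', '/Minimized', '/NoFilter',
        '/BackingFile', ('"{0}"' -f $BackingFile)
    )
    Start-Sleep -Seconds 5   # let the Procmon driver load before reproducing
}

function Stop-ProcmonCapture {
    # /Terminate tells the running instance to stop capturing, flush the backing
    # file and exit (step 8). Wait until no Procmon/Procmon64 process remains so
    # the PML is complete before it is zipped.
    Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
    while (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 1 }
}

function Compress-AndRoute {
    param([string]$PmlPattern, [string]$ZipPath)
    # Steps 11-12 (normal) / 13-14 (boot): zip the PML file(s) and pick the
    # submission route from the archive size. A long capture is split into
    # several files (name.pml, name-1.pml, ...), so a wildcard collects all parts.
    if (Test-Path $ZipPath) { Remove-Item $ZipPath -Force }
    Compress-Archive -Path $PmlPattern -DestinationPath $ZipPath -CompressionLevel Optimal
    $sizeMB = [math]::Round((Get-Item $ZipPath).Length / 1MB, 2)
    $route = if ($sizeMB -lt 30) {
        'email (if within your attachment limit) or website Sample Submission; quote the case reference'
    } else {
        'FTP upload; request credentials from Sophos Technical Support'
    }
    [pscustomobject]@{ CaseRef = $CaseRef; Archive = $ZipPath; SizeMB = $sizeMB; Route = $route }
}

$backing = Join-Path $WorkDir "$CaseRef-procmon.pml"
Start-ProcmonCapture -BackingFile $backing                  # steps 4-7
& $ReproCommand                                             # recreate the issue
Stop-ProcmonCapture                                         # step 8
Compress-AndRoute -PmlPattern (Join-Path $WorkDir "$CaseRef-procmon*.pml") `
                  -ZipPath    (Join-Path $WorkDir "$CaseRef-procmon.zip")   # steps 9-12
```

For a boot log, skip the capture functions and call only Compress-AndRoute with the path of the PML you saved in step 11; the size check then tells you which of the three submission routes above applies.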

 
If you need more information or instructions, please contact Technical Support.
