Many calculations and processes happen behind the scenes in every program you use, and for the most part they are not that important for the user to understand. Sometimes you need the finer details of what’s going on in every program on your computer. Process Monitor is a handy tool to have and understand when the time comes.
What is Process Monitor?
Process Monitor (Procmon) is a Microsoft Sysinternals utility for Windows that records, in real time, what the programs on your computer are doing: which files and registry keys they read and write, which processes and threads they start, and which network connections they make. As a regular user you never see most of this behind-the-scenes activity, like background downloads, processes exchanging data, or errors that are never surfaced to the person using the program. Process Monitor shows it to you event by event.
It is not as user-friendly as some built-in Windows utilities and is mainly used by system administrators and developers. You must have administrator rights on the computer to run it, because it loads a kernel driver to capture events. If you don't have them, contact your system administrator for assistance.
What can I do with Process Monitor?
Process Monitor is a tool for gathering information. It does not change or repair anything itself, but it shows you exactly what a program did, in what order and with what result, so you know what to do next. Having that record is usually the fastest route to the cause of a problem on your PC.
How to install Process Monitor?
Process Monitor is not built into Windows like Task Manager or Resource Monitor. It is a free download from Microsoft's Sysinternals site, delivered as a zip file. There is no installer and nothing to register; Windows can extract the zip itself, so no extra software is needed.
- Go to the Process Monitor download page on the Sysinternals site. It's free from Microsoft and the download is small.
- Open your Downloads folder and find ProcessMonitor.zip.
- Right-click the file and choose Extract All to unzip it into a folder of the same name.
- Wait for the extraction to finish.
- Open the folder.
- Double-click Procmon.exe. The first time you run it you are asked to accept the license agreement; once you do, Process Monitor opens and immediately starts capturing events.
The tool is portable: you can move the extracted folder anywhere convenient and run Procmon.exe from there in future.
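The same steps, scripted, as an added example that is not part of the Sysinternals tooling or of the original article. It downloads the zip from the public Sysinternals URL, extracts it, checks that the executable still carries Microsoft's Authenticode signature before running a tool that installs a driver, and launches it with the /AcceptEula switch so the license dialog does not appear. The folder C:\Tools\Procmon is an assumption; use any location you like.

```powershell
# Added example (not from Sysinternals or the article): fetch Process Monitor,
# extract it, verify the Microsoft signature and launch it past the EULA prompt.
# $ToolDir is an assumed location; the download URL is Sysinternals' public one.
$ToolDir = 'C:\Tools\Procmon'
$Zip     = Join-Path $ToolDir 'ProcessMonitor.zip'
$Exe     = Join-Path $ToolDir 'Procmon.exe'
$Url     = 'https://download.sysinternals.com/files/ProcessMonitor.zip'

# Procmon loads a kernel driver, so the session must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

New-Item -ItemType Directory -Path $ToolDir -Force | Out-Null
Invoke-WebRequest -Uri $Url -OutFile $Zip
# The zip holds the executables only: there is no installer and nothing to register.
Expand-Archive -Path $Zip -DestinationPath $ToolDir -Force

# Before running a tool that installs a driver, confirm it is the signed Microsoft binary.
$sig = Get-AuthenticodeSignature -FilePath $Exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Unexpected signature on ${Exe}: $($sig.Status)"
}

# /AcceptEula skips the first-run license dialog; capture starts immediately.
Start-Process -FilePath $Exe -ArgumentList '/AcceptEula'
```

On 64-bit Windows, Procmon.exe hands off to the 64-bit build in the same folder, so you will see a second Process Monitor process appear; that is expected.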
What options can I set on Process Monitor?
There are a few things you can adjust to make the program more user-friendly for you.
What information can you view in Process Monitor?
There are many columns to choose from. Time of Day, Process Name, PID, Operation, Path, Result and Detail are shown by default. You can show or hide the others from Options > Select Columns.
Application Details columns tell you about the program that generated the event:
- Process Name
- Image Path
- Command Line
- Company Name
- Description
Event Details columns describe the event itself:
- Sequence Number
- Event Class
- Date & Time
- Time of Day
- Relative Time
- Completion Time
Process Management columns identify the process and thread behind the event and the security context it ran in:
- Session ID
- Authentication ID
- Process ID
- Thread ID
- Parent PID
Choose which columns to display based on the information you are trying to find. You don't need to enable a column to see its value for a given event: the Properties dialog shows every field of an event regardless of which columns are visible. To open it:
- Scroll to the event you want to examine in Process Monitor.
- Right-click the line.
- Choose Properties.
- Click the Event tab to find out more about the event itself: date and time, class, operation, path, duration, result and detail.
- Click the Process tab to learn more about the process that generated it: which company produced the software, what it is, its image path and command line, its architecture, whether it is virtualized, the user and session it ran under, and the modules loaded in the process.
- Click the Stack tab to see the thread's call stack at the moment the event was captured: each frame's module, function, address and path. Frames resolve to function names only if you have configured symbols under Options > Configure Symbols; otherwise you see module names and offsets.
- Click Close to return to the main Process Monitor window when you have finished reading the details.
The Properties dialog has a Copy All button that puts every field on the clipboard. This is useful when you are keeping notes for troubleshooting or sharing an event with someone else.
Using filters in Process Monitor
One way to narrow things down is to use filters. A capture can easily run to millions of events, so understanding filters is essential when you are looking for something specific. A filter only controls what is displayed; the events it hides are still in the capture and reappear if you change or reset the filter, unless you turn on Filter > Drop Filtered Events.
- Click Filter on the menu bar at the top of the Process Monitor window.
- Choose Filter... from the menu (or press Ctrl+L).
- Select the column you want to test in the first drop-down list. Every column is available, so you can filter on anything from Architecture to Virtualized.
- Select the relation in the second drop-down list: is, is not, less than, more than, begins with, ends with, contains or excludes. A single rule tests one relation; add several rules if you need more than one.
- Select or type the value in the third drop-down list. The choices depend on the first two selections. For example, if you choose Architecture, the options are 32-bit and 64-bit; if you choose Virtualized, the options are True, False or n/a.
- Choose Include or Exclude in the fourth drop-down list to say what should happen to events that match the rule.
- Click Add.
- Click Apply. Applying the filter may take some time. For example, when I searched for virtualized processes marked as True, it took over six minutes to search 109 million entries and find the correct results.
- Click OK. You will see the events that pass your filter. For example, my search for virtualized processes revealed that Steam's GameOverlay is considered a virtualized process. I can also see that it repeats very frequently and the results range from Success to Buffer Overflow.
You can add and remove as many rules as you need in this dialog; combining include and exclude rules is the normal way to cut millions of events down to the handful you care about.
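Filters built in the dialog can be saved with File > Export Configuration and reused from the command line, which is how you capture a problem that only shows up overnight or on a machine you cannot sit at. The following is an added example, not part of Process Monitor or of the original article: it runs an unattended capture with a saved filter, stops it, exports the log to CSV, and then asks the same questions in PowerShell that you would ask with the filter dialog. Every path, the length of the capture, and the process name example.exe are assumptions.

```powershell
# Added example (not part of Process Monitor or the article): an unattended
# capture driven by a saved filter configuration, exported to CSV and summarised.
# All paths and the target process name are assumptions. Elevated session required.
$Procmon = 'C:\Tools\Procmon\Procmon.exe'     # assumed: where the zip was extracted
$Config  = 'C:\Tools\Procmon\myfilter.pmc'    # assumed: saved via File > Export Configuration
$Pml     = 'C:\Temp\capture.pml'
$Csv     = 'C:\Temp\capture.csv'
$Target  = 'example.exe'                      # assumed: the process you are investigating
$Seconds = 60

New-Item -ItemType Directory -Path (Split-Path $Pml) -Force | Out-Null

# Start capturing with the saved filter. /Quiet suppresses the filter dialog,
# /Minimized keeps the window out of the way, /BackingFile writes events to disk
# instead of holding them in the paging file.
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized',
    '/LoadConfig', "`"$Config`"",
    '/BackingFile', "`"$Pml`""
)
Start-Sleep -Seconds $Seconds

# /Terminate stops every running Process Monitor instance and closes the backing file.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# Re-open the log and save it as CSV; the output format follows the file extension.
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/OpenLog', "`"$Pml`"", '/SaveAs', "`"$Csv`""
) -Wait

# The CSV columns are the ones visible in the GUI, so Result and Operation use the
# same vocabulary as the filter dialog.
$events = Import-Csv -Path $Csv

# Distribution of results across the whole capture.
$events | Group-Object -Property Result | Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name | Format-Table -AutoSize

# Everything that did not succeed for the target process, grouped by operation and
# result: the same question as a GUI filter on Process Name and Result.
$events |
    Where-Object { $_.'Process Name' -eq $Target -and $_.Result -ne 'SUCCESS' } |
    Group-Object -Property Operation, Result |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name | Format-Table -AutoSize
```

Two caveats. The .pmc file has to be created in the GUI first, after you have set the filter you want. And because a filter only hides events by default, the backing file still contains everything that was captured; enable Filter > Drop Filtered Events before exporting the configuration if you want excluded events kept out of the log entirely.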
Tips and tricks for using Process Monitor
- At the top of the window are five toggle icons for registry, file system, network, process and thread, and profiling events. Deselect one to hide that class of events from the list, or select it to show them again; the events are still captured, only hidden. If you know what kind of activity you are looking for, turning off the other classes is the quickest first cut.
- To see activity as a process tree, click the icon with three boxes joined by lines (or press Ctrl+T). The tree shows which process started which, including processes that have already exited, which helps when you are trying to work out where something came from.
- Don't leave Process Monitor capturing when you don't need it. By default every event is kept in virtual memory, so a long capture grows to gigabytes and slows the machine down. Stop capture with Ctrl+E, or use File > Backing Files to store events on disk instead.
- You can highlight certain events instead of filtering them (Filter > Highlight, or Ctrl+H). Nothing is removed from the list, so you still see what happened around the highlighted events, but the ones you care about stand out.
- You can always clear your filters with Filter > Reset Filter (Ctrl+R). This is usually fast, but it may take a while on a large capture.
Should I use Process Monitor?
Many people get by without ever having to use Process Monitor. As you get deeper into computer troubleshooting, having robust monitoring tools can help you better understand and find problems with your computer.
Much of the information you see in Process Monitor isn’t as easily accessible in other ways. Although it seems daunting at first, it’s worth taking the time to explore what the utility has to offer.