Troubleshooting Processes and Registry with Sysinternals Process Monitor

Process Monitor in Windows is one of the best tools to use in troubleshooting. In this course, you'll learn how to get the most out of the second most downloaded tool from the Sysinternals toolkit - Process Monitor.
Course info
Rating
(19)
Level
Beginner
Updated
May 18, 2017
Duration
1h 19m
Description

There is an age-old saying in Windows: "If something breaks in Windows, run Process Monitor". This is absolutely true, and Process Monitor is one of the best tools to use in troubleshooting. In this course, Troubleshooting Processes and Registry with Sysinternals Process Monitor, you'll learn how to use Process Monitor for troubleshooting. First, you'll explore how to find settings in the Registry and learn how to resolve performance bottlenecks. Next, you'll cover how to fix broken applications. Finally, you'll learn how to analyze slow boot sequences. By the end of this course, you'll know how to effectively use one of the most important troubleshooting tools available.

About the author

Sami Laiho is one of the world's top experts in Windows OS and Security. Sami specializes in OS internals, troubleshooting, management, and security.

Section Introduction Transcripts

Course Overview
Hi everyone, my name is Sami Laiho. Welcome to my course, Troubleshooting Processes and Registry with Sysinternals Process Monitor. I'm a senior technical fellow at my own company, Adminize. Whenever you read about great success stories from industry experts about troubleshooting cases they have solved, they always say they used Sysinternals Process Monitor. Every Windows admin should take this course and learn how the second most downloaded tool in the Sysinternals toolkit works. There are hidden features for even the most seasoned admins out there. Some of the major topics that we will cover include how to find registry settings, how to find performance bottlenecks in Windows, and how to find the cause of an application hang. By the end of this course, you'll know how to effectively use one of the most important troubleshooting tools available. Before beginning the course, you should have viewed the first course on this learning path, on the Sysinternals Toolkit, on Pluralsight. I hope you join me on this Troubleshooting Processes and Registry with Sysinternals Process Monitor course, at Pluralsight.

Viewing the Process Tree in Process Monitor
In this module, we will take a look at an internal tool inside of Process Monitor called the Process Tree. When you want to get a bigger picture of what was actually happening during that trace, you can use the Process Tree. You can start it from the menu or just use Ctrl+T. The Process Tree is very good for finding out what the operating system looked like, exactly as if you were looking at Process Explorer on a live system. The good thing about this one is that someone can take the trace on another machine and just send it to you, and it's like remotely looking at it with Process Explorer. It has a few things to it. It shows you the relationship of processes. It shows you status indicators. It shows you the lifetime of every one of those processes. So it shows you whether the process was live all the way through to the end of the trace, or if it stopped in between, or if it was started and restarted. You can also choose to exclude these so that you only see processes that were live when the trace ended. You can also use these tools to create better filters inside of the actual Process Monitor. In addition to graphically showing the parent-child relationship of processes, what makes this tool so good is that it's a very, very good tool for seeing short-lived processes that are just being created all over again, and all over again, and all over again, and just keep repeating. So it's very good for catching these badly behaving processes.

Controlling Log Sizes in Process Monitor
In the next module, we will look at how to control the log sizes that are produced by Process Monitor. Sometimes you need to log for extended periods of time, and like I told you before, you should not leave Process Monitor running with the default settings, as it will fill your page file and at some point crash your system. We can, however, control how many events get gathered into that file, which means that we can keep this running for longer periods of time. First of all, if you have a filter that you can use, you can just drop out everything outside of that filter. That's the most effective way of keeping the log file size down. You can also adjust the history depth to make sure that Process Monitor, if you leave it running, will not gather more than 1 million events, or up to 199 million events. And you can change from the default of using the page file to a named file. That's good because then you have full control of where that file is. It will of course grow, but then it will be limited by the hard disk space, and hopefully that is a disk that doesn't matter that much if it gets totally filled.

Automating the Use of Process Monitor
In the next module, we're going to take a look at how to automate the use of Process Monitor. This module is here to show you the command line options that Process Monitor has. You can use it as your replacement for the manual, but if you have other ways of getting this information, you can of course use those as well; I just want them to be part of this course. I'm not really aiming to tell you what every single command line option inside of Process Monitor does. What I am aiming to do is give you a few examples of real-life cases and real-life situations where these have been very, very useful. I'm going to end this with a demo showing you how to use this for one of the most important things I need to do quite often, which is how to remotely monitor someone else's processes. And before we get there, I want to show you one example that is actually taken from the book called Troubleshooting with the Windows Sysinternals Tools, Second Edition. This shows an automated example of how to use Process Monitor. There are a few variables setting the definitions of what we're going to run that will start the capture, then they start the application we want to get a trace from, then they will gracefully terminate Process Monitor, and then they will open up Process Monitor and actually look at that file.
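The four-step capture described above (start the capture, start the application, terminate Process Monitor gracefully, reopen the trace), combined with the log-size controls from the previous module (a named backing file on a disk that may fill up, and a saved filter), written out as a PowerShell script. This is an added example, not the book's or the course's code; the paths for Procmon.exe, the application, the backing file and the saved filter configuration are assumptions.

```powershell
# Added example, not from the course or the book.
# Assumed paths: adjust to your environment.
$ProcmonPath = 'C:\Tools\Procmon.exe'                 # where Procmon.exe was unpacked
$AppToTrace  = 'C:\Program Files\Contoso\App.exe'    # placeholder: application to trace
$BackingFile = 'D:\Traces\AppTrace.pml'               # named file instead of the page file
$FilterFile  = 'D:\Traces\AppFilter.pmc'              # filter saved earlier from the GUI (optional)

# Make sure the trace directory exists on the scratch disk.
New-Item -ItemType Directory -Path (Split-Path $BackingFile) -Force | Out-Null

# 1. Start the capture. /AcceptEula and /Quiet suppress prompts, /Minimized keeps the
#    window out of the way, /BackingFile writes events to the named file so the page
#    file is not consumed, and /LoadConfig applies the saved filter so only events that
#    match it are kept (the most effective way to keep the log small).
$captureArgs = @('/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$BackingFile`"")
if (Test-Path $FilterFile) { $captureArgs += "/LoadConfig `"$FilterFile`"" }
Start-Process -FilePath $ProcmonPath -ArgumentList $captureArgs
Start-Sleep -Seconds 3   # give Process Monitor time to load its driver before the app starts

# 2. Start the application we want a trace of and wait until it exits.
$app = Start-Process -FilePath $AppToTrace -PassThru
$app.WaitForExit()

# 3. Gracefully terminate the running Process Monitor instance. A second Procmon.exe
#    invocation with /Terminate signals the first one to stop and flush the backing file.
Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait

# 4. Reopen the saved trace in Process Monitor for analysis.
Start-Process -FilePath $ProcmonPath -ArgumentList "/OpenLog `"$BackingFile`""
```

Run the script from an elevated PowerShell session, since Process Monitor needs administrative rights to load its driver.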

Using the Analysis Tools in Process Monitor
In the last module, we're going to take a look at the analysis tools that are provided by Process Monitor. We'll also go through a summary of the course itself. Inside of Process Monitor there are a number of ways to visualize the captured data, not just going line by line through the trace like you normally do. There are a few different analysis tools that I would like you to take a look at. First of all, there's the Process Activity Summary, which gives you a good overall picture of what happened during the trace, and gives you very detailed information about the resources that these processes used. So I use it heavily for finding hogging processes, for example. Then there is the File Summary, which is great for trying to figure out what files are accessed the most. So you get a summary of which file was read and how many times, which file was written to and how many times, and so on. You can have the same kind of thing for the Registry to see which registry keys were accessed the most. You can have a Stack Summary of what took place inside of the code itself. You can have a Network Summary of how much communication was going on, and from where to where. And you have a slightly different look at how things were accessed and by whom. So, the Cross Reference Summary shows you places that were accessed by multiple parties. And then we have Count Occurrences, where you can count occurrences inside of a certain column.