Menu
homePrograms

Diagnose Slow Windows Boot Using Process Monitor

Someone may have already read it and been using it for a long time, and someone may not even have heard of it, so I want to tell you about it again, especially since I haven’t been sitting idle for a year and a half. This automatic system tracking of torrent trackers, which automates the process of downloading torrent files.


The most important thing for such a system is to expand the number of supported trackers, not at the expense of quality, of course. During this time, the number of supported trackers has doubled. In fact, it takes several hours to add support for the next tracker, unless it uses some kind of very abstruse engine or is too inconvenient for parsing (this mainly relates to the naming of distribution topics, for example, it was not possible to add animereactor.ru, due to lack of a standard for naming distributions). Now the list of supported trackers looks like this:

  • anidub.com
  • baibako.tv
  • casstudio.tv
  • cinemazal.tv
  • lostfilm.tv
  • newstudio.tv
  • nnm-club.me
  • novafilm.tv
  • rutor.org
  • rutracker.org
  • tfile.me
Trackers are divided into 2 types:
- Forum - those that have updated distributions
- Single - those on which new episodes are posted one at a time

Here I will tell you a little more about how it works, because it is a common question. Many people add a series to monitoring on lostfilm.tv and expect that something should happen right away, but this is not the case. The monitor will react to this series only when it appears in RSS feed, but if you add a theme from rutracker.org, the torrrent file will be downloaded immediately after the first start of the system, and the next time, only when the torrrent file is re-uploaded on the tracker.

Form trackers also have the ability to monitor releasers


In my opinion, this is also convenient and useful when the tracker has a releaser that uploads music in your favorite style, for example.

The second main innovation was, finally, support for torrent clients, which allows you to transfer a torrent file directly to the client that downloads it, and at the same time can delete the previous distribution from the client (no matter what type of distribution, “formula” or “single” ). TM is “friendly” with Transmission and Deluge, because These are the most popular clients among my users and they were asked to “fasten”. This was perhaps the biggest expansion of functionality during this time. But, unfortunately, there are limitations here - this only works on *nix, because the work is done through the console of these clients.


Also, due to the blocking of some trackers by home providers, they were very much asked to add the ability to work through a proxy, which was also implemented and now the system can be wrapped in tor (it will have to be installed and configured, of course, separately). And the class that works with the database has become universal and supports: MySQL, SQLite, PostgreSQL.

Surprisingly, TM has become quite popular, I see that it is installed not only on machines with Windows/Linux/Mac OS on which it naturally works fine, but also on various “boxed” Linux-based devices: zyxel keenetic, various NAS, as well as on nas4free.

I hope this post and my small development will seem useful to someone, and even if only one person starts using it after reading it, that will be enough for me.

In general, I am extremely interested in developing the project further, I will be extremely interested in working with programmers to improve the system or add to it new functionality, add new torrent trackers for work and learn something new for yourself. For this reason, I invite everyone to github.

Well, and most importantly, a link to the latest version 0.9.2 and how to deploy and test the system is described in the readme file in the archive.

And here I will hide the remaining screenshots :)







System requirements:
PHP 5.3 and higher must be built with cURL and PDO support.
Also, in php.ini (for CLI) you need to change the following parameters:
max_execution_time = 300
allow_url_fopen = on (it is advisable to enable this option in php.ini for both the CLI and the web server)
set date.timezone

Expand:

  • download the archive
  • import a database dump from the db_schema directory depending on the database used - *.sql
  • transfer all files to a folder on your server (for example /var/www/htdocs/torrentmonitor/)
  • edit config.php and specify data for accessing the database
  • go to the web interface (the default password is torrentmonitor, change(!) it after the first login).
  • specify credentials from trackers
  • specify in the settings the path for saving torrents (the folder that is monitored by your torrent client), e-mail and enable/disable sending notifications
  • adding torrents for monitoring
  • go to the “test” tab and check if everything is working correctly
  • add to cron engine.php
*/10 * * * * php -q /path/to/folder/torrent_monitor/engine.php

And a few words for the paranoid: Passwords for your accounts are stored in your database, nothing is sent to me. For own peace of mind you can close any activity on my domain, except for the file korphome.ru/torrent_monitor/version.xml, it is needed to check for updates (but if you’re really paranoid, you don’t have to check for updates).

I'd love to hear your thoughts on the topic further development project and interesting functionality.

When download speed decreases Windows It is traditionally recommended to clean the system of temporary files and disable them using optimizer programs unused services, however, all these methods are not always effective. As practice shows, deleting temporary data and cleaning the registry is completely useless, and the use of optimizers also does not have the desired effect, since the algorithms embedded in them act according to a pattern, often disabling components that should not be disabled.


Of course have special utilities, allowing you to accurately determine the reasons slow loading, but their use can cause difficulties not only for ordinary users, but also for beginners system administrators. There is a middle way - to determine the applications, drivers and services that are slowing down Windows boot, you can use a free utility . While allowing you to accurately identify the causes of slow system loading, it is also relatively easy to use.

The utility is multifunctional, but in this example we are interested in one function - monitoring launched during boot Windows processes. It works as follows: in the registry key HKLM\SYSTEM\CurrentControlSet\Services a special service is created that loads the driver procmon23.sys, which tracks the launch of all processes that start after the main boot file is launched Winload.exe . The data is recorded in the log and displayed in the utility window in graphical form, making it easy to determine which component is taking the longest to load.

So, let's download from the developer's website technet.microsoft.com/en-us/sysinternals/processmonitor.aspx and run as administrator. From the main menu select -> Enable Boot Logging.

In the window that opens, check the box Generate thread profiling events with radio button enabled Every second.

Click "OK" And restart your computer. When the desktop appears, run again. A notification window will open "A log of boot-time activity was created...". Click "OK" and save the file P.M.L. to any location convenient for you.

Note: event logging by driver procmon23.sys will start immediately after the system reboot and will continue to background until the user runs the utility . If the utility is not started, the temporary dump file procmon.pmb in the *C:\Windows* directory will fill all free disk space.

In our example, two dump files were created Bootlog.pml And Bootlog-1.pml overall size 464 MB . Before you start analyzing them, click in the window on the title of the data table with the right mouse button, click

And mark the item in the window that opens (column) .

And set the parameters in the filter creation window Duration, more than And 10 , as shown in the screenshot.

10 in this example, this is the number of seconds the processes spent performing their operations.

Now click first "Add", Then "OK", and as a result, the utility window will display the processes that took the most time to load.

For a more detailed analysis, you can use the option from the menu Tools, which displays processes as a tree list indicating additional information about the duration, start and end times of each process.

Having thus revealed problematic processes and by matching them with executable files and services, you can perform correct system optimization by removing the latter from startup.

Quite a lot of material has already been given on the Process Monitor program, and learning the basics of the utility’s functioning has always been accessible even to an untrained user. But still, I personally didn’t quite understand many aspects of the work (and I still don’t understand some :), so I decided to write another note about this very useful utility, so that you can later use the article as a kind of hint. If we consider any operating system from the point of view of generalization, then we can conditionally differentiate it into blocks of code/data that interact with each other based on certain patterns. To get closer to the terms we are familiar with, we will consider the mentioned block a process that combines both code and data, intended to solve a specific problem. Thus, the interaction between similar processes constitutes (with some exceptions) the concept of functioning operating system. While the operating system is running, it runs a large number of processes and the purpose of any of these processes can vary over a fairly wide range.

Each process in the operating system, by the totality of its own operations and the results of their execution, actually determines the fingerprint of the system’s activity at one time or another. But, as we know from theory, the processes themselves are just containers for threads (threads), which directly do all the computational work. It is clear that threads are code, a set of machine instructions executed by the processor, but this is at a fairly low level of perception. If we operate with Windows structures, then threads still contain machine code, but all the functionality of the operating system is available through access to the functions of various system libraries and driver calls, so threads, in addition to simple arithmetic-logical operations, interact with various Windows subsystems: virtual memory, file system, registry, hardware components and many others. Interprocess communication is so intensive that at any given time thousands of such operations are performed in the system. Accordingly, in the realities of Windows, it would be interesting for us to observe the interaction of processes with certain components of the operating system at the level of functions and the results of their execution, since this level of activity is quite sufficient to solve most problems. Such information would be extremely useful to us both from the point of view of purely research interest in the study of algorithms, and from the point of view of finding solutions to certain problems that arise in the process of work. But we will need a tool that can provide such detailed information, because we need to dive into interprocess communication much deeper than the level of built-in tools, to understand what exactly the processes are doing. Something similar is provided to us by a tool called Process Monitor, which belongs to the class of tools with extended functionality, will be the topic of our today's article.
Process Monitor- a program for monitoring process activity in the operating system, which, in operation logging mode, allows you to monitor the activity of processes in relation to such OS subsystems as the file system, registry, and network. Allows you to estimate the amount of CPU time spent executing threads within processes.
Process Monitor provides real-time monitoring for the following classes of events:

  • File system: creating (opening)/closing/reading/writing/deleting file system elements: files, directories, attributes, content.
  • Registry: creating/reading/writing/enumerating/deleting registry elements: branches, keys, values.
  • Network: establishing a connection, transferring data, closing a connection. Information about the source/receiver of TCP/UDP traffic. General information about protocols and packages. The transmitted data itself is not recorded.
  • Process/thread: Create a process, create a thread within a process, terminate a thread/process. detailed information about the process (path, command line, user/session ID), startup/termination, loading images (libraries/drivers), execution stack.
  • Profiling: Special class events recorded to track the amount of CPU time spent by each process. Process memory usage.

The main, most likely scenarios for using Process Monitor immediately come to mind:

  • In which registry keys does this or that program store its settings?
  • What operations does the process perform at startup, during operation, and at the closing stage?
  • Who owns these or those files? How often does the owner contact them?
  • Which process accesses external network nodes?
  • What process slows down the loading of the operating system?

Process Monitor allows you to get an answer to the question: what actions are performed by a particular process in the system.

But, unlike tools such as Process Exploer, this is not a real-time utility that allows you to interact with processes on the fly, close handles, kill processes and perform other similar actions, it is rather global magazine, consisting of events occurring in the operating system. The key word in the previous sentence was “detailed”, because this does not mean the events that we are used to seeing, for example, in the Event Log, but lower-level ones that occur on a given set of API functions of some OS components. These, like some others, unique features functionality make the Process Monitor program an almost indispensable tool for troubleshooting and identifying the causes of suspicious activity in the system.
But don’t rush to be enchanted, because for every barrel of honey there is always its own fly in the ointment. So in the case of Process Monitor, there are some “nuances”. You should not consider Process Monitor as a kind of magic wand for all occasions, since it does not “see” everything. For example, it will not track the movement of the mouse pointer, dragging of windows, will not show the contents of network traffic packets, will not show the whole variety of functions called by the program, and this is not a complete list of those things that Process Monitor cannot do. As in any case of diagnosing operating system problems, such tools provide, roughly speaking, limited set functions and operations of the flow, leaving a field for activity and requiring the specialist to make independent conclusions and sometimes quite deep knowledge, which form the basis of any analysis. I do not presume to say that absolutely all problems diagnosed using Process Monitor require high level knowledge of OS architecture, but this is not so a rare event. An example from the wild: I once encountered a bug with Outlook 2010, when compatibility options were set in the properties of the outlook.exe program, which prevented the program from starting with the starting error “It is impossible to open the default mail folders. The message bank cannot be opened.” . Track this problem You can use the Process Monitor utility, but you need to know what exactly to look for in the huge stack of messages from the Outlook process. For that case, we had to look for the WINSRV08SP1 and RUNASADMIN flags when reading the AppCompatFlags key, which in itself suggests that sometimes we need to imagine what we want to find. Ideally (and the ideal is unattainable), it would be nice to imagine exactly how the profile of a program loaded in compatibility mode changes at the level of generated events in relation to a typical application load. Ultimately, it was necessary to understand why exactly mail client Failed to load user configuration. Of course, perhaps this particular example is not so indicative, because it is quite complex, and it would be more reasonable to use other means, I just want to draw your attention to the fact that Process Monitor is not a debugger, and it cannot catch the place where the window display function is called with an error, will not be able to penetrate the logic of the operation of one or another internal function, will not show the state of registers, memory areas and other structures important for the process. Sometimes there is no visible result about the lack of access, so sometimes the collected information implicitly contains a description of the problem and you need to think more about the results obtained by Process Monitor. Occasionally there are cases when functionality Process Monitor" is simply not enough to get to the bottom of the problem, but this does not in any way beg the merits of this instrument, because in most cases it allows you to get to the cause of the bug quite quickly. Well, you won’t immediately take to the debugger for every error and spend hours flying around trying to study the algorithm of the faulty module? .. Although:)
The Process Monitor utility includes the capabilities of earlier Sysinternals programs: the Regmon registry monitoring program and the Filemon file system monitoring program, which have long since disappeared from the scene. In addition, Process Monitor can save the entire event log to a file weighing up to 1 gigabyte.

How it works

While monitoring the activity of Process Monitor, it was identified interesting feature, it turns out the program uses its own kernel mode driver (what about the signature? But the signature is from Symantec). On a 32-bit system, Process Monitor uses a 32-bit filter driver called procmon23.sys both during the execution of the directly executable image and at the operating system boot stage (when the Enable Boot Logging option is enabled). But besides the executable image procmon.exe itself, there are no other binary files in the application’s working directory? The fact is that the driver is packaged in the body of the main executable module procmon.exe. Using any tool for working with PE file resources, you can make sure that the procmon23.sys driver is contained inside the executable file in the RCDRIVERNT resource of the BINRES directory of the resource section, that is, it is part of the main file:

On a 64-bit system, Process Monitor unpacks %TEMP% into a temporary directory when launched. hidden file named Procmon64.exe. The procmon64.exe image is contained in resource 1308 of the BINRES directory inside the resource section of the main procmon.exe file. But in Procmon64.exe itself, the BINRES section of the resource section contains a 64-bit driver that is used during operation.

The procmon23.sys driver can also work as a boot mode driver. When the user activates the Enable Boot Logging option, Process Monitor copies the driver to the %SystemRoot%\System32\Drivers folder and writes it to the registry key HKLM\SYSTEM\CurrentControlSet\Services with the Start parameter value = 0, which indicates that the driver will be loaded at the Winload.exe execution stage when the operating system boots.

It appears that all events monitored by Process Monitor pass through this filter driver. In addition to this, Process Monitor uses technology Event traces(ETW, Event Tracing for Windows), at least for monitoring events network activity. It is not entirely clear yet whether the same driver is used as a controller and receiver for ETW or the executable module itself? Let me remind you that ETW is a kind of extensible logging system built into the Windows system, implemented at the kernel level and allowing (on request) to collect events from user-mode applications and kernel-mode modules. And as we know, almost all components of the operating system include the ability to track ongoing operations. It is clear that the ETW functionality is much broader; it provides extensive information on operation: context switching, interrupt statistics, deferred procedure calls (DPC), interrupt service routines (ISR), creation and destruction of processes and threads, disk I/O, errors pages, processor transitions between p-state modes, registry operations, and much more.

Interface

Before starting, it would be a good idea to obtain the executable module of the utility. You can download Process Monitor from here. The utility is distributed as a portable application and does not require installation, but can simply be extracted from an archive file into an arbitrary directory, which is extremely useful when diagnosing from portable media and when integrated into a preinstallation environment (WinPE).

Because Process Monitor uses its own driver, it requires local administrator rights to run.

If Process Monitor is launched with filters installed in previous work sessions, the program opens the filter settings window (Filter). This is done so that the user can, if desired, modify the filters before starting the data collection procedure.
The Process Monitor interface is extremely simple and looks like this by default:

Agree, everything ingenious is really simple. The simplicity of the interface makes it intuitive to perceive what is happening in the system. Immediately after launching Process Monitor, it immediately begins to capture events occurring in the operating system, monitoring the main components, such as: file system, registry, network, process/thread activity. After capture, events that do not fall under the filter are displayed in chronological order in the main application window. Moreover, the user observes such a huge amount of data, which can easily be discouraged at first; all this ton of data instantly fills the main program window and rushes beyond its limits, as eloquently evidenced by the rapidly decreasing side scroll slider. Each line output in this way represents an event that occurred in the system, was visible and captured by the Process Monitor driver, and was not subject to filtering rules. The main body of information is formatted in the form of a table; accordingly, each row is divided into a number of columns, the composition and arrangement of which can be changed through the program settings. The default configuration uses the following columns:

Column Name Designation
1 Time of Day The time the event occurred. Displayed in fractions of seconds in the format HH:MM:SS,SSSSSSS with a precision of seven decimal places. The accuracy of the displayed time value depends on the accuracy of the hardware timer used in the computer (8254/RTC/HPET).
2 Process Name Process name. The column displays the name of the process that performed the operation. Only the process name is displayed, but if you hover your mouse over the name of interest, the full path to the module will also be displayed. The column displays the application icon (icon), packed in the resource section of the binary file.
3 PID Process ID. Quite a useful parameter, especially for “complex” processes such as svchost.exe.
4 Operation Operation. The name of the committed low-level operation performed by the process on the target object. Usually given name matches the name of the function that is called to perform the operation. Additionally, the event class icon (register, file, network, process) is displayed.
5 Path The path to the target object on which the process is performing the operation. Do not confuse with the path to the process (module). Printed only if the path is applicable to the object. Possible values:
  • File system path starting with a drive letter;
  • Path to the registry branch/key;
  • Network path (source and destination addresses and ports);
  • Network path (in UNC format);
6 Result Result of the operation. The result of an operation returned by a function, indicating the degree of success of a particular action. Described in more detail in separate table given below.
7 Detail Detailed information about the details of the event. Such as: Requested access level, data size, data type, network I/O packet size, file attribute codes.

The operation result field (Result) is one of the key ones and requires additional explanation:

Result Result Description
SUCCESS SUCCESS The operation was completed successfully.
ACCESS DENIED ACCESS DENIED The operation was not completed. The object's security descriptor does not grant the process the necessary access rights to the object.
SHARING VIOLATION FILE SHARING VIOLATION The operation was not completed. The object is already open by someone and does not support sharing mode.
NAME COLLISION NAME CONFLICT The process tried to create an already existing object.
NAME NOT FOUND NAME NOT FOUND An attempt to open a non-existent object: the path was found but the object name was not found. Despite the “loud” wording, in most cases it is not of interest when searching for problems. The fact is that this result is quite often returned as a result of regular operations. A typical example This can be used to check the existence of a file or registry key in a specific path. After returning a similar result, the code that performed the check will simply follow a different logical branch. That's why: This result can be used to find problems with reservations.
PATH NOT FOUND PATH NOT FOUND Attempting to open a non-existent object: path not found. Same as the previous one. This result can be used to find problems with reservations.
NO SUCH FILE FILE DOES NOT EXIST An attempt was made to open a non-existent object or group of objects. Usually returned when requesting a group of objects by mask, for example *.exe indicates all files with the .exe extension in the requested directory. If no file matching the set mask is found, then a similar result is returned.
NAME INVALID WRONG NAME The process requested an object with an incorrect name. Likely to occur when the name of the requested object is malformed, contains invalid characters, or is generally invalid.
NO MORE ENTRIES NO ENTRY The process has finished listing the contents of the registry key. Usually speaks of the actual completion of this process, indicates that more entries No.
NO MORE FILES FILES ARE MISSING Occurs when a request is made to list objects in a file system directory. Usually it indicates the actual end of this process, it does not indicate that there are no more files.
END OF FILE END OF FILE End of file reached. The process has reached the end of the file in one of its operations (for example: reading from a file).
BUFFER TOO SMALL BUFFER TOO SMALL Insufficient buffer volume. The allocated buffer is too small to complete this operation; a larger buffer needs to be allocated. An extremely informative status that informs the process function that the buffer specified in the input parameters of the function is small and should be increased. In most cases, it is not considered as key information in failure analysis.
BUFFER OVERFLOW BUFFER OVERFLOW Buffer is full. The buffer allocated by the application is too small to accommodate the requested data. The called function tells the calling function that a larger buffer needs to be allocated. Purely informative status, informs the process function that the buffer should be increased. In most cases, it is not considered as key information when analyzing failures, but still continues to frighten users with unfounded suspicions of hacking and other malicious activity :).
REPARSE REPEATING A process requested an object that references another object. Typically returned when a link is found.
NOT REPARSE POINT NO RE-PROCESSING The requested object does not refer to another object. Typically occurs as a response to passing the FSCTL_GET_REPARSE_POINT control code to the file system driver.
FAST IO DISALLOWED FAST I/O PROHIBITED The FAST I/O mechanism is not available for the requested object, that is, an I/O request using the FAST I/O mechanism to the driver is not supported. In most cases it is not considered as key information in failure analysis.
FILE LOCKED WITH ONLY READERS FILE IS READ ONLY The file or file projection is locked. The file is read-only. The memory manager contacts the file system to acquire a lock while the file section is created in memory during the mapping process. In other words, this result indicates that writing to the file is blocked while the file section is being created, and now no one has write access for this file. In this way, the memory manager can ensure that the data is immutable during the locking period. The result should be considered informative.
FILE LOCKED WITH WRITERS FILE IS WRITTABLE The file or file projection is locked. At least one user can write data to it.
IS DIRECTORY THE OBJECT IS A DIRECTORY The requested object is a directory.
INVALID DEVICE REQUEST INVALID DEVICE REQUEST This request is not valid for the target device.
INVALID PARAMETER INCORRECT PARAMETER An invalid parameter was passed to the service or function.
NOT GRANTED NOT PROVIDED The requested file lock cannot be granted due to other locks.
CANCELLED CANCELED The I/O request was cancelled. For example, a call to NotifyChangeDirectory often returns when checking a file system directory for changes.
BAD NETWORK PATH NETWORK PATH NOT FOUND Network path not found.
BAD NETWORK NAME NETWORK NAME NOT FOUND The specified network name was not found on the remote host.
MEDIA WRITE PROTECTED THE MEDIA IS WRITE PROTECTED The media cannot be written to. The media is write-protected.
KEY DELETED SECTION DELETED An attempt was made to operate on a registry key that has been marked for deletion.
NOT IMPLEMENTED NOT IMPLEMENTED The requested operation was not completed because it is not implemented in the target object.
NO EAS ON FILE NO EXTENDED ATTRIBUTES No more extended attributes found. The error occurs when an attempt is made to request extended attributes from an object that does not have them.
OPLOCK NOT GRANTED SUCCESSFUL LOCK NOT PROVIDED Refusal to grant an opportunistic lock. An oplock (opportunistic lock) is a lock that allows a (network) client to lock a file located on the server and cache data from the file locally (on the client side), while preventing other clients from modifying the file. Opportunistic blocking is associated with the offline files mechanism, which reduces network traffic and improves response time from the server. The OPLOCK NOT GRANTED status is a response to passing the FSCTL_REQUEST_OPLOCK control code to the file system driver. Used to diagnose problematic objects that do not work correctly with network resources.

* - I tried to use color to mark those results that may be significant for finding problems, but everything is quite arbitrary and the presence of some results may not indicate an error; everything needs to be considered in the context of what is happening and surrounding events.
Newly recorded events are added to the end of the list of events in chronological order, and, accordingly, if there are many events, they instantly go beyond the boundaries of the active window. Thus, when basic settings interface, the information in the window remains static and reflects only the events captured first, latest events are written to the end of the list and the change in its overall length is indicated only by the changing size of the side scroll cursor. However, this behavior of the program can be changed by enabling Autoscroll of the list of events by enabling the corresponding option, or by pressing the combination Ctrl keys+A. In this case, the list of events will continuously scroll up, showing the latest system events in real time.

Toolbar

Let us explain the purpose of the buttons located on the toolbar of the Process Monitor utility interface:

From left to right:

  • Open - Loading previously saved events (traces);
  • Save - Saves all captured events (traces);
  • Capture - Enable/Disable event capture;
  • Autoscroll - Autoscroll events in the main screen;
  • Clear - Clears the main window and all captured events;
  • Filter - Setting up event filtering and highlighting;
  • Highlight - Setting up event highlighting;
  • Include Process From Window - Configure event filtering for a specific window on the desktop. Allows you to point the target at the selected window, Process Monitor itself will determine whether the window belongs to a process and enable filtering by this process;
  • Show Process Tree - Process tree;
  • Find - Search for events based on specified criteria;
  • Jump To Object - Jump to a registry key or file. Process Monitor analyzes the contents of the Path column of the selected row, launches the registry explorer/editor and opens the corresponding tree element;
  • Show Registry Activity - Switch the display state of registry activity events among all system events;
  • Show File System Activity - Switch the state of displaying file system activity events among all system events;
  • Show Network Activity - Switch the state of displaying network activity events among all system events;
  • Show Process and Thread Activity - Switch the state of displaying process/thread activity events among all system events;
  • Show Profiling Events - Switch the state of display of profiling events among all system events. Profiling – Events recorded by the Process Monitor utility to calculate the amount of CPU time and memory used by each process.

Hotkeys

Combination Description
Ctrl+E Activation/stopping of event recording.
Ctrl+X Clearing the log of captured events.
Ctrl+A enable/disable auto-scrolling of events.
Ctrl+F search for an event among all captured events.
Ctrl+C Copies the selected event as a delimited string of text.
Ctrl+J go to the selected object.
Ctrl+L opening the filter settings window.
Ctrl+R Reset the filter to default settings.
Ctrl+H opening the backlight window.
Ctrl+T opening the process tree.

Event filtering

As already noted, the number of events occurring (generated by various components) in the system is quite large. The number of events that Process Monitor “sees” is smaller, but not by much. A reasonable question arises: do we need all events? The answer is obvious. Most of the events that are displayed in the main program window are completely unnecessary in the context of certain highly specialized user tasks. Well, the user does not need to see the loading events of the image of a suddenly launched update program, while he is busy studying the registry keys that store the configuration of the program he is interested in. It is with the goal of hiding unnecessary events that Process Monitor has flexible and powerful filtering tools. The filter allows you to hide unnecessary events, thereby limiting the number of displayed elements and narrowing the search area for the problem.

By filtering, you can hide an event, that is, turn off its display. However, all events will be recorded, and you can view filtered (hidden) events at any time by disabling (resetting) the filter.

Since filtering is one of the key elements of Procmon, its capabilities are very well developed in this program. You can filter events using any event attributes available to the program. There are several ways to filter events in Process Monitor:

Filter by class

This is the most general, one might say coarse event filtering, which allows you to exclude an entire class of events from the output at once: registry, file system, network, process/thread activity, profiling events. Setting up filtering by event class is represented by five buttons on the right side of the toolbar:

Accordingly, at the moment when any of the listed class buttons is deactivated (pressed) by the user on the command bar, general set filters, a corresponding filter is added with the Exclude instruction, hiding all events of this class from the output.

Filter menu

Whatever types of filters are used in Process Monitor, they are all available through the Filter menu and the Filter sub-item. This is a complete (general) set of filtering parameters and is presented in the following form:

The same filter settings window can be quickly called up in other ways: by pressing the Ctrl + L key combination or by clicking on the Filter button on the toolbar. The filter settings window provides the user with quite rich options for masking system events. The Process Monitor Filter window is divided into two parts: the top contains interface elements for adding a filter, the bottom contains a list of those already applied to to standard output filters. The filter is added by passing from left to right through all attributes, which, in turn, are represented by drop-down lists. Some attributes are related to each other, that is, selecting an attribute from one list may lead to automatic setting of the value in other lists. In some fields you can edit the value. After completing the formation, to add a filter, you must click the Add button; it adds new filtering parameters to the filters presented in the lower area of ​​the window.
To edit the rules of the selected filter, simply double-click on the corresponding line describing the filter at the bottom of the window. This will move the parameters to top part(the corresponding conditions will be filled in), where you can edit them and by pressing the Add button again, complete editing the filter, again moving it to the bottom of the window, to the list of active filters. You can remove a filter using the Remove button. After editing the filters, they can be put into effect (activated) by clicking the OK or Apply button. To restore the default filter settings to the initial state that was present when the program was first launched, click the Reset button.
As you may have noticed, by default the list of predefined filters contains a set of rules of the Exclude type. These rules serve to mask events that the authors believe are activity events of operating system components that, in most scenarios, do not provide useful information for application troubleshooting. Here you can find exceptions for: processes of the Procmon (Process Monitor), Procexp ( Process Explorer), Autoruns, system processes, low-level I/O requests from Windows drivers IRP_MJ, low-level FAST_IO operations, trace events, pagefile.sys events, NTFS manager metadata events.

Quick filter

You can apply a so-called "quick filter" to some of the event parameters displayed in the main window. It is activated by pressing right button mouse on the event in the main program window:

In the context menu that opens, you can see several different filtering methods at once. Depending on which column value in the row was clicked right key mouse, we can exclude or include from the entire output array events that have a match in the column value. This is done by selecting the appropriate item starting with Include ... (Include) and Exclude ... (Exclude). The context menu also contains the following items: Edit Filter..., Exclude Events Before, Exclude Events After.

Filtering by window owner

In addition to the basic filtering options, the Procmon utility has the ability to filter events by the application window handle (identifier). It's quite comfortable functional feature, since it provides the user with the opportunity to view the events of the process whose window appears on the desktop. To enable this functionality, find the crosshair icon on the toolbar:

Drag it onto the window you're interested in and Procmon will create a corresponding filter for the process that owns the selected window, changing the output in the main window accordingly.

Event highlighting

In addition to filters, Procmon has the ability to mark events by highlighting them with color. While filtering hides unnecessary events from the output, highlighting simply highlights the necessary events in the list. Directly, it seems, it does not apply to filters, since it does not hide events, but only marks them with a different color in the list. You can open the Process Monitor backlight settings window either by pressing the Ctrl + H key combination or by clicking on the corresponding icon on the taskbar. It looks like this:

As you can see, it is identical to the filter settings window, except that by default it has no settings, that is, the backlight is completely disabled. The algorithm for setting the backlight parameters and sampling the results of the Highlighting window is in many ways similar to those in the Filter window.

Search by events

Filtering results is excellent! The filter allows us to flexibly manipulate a sample from the general flow of events, however, in most cases it is quite difficult to create conditions under which the range of filtered events would be narrowed to some acceptable minimum. There are still a lot of results, and sometimes in the area of ​​filtered rows you need to find a suddenly discovered constant. Sometimes it is useful to find some keyword in the entire volume of captured information without understanding which column it may be located in, so creating a filter turns out to be problematic. These and many other operational points speak in favor of using a traditional search, familiar to everyone from childhood. The search window is called up by pressing the key combination Ctrl + F or by going through the Edit - Find menu:

The search window already familiar from other Microsoft products will be displayed. The search is carried out using the values ​​of all output fields of the Process Monitor main window without exception, and when the first match is found, the utility scrolls the screen to the found value and marks the entire line with the detected key fragment in blue.

Event details

Process Monitor receives from various components operating system has a fairly large amount of additional information. All of them are displayed in the Detail column. Most of them are purely informational, so they are usually skipped during analysis. Here you can find the requested access level for the operation, details of function requests, additional parameters for some functions, names of driver packages, etc.

Exploring the Event

All information collected by the Process Monitor utility in the process of recording events is presented in the form of a huge table, each row of which reflects only a generalized description of a specific event that occurred. So what, do you think this information presented in the main screen of the utility in the form of limited information divided into several columns is enough? Sometimes yes, but often not! We must give credit to the authors of Process Monitor for providing the logic for a more detailed study of recorded events. Let's double-click on the event line and see what happens? After double-clicking, a separate window opens, looking like this:

In the Event tab, we see general information about the event of interest to us. In general, this particular tab is not of great value to the researcher, since it contains information that can be obtained in the utility interface in other ways. But the two remaining tabs of the window may definitely interest us. The middle tab is called Process and looks like this:

Here we see the path to the module (Path), command line, with which the module was launched ( Command Line), the user with whose privileges the process was launched (User), the login session identifier (Auth ID) in which the process, the owner of the operation, is running, and the integrity level assigned to the process, the owner of the operation, when launched. Special attention is given to the information window with a list of libraries loaded in (Modules), which greatly helps to identify uninvited guests in the form of various types of malware. But for advanced researchers, the real value is the last, rightmost Stack tab, which allows you to see the call stack of the main thread of a process:

As we can see, in this tab you can find the classic chain of function calls, well known to us from the WinDbg debugger, called the call stack. First, it allows you to track the sequence of function calls from the moment the thread's start function begins executing. Secondly, by the sequence of function calls, you can determine which modules (libraries) these functions belong to, thereby identifying system components that either require updating or should not be used in a given module at all (for example: viruses).

Use cases

Some notes on Process Monitor program statuses:

  • An event whose operation field is Load Image helps in diagnosing program startup problems. If the program does not start for some reason, then look in general list event with the Load Image operation and look at the lists of DLLs that are loaded (described by their events) immediately after the image loading event. If we recall the algorithm for loading an image, we will understand that usually the Load Image operation is followed by search events for the necessary DLL libraries. The fact is that the Windows loader prepares the process address space by projecting everything into it necessary for the program libraries and performing implicit linking at the initial stage. If one of the DLLs required by the main program has an error loading its image, then it is obvious that the Windows loader will not be able to launch the main program. The image loading event is recorded with the status "access denied" (ACCESS DENIED);
  • Statuses that you should pay attention to first: ACCESS DENIED, SHARING VIOLATION, NAME NOT FOUND (there are exceptions to the latter). The NAME NOT FOUND status is in most cases a fairly typical completion status; you shouldn’t exaggerate its significance so much and consider it the culprit of all the troubles. Often, the status is displayed when the application checks the presence of a file or registry key (containing the program configuration), and based on the results of this check, it executes this or that code, that is, it makes logical branching depending on the result of the request. The program may not find the registry key containing its own configuration, and in such cases we will see the same NAME NOT FOUND status. In short, the NAME NOT FOUND status must be viewed in the context of the event that led to it.
  • To determine the culprit of excessive load on disk subsystem: launch Procmon, create a filter with the settings Path - begin with - C:\ (although any logical drive of interest can be specified here) and click OK. Then, after a short data collection (~one minute), go to the Tools menu and select the Process Activity Summary item. In the window that opens, sort by the File Events column and get at the top of the list the names of processes that are actively working with the file system. Then, to find out which files are involved in intensive data exchange, you can select the Tools menu and the File Summary item, and in the window that opens, observe the list of files involved in disk operations. The output is automatically sorted by the Total Events column, so at the top of the list we see the files most intensively used in disk I/O operations.

Boot phase diagnostics

Quite often there are situations when problems with the operating system begin long before the user interface is drawn, already at the boot stages. To diagnose such network failures, there are a number of specialized tools, such as, for example. The Process Monitor utility fits well into this range. Procmon records the events of all processes executing during the boot phases, using the boot phase driver called procmon23.sys (the name may vary from version to version), which was described at the beginning of the article. Unfortunately, the driver starts at the stage of the Winload.exe module, which prevents the earlier stage of Bootmgr from being fixed, however, in most cases, you can turn a blind eye to this little detail. Enabling logging of the boot process is activated through the Enable Boot Logging option in the Options menu.

In addition to enabling the mechanism, Procmon offers to enable thread profiling at regular intervals. This is important because in most cases, boot problems are related to the slow operation of certain processes. It is in order to track such “slowing down” processes that profiling is enabled, which allows you to create sort of snapshots of the activity of threads within a process (call stack and other data) at regular intervals. As a result, the recorded information helps to understand exactly what operations the thread is spending CPU time on.
After enabling the Enable Boot Logging option, you can reboot the operating system. After the download is complete, run the Process Monitor utility to save log files of the download process and see the following dialog box:

In which we are asked to save the events of the download process into a separate log file with the extension .pml. Depending on the amount of information, the log file can be saved either in a single file or divided into a series of files of approximately equal size.

The amount of information recorded by the Process Monitor driver at boot stages for a “medium-loaded” :) operating system Windows systems 7 SP1 x64, big enough. A typical size with thread profiling enabled can exceed 1500 megabytes.

After saving the log files of the boot phase activity, you can later analyze them by opening them in Process Monitor or double click by .pml file, or by opening it directly through the File - Open menu. However, there is one caveat: if the file or set of log files for the boot process is too large, and the utility cannot find enough space in the page file or virtual space of the process to create a buffer, then the error “Unable to open Bootlog.pml for reading” is displayed. ". I personally solved it by temporarily enabling the swap file, which I traditionally have disabled altogether.

Today I will try to understand the problem of correct operation of software under user rights using the example of software (Prima Expert Digital Microscope) for a digital microscope from JSC LOMO.


Like many enterprises, we have a strict security policy prescribed in the STP and ordinary employees do not have administrator rights, so from time to time there are problems with the operation of the software under the user's account. account, because The software requires advanced rights.

So what do I have at the start, Quality Control department technical control) requested the installation of the microscope-accompanying software “Expert Prima version 1.0” on a regular user machine with Windows XP.

The installation was completed, but the following problem was discovered. The program does not see the camera and cuts off the interface after launching as a user; it works correctly under the software administrator.

The first thing I tried was to give the user permission to change the directory with the LOMO program.

This action did not produce positive results. Armed with the Process Monitor utility, I set up a filter in it for the Prima.exe process and launched the Prima Expert software.

The utility displays all affected system resources for Prima.exe to run

I sort by the Detail field and go look at the affected bushes, I’m interested in the Desired Access: Read/Write value.

I give the user full access to the registry folders:

HKLM\Software\Microsoft\VfWWDM Mapper
HKLM\System\CurrentControlSet\control\MediaResources\msvideo\MSVideo.VFWWDM

Why these folders? Because the user has full access to HKCU - this is his branch.

I run it to check, the program works as expected.

I hope the article will be useful to novice admins and enicers. I have been using this method for a very long time. It's versatile and has never let me down.

Many people are interested in the question “How do I find out what a program does when installing, starting, closing, running? How can I follow the program? Answer: Using another program called Process Monitor.

ProcessMonitor- a program for Windows that shows in real time where files are written or deleted from, which files are read by a particular program, what actions the program does with the registry, how and when the monitored program uses the network (Internet), and also monitors processes and streams. The program is equipped with a powerful filter for tracking necessary processes or events. Process Monitor is the premier tool for troubleshooting system problems and getting rid of malware(viruses).

Now let’s take a closer look at how to work with the program and analyze its key functions. For a more detailed introduction to the program, see the “video” column on the right, since a complete description of the program will require writing a book).

This is what the main program window looks like when you start Process Monitor. Recording begins immediately after launch Windows processes this is accessing and creating files, accessing the registry, network, etc.

Of course, a very large amount of information is recorded at once, and it’s not very easy to find what you need in it, but here filters will come to our aid, but we’ll talk about them a little later, first, we’ll deal with the program interface.

On the main program panel:

Its main functions are posted. Rightmost group of icons

These are the preliminary (coarse) filtering icons. From left to right: show access to the registry, to the file system, to the network (Internet), show processes and threads, profiling for each process. Accordingly, if you select one icon, for example, an access to the registry, then only the access to the registry will be shown, if there are two, then two, etc. I note that even if you do not select any icons, recording still continues and if you turn it on, events before it was turned on will be shown.

The next two points are search and transition:

Accordingly, if you click search, a window will appear where you will need to enter a phrase or parameters, and if you click go, an explorer will open, if you look, for example, what kind of file is being created or the registry editor, if you look at what registry parameters are changed or read.

Next menu group filters

The first item is the filter itself; when clicked, a window will open where you will need to select filtering parameters.
The second point is highlighting certain lines, i.e. It’s also a filter, but it simply selects the necessary data.
The third point “sight” is needed for quick addition process if you don't know what it's called. For example, some window has opened, but you don’t know what kind of window it is, click on the crosshair and hold it, dragging it onto the window that appears, a filter will be automatically created that will monitor this process.

The next menu group is responsible for displaying events in the main window

Magnifying glass is stop and start tracking. The list with an arrow automatically scrolls when a new entry appears. And the list with an eraser is to clear the list of events that are displayed on the tap.

The last two menus, I think there’s no need to explain much about saving or loading traced processes

Now let’s look at how the program works using an example. Let's say we want to find out what some application is doing on our computer. Let this application be a notepad. In processes we know in advance that it is called as notepad.exe. Launch Process Monitor, press the “Filter” button (Ctrl+L) and see the following window:

By default, it already includes several filters that exclude various types from the list system processes, processes of the Process Monitor program itself and others that are usually not needed for analysis.

Let's create our own filter that will show only the process notepad.exe. To do this, click the first down arrow, where by default it says “Architecture” and select “Process Name” from the proposed list. Fig. 1. Next, from the second list, select the “is” item, which is the default Fig. 2. In the next menu we can select a process from those already running or add it ourselves by writing “notepad.exe” in the field. We haven’t launched the notepad yet. Let’s write it ourselves. Fig.3. The last point is how to position this process “Include” to leave only it, and “Exclude” to exclude it from the general flow. Select “Include” Fig.4. Click the “Add” button below to add a filter.

As a result, we should get the following:

We click “Apply” “Ok” at the bottom and we see that the list in the program has become clear, this is because we enabled the filter for a process that is not yet running and added a condition to ignore everything except this process.

We launch notepad and see the following:

The first line we see is the launch of the process with PID and Parent PID, then a thread is created, graphic files are loaded, a file is created in the C:WindowsPrefetch folder and named NOTEPAD.EXE-D8414F97.pf. We can immediately go to this folder; to do this, just highlight the line in in this case fifth and click on the main panel green arrow, and the folder in which this file was created will immediately open. Next comes loading various system libraries, reading settings from the registry, both system and user, and much more.

There is another icon on the main menu that was not mentioned before:

This is the process tree icon. If you click it, you will see the following window:

This tree shows which program, which process was launched, the folder where it was launched from, how long the process lived and a lot of different information.

That's all, as I already said, everything will need to be written a whole book, so watch the videos on the right; they tell more and show more).