How to troubleshoot interoperability issues using process monitor

Prakash Dhanasekaran 1 Reputation point
2020-12-03T09:07:53.617+00:00


Issues such as an application (Edge, Chrome, Adobe, etc.) being slow or hanging when security software is running.

It works fine if the security software is disabled (security software like Symantec Endpoint Protection, Kaspersky, etc.).

1 answer

  1. mariora 376 Reputation points
    2020-12-28T16:35:16.42+00:00

    It is very difficult, if not impossible, to troubleshoot this kind of problem with Process Monitor. Both Procmon and the security software will likely use a kernel driver to do their job, but Procmon only records the application's interaction with files or registry keys. If something is injected into the memory of the app by the security software, like a hook DLL, you may find some trace of that, but you cannot see what the DLL is doing in memory.

    So the best you can get from Procmon is the interaction between the app and the security software, and the files which are "touched" by both. Most of the time security software registers with the OS to get a notification of every action on a file, and it interferes with the open phase by doing a check of the file, slowing down the whole process.

    So, to the best of my knowledge, you should look at both apps, the app you are monitoring and the security app, when they access the same files. In those moments there may be "interference" from the security software.

    A better tool for this is the Windows Performance Analyzer, which can go down into the kernel and show the time taken by every single call, so eventually you can compare with and without the security software.

    HTH
    -mario

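The triage the answer describes, turned into a script as an added example (this is not code from the original thread or from Sysinternals): export the Procmon trace to CSV (File > Save, CSV format) with the optional Duration column enabled, then look for (1) paths touched by both the slow application and the security product, (2) the application's own operations that took unusually long, and (3) images the application loaded from the security vendor's directories, which is the trace a hook DLL leaves. The process names `msedge.exe` and `avscan.exe`, the vendor directory `C:\Program Files\ExampleAV`, and every row of the sample export are constructed for illustration; a real export has the same column headers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a Process Monitor CSV export (File > Save, CSV)
# with the optional "Duration" column switched on. Process names, paths and
# timings are made up; "avscan.exe" stands in for whatever security product
# is installed. Note the second and third rows spell "cookies" in lower case:
# Windows paths are case-insensitive, so the comparison below must be too.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"9:07:53.6170000 AM","msedge.exe","4120","CreateFile","C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Cookies","SUCCESS","Desired Access: Generic Read/Write","1.2045123"
"9:07:53.6170500 AM","avscan.exe","2212","CreateFile","C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\cookies","SUCCESS","Desired Access: Generic Read","0.0000821"
"9:07:53.6171000 AM","avscan.exe","2212","ReadFile","C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\cookies","SUCCESS","Offset: 0, Length: 65,536","0.0003190"
"9:07:53.6174000 AM","msedge.exe","4120","ReadFile","C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Cookies","SUCCESS","Offset: 0, Length: 4,096","0.0000091"
"9:07:53.6175000 AM","msedge.exe","4120","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Edge\HomepageLocation","NAME NOT FOUND","Length: 144","0.0000035"
"9:07:53.6176000 AM","msedge.exe","4120","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read","0.0000212"
"9:07:53.6177000 AM","msedge.exe","4120","Load Image","C:\Program Files\ExampleAV\avhook64.dll","SUCCESS","Image Base: 0x7ffa12340000, Image Size: 0x4a000","0.0000000"
"9:07:53.6178000 AM","avscan.exe","2212","CreateFile","C:\ProgramData\ExampleAV\Definitions\sig.db","SUCCESS","Desired Access: Generic Read","0.0000400"
'''.strip()


def parse_procmon_csv(text):
    """Parse an export into dict rows; Duration becomes seconds as a float."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Duration"] = float(row.get("Duration") or 0.0)
        row["NormPath"] = row["Path"].lower()  # case-insensitive path key
        rows.append(row)
    return rows


def shared_paths(rows, app, sec):
    """Paths touched by both the monitored app and the security product."""
    by_proc = defaultdict(set)
    for r in rows:
        by_proc[r["Process Name"].lower()].add(r["NormPath"])
    return by_proc[app.lower()] & by_proc[sec.lower()]


def slow_operations(rows, app, threshold=0.1):
    """The app's own events that took longer than `threshold` seconds, slowest first."""
    hits = [r for r in rows
            if r["Process Name"].lower() == app.lower() and r["Duration"] > threshold]
    return sorted(hits, key=lambda r: r["Duration"], reverse=True)


def foreign_images(rows, app, vendor_dirs):
    """Images the app loaded from the vendor's directories (the trace a hook DLL leaves)."""
    dirs = tuple(d.lower().rstrip("\\") + "\\" for d in vendor_dirs)
    return [r["Path"] for r in rows
            if r["Process Name"].lower() == app.lower()
            and r["Operation"] == "Load Image"
            and r["NormPath"].startswith(dirs)]


def triage(text, app, sec, vendor_dirs, threshold=0.1):
    """Run all three checks over one export and return a report dict."""
    rows = parse_procmon_csv(text)
    return {
        "shared": sorted(shared_paths(rows, app, sec)),
        "slow": [(r["Operation"], r["Path"], r["Duration"])
                 for r in slow_operations(rows, app, threshold)],
        "images": foreign_images(rows, app, vendor_dirs),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CSV, "msedge.exe", "avscan.exe", [r"C:\Program Files\ExampleAV"])
    print("Paths touched by both processes:")
    for p in report["shared"]:
        print("  ", p)
    print("Slow operations in the app (>0.1 s):")
    for op, path, dur in report["slow"]:
        print(f"   {dur:.4f}s {op} {path}")
    print("Images loaded from the vendor directory:")
    for p in report["images"]:
        print("  ", p)
```

On a real trace, replace `SAMPLE_CSV` with the file contents and the two process names with the ones from your environment. A long `CreateFile` on a path that the security process also opens a moment later is exactly the "interference in the open phase" the answer describes; the Duration column is what makes it visible, and the Load Image hit tells you a hook DLL is present even though Procmon cannot show what it does once loaded.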