Basic Steps for Making a Process Monitor (ProcMon) Capture
ProcMon is an indispensable tool that zillions of people have used. Here are some easy steps for starting, stopping, and saving a Procmon capture.
- Download ProcMon from https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
- Copy ProcMon.exe to the server or workstation that you're performing troubleshooting on.
- Launch Procmon by double-clicking Procmon.exe.
- When you see the option to set filters, generally you don't need to. You can always filter the results after the capture is complete. Just click OK.
- Stop the capture by clicking the icon of the magnifying glass, as seen below. (By default the capture begins immediately when Procmon.exe is launched.) Alternatively, you can use the keyboard and press CTRL+E.
- When the capture is stopped, a red slash mark should appear across the icon of the magnifying glass.
- If you really want to set some filters so that less data is captured, now is arguably the best time in my opinion. When in doubt, don't add any filters. But if there are some processes that you are certain you can exclude from the capture, it's easy to do. For example, if you wanted to exclude Skype.exe because you see it in the capture and know it's irrelevant, just right-click Skype.exe and select "Exclude Skype.exe".
- Clear the events from the capture by clicking the icon that resembles an eraser on paper. (Or by pressing Ctrl+X.)
- Begin to take the steps necessary to reproduce the problem. But when you have one step that remains—when you are one mouse-click away from reproducing the problem—hesitate long enough to. . .
- Start the Process Monitor capture by clicking the icon of the magnifying glass.
- Perform your one last mouse click to reproduce the problem, wait for the problem to be fully reproduced, and then quickly. . .
- Click the icon of the magnifying glass again to stop the Procmon capture.
- From the File menu, save the capture with a unique name and in the .pml format.
One of the first and most common things I do is set a filter on the Procmon results that searches the Result column for "Access Denied."
- Start by clicking the icon (or CTRL+L) that looks a bit like a coffee filter or snow cone, as seen below. . .
- Toggle the first two options to RESULT + CONTAINS. Type the word DENIED into the blank field. Click ADD and click APPLY.
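The same capture-and-filter procedure can be driven from the command line when you would rather not click through the GUI on a production box (for example, to get a clean capture that starts and stops exactly around the reproduction step). The script below is an added example, not from the original post or from Sysinternals; it uses Procmon's documented switches (/AcceptEula, /Quiet, /NoFilter, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs). The Procmon.exe path, the output folder and the file names are assumptions you should adjust, and the Result filter mirrors the RESULT + CONTAINS + DENIED filter described above, applied to a CSV export of the .pml instead of in the GUI.

```powershell
# Added example (not from the original post): headless Procmon capture followed by an
# "Access Denied" triage of the saved log. Run from an elevated PowerShell prompt.
param(
    [string]$ProcmonExe = "C:\Tools\Procmon.exe",      # assumed: wherever you copied Procmon.exe
    [string]$OutDir     = "C:\Temp\ProcmonCaptures"    # assumed: folder for the .pml and .csv
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$pml   = Join-Path $OutDir "capture-$stamp.pml"        # unique name, .pml format (as in the steps above)
$csv   = Join-Path $OutDir "capture-$stamp.csv"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# "Start the capture": /BackingFile writes events straight to the .pml, /Quiet skips the
# filter dialog, /NoFilter starts with filters reset (capture everything, filter later),
# /Minimized keeps the window out of the way, /AcceptEula avoids the license prompt.
Start-Process -FilePath $ProcmonExe -ArgumentList @(
    "/AcceptEula", "/Quiet", "/NoFilter", "/Minimized", "/BackingFile", "`"$pml`""
)

# "Reproduce the problem": the capture is running; do the one last mouse click now.
Read-Host -Prompt "Capture running. Reproduce the problem, then press Enter to stop"

# "Stop the capture": a second Procmon instance launched with /Terminate tells the running
# instance to stop capturing and flush the backing file.
Start-Process -FilePath $ProcmonExe -ArgumentList "/Terminate" -Wait

# "Save the capture": open the .pml and export it as CSV so it can be searched without the GUI.
Start-Process -FilePath $ProcmonExe -ArgumentList @(
    "/AcceptEula", "/OpenLog", "`"$pml`"", "/SaveAs", "`"$csv`""
) -Wait

# "Filter on RESULT contains DENIED": the CSV export keeps Procmon's default columns
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
$denied = Import-Csv -Path $csv | Where-Object { $_.Result -like "*DENIED*" }

"$($denied.Count) event(s) with a Result containing DENIED (capture: $pml)"
$denied |
    Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Result |
    Format-Table -AutoSize

# Roll the hits up by path: the path that dominates is usually the one ACL (file, key,
# or directory) that is actually blocking the scenario.
$denied | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Keep the original .pml alongside the CSV: the CSV is convenient for searching and sharing, but the .pml retains the stack traces and full event detail you may need when the first "ACCESS DENIED" you find turns out to be benign (many applications probe for resources they do not actually require).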