[Filtering and highlighting]
Process Monitor provides several ways to configure filters and highlighting.
Include and exclude filters
You can specify an event attribute in a filter so that Process Monitor displays only the events that match the value you specify, or hides the events that match it. All filters are non-destructive: they change only how Process Monitor displays events and do not affect the underlying event data.
After you select an event, the Include and Exclude submenus in the Event menu let you quickly add one of its attributes to the filter's include or exclude configuration. For example, to display only the events generated by a particular process, select the process name in the Include submenu. You can also select several events at once and configure an attribute filter for all of the distinct values that the selected events contain. Process Monitor ORs together filters of the same attribute type and ANDs together filters of different attribute types. For example, if the include filter contains the process names notepad.exe and cmd.exe together with a path beginning with C:\Windows, Process Monitor displays only events from notepad.exe or cmd.exe whose path lies under the C:\Windows directory.
Figure 15 Include and Exclude submenus
The Filter dialog box offers more elaborate filtering options. Open it with the Filter menu item in the Filter menu or with the Filter button on the toolbar. A filter entry consists of an attribute field (such as Authentication ID or Process Name), a comparison relation, an attribute value, and a filter action (Include or Exclude). For convenience, Process Monitor fills the value drop-down list with the values of that attribute found in the currently loaded trace, but you can also type any value. The check box next to each entry lets you disable it without deleting it.
Figure 16 Process Monitor Filter dialog box
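The include/exclude semantics described above (OR within one attribute, AND across attributes, exclusions hiding an event, the per-entry check box, and the difference between display filtering and Drop Filtered Events) are modelled in the following Python script. It is an added example for this page, not Process Monitor code. The event records and the filter set are constructed to mirror the notepad.exe/cmd.exe example in the text, and the rule that a matching Exclude entry always hides the event is the behaviour assumed by this model.

```python
"""Model of Process Monitor's include/exclude filter semantics.

Added example, not Procmon code: events are dicts keyed by column name and
filter entries mirror the rows of the Filter dialog box.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Relations offered in the Filter dialog; comparisons are case-insensitive.
# The numeric "less than" / "more than" relations are left out of this model.
RELATIONS: Dict[str, Callable[[str, str], bool]] = {
    "is":          lambda actual, value: actual.lower() == value.lower(),
    "is not":      lambda actual, value: actual.lower() != value.lower(),
    "begins with": lambda actual, value: actual.lower().startswith(value.lower()),
    "ends with":   lambda actual, value: actual.lower().endswith(value.lower()),
    "contains":    lambda actual, value: value.lower() in actual.lower(),
    "excludes":    lambda actual, value: value.lower() not in actual.lower(),
}


@dataclass
class FilterEntry:
    column: str           # attribute field, e.g. "Process Name", "Path", "Operation"
    relation: str         # one of the keys of RELATIONS
    value: str
    action: str           # "Include" or "Exclude"
    enabled: bool = True  # the check box in the Filter dialog


def entry_matches(entry: FilterEntry, event: Dict[str, str]) -> bool:
    return RELATIONS[entry.relation](event.get(entry.column, ""), entry.value)


def event_is_displayed(event: Dict[str, str], filters: List[FilterEntry]) -> bool:
    """Decide whether one event is shown under the given filter set.

    Assumed rules: a matching Exclude entry always hides the event; Include
    entries on the same column are ORed and the per-column results are ANDed.
    With no Include entries, everything that is not excluded is shown.
    """
    active = [f for f in filters if f.enabled]
    if any(entry_matches(f, event) for f in active if f.action == "Exclude"):
        return False
    by_column: Dict[str, List[FilterEntry]] = {}
    for f in active:
        if f.action == "Include":
            by_column.setdefault(f.column, []).append(f)
    return all(any(entry_matches(f, event) for f in group)
               for group in by_column.values())


def apply_display_filter(events: List[Dict[str, str]],
                         filters: List[FilterEntry]) -> List[Dict[str, str]]:
    """Non-destructive filtering: returns the visible view and leaves `events` intact."""
    return [e for e in events if event_is_displayed(e, filters)]


def drop_filtered_events(events: List[Dict[str, str]],
                         filters: List[FilterEntry]) -> List[Dict[str, str]]:
    """Destructive filtering (Filter > Drop Filtered Events): excluded events are
    removed from the capture itself and cannot be recovered by changing the filter."""
    events[:] = apply_display_filter(events, filters)
    return events


# Constructed sample events, shaped like Procmon's default columns.
SAMPLE_EVENTS = [
    {"Process Name": "notepad.exe",  "PID": "4120", "Operation": "ReadFile",
     "Path": r"C:\Windows\notepad.exe", "Result": "SUCCESS"},
    {"Process Name": "cmd.exe",      "PID": "2208", "Operation": "CreateFile",
     "Path": r"C:\Windows\System32\cmd.exe", "Result": "SUCCESS"},
    {"Process Name": "cmd.exe",      "PID": "2208", "Operation": "CreateFile",
     "Path": r"C:\Users\alice\notes.txt", "Result": "NAME NOT FOUND"},
    {"Process Name": "explorer.exe", "PID": "1900", "Operation": "RegOpenKey",
     "Path": r"HKCU\Software\Classes", "Result": "SUCCESS"},
    {"Process Name": "notepad.exe",  "PID": "4120", "Operation": "RegQueryValue",
     "Path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "Result": "SUCCESS"},
]

# The filter from the text: (notepad.exe OR cmd.exe) AND path under C:\Windows.
NOTEPAD_OR_CMD_UNDER_WINDOWS = [
    FilterEntry("Process Name", "is", "notepad.exe", "Include"),
    FilterEntry("Process Name", "is", "cmd.exe", "Include"),
    FilterEntry("Path", "begins with", r"C:\Windows", "Include"),
]

if __name__ == "__main__":
    for e in apply_display_filter(SAMPLE_EVENTS, NOTEPAD_OR_CMD_UNDER_WINDOWS):
        print(e["Process Name"], e["Operation"], e["Path"])
```

Running the script prints the two events under C:\Windows from notepad.exe and cmd.exe; the cmd.exe access to C:\Users\alice\notes.txt is hidden because the Path include entry is ANDed with the Process Name entries, while `SAMPLE_EVENTS` itself is untouched until `drop_filtered_events` is called.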
Context menu filtering
Right-clicking an entry in Process Monitor opens a context menu from which you can view the entry's properties or configure a filter based on its attributes. The menu also offers quick-filter items based on the value in the column you clicked.
Figure 17 Context menu filtering
Destructive filtering
By default, Process Monitor applies filters to the display only and keeps every captured event. This lets you change the filter to view the data in different ways without losing the excluded events. You can, however, configure Process Monitor to discard filtered data, switching to destructive filtering in which events excluded by the current filter are dropped as they are captured. To do so, select Drop Filtered Events in the Filter menu.
Figure 18 Destructive filtering
Include Process From Window
The toolbar contains a crosshair-shaped button. Drag it onto a window to add the process ID of the process that owns that window to Process Monitor's include filter.
Figure 19 Include Process From Window button
Basic mode versus advanced mode
The Enable Advanced Output menu item in the Filter menu controls whether Process Monitor runs in basic or advanced mode. In basic mode, Process Monitor applies built-in filters that exclude system-related activity and uses intuitive names for internal file system operations; for example, it shows the internal IRP_MJ_READ operation as ReadFile. Basic mode makes the output easier to read and omits events that are irrelevant to most application troubleshooting.
Figure 20 Enable Advanced Output
Saving and loading filters
Once you have configured a filter, you can save it with the Save Filter menu item in the Filter menu. For later use, Process Monitor adds each saved filter to the Load Filter submenu. Organize Filters in the Filter menu opens the Organize Filters dialog box, where you can change the order in which saved filters appear in the menu, rename them, and export them to a file so that they can be imported with the same dialog box on other systems.
Figure 21 Organize Filters dialog box
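A saved filter is most useful when a trace has to be taken unattended, for example on a server where nobody will sit at the Process Monitor window. The script below is an added example, not part of Process Monitor or of this help document; it drives Procmon through its documented command-line switches (/LoadConfig to load a configuration file exported from Organize Filters, /BackingFile, /Runtime, /OpenLog, /SaveAs and /SaveApplyFilter). The executable path and the file names are assumptions made for the example.

```python
"""Unattended Process Monitor capture with a saved filter configuration.

Added example, not Procmon code. Uses Procmon's documented command-line
switches; PROCMON and the trace file names are assumptions for this example.
"""
import subprocess
from pathlib import Path
from typing import List

PROCMON = r"C:\Tools\Procmon64.exe"   # assumed install location


def capture_command(config_pmc: str, backing_pml: str, seconds: int) -> List[str]:
    """Capture for `seconds` using the filter in the exported configuration
    (.PMC), writing events to a backing file rather than to virtual memory.
    /Quiet suppresses the filter confirmation prompt at startup."""
    return [PROCMON, "/AcceptEula", "/Quiet", "/Minimized",
            "/LoadConfig", config_pmc,
            "/BackingFile", backing_pml,
            "/Runtime", str(seconds)]


def export_command(config_pmc: str, backing_pml: str, out_csv: str) -> List[str]:
    """Convert the PML to CSV. /SaveApplyFilter writes only the events that pass
    the filter in the loaded configuration, the command-line counterpart of
    Filter > Drop Filtered Events; without it the CSV holds every captured event."""
    return [PROCMON, "/AcceptEula", "/Quiet",
            "/LoadConfig", config_pmc,
            "/OpenLog", backing_pml,
            "/SaveAs", out_csv, "/SaveApplyFilter"]


def capture_and_export(config_pmc: str, backing_pml: str, out_csv: str,
                       seconds: int = 60) -> Path:
    for required in (PROCMON, config_pmc):
        if not Path(required).is_file():
            raise FileNotFoundError(required)
    # /Runtime makes Procmon exit on its own; the timeout only guards against a hang.
    subprocess.run(capture_command(config_pmc, backing_pml, seconds),
                   check=True, timeout=seconds + 120)
    if not Path(backing_pml).is_file():
        raise RuntimeError(f"no trace was written to {backing_pml}")
    subprocess.run(export_command(config_pmc, backing_pml, out_csv),
                   check=True, timeout=600)
    return Path(out_csv)


if __name__ == "__main__":
    # Assumed paths: a filter exported from Organize Filters and an output folder.
    print(capture_and_export(r"C:\Traces\notepad-cmd.pmc",
                             r"C:\Traces\trace.pml",
                             r"C:\Traces\trace.csv", seconds=30))
```

If a fixed run time does not suit the scenario, start the capture without /Runtime and stop it from another script with `Procmon64.exe /Terminate`; the backing file is flushed either way and can then be converted with the export command.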
Highlighting
Process Monitor's highlight filtering lets you specify event attributes so that matching events are displayed in a highlight color. The Highlight submenu in the Event menu gives quick access to the highlight filter entries that have been defined, and the Highlight menu item in the Filter menu opens the Highlight Filter dialog box, which works like the Include/Exclude Filter dialog box. Clicking the Add Filter button in the Highlight Filter dialog box converts the highlight filters into include filters.
Figure 22 Highlight Filter dialog box
Once highlighting is in effect, press F4 to move to the next highlighted item among the displayed events and Shift+F4 to move to the previous one.
[Process tree]
The Process Tree menu item in the Tools menu opens the Process Tree dialog box, which shows all processes referenced in the loaded trace in a hierarchy that reflects their parent-child relationships. Processes with the same parent are sorted by start time. Processes shown at the left edge of the window are those whose parent process left no events in the trace.
When you select a process in the process tree, Process Monitor shows a subset of its data, such as its image path, user account, and start time, at the bottom of the dialog box. To see more about the process, click Go To Event, which makes Process Monitor locate and select the first visible event of that process in the trace. If a filter excludes all of the process's events from the view, this operation cannot complete.
Figure 23 Process Tree dialog box
[Trace summary tools]
Process Monitor includes dialog boxes that aggregate the events in a trace and allow simple data mining.
System details
Process Monitor captures information about the system, including the machine name, the system root directory, and whether the operating system is 32-bit or 64-bit, and stores it in the log file. You can view this information in the System Details dialog box in the Tools menu.
Figure 24 System Details dialog box
Event count
The Count Occurrences dialog box in the Tools menu displays the unique values seen in the trace for the attribute type you select, together with the number of events in the trace that contain each value.
Figure 25 Count Occurrences dialog box
Process summary
This dialog box summarizes the processes in the trace, including their process IDs, image names, and command lines.
Figure 26 Process Summary dialog box
File summary
The File Summary dialog box lists all unique file system paths that appear in the filtered trace. For each path it shows the total time spent performing I/O operations on it, the number of events that reference it, and counts of the different operation types.
Figure 27 File Summary dialog box
Registry summary
The Registry Summary dialog box lists all unique registry paths that appear in the filtered trace, together with the total time spent performing operations on each path, the number of events that reference it, and counts of the different operation types.
Figure 28 Registry Summary dialog box
Network summary
The Network Summary dialog box lists all unique IP addresses that appear in the filtered trace, with counts of the different event types, including sends and receives, for each address.
Figure 29 Network Summary dialog box
Stack summary
The Stack Summary dialog box shows each unique stack observed for each process in the trace, together with the number of times that stack occurred and the total time spent in events with that stack.
Figure 30 Stack Summary dialog box
Cross reference summary
This dialog box shows paths that were written by one process and read by another.
Figure 31 Cross Reference Summary dialog box
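The File Summary, Registry Summary and Cross Reference Summary described above can also be reproduced offline from a CSV export of the trace (File > Save, CSV format), which is convenient when a trace is collected on one machine and analysed on another. The Python script below is an added example, not Process Monitor code: it parses a constructed export in Procmon's CSV layout (the default columns plus Duration), computes per-path totals and operation counts, and reports paths written by one process and read by a different one. The sets of operations treated as reads and writes are a simplification chosen for this example.

```python
"""Trace summaries computed from a Process Monitor CSV export.

Added example, not Procmon code. Reproduces the per-path figures of the File,
Registry and Cross Reference summaries from a File > Save (CSV) export that has
the Duration column enabled. The sample export below is constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample export. Detail fields contain commas, so the file must be
# parsed with a real CSV reader rather than split on ",".
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"10:01:02.1000000","svchost.exe","1120","WriteFile","C:\Windows\Temp\update.tmp","SUCCESS","Offset: 0, Length: 4,096","0.0000210"
"10:01:02.2000000","svchost.exe","1120","ReadFile","C:\Windows\Temp\update.tmp","SUCCESS","Offset: 0, Length: 4,096","0.0000150"
"10:01:03.0000000","explorer.exe","1900","ReadFile","C:\Windows\Temp\update.tmp","SUCCESS","Offset: 0, Length: 4,096","0.0000300"
"10:01:03.5000000","cmd.exe","2208","ReadFile","C:\Windows\System32\kernel32.dll","SUCCESS","Offset: 0, Length: 65,536","0.0000120"
"10:01:04.0000000","notepad.exe","4120","RegSetValue","HKCU\Software\Notepad\lfFaceName","SUCCESS","Type: REG_SZ, Length: 16, Data: Consolas","0.0000090"
"10:01:04.2000000","explorer.exe","1900","RegQueryValue","HKCU\Software\Notepad\lfFaceName","SUCCESS","Type: REG_SZ, Length: 16, Data: Consolas","0.0000080"
'''

REGISTRY_ROOTS = ("HKLM", "HKCU", "HKCR", "HKU", "HKCC")
# Simplified read/write classification assumed for this example.
WRITE_OPS = {"WriteFile", "RegSetValue"}
READ_OPS = {"ReadFile", "RegQueryValue"}


def load_events(csv_text: str) -> List[Dict[str, str]]:
    """Parse an export; a leading byte-order mark is stripped so the first header is clean."""
    return list(csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))))


def is_registry_path(path: str) -> bool:
    return path.split("\\", 1)[0].upper() in REGISTRY_ROOTS


def path_summary(events: List[Dict[str, str]], registry: bool) -> Dict[str, dict]:
    """File Summary (registry=False) or Registry Summary (registry=True): for
    each unique path, total time in seconds, event count and per-operation counts."""
    summary: Dict[str, dict] = {}
    for e in events:
        if is_registry_path(e["Path"]) != registry:
            continue
        row = summary.setdefault(e["Path"], {"events": 0, "total_time": 0.0,
                                             "operations": Counter()})
        row["events"] += 1
        row["total_time"] += float(e.get("Duration") or 0.0)
        row["operations"][e["Operation"]] += 1
    return summary


def cross_reference(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Cross Reference Summary: paths written by one process and read by another.
    Paths only read, or read back only by their own writer, are not reported."""
    writers: Dict[str, set] = defaultdict(set)
    readers: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["Operation"] in WRITE_OPS:
            writers[e["Path"]].add(e["Process Name"])
        elif e["Operation"] in READ_OPS:
            readers[e["Path"]].add(e["Process Name"])
    result: Dict[str, dict] = {}
    for path, writing in writers.items():
        other_readers = readers.get(path, set()) - writing
        if other_readers:
            result[path] = {"writers": sorted(writing), "readers": sorted(other_readers)}
    return result


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for path, row in path_summary(events, registry=False).items():
        print(f"{path}: {row['events']} events, {row['total_time']:.7f}s, {dict(row['operations'])}")
    for path, row in cross_reference(events).items():
        print(f"{path}: written by {row['writers']}, read by {row['readers']}")
```

On the constructed data, C:\Windows\Temp\update.tmp is written by svchost.exe and read back by explorer.exe, and the Notepad font value is set by notepad.exe and queried by explorer.exe, so both appear in the cross reference; kernel32.dll is only read and does not.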
[Options]
The Options menu contains settings that change Process Monitor's behavior.
Figure 32 Options menu
Always On Top
Select this option to keep the Process Monitor window above all other windows.
Font
This option opens a font selection dialog box in which you choose the font Process Monitor uses for its display.
Figure 33 Font selection dialog box
Highlight Colors
Select this item to open a dialog box in which you choose the text and background colors Process Monitor uses for entries that match the highlight filter.
Figure 34 Highlight Colors dialog box
Configure Symbols
Process Monitor can use symbolic information, when it is available, to display the names of the functions in an event's stack trace. The symbol configuration requires the Debugging Tools for Windows; see the Microsoft Debugging Tools for Windows web page for details.
Figure 35 Configure Symbols dialog box
History Depth
Process Monitor watches its committed memory usage and shuts itself down when virtual memory runs low. The History Depth dialog box lets you limit the number of events it retains instead, so that Process Monitor can run for long periods while always keeping the most recent events.
Figure 36 History Depth dialog box
Profiling Events
This menu item opens the Profiling Events dialog box, where you can enable thread profiling and set how often profiling events are generated. When thread profiling is enabled, Process Monitor captures thread stacks and CPU usage in the trace, so that you can identify the source of CPU-related activity.
Figure 37 Profiling Events options
Enable Boot Logging
Use this option to configure Process Monitor's boot-time logging.
Figure 38 Boot logging options
Article 2: Process Monitor help document (Part 2)