Event Properties

Process Monitor

You can access the properties for an individual event by double-clicking on the event, or by selecting the Properties menu item from the Event menu or the context menu when you right-click on an event. The Event Properties dialog consists of the Event, Process and Stack pages. You can move to the next or preceding displayed or highlighted event with the arrow buttons at the bottom of the Event Properties dialog.

Event

The Event page displays information specific to an event, including its sequence number, issuing thread, event class and operation, result, timestamp, and if applicable, resource path. Only file system and Registry events define resource paths. The lower area of the Event page lists details collected for an event that are dependent on the event operation. The details are the same as shown for an event in the Detail column of the main display, but each detail is shown on a separate line.

Process

An event's Process page shows information about the process that executed an event. Along with the data associated with a process' image, such as the path and version strings, the Process page shows process execution attributes like the process ID, user account in which the process is executing, and if the event was generated on a 64-bit Windows system, whether the process is 32-bit or 64-bit. For processes executing on Windows Vista systems, Process Monitor shows the integrity level of the process and whether or not it's virtualized.

The bottom area of the Process page lists the images loaded in the process at the time the event executed, along with the addresses at which they are loaded. Double-click on an image in the list to view more information about the image, including its version information.

Stack

The Stack page shows the thread stack of the thread when the event was recorded. The stack can be useful for determining the reason an event took place and the component responsible for the event. Kernel-mode frames of a stack are designated with the letter 'K' on the left of the frame and user-mode frames with the letter 'U' (user-mode stacks are not available on 64-bit systems prior to Vista SP1/Windows Server 2008). If Process Monitor is able to locate symbols for images referenced in the trace, it will attempt to resolve addresses to the functions in which they reside. Symbol resolution can take time if symbols must be retrieved from the network, for example from the Microsoft symbol server. Use the Symbol Configuration dialog, which you access from the Options menu, to configure symbols.

If you specify a path to source files in the Symbol Configuration dialog, the Stack page's Source button is enabled for any frame for which line-number symbol information is available and the source file is present in the paths you include. Clicking on the Source button opens a text viewer that highlights the source code line referenced.

To view more information about an image listed in the stack trace, either double-click on the frame or select the frame and press the Properties button below the stack trace area.

Select the Stack menu entry from the Event menu to open the Event Properties dialog directly to the Stack page.