Filtering and Highlighting

Process Monitor

Process Monitor offers several ways to configure filters or highlighting.

Include and Exclude Filters

You can specify event attributes such that Process Monitor will only display or exclude events with matching attribute values. All filters are non-destructive, meaning that they affect only which events Process Monitor displays, not the underlying event data.

When an event is selected, the Include and Exclude sub-menus in the Event menu allow you to easily add one of the event's attributes to the configured Include or Exclude filters. For example, to only show events executed by a particular process name, choose the Process Name entry from the Include submenu. You can also select multiple events and simultaneously configure an attribute filter for all of the unique values contained in the selected events. Process Monitor ORs together all the filters that are related to a particular attribute type and ANDs together filters of different attribute types. For example, if you specified process name include filters for Notepad.exe and Cmd.exe and a path include filter for C:\Windows, Process Monitor would only display events originating in either Notepad.exe or Cmd.exe that specify the C:\Windows directory.

More complex filtering options are available in the Filter dialog, which you open by selecting Filter from the Filter menu or by clicking on the Filter toolbar button. A filter entry consists of an attribute field (e.g. Authentication ID, Process Name, etc.), a comparison operation, an attribute value, and a filter type of either Include or Exclude. For convenience, Process Monitor will automatically populate the attribute value drop-down with values that are present in the loaded trace data, but you can enter arbitrary values. Checkboxes allow you to easily disable specific filter entries without having to delete them.

Filter Context Menu

If you right-click on an item in the display, Process Monitor displays a context menu that lets you view the item's properties or configure a filter based on the item's attributes. Further, quick-filter entries are added to the menu for the value of the column on which you click.

Destructive Filtering

By default, Process Monitor filters apply to the data it displays, not what it saves. This allows you to change filters to obtain different views of data without affecting the excluded data. However, you can configure Process Monitor to delete any data that's excluded by a filter at the time the data is captured by toggling destructive filtering mode, which you do by choosing Drop Filtered Events from the Filter menu.
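As an added illustration (not part of the Process Monitor documentation or the tool itself), the following Python models the filter semantics described above: Include entries ORed within one attribute and ANDed across attributes, the per-entry enable checkbox, and the difference between the default non-destructive mode and Drop Filtered Events. It assumes that an event matching any enabled Exclude entry is hidden and that string comparisons are case-insensitive; the events and filter entries are constructed, and only a subset of the dialog's comparison operations is modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
# Subset of the Filter dialog's comparison operations (case-insensitive here; an assumption).
OPS = {
    "is":          lambda v, x: v == x,
    "begins with": lambda v, x: v.startswith(x),
}

@dataclass
class FilterEntry:
    attribute: str        # e.g. "Process Name", "Path"
    op: str               # key of OPS
    value: str
    action: str           # "Include" or "Exclude"
    enabled: bool = True  # the dialog's checkbox

def _matches(entry, event):
    return OPS[entry.op](str(event.get(entry.attribute, "")).lower(), entry.value.lower())

def is_displayed(event, filters):
    active = [f for f in filters if f.enabled]
    # An event matching any enabled Exclude entry is hidden (assumed).
    if any(_matches(f, event) for f in active if f.action == "Exclude"):
        return False
    # Include entries: OR within one attribute, AND across attributes.
    by_attr = defaultdict(list)
    for f in active:
        if f.action == "Include":
            by_attr[f.attribute].append(f)
    return all(any(_matches(f, event) for f in grp) for grp in by_attr.values())

def capture(events, filters, drop_filtered_events=False):
    """Return (stored, displayed); with Drop Filtered Events, excluded events are never stored."""
    displayed = [e for e in events if is_displayed(e, filters)]
    stored = displayed if drop_filtered_events else list(events)
    return stored, displayed
# Constructed sample events, not a real trace.
EVENTS = [
    {"Process Name": "Notepad.exe", "Path": r"C:\Windows\notepad.exe", "Operation": "ReadFile"},
    {"Process Name": "Cmd.exe", "Path": r"C:\Users\alice\notes.txt", "Operation": "CreateFile"},
    {"Process Name": "Explorer.exe", "Path": r"C:\Windows\explorer.exe", "Operation": "ReadFile"},
    {"Process Name": "Cmd.exe", "Path": r"C:\Windows\System32\cmd.exe", "Operation": "CreateFile"},
]
FILTERS = [  # the example from the text: Notepad.exe OR Cmd.exe, AND a path under C:\Windows
    FilterEntry("Process Name", "is", "Notepad.exe", "Include"),
    FilterEntry("Process Name", "is", "Cmd.exe", "Include"),
    FilterEntry("Path", "begins with", r"C:\Windows", "Include"),
]
```

Running `capture(EVENTS, FILTERS)` keeps all four events in the store but displays only the Notepad.exe and Cmd.exe events under C:\Windows; with `drop_filtered_events=True` the other two are never stored.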

Include Process from Window

The toolbar includes a button shaped like a target that you can drag off and drop onto a window to cause Process Monitor to add the process ID of the process that owns the window to the Include filter.

Basic vs. Advanced Mode

The Filter menu's Enable Advanced Output menu item controls whether Process Monitor is operating in Basic or Advanced mode. When in Basic mode, Process Monitor configures built-in filters to exclude system-related activity from the display and uses intuitive names for internal file system operations. For example, Process Monitor shows the internal IRP_MJ_READ operation as Read when in Basic mode. Basic mode makes output easier to read and omits events usually not relevant for application troubleshooting.

Saving and Loading Filters

Once you have configured a filter, you can save it using the Save Filters menu item in the Filter menu. Process Monitor adds filters you save to the Load Filter menu for easy access, and you can change the order in which the filters display in the menu using the Organize Filters dialog, which you open with Organize Filters in the Filter menu. You can use the Organize Filters dialog to rename saved filters as well as to easily export filters to a format that you can then reimport using the Organize Filters dialog on other systems.

Highlighting

Process Monitor's highlighting filters enable you to specify event attributes that cause an event to be shown with a highlight color. The Highlight submenu in the Event menu provides quick access for defining highlight filter entries, and the Highlight menu entry in the Filter menu opens the Highlight Filter dialog, which operates similarly to the Include/Exclude Filter dialog. You can convert highlight filters to include filters by selecting the Add Filter button on the Highlight Filter dialog.

When a highlight is in effect, you can use the F4 key to select the next highlighted item in the displayed events. Select Shift+F4 to reverse the direction of the selection.