Using Process Monitor

Running Process Monitor requires membership in the local Administrators group. When you launch Process Monitor, it immediately starts monitoring three classes of operation: file system, Registry and process.

  • File System
    Process Monitor displays file system activity for all Windows file systems, including local storage and remote file systems. Process Monitor automatically detects the arrival of new file system devices and monitors them. All file system paths are displayed relative to the user session in which a file system operation executes. For example, if user A has mounted a share as drive letter Z:, any accesses they make to that share will display in Process Monitor as being relative to drive Z:.

    To remove file system operations from the display, de-select the File System push-button in the Process Monitor toolbar; to add them back, depress the button again.

  • Registry
    Process Monitor logs all Registry operations and displays Registry paths using conventional abbreviations for Registry root keys (e.g. HKEY_LOCAL_MACHINE is represented as HKLM).

    To remove Registry operations from the display, de-select the Registry push-button in the Process Monitor toolbar; to add them back, depress the button again.

  • Process
    In its process/thread monitoring subsystem Process Monitor tracks all process and thread creation and exit operations as well as DLL and device driver load operations.

    To remove Process operations from the display, de-select the Process push-button in the Process Monitor toolbar; to add them back, depress the button again.

  • Network
    Process Monitor uses Event Tracing for Windows (ETW) to trace and record TCP and UDP activity. Each network operation includes the source and destination addresses, as well as the amount of data sent or received, but does not include the actual data.

    To remove Network operations from the display, de-select the Network push-button in the Process Monitor toolbar; to add them back, depress the button again.

  • Profiling
    This event class can be enabled from the Options menu. When active, Process Monitor scans all the active threads in the system and generates a profiling event for each one that records the kernel and user CPU time consumed, as well as the number of context switches executed, by the thread since its previous profiling event. Note: the System process is not included in profiling.
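The five event classes above also show up as the Operation column of a Process Monitor log export, so a capture can be summarised per class without the GUI. This is an added example, not part of the Process Monitor help: the Procmon.exe command-line switches it uses (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs) are real switches, while the install path, file names and the sample rows are constructed for illustration.

```powershell
# Added example, not from the Process Monitor help. Assumed install path and
# file names; the operation-name prefixes follow Procmon's own naming.

function Invoke-ProcmonCapture {
    param(
        [string]$Procmon = 'C:\Tools\Procmon.exe',   # assumed location
        [string]$Pml     = "$env:TEMP\capture.pml",
        [string]$Csv     = "$env:TEMP\capture.csv",
        [int]$Seconds    = 30
    )
    # Needs local Administrators membership, as the help text notes.
    & $Procmon /AcceptEula /Quiet /Minimized /BackingFile $Pml
    Start-Sleep -Seconds $Seconds
    & $Procmon /Terminate                   # stop capturing (like Ctrl+E)
    & $Procmon /OpenLog $Pml /SaveAs $Csv   # convert the PML log to CSV
    return $Csv
}

function Get-ProcmonEventClass {
    param([string]$Operation)
    switch -Regex ($Operation) {
        '^Reg'                           { return 'Registry' }
        '^(TCP|UDP) '                    { return 'Network' }
        'Profiling$'                     { return 'Profiling' }  # Thread/Process Profiling
        '^(Process|Thread) |^Load Image' { return 'Process' }
        default                          { return 'File System' }
    }
}

function Get-ProcmonClassSummary {
    param([object[]]$Rows)   # rows from Import-Csv / ConvertFrom-Csv
    $Rows |
        Select-Object 'Process Name', Operation,
            @{ n = 'Class'; e = { Get-ProcmonEventClass $_.Operation } } |
        Group-Object Class |
        Sort-Object Count -Descending
}

# Constructed sample rows in Procmon's default CSV column layout.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","notepad.exe","4120","CreateFile","C:\Users\a\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:00:01.0000010","notepad.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Query Value"
"10:00:01.0000020","svchost.exe","1228","TCP Send","host:49152 -> 10.0.0.5:443","SUCCESS","Length: 517"
"10:00:01.0000030","notepad.exe","4120","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ff8"
"10:00:01.0000040","notepad.exe","4120","Thread Profiling","","SUCCESS","User Time: 0.0156"
'@

Get-ProcmonClassSummary -Rows ($sample | ConvertFrom-Csv) | Format-Table Name, Count -AutoSize
# For a real capture: Get-ProcmonClassSummary -Rows (Import-Csv (Invoke-ProcmonCapture))
```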

There are several basic options that control Process Monitor's operation:

Capture: Use the Capture Events item in the File menu, the Capture toolbar button, or the Ctrl+E hotkey to toggle Process Monitor's monitoring.

Autoscroll: Select the Autoscroll entry in the Edit menu, the Autoscroll toolbar button, or the Ctrl+A hotkey to toggle Process Monitor's autoscroll behavior, which keeps the most recent operation visible in the display.

Clear: To clear the display of all items, choose Clear Display from the Edit menu or use the Ctrl+X hotkey.