Using Microsoft Process Monitor to trace file-, rights- or registry-related problems
Introduction
Microsoft Process Monitor (MPM) can be used to trace problems related to file or registry access, or to show which process may be the last to execute before an error occurred. Please note that MPM is not an Exact tool and not supported as such.
Description
Installation
MPM can be downloaded here: http://technet.microsoft.com/en-us/sysinternals/bb896645. Copy the contents of the archive file to a new folder on the PC or server where you want to trace the problem, for example C:\Program Files (x86)\Microsoft Process Monitor. The tool does not have to be installed; just run it from the new location. On first run, you will have to accept a license agreement.
Filter
When started, MPM automatically starts showing all processes currently running, with registry, file, network and process activity. In most troubleshooting scenarios, file tracing is enough. Disable the registry, network and process traces using the corresponding toolbar buttons.
Now you have to minimize the output of the trace by showing only the processes you want to see. You can filter out unwanted processes by right-clicking on a 'process name' and choosing Exclude.
Repeat this until you only see the process you are interested in (like Exact Globe processes). You can save a filter for later use.
Tips
- Just play with it and find out what the other buttons and functions in MPM do.
- The column 'result' may give error messages which do not mean anything at all; in some cases Windows will just try to access files in different paths.
- You can add the column 'User name' by right-clicking on the column headers. That way, you can see what credentials are used to start a specific process.
- When an application error message is added to the Windows event log, the Windows process csrss.exe accesses the path c:\windows\system32\WerFault.exe. You may therefore want to include csrss.exe, to trace the moment at which an error occurs that was written to the Windows event log: the step just before starting 'WerFault.exe' would be the application creating the error.
- You may be able to identify a process by right-clicking on it and choosing "Properties", tab "Process".
- General processes which can normally be excluded: svchost.exe, procexp(64).exe, office applications, services.exe, explorer.exe, wmpnetwk.exe, taskhost.exe, lsass.exe, wmiprvse.exe, dllhost.exe.
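The exclusion list and the csrss.exe / WerFault.exe tip can also be applied offline to a saved trace. The Python script below is an added example, not part of the original article and not an Exact or Microsoft tool. It assumes the trace was saved from MPM in CSV format with the default columns; the sample rows, including the process name ExampleApp.exe, are constructed.

```python
import csv
import io

# Processes the article lists as normally safe to exclude, lower-cased.
# "procexp(64).exe" is expanded to both names; "office applications" has no
# fixed name in the article, so none are listed here.
NOISE = {
    "svchost.exe", "procexp.exe", "procexp64.exe", "services.exe",
    "explorer.exe", "wmpnetwk.exe", "taskhost.exe", "lsass.exe",
    "wmiprvse.exe", "dllhost.exe",
}

# Constructed sample in the default CSV column layout (assumption).
# ExampleApp.exe and all paths, PIDs and times are made up for illustration.
SAMPLE = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1000000","svchost.exe","812","ReadFile","C:\Windows\System32\config\SOFTWARE","SUCCESS","Length: 4096"
"10:15:01.2000000","ExampleApp.exe","4120","CreateFile","C:\Data\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:15:01.3000000","ExampleApp.exe","4120","CreateFile","C:\ProgramData\ExampleApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:15:01.4000000","explorer.exe","2044","QueryOpen","C:\Users","SUCCESS","Attributes: D"
"10:15:01.5000000","csrss.exe","560","CreateFile","C:\Windows\System32\WerFault.exe","SUCCESS","Desired Access: Execute"
'''.strip()


def events_before_error(csv_text, lookback=3):
    """For each csrss.exe access to WerFault.exe, return (marker_row, prior_rows)."""
    text = csv_text.lstrip("\ufeff")  # exported files may start with a BOM
    rows = [r for r in csv.DictReader(io.StringIO(text))
            if r["Process Name"].lower() not in NOISE]
    hits = []
    for i, row in enumerate(rows):
        if (row["Process Name"].lower() == "csrss.exe"
                and row["Path"].lower().endswith("\\werfault.exe")):
            # Keep the last few events that did not come from csrss.exe itself.
            prior = [r for r in rows[:i]
                     if r["Process Name"].lower() != "csrss.exe"]
            hits.append((row, prior[-lookback:]))
    return hits


if __name__ == "__main__":
    for marker, prior in events_before_error(SAMPLE):
        print("Error reported at", marker["Time of Day"])
        for r in prior:
            print(" ", r["Time of Day"], r["Process Name"], r["Operation"],
                  r["Path"], r["Result"])
```

In the sample, the NAME NOT FOUND row is Windows probing another path, as the 'result' tip describes, while the ACCESS DENIED row directly before the WerFault.exe access is the rights problem to investigate.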
Main Category: Support Product Know How
Document Type: Support - On-line help
Category: On-line help files
Security level: All - 0
Sub category: temporary
Document ID: 21.649.845
Assortment: E-WMS
Date: 15-07-2011