Process Monitor (ProcMon)
Part of Sysinternals Suite
Capabilities:
Real-time monitoring of file system, registry, processes
Advanced event filtering
Deep-dive system activity analysis
Crucial for complex troubleshooting scenarios
From <https://claude.ai/chat/32155873-e13b-461c-ba7b-f4eb0c09aa09>
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Process Monitor (ProcMon) is a powerful real-time system monitoring tool developed by
Sysinternals (now part of Microsoft). It is used for monitoring file system, registry, and process/thread activity on Windows systems.
🔍 Key Features of Process Monitor
Real-time Monitoring
Tracks all file, registry, and process activity as it happens.
Advanced Filtering
Filters events by specific processes, paths, users, or actions.
Combines Multiple Tools
Replaces older Sysinternals tools like Filemon (file monitoring) and Regmon (registry monitoring).
Detailed Event Logs
Captures details like the process name, operation type, path, result, and more.
Boot-Time Logging
Allows tracking processes and system events during Windows startup.
🛠️ How to Use Process Monitor
Download:
From Sysinternals: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon.
It’s a portable tool — no installation required.
Launch ProcMon:
Run Procmon.exe as an Administrator to ensure full access to system activity.
Capture Events:
By default, ProcMon captures all file, registry, and process activities.
Apply Filters (to focus on specific events):
Go to Filter → Filter…
Example filters:
Process Name: Track specific processes like notepad.exe.
Path: Monitor activities on a particular folder or registry key.
Result: Focus only on SUCCESS or ACCESS DENIED events.
Analyze Results:
Events are shown in a timeline view with detailed columns such as:
Time of Day
Process Name
Operation (e.g., ReadFile, RegSetValue)
Path (file or registry path)
Result (e.g., SUCCESS, NAME NOT FOUND)
Save Logs:
Go to File → Save… to export logs in CSV or XML format for later analysis.
📊 Common Use Cases for Process Monitor
Troubleshooting Application Errors
Example: Identify missing files or "Access Denied" errors causing application failures.
Registry Monitoring
Track changes made to the registry by software or malware.
Diagnosing Performance Issues
Find out which process is excessively reading/writing to files or the registry.
Debugging Startup Problems
Use boot-time logging to diagnose issues during Windows startup.
Malware Detection
Monitor suspicious activity (e.g., unauthorized registry changes or file writes).
⚡ Quick Shortcuts for Process Monitor
Ctrl + E: Toggle capturing events (Start/Stop monitoring).
Ctrl + F: Open Find to search for specific text or operations.
Ctrl + L: Open Filter window to set or modify filters.
Ctrl + X: Clear the current event log.
💡 Tips for Effective Use
Pause Capture: If the log becomes overwhelming, use Ctrl + E to stop capturing new events.
Filter Early: Apply filters before running extensive diagnostics to reduce noise.
Focus on Errors: Use the "Result" filter to isolate ACCESS DENIED or NAME NOT FOUND events.
Would you like a step-by-step example on how to filter for file access issues using Process Monitor? 🚀
From <https://chatgpt.com/c/675d8ec8-8190-8010-aecb-22540b992f97>
Here’s a complete, IT-focused guide to Process Monitor, including how to use it in real troubleshooting, practical examples, and tips for interviews or real-world support. This will also clarify how it differs from Process Explorer.
Process Monitor (ProcMon) is part of Microsoft Sysinternals and is a live system activity logger.
It records everything a process does in real time:
File system access (reads/writes/deletes)
Registry access (reads/writes/creates)
Network activity (TCP/UDP)
Process/thread activity
Key IT use cases:
⭐ Application crashes or hangs
⭐ Permission errors on files or folders
⭐ Debugging installer failures
⭐ Detecting malware or unauthorized activity
Tip: Think of Process Monitor as a microscope, whereas Process Explorer is a telescope.
1️⃣ Download from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
2️⃣ Run Procmon.exe as Administrator
3️⃣ Accept the license
4️⃣ Optional: enable boot logging for startup troubleshooting
Productivity tip:
⭐ Use Ctrl + E to start/stop logging quickly (Ctrl + L opens the filter dialog).
⭐ Use filters immediately; otherwise, logs will overwhelm you.
Time of Day → when each action occurred
Process Name → the process performing the action
Operation → e.g., ReadFile, WriteFile, RegOpenKey, RegQueryValue
Path → which file, folder, or registry key
Result → Success, ACCESS DENIED, NAME NOT FOUND
Detail → extra info like bytes read/written, offsets
Filter by Process Name to focus on a single application
Filter by Result to see errors like ACCESS DENIED
Filter by Operation to look at specific registry keys or file types
Keyboard tip: Ctrl + L → toggle filters, Ctrl + E → pause/resume logging
User:
“My Excel file won’t save.”
Steps:
Filter: Process Name = EXCEL.EXE
Optional: Result = ACCESS DENIED
See which file or registry key Excel is trying to access
Look for repeated failures or errors
Example observation:
C:\Users\Jonathan\Documents\Budget.xlsx → ACCESS DENIED
Excel attempted 3 times → fails
Owner of file = another user
Resolution:
Correct file permissions
Close other processes holding the file
Test saving again
Interview tip: Always describe how you correlated errors to the root cause.
User:
“Office setup fails with error 0x80070005.”
Steps:
1️⃣ Launch ProcMon → Filter Process Name = setup.exe
2️⃣ Observe registry access failures → ACCESS DENIED at HKLM\Software\Microsoft\Office
3️⃣ Identify missing admin rights
Resolution:
Run setup as Administrator
Correct registry permissions if needed
Scenario: User suspects malware.
Steps:
1️⃣ Run ProcMon → Filter unknown processes
2️⃣ Observe network access, registry writes, temp folder creation
3️⃣ Look for repeated access to suspicious domains
Observation:
x9svc.exe writes repeatedly to AppData\Temp
Connects to unknown IPs
Action:
Isolate system
Escalate to security team
1️⃣ Always filter first – unfiltered logs are overwhelming
2️⃣ Pause logging when analyzing (Ctrl + E)
3️⃣ Correlate with Process Explorer – see who is causing the actions
4️⃣ Check results column – ACCESS DENIED or NAME NOT FOUND are root-cause gold
5️⃣ Document findings – timestamp, process, operation, and result
6️⃣ Explain your reasoning aloud in interviews – shows methodical thinking
“I use Process Monitor to troubleshoot application errors by monitoring real-time file, registry, and network activity. For example, if a user cannot save an Excel file, I filter ProcMon for EXCEL.EXE and look for ACCESS DENIED results, which point directly to file or permission issues. I would then correlate with Process Explorer to see which processes might be interfering.”
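The Result-column reasoning in the scenarios above (a file that is denied three times while the user saves, NAME NOT FOUND that is only fallback probing versus a dependency that is never found anywhere) can be applied to a saved capture instead of by scrolling. The script below is an added example, not code from the chat or from Sysinternals; it assumes a CSV export made with File → Save… and uses constructed sample rows in place of a real capture.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a ProcMon CSV export (File -> Save... -> CSV), using the
# default export columns. Rows mirror the scenarios above: an Excel save that is
# denied three times, an app probing fallback locations for helper.dll before
# finding it, and missing.dll that is never found in any location.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000001 AM","EXCEL.EXE","4120","CreateFile","C:\\Users\\Jonathan\\Documents\\Budget.xlsx","ACCESS DENIED","Desired Access: Generic Write"
"10:15:01.0500001 AM","EXCEL.EXE","4120","CreateFile","C:\\Users\\Jonathan\\Documents\\Budget.xlsx","ACCESS DENIED","Desired Access: Generic Write"
"10:15:01.1000001 AM","EXCEL.EXE","4120","CreateFile","C:\\Users\\Jonathan\\Documents\\Budget.xlsx","ACCESS DENIED","Desired Access: Generic Write"
"10:15:02.0000001 AM","app.exe","5232","CreateFile","C:\\Program Files\\App\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:15:02.0100001 AM","app.exe","5232","CreateFile","C:\\Windows\\System32\\helper.dll","SUCCESS","Desired Access: Read Attributes"
"10:15:02.0200001 AM","app.exe","5232","CreateFile","C:\\Program Files\\App\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:15:02.0300001 AM","app.exe","5232","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:15:02.0400001 AM","app.exe","5232","CreateFile","C:\\Windows\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def load_events(text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def denied_paths(events):
    """Count ACCESS DENIED events per (process, path).

    A path that is denied repeatedly in a short window is usually the file or
    key the user's action keeps hitting (the 'Excel attempted 3 times' case).
    """
    counts = Counter()
    for e in events:
        if e["Result"] == "ACCESS DENIED":
            counts[(e["Process Name"], e["Path"])] += 1
    return counts


def classify_not_found(events):
    """Separate normal probing from a real missing dependency.

    ProcMon reports NAME NOT FOUND each time an app checks a candidate location.
    If a later CreateFile for the same file name returns SUCCESS, the earlier
    misses were fallback probing (normal). If no location ever succeeds, the
    dependency is genuinely missing. Returns (probed, missing), each mapping
    (process, file name) -> list of paths that returned NAME NOT FOUND.
    """
    tried = defaultdict(list)
    found = set()
    for e in events:
        if e["Operation"] != "CreateFile":
            continue
        key = (e["Process Name"], e["Path"].rsplit("\\", 1)[-1].lower())
        if e["Result"] == "NAME NOT FOUND":
            tried[key].append(e["Path"])
        elif e["Result"] == "SUCCESS":
            found.add(key)
    probed = {k: v for k, v in tried.items() if k in found}
    missing = {k: v for k, v in tried.items() if k not in found}
    return probed, missing


def triage(text):
    """Run both checks and return a plain summary suitable for ticket notes."""
    events = load_events(text)
    probed, missing = classify_not_found(events)
    return {
        "denied": {f"{p} -> {path}": n for (p, path), n in denied_paths(events).items()},
        "probed_ok": sorted(name for _, name in probed),
        "missing": sorted(name for _, name in missing),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_CSV)
    for line, n in summary["denied"].items():
        print(f"ACCESS DENIED x{n}: {line}")
    print("probing only (normal):", summary["probed_ok"])
    print("never found (real dependency problem):", summary["missing"])
```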
Here is the expanded ;psmon template—clean, technical, and IT-helpdesk-ready.
Process Monitor is a Sysinternals diagnostic tool that captures real-time system activity at a very low level. It shows exactly what Windows is doing, not what it claims it’s doing.
What ProcMon Monitors
⭐ File System
• File read/write/delete operations
• DLL loading failures
• Permission issues (Access Denied)
⭐ Registry
• Key creation, modification, deletion
• Failed registry lookups (NAME NOT FOUND)
• Policy and application configuration tracing
⭐ Processes & Threads
• Process creation/termination
• Thread activity
• Parent/child process relationships
⭐ Network (limited)
• TCP/IP stack calls (not packet capture)
• Useful for confirming app network attempts
Typical IT Helpdesk Use Cases
Application fails to start
→ Check for missing DLLs or registry access denial
Software installs but doesn’t launch
→ Trace file/registry access failures
“Works on my machine” problem
→ Compare traces between systems
Group Policy or permission issues
→ Identify blocked registry paths or folders
Malware or suspicious behavior
→ Spot unexpected process activity
3️⃣ Core Workflow (Step-by-Step)
Launch ProcMon as Administrator
Immediately pause capture
⭐ Ctrl + E
Clear existing events
⭐ Ctrl + X
Configure filters
⭐ Ctrl + L
Example filters:
• Process Name → app.exe → Include
• Result → ACCESS DENIED → Include
Resume capture
⭐ Ctrl + E
Reproduce the issue
Stop capture and analyze
4️⃣ Reading ProcMon Like a Pro
⭐ Result column
• SUCCESS → Operation allowed
• NAME NOT FOUND → Missing file/key
• ACCESS DENIED → Permission issue
⭐ Operation column
• CreateFile ≠ file creation
→ It means attempt to open a file
⭐ Path column
• Look for unusual paths (Temp, AppData, ProgramData)
5️⃣ Essential Keyboard Shortcuts
⭐ Ctrl + E → Start/Stop capture
⭐ Ctrl + X → Clear events
⭐ Ctrl + L → Filter
⭐ Ctrl + F → Find text
⭐ Ctrl + H → Highlight
⭐ Ctrl + T → Process Tree
⭐ Ctrl + S → Save capture (.PML)
6️⃣ ProcMon vs Task Manager vs Resource Monitor
• Task Manager → High-level performance & processes
• Resource Monitor → Resource usage over time
• Process Monitor → Ground truth forensic evidence
Think of ProcMon as Wireshark for Windows internals.
Common Beginner Mistakes
Forgetting to pause capture
No filters → millions of useless events
Misreading CreateFile
Running without admin rights
Capturing too long
❌ “Explain me how ProcMon works”
✅ “Explain how ProcMon works”
Rule:
Explain + what/how/why
Never: explain + person without to.
Save a default filter set for common IT cases:
• ACCESS DENIED
• NAME NOT FOUND
• Specific executable
This turns ProcMon into a 30-second diagnosis tool instead of a time sink.
Do you want a real-world troubleshooting scenario (app won’t launch, permissions, or malware suspicion) walked through step-by-step using ProcMon (Yes/No)?
Expand on What ProcMon Monitors: ⭐ File System • File read/write/delete operations • DLL loading failures • Permission issues (Access Denied) ⭐ Registry • Key creation, modification, deletion • Failed registry lookups (NAME NOT FOUND) • Policy and application configuration tracing ⭐ Processes & Threads • Process creation/termination • Thread activity • Parent/child process relationships ⭐ Network (limited) • TCP/IP stack calls (not packet capture) • Useful for confirming app network attempts
Below is a deep, practical expansion of what Process Monitor actually captures, with interpretation logic, real IT scenarios, and analysis cues. This is how you turn raw noise into evidence.
ProcMon intercepts kernel-level file I/O requests, not “files” in the Explorer sense.
Common operations you’ll see:
CreateFile → Open or create a file (most misunderstood)
ReadFile → Application reading content
WriteFile → Application writing content
SetDispositionInformationFile → Delete request
QueryInformationFile → File metadata lookup
Interpretation
Repeated NAME NOT FOUND before a SUCCESS
→ App is probing fallback paths (normal behavior)
Repeated WriteFile to Temp or AppData
→ Logging, caching, or updater activity
Writes to Program Files without admin rights
→ Design flaw or installer issue
Real IT case
App crashes on launch
→ Filter Result = ACCESS DENIED
→ Path shows blocked DLL in System32
Windows loads DLLs dynamically during runtime.
ProcMon shows:
Load Image
CreateFile on .dll
Interpretation
NAME NOT FOUND on DLL paths
→ Missing dependency
BAD IMAGE
→ Corrupt or wrong architecture (x86 vs x64)
DLL searched in unexpected folders
→ PATH environment misconfiguration
Real IT case
“The application was unable to start correctly (0xc000007b)”
→ ProcMon reveals a 32-bit app loading a 64-bit DLL
ProcMon shows where security enforcement actually happens.
Common causes:
NTFS ACL restrictions
UAC virtualization disabled
Controlled Folder Access (Defender)
AppLocker / WDAC rules
Interpretation
ACCESS DENIED on HKLM or Program Files
→ App requires elevation
ACCESS DENIED in user profile
→ Corrupt permissions or roaming profile issue
Registry activity explains why software behaves the way it does.
Operations:
RegCreateKey
RegSetValue
RegDeleteValue
Interpretation
Writes under HKCU → User-specific settings
Writes under HKLM → System-wide config (admin required)
Real IT case
Settings reset after reboot
→ App fails to write to HKLM
This is not always an error.
Interpretation
Multiple NAME NOT FOUND followed by SUCCESS
→ Normal probing logic
NAME NOT FOUND on policy keys
→ GPO not applied
NAME NOT FOUND on licensing keys
→ Activation failure
ProcMon exposes:
GPO enforcement paths
App behavior under restricted environments
Key paths:
HKLM\Software\Policies
HKCU\Software\Policies
Real IT case
App feature disabled mysteriously
→ ProcMon shows enforced policy key
This shows who launched what, and why.
Operation:
Process Create
Process Exit
Interpretation
Unexpected child process
→ Updater, helper, or malware
Process exits immediately after launch
→ Missing dependency or blocked resource
Threads are execution units inside a process.
ProcMon shows:
Thread start/stop
Stack traces (if enabled)
Interpretation
Thread spike before crash
→ Race condition or deadlock
Visible in:
⭐ Ctrl + T (Process Tree)
Interpretation
Browser spawning PowerShell
→ Red flag
Installer spawning MSIExec
→ Normal behavior
ProcMon is not Wireshark, but it confirms intent.
Operations:
TCP Connect
TCP Send
TCP Receive
Interpretation
TCP Connect without Send
→ Firewall or DNS block
Repeated failed connections
→ Endpoint unreachable
Use ProcMon to answer:
Did the app attempt network access?
Which process made the call?
When did it happen?
Real IT case
App says “offline”
→ ProcMon proves it never attempted a connection
ProcMon does not tell you what the app thinks.
It tells you what the OS allowed or denied.
That makes it court-grade evidence in troubleshooting.
❌ “ProcMon monitor the system”
✅ “ProcMon monitors system activity”
Rule:
Third-person singular → verb ends in -s.
Do you want a forensic-style troubleshooting walkthrough (permissions issue vs malware vs broken install) using real ProcMon filters and screenshots logic (Yes/No)?
Expand on Typical IT Helpdesk Use Cases: Application fails to start → Check for missing DLLs or registry access denial Software installs but doesn’t launch → Trace file/registry access failures “Works on my machine” problem → Compare traces between systems Group Policy or permission issues → Identify blocked registry paths or folders Malware or suspicious behavior → Spot unexpected process activity 3️⃣ Core Workflow (Step-by-Step) Launch ProcMon as Administrator Immediately pause capture ⭐ Ctrl + E Clear existing events ⭐ Ctrl + X Configure filters ⭐ Ctrl + L Example filters: • Process Name → app.exe → Include • Result → ACCESS DENIED → Include Resume capture ⭐ Ctrl + E Reproduce the issue Stop capture and analyze 4️⃣ Reading ProcMon Like a Pro ⭐ Result column • SUCCESS → Operation allowed • NAME NOT FOUND → Missing file/key • ACCESS DENIED → Permission issue ⭐ Operation column • CreateFile ≠ file creation → It means attempt to open a file ⭐ Path column • Look for unusual paths (Temp, AppData, ProgramData) 5️⃣ Essential Keyboard Shortcuts ⭐ Ctrl + E → Start/Stop capture ⭐ Ctrl + X → Clear events ⭐ Ctrl + L → Filter ⭐ Ctrl + F → Find text ⭐ Ctrl + H → Highlight ⭐ Ctrl + T → Process Tree ⭐ Ctrl + S → Save capture (.PML) 6️⃣ ProcMon vs Task Manager vs Resource Monitor • Task Manager → High-level performance & processes • Resource Monitor → Resource usage over time • Process Monitor → Ground truth forensic evidence Think of ProcMon as Wireshark for Windows internals.
Below is a full operational expansion of those ProcMon sections, written exactly how a Level-1 / Level-2 IT Helpdesk analyst should reason during live troubleshooting. This is diagnostic thinking, not button-clicking.
Application fails to start
Symptom
• Double-click → nothing happens
• Splash screen flashes then closes
• Error 0xc000007b / missing DLL message
ProcMon strategy
Filter by Process Name → app.exe
Filter Result → NAME NOT FOUND
Filter Result → ACCESS DENIED
What you’re looking for
Load Image → DLL not found
DLL searched in System32 but exists only in app folder
ACCESS DENIED on Program Files or HKLM
Root causes
Missing Visual C++ Redistributable
Wrong x86/x64 dependency
App requires admin rights
Fix logic
Install runtime
Correct PATH
Elevate or adjust ACLs
Software installs but doesn’t launch
Symptom
• Installer completes successfully
• No errors during install
• App never opens
ProcMon strategy
Capture only during launch
Filter Process Name → app.exe
Filter Result → ACCESS DENIED
What you’re looking for
Registry writes blocked post-install
App writing config on first launch
Missing licensing key
Classic finding
Installer runs elevated
App runs as standard user
→ App can’t write where installer wrote
Helpdesk conclusion
“Install succeeded, but runtime permissions are broken.”
“Works on my machine” problem
Symptom
• App works for User A
• Same version fails for User B
ProcMon strategy
Capture same scenario on both machines
Save both .PML files
Compare:
Missing files
Registry differences
Permissions
What usually differs
User profile permissions
Antivirus exclusions
GPO enforcement
Missing runtime
Key insight
ProcMon turns subjective blame into objective delta analysis.
Group Policy or permission issues
Symptom
• Feature disabled “for no reason”
• Settings revert after reboot
• App behaves differently on domain PCs
ProcMon strategy
Filter registry paths:
HKLM\Software\Policies
HKCU\Software\Policies
Look for RegQueryValue → SUCCESS
What you’re looking for
Policy keys forcing behavior
ACCESS DENIED on protected folders
Controlled Folder Access blocks
Helpdesk phrasing
“Behavior is policy-driven, not user error.”
Malware or suspicious behavior
Symptom
• Random CPU spikes
• PowerShell opens unexpectedly
• Browser launches cmd.exe
ProcMon strategy
Enable Process Tree
⭐ Ctrl + T
Look for:
Unexpected parent processes
Network calls from non-network apps
Filter:
Process Create
TCP Connect
Red flags
Word → PowerShell
Browser → cmd.exe
Writes to AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Outcome
ProcMon provides incident-response evidence, not suspicion.
Core Workflow (Step-by-Step)
1️⃣ Launch as Administrator
Without admin rights, kernel activity is invisible.
2️⃣ Pause capture immediately (Ctrl + E)
Prevents drowning in irrelevant boot noise.
3️⃣ Clear events (Ctrl + X)
Your capture must start at the problem moment.
4️⃣ Configure filters (Ctrl + L)
Noise reduction = faster diagnosis.
5️⃣ Resume capture (Ctrl + E)
Now ProcMon becomes a microscope.
6️⃣ Reproduce issue
This is the experiment.
7️⃣ Stop and analyze
Never analyze while capturing unless necessary.
Reading ProcMon Like a Pro
Result column
SUCCESS → OS allowed the action
NAME NOT FOUND → App expected something
ACCESS DENIED → Security boundary enforced
Rule
NAME NOT FOUND is information.
ACCESS DENIED is a wall.
Operation column
CreateFile ≠ create
It means open request.
Why this matters:
Misreading this leads to false conclusions.
Path column
Look for:
Temp folders → normal
AppData → user scope
ProgramData → shared config
System32 → dependency issues
Unusual paths = clues.
Essential Keyboard Shortcuts
Ctrl + E → Start/Stop capture
Ctrl + X → Clear
Ctrl + L → Filter
Ctrl + F → Find
Ctrl + H → Highlight patterns
Ctrl + T → Process Tree
Ctrl + S → Save evidence
ProcMon vs Task Manager vs Resource Monitor
Task Manager
→ “Something is slow.”
Resource Monitor
→ “Which resource is saturated?”
Process Monitor
→ “Why is this failing?”
That’s why ProcMon is post-symptom truth, not monitoring.
❌ “The application don’t start”
✅ “The application doesn’t start”
Rule:
Singular subject → doesn’t, not don’t.
Do you want a mock helpdesk ticket where you must choose ProcMon filters and explain your diagnosis like in a real interview (Yes/No)?
Expand on: Common Beginner Mistakes Forgetting to pause capture No filters → millions of useless events Misreading CreateFile Running without admin rights Capturing too long ---- Also, explain when to use Process Monitor and when to use Wireshark
Below is a forensic-grade expansion of Common Beginner Mistakes, followed by a clear decision framework: Process Monitor vs Wireshark. This is the mental model interviewers silently test.
Forgetting to pause capture
What happens
ProcMon starts logging everything immediately
Boot noise, background services, Defender, Windows Update
Why this breaks analysis
Signal-to-noise ratio collapses
Relevant events are buried
Correct behavior
Launch ProcMon
Immediately pause
⭐ Ctrl + E
Clear events
⭐ Ctrl + X
Filter
Capture only the problem moment
Rule
Capture the symptom, not the system.
No filters
What beginners do
“I’ll scroll and look for errors”
That never works.
Why filters are non-optional
Windows generates thousands of events per second
Without filters, ProcMon becomes unusable
Minimum viable filters
Process Name → Include
Result → ACCESS DENIED
Result → NAME NOT FOUND
Advanced logic
Exclude SUCCESS temporarily
Add path filters only after initial pass
Rule
If you scroll, you already failed.
Misreading CreateFile
Most common conceptual error
Wrong assumption
CreateFile = file creation
Reality
CreateFile = attempt to open a handle
(read, write, execute, probe)
Why this matters
Apps probe paths deliberately
NAME NOT FOUND ≠ bug
Correct interpretation
Repeated NAME NOT FOUND → fallback logic
ACCESS DENIED → real problem
Interview trap
Misinterpreting CreateFile exposes shallow understanding instantly.
Running without admin rights
What breaks
Kernel operations hidden
Driver activity invisible
Security decisions masked
Symptoms
“ProcMon shows nothing useful”
Missing critical ACCESS DENIED events
Correct behavior
Always Run as Administrator
Rule
No admin = partial truth.
Capturing too long
What beginners do
Capture minutes or hours “just in case”
Why this fails
Analysis fatigue
Irrelevant noise
Misses causal sequence
Correct approach
Capture 10–30 seconds
Only during reproduction
Stop immediately
Rule
Short captures reveal causality.
Long captures hide it.
ProcMon is not a recorder.
It is a microscope.
This distinction is critical in IT interviews.
When to use Process Monitor
1️⃣ Why an application fails
2️⃣ Which file or registry key is blocked
3️⃣ Which process launched another process
4️⃣ Whether the OS allowed or denied an action
5️⃣ If a program attempted network access
Scope
Local machine
Kernel + user-mode activity
Cause-and-effect logic
ProcMon answers
“What did Windows allow or deny?”
When to use Wireshark
1️⃣ Why network communication fails
2️⃣ What data is actually sent
3️⃣ Which protocol is misbehaving
4️⃣ TLS handshake issues
5️⃣ DNS, TCP, UDP, HTTP problems
Scope
Network traffic
Packet-level visibility
Protocol correctness
Wireshark answers
“What happened on the wire?”
App says “cannot connect”
ProcMon → Did it try?
Wireshark → Did it succeed?
Firewall suspected
ProcMon → Blocked locally?
Wireshark → Packet dropped externally?
Malware investigation
ProcMon → Suspicious process creation
Wireshark → Data exfiltration
ProcMon proves intent and OS enforcement.
Wireshark proves network reality.
Use both when:
App attempts connection (ProcMon)
Connection fails or behaves oddly (Wireshark)
🎫 Mock Ticket — Choose the Right Tool Under Pressure
Ticket summary
“Internal accounting application does not sync with the server on some computers.”
Environment
Windows 10 / 11
Domain-joined PCs
App works on IT admin machine
Fails on standard user machines
Error shown: “Unable to connect to backend service”
There are two different problems hiding here:
1️⃣ Did the application attempt to connect?
2️⃣ If yes, what happened on the network?
Different questions → different tools.
Because network tools are useless if the app never tried.
ProcMon first
Run as Administrator
Pause capture
⭐ Ctrl + E
Clear events
⭐ Ctrl + X
Filters
Process Name → accounting.exe → Include
Operation → TCP Connect → Include
Result → ACCESS DENIED → Include
Resume capture
⭐ Ctrl + E
Observation
TCP Connect → ACCESS DENIED
Path references System32\drivers\etc
No packets ever leave the machine
This is not a network problem.
Windows blocked the connection attempt locally.
Cause
Firewall rule
AppLocker / WDAC
Controlled Folder Access
Missing permissions
Action
Fix policy or permissions
Wireshark not needed yet
Interview phrasing
“ProcMon shows the application never reached the network stack.”
Let’s change one variable.
TCP Connect → SUCCESS
App clearly attempts outbound connection
Now ProcMon’s job is done.
Because the problem has moved off the local machine.
Wireshark second
DNS resolution
TCP handshake
TLS negotiation
Observation
DNS resolves correctly
SYN sent
No SYN-ACK received
Firewall upstream
Server down
Network segmentation issue
Cause
Network device blocking traffic
Server unreachable
Action
Escalate to network or server team
Interview phrasing
“ProcMon confirmed intent; Wireshark confirmed packet loss.”
Decision tree
1️⃣ App fails
→ ProcMon
2️⃣ App never attempts connection
→ OS / permissions / policy issue
3️⃣ App attempts connection
→ Wireshark
4️⃣ Packets fail
→ Network or server issue
Malware or suspicious behavior
Symptom
User reports PowerShell opening randomly
ProcMon first
Process Tree
Parent/child relationships
Wireshark only if data exfiltration suspected
Rule
Behavior before traffic.
Process Monitor answers “Did Windows allow it?”
Wireshark answers “Did the network carry it?”
❌ “The app try to connect but it fail”
✅ “The app tries to connect, but it fails.”
Rule:
Present simple → third person adds -s.
Do you want a live interview simulation where I act as the recruiter and interrupt you while you explain your tool choice (Yes/No)?
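The process-tree red flags (Word or a browser spawning a shell, writes into the Startup folder) and the ProcMon-versus-Wireshark decision tree above, as an added example that is not part of the original conversation: the script reads a ProcMon CSV export, rebuilds parent/child pairs from Process Create rows, flags the red-flag pairings, and applies the "did the app reach the network stack?" rule to decide which tool comes next. The process-name lists, the Detail-column format used to recover the child PID, and the sample rows are assumptions constructed for this example.

```python
import csv
import io
import re

# Constructed sample of a ProcMon CSV export (default export columns). It mixes
# normal activity (an installer spawning msiexec, an app reaching the backend)
# with the red flags listed above (Office/browser spawning a shell, a write to
# the Startup folder) and an app that never reaches the network stack.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:02:10.0000001 AM","WINWORD.EXE","6100","Process Create","C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SUCCESS","PID: 7344, Command line: powershell.exe"
"11:02:10.5000001 AM","setup.exe","6200","Process Create","C:\\Windows\\System32\\msiexec.exe","SUCCESS","PID: 7400, Command line: msiexec.exe /i app.msi"
"11:02:11.0000001 AM","powershell.exe","7344","CreateFile","C:\\Users\\Jonathan\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk","SUCCESS","Desired Access: Generic Write"
"11:02:12.0000001 AM","accounting.exe","6300","TCP Connect","PC01.corp.local:52311 -> backend.corp.local:https","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"11:02:12.1000001 AM","chrome.exe","6400","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 7500, Command line: cmd.exe"
"11:02:12.5000001 AM","reports.exe","6450","TCP Connect","PC01.corp.local:52312 -> backend.corp.local:https","ACCESS DENIED","Length: 0, seqnum: 0, connid: 0"
"11:02:13.0000001 AM","legacyapp.exe","6500","RegQueryValue","HKCU\\Software\\LegacyApp\\Server","NAME NOT FOUND","Length: 144"
'''

# Assumed lists: document and browser processes have no business launching a
# command shell, which is exactly the parent/child pairing called a red flag above.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def load_events(text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_tree(events):
    """Map child PID -> (parent name, parent PID, child image) from Process
    Create rows. The child PID is assumed to appear as 'PID: n' in Detail."""
    tree = {}
    for e in events:
        if e["Operation"] != "Process Create":
            continue
        m = re.search(r"PID:\s*(\d+)", e["Detail"])
        if m:
            tree[m.group(1)] = (e["Process Name"], e["PID"], basename(e["Path"]))
    return tree


def suspicious_spawns(events):
    """(parent, child) pairs where a document app or browser spawned a shell."""
    return [(parent, child) for parent, _pid, child in process_tree(events).values()
            if parent.lower() in DOCUMENT_APPS and child in SHELLS]


def startup_writes(events):
    """Successful file writes into the per-user Startup folder, attributed to the
    parent that launched the writing process when the tree knows it."""
    tree = process_tree(events)
    hits = []
    for e in events:
        if (e["Operation"] in ("CreateFile", "WriteFile") and e["Result"] == "SUCCESS"
                and STARTUP_MARKER in e["Path"].lower()):
            parent = tree.get(e["PID"], ("<unknown parent>",))[0]
            hits.append((e["Process Name"], parent, e["Path"]))
    return hits


def network_verdict(events, process):
    """Decision tree from the mock ticket: did the app reach the network stack?

    'no-attempt'      -> no TCP Connect at all: OS / permissions / policy issue
    'blocked-locally' -> TCP Connect rows exist but none succeeded: still ProcMon
    'attempted'       -> at least one TCP Connect SUCCESS: move on to Wireshark
    """
    results = [e["Result"] for e in events
               if e["Operation"] == "TCP Connect" and e["Process Name"].lower() == process.lower()]
    if not results:
        return "no-attempt"
    if "SUCCESS" not in results:
        return "blocked-locally"
    return "attempted"


NEXT_TOOL = {"no-attempt": "ProcMon", "blocked-locally": "ProcMon", "attempted": "Wireshark"}

if __name__ == "__main__":
    ev = load_events(SAMPLE_CSV)
    print("suspicious spawns:", suspicious_spawns(ev))
    print("startup writes:", startup_writes(ev))
    for app in ("accounting.exe", "reports.exe", "legacyapp.exe"):
        v = network_verdict(ev, app)
        print(f"{app}: {v} -> next tool: {NEXT_TOOL[v]}")
```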
yes, but make the questions about all this conversation and answer them with details, tips, keyboard shortcuts, short sentences for notes
Below is a structured interview-style Q&A, covering everything from this conversation, with detailed answers, practical tips, keyboard shortcuts, and short sentences you can memorize as notes.
This is optimized for IT Helpdesk Level 1–2 interviews.
What is Process Monitor and why would you use it in IT support?
Process Monitor is a Sysinternals tool that records real-time file system, registry, process, thread, and limited network activity at the Windows kernel level.
I use it to understand why an application fails, not just that it fails.
It shows what Windows allowed, denied, or could not find.
Kernel-level visibility
Shows cause, not symptoms
Forensic troubleshooting tool
⭐ Ctrl + E → Start/Stop capture
⭐ Ctrl + X → Clear events
What does Process Monitor actually monitor?
Process Monitor monitors:
File system operations like reads, writes, deletes, and DLL loads
Registry access including configuration and policy keys
Process and thread creation with parent-child relationships
Limited network activity such as TCP connect attempts
It does not capture packets. It captures intent and OS enforcement.
Files, registry, processes, network intent
No packet inspection
OS decision layer
How do you troubleshoot an application that fails to start?
I launch Process Monitor as Administrator, pause capture, clear events, and filter on the application executable.
I focus on ACCESS DENIED, NAME NOT FOUND, and Load Image events.
This helps identify missing DLLs, permission issues, or blocked registry access.
Filter by process name
Look for missing DLLs
Permissions first
⭐ Ctrl + L → Filter
⭐ Ctrl + F → Find text
An application installs but doesn’t launch. What do you check?
I check whether the installer ran elevated and the application runs as a standard user.
Using Process Monitor, I look for blocked writes to Program Files or HKLM during first launch.
This usually indicates a permission mismatch.
Installer vs runtime permissions
HKLM write failures
First-launch configuration
What does “Works on my machine” mean technically?
It usually means environmental differences.
I capture Process Monitor traces on both machines and compare missing files, registry keys, policies, and permissions.
Process Monitor turns opinion into evidence.
Compare traces
Same app, different environment
Evidence-based troubleshooting
How do you detect Group Policy or permission issues with ProcMon?
I monitor registry paths under Software\Policies and watch for successful reads or access denied results.
If a policy key exists and is enforced, ProcMon will show it clearly.
This confirms behavior is policy-driven.
Policies explain “mysterious” behavior
HKLM vs HKCU matters
Access denied = enforced
What are common beginner mistakes with Process Monitor?
Common mistakes include:
Forgetting to pause capture
Running without filters
Misinterpreting CreateFile
Not running as administrator
Capturing for too long
These mistakes bury the root cause in noise.
Pause immediately
Filters are mandatory
Short captures only
What does CreateFile mean in Process Monitor?
CreateFile does not mean file creation.
It means an attempt to open a file handle for reading, writing, executing, or probing.
Repeated NAME NOT FOUND is often normal fallback logic.
CreateFile ≠ create
Probing is normal
ACCESS DENIED matters
When do you use Process Monitor vs Wireshark?
I use Process Monitor to confirm whether an application attempted an action and whether Windows allowed it.
I use Wireshark only after ProcMon confirms the attempt succeeded locally.
ProcMon answers intent. Wireshark answers network reality.
ProcMon first
Wireshark second
Intent vs packets
App fails → ProcMon
No network attempt → OS issue
Network attempt succeeds → Wireshark
Packets fail → Network or server
Give a one-sentence explanation of Process Monitor.
Process Monitor shows what Windows actually does when an application runs, including what it allows, blocks, or cannot find.
One sentence
Clear
Confident
❌ “Explain me when to use ProcMon”
✅ “Explain when to use ProcMon”
Rule:
Explain + what/when/how (no object person).
Speak slowly.
Short sentences.
Name the tool.
Explain the decision.
State the conclusion.