

1. Immediately stop data collection with the magnifying glass button.
2. Clear the data from the screen using the eraser button.
3. If needed, prepare to reproduce the issue (such as getting the application ready, closing unneeded windows, etc.).
4. Start the data capture using the magnifying glass button.
5. Immediately stop capturing data using the magnifying glass button.

By following these steps, the amount of data collected will be as small as possible.

Once the data is collected, you'll see the following columns in the data table by default:

Time of Day - The exact time of the event.
Process Name - The name of the process that triggered the event.
PID - The PID of the process that triggered the event.
Operation - The type of operation that was performed.
Path - The path to the file or registry key that was requested.
Detail - Various details about the operation, such as the specific registry data read/written or information on the file operation.

In addition, you can add more columns by going to Options > Select Columns. There are a few particularly helpful ones to choose:

Command Line - The command line the process was launched with, including parameters.
Event Class - What type of operation it was (File System or Registry).
Image Path - The full path to the process.

That helps make parsing through the data a little easier.

With the data collected, the next step is to review the events to find what you're looking for. Even a short sample can record tens of thousands of events, so it's important to filter the data effectively, allowing you to focus on what's important. Here are some general guidelines for filtering:

There is a default set of filters that excludes Procmon itself, as well as some other system-level events. You can restore the default filter with the Filter > Reset Filter option.
You can filter right within the result set by right-clicking a row/column and choosing "Include '_'" or "Exclude '_'".
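The following is an added example, not code from the page or from Sysinternals, that shows the include/exclude filtering described above applied offline to a saved capture. It assumes the capture was exported as CSV with the default columns listed above plus a "Result" column (the export format and that extra column are assumptions of this example, not something the page covers), and it uses a small constructed set of rows. The rule semantics it implements are also an assumption stated here: exclude rules are applied first and drop any matching event; include rules on the same column are ORed, and include rules across different columns are ANDed. It goes slightly beyond the page's "Include '_'"/"Exclude '_'" context-menu actions (which are exact matches on one cell) by also supporting "contains" and "begins with" relations.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample rows shaped like a Procmon CSV export using the default
# columns described above. The "Result" column is an assumption of this example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0001","Procmon64.exe","4120","RegQueryValue","HKLM\SOFTWARE\Sysinternals\Process Monitor\EulaAccepted","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:15:01.0120","svchost.exe","912","ReadFile","C:\Windows\System32\svchost.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:15:01.0340","myapp.exe","5512","CreateFile","C:\Program Files\MyApp\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:15:01.0355","myapp.exe","5512","RegOpenKey","HKCU\Software\MyApp","SUCCESS","Desired Access: Read"
"10:15:01.0402","myapp.exe","5512","WriteFile","C:\Users\alice\AppData\Local\MyApp\app.log","SUCCESS","Offset: 0, Length: 128"
"10:15:01.0500","System","4","WriteFile","C:\$LogFile","SUCCESS","Offset: 0, Length: 4,096"
'''


@dataclass(frozen=True)
class Rule:
    """One filter line: <column> <relation> <value> then include/exclude."""
    column: str      # e.g. "Process Name"
    relation: str    # "is", "contains" or "begins with"
    value: str
    action: str      # "include" or "exclude"

    def matches(self, event: dict[str, str]) -> bool:
        # Comparisons are case-insensitive, as a filter on file paths and
        # process names should be.
        field = event.get(self.column, "").lower()
        needle = self.value.lower()
        if self.relation == "is":
            return field == needle
        if self.relation == "contains":
            return needle in field
        if self.relation == "begins with":
            return field.startswith(needle)
        raise ValueError(f"unsupported relation: {self.relation!r}")


# A constructed stand-in for the default filter set: drop Procmon's own
# events and the System process so the view starts out quieter.
DEFAULT_RULES = [
    Rule("Process Name", "is", "Procmon64.exe", "exclude"),
    Rule("Process Name", "is", "System", "exclude"),
]


def parse_export(text: str) -> list[dict[str, str]]:
    """Read a CSV export into one dict per event, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_filter(events: list[dict[str, str]], rules: list[Rule]) -> list[dict[str, str]]:
    """Excludes win; includes are ORed within a column and ANDed across columns."""
    excludes = [r for r in rules if r.action == "exclude"]
    includes_by_column: dict[str, list[Rule]] = {}
    for r in rules:
        if r.action == "include":
            includes_by_column.setdefault(r.column, []).append(r)

    kept = []
    for ev in events:
        if any(r.matches(ev) for r in excludes):
            continue
        # With no include rules at all, every non-excluded event is shown.
        if all(any(r.matches(ev) for r in col_rules)
               for col_rules in includes_by_column.values()):
            kept.append(ev)
    return kept


def include_cell(column: str, value: str) -> Rule:
    """Equivalent of right-clicking a cell and choosing Include '<value>'."""
    return Rule(column, "is", value, "include")


def exclude_cell(column: str, value: str) -> Rule:
    """Equivalent of right-clicking a cell and choosing Exclude '<value>'."""
    return Rule(column, "is", value, "exclude")


if __name__ == "__main__":
    events = parse_export(SAMPLE_CSV)
    rules = DEFAULT_RULES + [include_cell("Process Name", "myapp.exe"),
                             include_cell("Result", "NAME NOT FOUND")]
    for ev in apply_filter(events, rules):
        print(ev["Time of Day"], ev["Process Name"], ev["Operation"], ev["Path"], ev["Result"])
```

Stacking an include on "Process Name" with an include on "Result" narrows the view to the one failed file open, which is the usual way to isolate a missing-file or missing-registry-key problem from the thousands of successful events around it.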
