Monitoring a Single Process - Quickie Q

net helpmsg 4006

   Yes, the precise filter will often depend on the details one is looking to explore...  Not sure why your filter that simply included the processes by name didn't work - I'm able to include several processes by name, and have only activity attributable to those processes appear in Process Monitor...

Author	Message Share Topic Printable Version Delicious Digg Facebook Furl Google MySpace Newsvine reddit StumbleUpon Translate Twitter Windows Live Yahoo Bookmarks Topic Search Topic Options Post Reply Create New Topic
molotov Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Moderator Group Joined: 04 October 2006 Online Status: Offline Posts: 17492	Post Options Post Reply Quote molotov Report Post Quote Reply Topic: Monitoring a Single Process - Quickie Q Posted: 02 July 2009 at 6:43pm
	Yes, the precise filter will often depend on the details one is looking to explore... Not sure why your filter that simply included the processes by name didn't work - I'm able to include several processes by name, and have only activity attributable to those processes appear in Process Monitor...
	Daily affirmation: net helpmsg 4006

mjgravina Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 01 July 2009 Online Status: Offline Posts: 4	Post Options Post Reply Quote mjgravina Report Post Quote Reply Posted: 02 July 2009 at 6:28pm
	Here's what I found out. I started with the default filter settings, and let the monitor run while my pc was idle. Several processes started showing up in the monitor "wmplayer", "antivirus", etc. So what I did, is I intuitively right clicked on them, went to Filter, and then exclude. Suddenly, the monitor would no longer log any event or activity for that particular program (I selected Exclude > Process Name). In the end, I only had services, lsass, and one or two more logging. I ran my application, and I was able to capture 40k events in those few seconds, but they were 80% all relevant. So I guess that's what worked in the end. A process you don't want monitored, then right click, exclude, and -in my case at least- choose process name. Thanks so much for keeping an eye on this thread, molotov. Appreciate it.

molotov Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Moderator Group Joined: 04 October 2006 Online Status: Offline Posts: 17492	Post Options Post Reply Quote molotov Report Post Quote Reply Posted: 01 July 2009 at 10:24pm
	"Process name contains appIwant then Include"?
	Daily affirmation: net helpmsg 4006

mjgravina Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 01 July 2009 Online Status: Offline Posts: 4	Post Options Post Reply Quote mjgravina Report Post Quote Reply Posted: 01 July 2009 at 10:07pm
	Ok, working on this right now. How can I monitor three specific processes and not the rest? I did Process name appIwant.exe then Include Process name appIwant2.exe then Include Process name appIwant3.exe then Include You see, either everything gets monitored (I mean ALL), or nothing at all. What am I doing wrong, aside from meddling with a tool I know very little about?...

mjgravina Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 01 July 2009 Online Status: Offline Posts: 4	Post Options Post Reply Quote mjgravina Report Post Quote Reply Posted: 01 July 2009 at 5:05pm
	Thanks for your response. I will be giving this a try this afternoon, and will report on anything else I learn related to the monitor.

molotov Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Moderator Group Joined: 04 October 2006 Online Status: Offline Posts: 17492	Post Options Post Reply Quote molotov Report Post Quote Reply Posted: 01 July 2009 at 4:10pm
	Hi mjgravina, It sounds like you might want to try not choosing to drop filtered events. Perform the operations you are interested in, capturing all of the data. Then go back and apply filters to show you what you are interested in - seem like for starters, "Process name contains app.exe then Include" would be one... Since the filtered data was not dropped, the events are still available if you wish to slice and dice the events a different way.
	Daily affirmation: net helpmsg 4006

mjgravina Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 01 July 2009 Online Status: Offline Posts: 4	Post Options Post Reply Quote mjgravina Report Post Quote Reply Posted: 01 July 2009 at 4:04pm
	How can I run Process Monitor so that it logs (displays on screen) only all activities pertaining to a single executable?... I have an APP.EXE which runs through a list of items that are run in steps: Read registry and disk, look for prog1 or prog2 entries, then if prog1 install prog1.msi, and if prog2 install prog2.msi, end. This APP, is invoking a 16-bit NTVDM instance at some point. With Process Monitor, I am trying to log all of the system activities during a mockup installation (Objective? To have detailed information as to the order of triggers and events that make the sys window pop up). I have not been able to queue the monitor first, and then run the executable. I did manage to start the monitor, then the app, and once done, stop logging. But that yielded over 200k entries, all in the space of 1 to 2 mins approx. Any ideas on how to maximize the process monitor? Thanks in advance, I look forward to keep browsing this forums and learn from everyone. :)