How ProcMon Works

WinLoader (Newbie; joined 16 July 2017; California, USA)
Posted: 09 August 2017 at 11:15pm
What exactly is ProcMon watching when it is observing all of the filesystem/registry/other activity? Is there a central location where it can view everything the kernel does? Is it using hooking or is there some other faster (more efficient) way to monitor all the system calls besides hooking? Thanks.
Thanks,
WinLoader
Discuss Malware Reversing at https://malwareanalysisforums.com
sredna (Groupie; joined 24 November 2016)
Posted: 10 August 2017 at 12:06am
Maybe do a little bit of research first? Dependency Walker? Hex Editor?

I assume it uses the RegMon/FileMon stuff on NT5 and CmRegisterCallbackEx etc. on Vista+ because of PatchGuard. In specific instances you can see that RegMon is superior to ProcMon because ProcMon sometimes uses the wrong key name (when you create a new key in RegEdit, ProcMon will often refer to it as "New Key #1" even after you have named it, etc.).


Edited by sredna - 10 August 2017 at 12:07am
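To make the callback-based approach concrete, here is an added example of a minimal kernel-mode registry monitor built on CmRegisterCallbackEx (the documented Vista+ mechanism the reply refers to; this is not ProcMon's code and not from the original thread). It assumes the Windows Driver Kit headers and a hypothetical altitude string; it only observes, never blocks, and it logs the name a key had at creation separately from a later rename, which is exactly the correlation a monitor must do to avoid showing "New Key #1" after the key has been renamed.

```c
#include <ntddk.h>

static LARGE_INTEGER g_Cookie;   /* registration handle returned by CmRegisterCallbackEx */

/* The kernel invokes this for every registry operation, before (RegNtPre*) and
   after (RegNtPost*) it runs. No code is patched or hooked; the configuration
   manager calls registered callbacks in altitude order. */
static NTSTATUS RegistryCallback(PVOID Context, PVOID Argument1, PVOID Argument2)
{
    REG_NOTIFY_CLASS op = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
    UNREFERENCED_PARAMETER(Context);

    switch (op) {
    case RegNtPreCreateKeyEx: {
        /* Name supplied at creation time; a key made from RegEdit arrives here
           as "New Key #1". A later rename is a separate notification below. */
        PREG_CREATE_KEY_INFORMATION info = (PREG_CREATE_KEY_INFORMATION)Argument2;
        DbgPrint("CreateKey %wZ\n", info->CompleteName);
        break;
    }
    case RegNtPreRenameKey: {
        /* A monitor that wants the current name must apply this rename to the
           object it recorded at creation, rather than keep the original string. */
        PREG_RENAME_KEY_INFORMATION info = (PREG_RENAME_KEY_INFORMATION)Argument2;
        DbgPrint("RenameKey object=%p -> %wZ\n", info->Object, info->NewName);
        break;
    }
    default:
        break;
    }
    return STATUS_SUCCESS;   /* observe only: never fail the caller's operation */
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    CmUnRegisterCallback(g_Cookie);   /* required, or the kernel keeps calling us */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    /* Hypothetical altitude; real drivers use one assigned by Microsoft. */
    UNICODE_STRING altitude = RTL_CONSTANT_STRING(L"380000");
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    return CmRegisterCallbackEx(RegistryCallback, &altitude, DriverObject,
                                NULL, &g_Cookie, NULL);
}
```

Build it with the WDK and load it in a test VM; the DbgPrint output is visible in a kernel debugger or DebugView.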