Sysinternals Process Monitor Utilization


Using Sysinternals Process Monitor, is there a way to filter the log records so that when a process, e.g. 'asdf.exe', accesses a specific folder or file, it captures just that data?

Thank you.
Zack (General IT Goto Guy) asked:

CSI-Windows_com commented:
First, you should be aware that procmon does not do *capture* filters (filters that capture only certain data).

It always captures all records and then allows *display* filters: you can configure a display filter before starting capture, but it still only filters what is displayed on the screen. The full data is still being captured, as can be verified by the increasing record count in the lower left of the screen.

You will want to create a filter as follows:

Column = Path
Relation = Contains
Value = <path or subpath you wish to monitor>
Action = Include

One secret to procmon filters is that filter records that act on the same Column are ORed together, and records that act on different columns are ANDed.
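To make the filter rule above concrete, here is an added example (not part of the original answer, and not Procmon's own code) that reproduces it against a CSV export of a procmon trace (File > Save, CSV format). The sample rows are constructed; the column names follow procmon's default CSV export. Filters are given as (Column, Relation, Value, Action) tuples, exactly the four fields the answer lists: include filters on the same column are ORed, include filters on different columns are ANDed, and an exclude match hides the row (this precedence is assumed here; procmon's own help documents that exclude filters take precedence over include filters).

```python
"""Apply Process Monitor-style display filters to a CSV export of procmon events.

Procmon records everything; this reproduces what its display filter would
keep: same-column include filters are ORed, different columns are ANDed,
and any matching exclude filter hides the row (assumed precedence).
"""
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of procmon's File > Save (CSV) export.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.000","asdf.exe","4120","CreateFile","C:\\Users\\alice\\Documents\\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:00:01.001","asdf.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\Vendor","SUCCESS","Desired Access: Read"
"10:00:01.002","explorer.exe","1234","CreateFile","C:\\Users\\alice\\Documents\\report.docx","SUCCESS","Desired Access: Generic Read"
"10:00:01.003","asdf.exe","4120","WriteFile","C:\\Users\\alice\\Documents\\notes.txt","SUCCESS","Offset: 0, Length: 12"
"10:00:01.004","svchost.exe","800","CreateFile","C:\\Windows\\System32\\drivers\\etc\\hosts","NAME NOT FOUND","Desired Access: Generic Read"
"""

# Relations offered in procmon's filter dialog; comparisons are case-insensitive
# like procmon's. (Only the common ones are implemented here.)
RELATIONS = {
    "is": lambda field, value: field.lower() == value.lower(),
    "is not": lambda field, value: field.lower() != value.lower(),
    "contains": lambda field, value: value.lower() in field.lower(),
    "begins with": lambda field, value: field.lower().startswith(value.lower()),
    "ends with": lambda field, value: field.lower().endswith(value.lower()),
}

# The asker's case: only asdf.exe, and only its accesses under one folder.
# Two different columns, so both conditions must hold (AND).
FILTERS = [
    ("Process Name", "is", "asdf.exe", "Include"),
    ("Path", "contains", "C:\\Users\\alice\\Documents", "Include"),
]


def passes(row, filters):
    """Return True if the row would be displayed under the given filters."""
    includes = defaultdict(list)
    excludes = []
    for column, relation, value, action in filters:
        if action.lower() == "include":
            includes[column].append((relation, value))
        else:
            excludes.append((column, relation, value))

    # Exclude filters: one match is enough to hide the row (assumed precedence).
    for column, relation, value in excludes:
        if RELATIONS[relation](row[column], value):
            return False

    # Include filters: within a column any one may match (OR); every column
    # that carries an include filter must be satisfied (AND across columns).
    for column, conditions in includes.items():
        if not any(RELATIONS[rel](row[column], val) for rel, val in conditions):
            return False
    return True


def apply_filters(csv_text, filters):
    """Parse a procmon CSV export and return the rows the filters would show."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if passes(row, filters)]


if __name__ == "__main__":
    for row in apply_filters(SAMPLE_CSV, FILTERS):
        print(row["Time of Day"], row["Process Name"], row["Operation"], row["Path"])
```

Adding a second Path include filter (say, `("Path", "contains", "HKLM\\SOFTWARE", "Include")`) widens the result rather than narrowing it, because both filters act on the same column and are ORed; adding an Operation exclude filter removes matching rows regardless of the includes.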
netballi commented:
The link below explains how to use the Sysinternals Process Monitor; the area you should be looking at is how to set filters.
Zack (General IT Goto Guy), author, commented:
Thank you for your help.