Experiment 4: To perform registry analysis and boot time logging using the Process Monitor tool.
Tool: Process Monitor.
Procmon, short for Process Monitor, is a powerful Windows utility developed by Microsoft Sysinternals. It allows users to monitor and capture real-time file system, registry, and process/thread activity.
Procmon captures a vast array of file system activity, including file opens, closes, reads, writes, and deletions. This functionality covers roughly 80% of typical monitoring needs, as file system operations are central to many system processes and applications. Procmon also monitors registry operations, such as key and value creations, deletions, and modifications. While not as frequently accessed as the file system, the registry remains critical for system configuration and application settings, covering about 15% of monitoring requirements. Procmon tracks process and thread creations and terminations, along with associated activities like module loading and unloading. This aspect, though less common, is vital for understanding system behaviour and diagnosing issues, addressing the remaining 5% of monitoring needs.
Here are some key points about Procmon:
1. Real-Time Monitoring: Procmon captures events as they occur in real
time, providing a live feed of system activity.
2. File System Activity: It logs all file system activity, including file
open/close operations, reads/writes, and file creation/deletion.
3. Registry Activity: Procmon monitors registry operations, such as key and
value creation, deletion, modification, and registry key access.
4. Process and Thread Activity: It tracks process and thread creations and
terminations, along with their associated activities.
5. Filtering and Highlighting: Users can apply filters to focus on specific
types of activity or processes. Additionally, highlighting can be used to
visually differentiate between different types of events.
6. Comprehensive Logging: Procmon logs a wide range of system events,
providing detailed information such as process ID, operation type, result,
and timestamp.
7. Exporting Data: Captured data can be exported in various formats,
including CSV, XML, and TXT, for further analysis or sharing.
8. Troubleshooting Tool: Procmon is commonly used for troubleshooting
application compatibility issues, diagnosing system performance
problems, and investigating malware activity.
9. User-Friendly Interface: Despite its powerful capabilities, Procmon
features a relatively user-friendly interface, making it accessible to both
novice and experienced users.
10. Integration with Other Sysinternals Utilities: Procmon can be used in
conjunction with other Sysinternals utilities, such as Process Explorer and
Autoruns, to provide comprehensive system monitoring and
troubleshooting capabilities.
Overall, Procmon is an invaluable tool for system administrators, software
developers, and power users alike, offering deep insight into system
activity and facilitating the diagnosis and resolution of a wide range of
system-related issues.
Steps to perform registry analysis and boot time logging using the Process Monitor tool.
Here's a step-by-step guide to using Procmon:
1. Download and Install Procmon:
- Visit the Microsoft Sysinternals website to download the latest version of Procmon.
- Once downloaded, run the installer and follow the on-screen instructions to install Procmon on your system.
2. Launch Procmon:
- After installation, launch Procmon from the Start menu or by double-clicking the executable file.
3. Start Capturing Events:
- Upon launching Procmon, it immediately starts capturing events by default.
- You can pause capturing by clicking on the magnifying glass icon in the toolbar or by pressing Ctrl+E. Click again or press Ctrl+E to resume capturing.
4. Configure Filters (Optional):
- To filter captured events, click on the filter icon (funnel) in the toolbar or press Ctrl+L to open the Filter dialog.
- Here you can set filters based on process name, operation, result, path, and more to focus on specific types of events.
- Click "Add" to add a filter condition and "OK" to apply the filters.
5. Customize Columns (Optional):
- You can customize the columns displayed in the event list to include additional information by right-clicking on any column header and selecting "Select Columns."
- Choose the columns you want to display and click "OK" to apply the changes.
6. Interact with Captured Events:
- As events are captured, they are displayed in the main Procmon window.
- You can sort events by clicking on the column headers.
- Double-clicking on an event opens a detailed Properties window, providing additional information about the selected event.
7. Save Captured Data (Optional):
- To save the captured data, go to File > Save or press Ctrl+S.
- Choose the desired format (e.g., CSV, XML) and specify the file name and location to save the data.
8. Stop Capturing Events:
- When you're finished monitoring, you can stop capturing events by clicking on the magnifying glass icon in the toolbar or by pressing Ctrl+E.
9. Exit Procmon:
- To exit Procmon, go to File > Exit or simply close the Procmon window.
By following these steps, you can effectively use Procmon to monitor and analyze system activity on your Windows system.
Once you have saved the Process Monitor log file, you can open it in a text editor or a spreadsheet program to view the details of the registry changes that occurred during the boot process. This information can be helpful for troubleshooting problems with your computer's startup process.
By analyzing the Process Monitor log file, you can gain valuable insights into the behavior of your computer's startup process. This information can be helpful for troubleshooting problems and improving the performance of your computer.
Process Monitor is a powerful tool that can be used for a variety of purposes, including registry analysis and boot time logging. By following the steps above, you can learn how to use Process Monitor to troubleshoot problems with your computer's startup process and improve its performance.
Output:-