ProcessMonitor: monitoring a process's file and registry activity


1. What is the use of processmonitor
2. How to use processmonitor
3. Summary

1. What is the use of processmonitor

processmonitor is a process monitoring tool for Windows. It captures the operations a process performs on the registry, files, threads, the network and other resources, so that the user can look down from a higher vantage point into how a program uses system resources at the lowest level. From a practical standpoint, it is well worth mastering this tool.

As is well known, the registry plays a pivotal role in Windows: it stores the basic configuration information of the operating system and of applications. Because of this, knowing how to monitor the registry gives us another way to analyze and obtain a piece of software's configuration information. The same is true for file and network monitoring. The startup and execution of a process cannot be separated from reading and writing files. Many people have run into the problem that a DLL cannot be found, without knowing which path the program expects the DLL to be in. This tool captures all file read and write activity of the process, which solves exactly this kind of problem.

2. How to use processmonitor

processmonitor package

The program package comes in 32-bit and 64-bit editions, matching the bitness of the operating system; each edition monitors processes of the corresponding bitness.


To check the bitness of a process, look at the "Details" tab of Task Manager; on Windows 10, for example, the "Platform" column shows whether a process is 32-bit or 64-bit.

Use filters to select processes

ProcessMonitor is best started with administrator privileges, because some processes run with administrator privileges. In general, we can use the process name or the PID to monitor a specific process. Taking Google Chrome as an example, its process name is chrome.exe, so we can monitor all chrome.exe processes with the filter "Process Name is chrome.exe"; because chrome.exe normally runs in multi-process mode, locating a single process requires specifying the PID.

Monitoring Event Type

The toolbar buttons correspond to registry, file, network, process and thread activity, and profiling events. They can be combined to monitor one or more event types at the same time.

Taking threads as an example, events such as thread creation, thread exit, and image loading are listed in the figure below.

The list contains columns such as the timestamp, process ID, operation, and the result of the operation.

Right-click an event and choose Properties; the properties dialog contains Event, Process and Stack panels.

The Event panel contains the event's details, such as the thread ID and the operation performed.

The Process panel contains detailed information such as the path of the process executable, its command line, and its platform architecture.

The list below the panel gives details of all dynamic link libraries loaded by the process.

The Stack panel contains the call stack of the event and lists, for each stack frame, the function address and the module it belongs to.

Turning to file monitoring, the Operation column includes operations such as CloseFile, ReadFile, and WriteFile. The Path column lists the full path of the file associated with each of these API calls, and the Detail column holds the parameters of the API call.


ProcessMonitor also provides summary statistics for the various event types, such as:

Process Activity Summary
File Summary
Registry Summary
Stack Summary
Network Summary
Cross Reference Summary

Taking the File Summary as an example, events are grouped by file path, and for each path the number of opens, closes, reads and writes and the amount of data transferred are counted. This provides the data needed to analyze a program's behavior.
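The grouping the File Summary performs, and the "which path does the program look in for its DLL" question raised in section 1, can both be reproduced offline from a CSV export of a capture (File > Save, CSV format). The following Python script is an added example and is not part of the original post or of the Sysinternals tool; it assumes the default export column names ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), and the sample rows embedded in it are constructed for the example, not taken from a real capture. It also includes a small equivalent of the "Process Name is ..." / "PID is ..." filters from section 2.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# The header row matches Procmon's default export columns; every data row is
# made up for this example and does not come from a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","demo.exe","4242","Process Start","","SUCCESS","Parent PID: 1000"
"10:01:02.2000000 AM","demo.exe","4242","Load Image","C:\\App\\demo.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x1000"
"10:01:02.3000000 AM","demo.exe","4242","CreateFile","C:\\App\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3100000 AM","demo.exe","4242","CreateFile","C:\\Windows\\System32\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3200000 AM","demo.exe","4242","CreateFile","C:\\App\\lib\\helper.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.4000000 AM","demo.exe","4242","CreateFile","C:\\App\\config.ini","SUCCESS","Desired Access: Generic Read"
"10:01:02.4100000 AM","demo.exe","4242","ReadFile","C:\\App\\config.ini","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"10:01:02.4200000 AM","demo.exe","4242","ReadFile","C:\\App\\config.ini","SUCCESS","Offset: 4,096, Length: 1,024, Priority: Normal"
"10:01:02.4300000 AM","demo.exe","4242","CloseFile","C:\\App\\config.ini","SUCCESS",""
"10:01:02.5000000 AM","demo.exe","4242","CreateFile","C:\\App\\out.log","SUCCESS","Desired Access: Generic Write"
"10:01:02.5100000 AM","demo.exe","4242","WriteFile","C:\\App\\out.log","SUCCESS","Offset: 0, Length: 12,345, Priority: Normal"
"10:01:02.5200000 AM","demo.exe","4242","CloseFile","C:\\App\\out.log","SUCCESS",""
"10:01:02.6000000 AM","other.exe","7","CreateFile","C:\\Temp\\x.txt","SUCCESS","Desired Access: Generic Read"
"10:01:02.7000000 AM","demo.exe","4242","RegOpenKey","HKLM\\SOFTWARE\\Demo","NAME NOT FOUND","Desired Access: Read"
"""

FILE_OPS = {"CreateFile", "CloseFile", "ReadFile", "WriteFile"}
NOT_FOUND = {"NAME NOT FOUND", "PATH NOT FOUND"}
LENGTH_RE = re.compile(r"Length:\s*([\d,]*\d)")


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events, process_name=None, pid=None):
    """Equivalent of the 'Process Name is X' / 'PID is N' filters in the GUI."""
    return [ev for ev in events
            if (process_name is None or ev["Process Name"].lower() == process_name.lower())
            and (pid is None or ev["PID"] == str(pid))]


def _io_length(detail):
    """Bytes transferred, parsed from a 'Length: 4,096' fragment of the Detail column."""
    m = LENGTH_RE.search(detail)
    return int(m.group(1).replace(",", "")) if m else 0


def file_summary(events):
    """Group successful file events by path, like Procmon's File Summary:
    number of opens, closes, reads and writes, plus bytes read and written.
    Failed operations are left out here (a simplification of the GUI view)."""
    summary = defaultdict(lambda: dict(opens=0, closes=0, reads=0, writes=0,
                                       read_bytes=0, write_bytes=0))
    for ev in events:
        op = ev["Operation"]
        if op not in FILE_OPS or ev["Result"] != "SUCCESS":
            continue
        row = summary[ev["Path"]]
        if op == "CreateFile":
            row["opens"] += 1
        elif op == "CloseFile":
            row["closes"] += 1
        elif op == "ReadFile":
            row["reads"] += 1
            row["read_bytes"] += _io_length(ev["Detail"])
        else:  # WriteFile
            row["writes"] += 1
            row["write_bytes"] += _io_length(ev["Detail"])
    return dict(summary)


def dll_lookups(events):
    """For each DLL file name, the ordered list of (path, result) CreateFile
    attempts: the loader's probe sequence, ending in SUCCESS where it was found."""
    lookups = defaultdict(list)
    for ev in events:
        if ev["Operation"] == "CreateFile" and ev["Path"].lower().endswith(".dll"):
            name = ev["Path"].rsplit("\\", 1)[-1].lower()
            lookups[name].append((ev["Path"], ev["Result"]))
    return dict(lookups)


def unresolved_dlls(events):
    """DLL names for which every probe failed: the 'DLL cannot be found' case."""
    return sorted(name for name, probes in dll_lookups(events).items()
                  if all(result in NOT_FOUND for _, result in probes))


if __name__ == "__main__":
    events = filter_events(parse_procmon_csv(SAMPLE_CSV), process_name="demo.exe")
    for path, row in file_summary(events).items():
        print(f"{path}: {row}")
    for name, probes in dll_lookups(events).items():
        print(name)
        for path, result in probes:
            print(f"    {result:15} {path}")
    print("unresolved:", unresolved_dlls(events))
```

Run it on a real export by replacing SAMPLE_CSV with the contents of the saved CSV. The NAME NOT FOUND rows returned by dll_lookups are the directories the loader tried before finding the library, which is exactly what answers "which path is the DLL expected in"; unresolved_dlls lists the libraries that were never found anywhere.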

Process tree

Displays the parent-child relationships between processes visually as a tree.

3. Summary

As the saying goes, a worker who wants to do a good job must first sharpen his tools. When facing relatively complex problems, only with the help of suitable tools can we get off to a good start. On Windows, processmonitor can be used to monitor processes, and there are surely better tools as well, which we need to keep discovering and accumulating. Beyond that, good tools are also worth studying for their design and presentation.


Origin blog.csdn.net/weixin_38526093/article/details/130666704