Search notes:

Sysinternals tool: Procmon / Procmon64

Procmon.exe (or its 64-bit version Procmon64.exe allow to record and display events. Such events are

Reading or modification of registry values
Reading/writing from/to files
Creating threads
etc…

Interesting keyobard shortcuts

`ctrl-T`	show process tree
`ctrl-L`	manage filters
`ctrl-X`	remove events
`ctrl-E`	Enable/disable event gathering
`ctrl-K`	Shows call stack at the time of the event

Filter rules

The filter rules are stored in the registry under the key HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor

Different filters can be given a name and stored and retrieve. If given such a name, the ilter rules can be ex- and imported into/from a *.PMF file.

Display call stack of an event

Procmon is even able to show the the call stack that lead to an event. This functionality is opened with ctrl-K.

The dialog must be read bottom up.

Sysinternals tool: Procmon / Procmon64

Interesting keyobard shortcuts

Filter rules

Display call stack of an event

See also