Process Monitor

Ultimate System Activity Surveillance Tool

Essential Tool | Intermediate

Real-time monitoring of file system, registry, and process/thread activity. Essential for live forensics, behavior analysis, and understanding how malware operates on Windows systems.

Comprehensive Monitoring Capabilities

File System

  • Real-time file access tracking
  • Write, read, delete operations
  • Permission denied events
  • File creation timestamps

Registry

  • Registry key modifications
  • Value creation and deletion
  • Permission changes
  • Real-time registry access

Process/Thread

  • Process creation events
  • Thread activity tracking
  • Stack traces for analysis
  • Process tree relationships

Advanced Filtering Techniques

Malware Analysis Filters

# Track malware file drops and data exfiltration
Path begins with 'C:\Users\' AND Operation is 'WriteFile'
# Detect malware persistence mechanisms
Path contains 'Run' AND Operation is 'RegSetValue'
# Monitor process spawning and injection
Process Name contains 'suspicious_process.exe'

Common Filter Examples

# Monitor specific file extensions
Path ends with '.exe' OR Path ends with '.dll'
# Track registry autorun locations
Path contains 'CurrentVersion\Run'
# Monitor temp directory activity
Path begins with 'C:\Temp\' OR Path contains '\AppData\Local\Temp\'

Investigation Workflow

1. Launch Process Monitor as Administrator
2. Set up filters before starting capture
3. Start monitoring (Ctrl+E to capture/pause)
4. Execute suspicious process or trigger event
5. Stop capture and analyze results
6. Export to CSV for further analysis
7. Use Tools → Process Tree for relationship mapping
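The filters above can be re-applied offline to the CSV produced in step 6. The following is an added example, not part of this page or of the Sysinternals tool: it implements the five Procmon filter operators as case-insensitive string matches, encodes three of the page's filters as AND/OR rules, and runs them over a constructed export. It assumes the default export column set (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the rows and rule names are made up.

```python
import csv
import io

# Constructed sample of a Procmon CSV export. The default export column set
# is assumed; the rows themselves are made up for this example.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ"
"10:01:03.5","suspicious_process.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ"
"10:01:03.9","suspicious_process.exe","4321","WriteFile","C:\Users\bob\AppData\Local\Temp\upd.exe","SUCCESS","Offset: 0, Length: 4096"
"10:01:04.2","svchost.exe","800","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read"
"""

# The five Procmon filter operators, treated here as case-insensitive matches.
OPERATORS = {
    "is":          lambda v, t: v.lower() == t.lower(),
    "is not":      lambda v, t: v.lower() != t.lower(),
    "contains":    lambda v, t: t.lower() in v.lower(),
    "begins with": lambda v, t: v.lower().startswith(t.lower()),
    "ends with":   lambda v, t: v.lower().endswith(t.lower()),
}

# A rule is a list of AND-groups that are OR'ed together, enough to express
# the filters listed on this page. Rule names are our own (hypothetical).
RULES = {
    "persistence via Run key": [
        [("Path", "contains", "CurrentVersion\\Run"), ("Operation", "is", "RegSetValue")]],
    "file drop under user profile": [
        [("Path", "begins with", "C:\\Users\\"), ("Operation", "is", "WriteFile")]],
    "temp directory activity": [
        [("Path", "begins with", "C:\\Temp\\")],
        [("Path", "contains", "\\AppData\\Local\\Temp\\")]],
}

def matches(row, rule):
    """True when any AND-group has every clause satisfied by the row."""
    return any(all(OPERATORS[op](row.get(col, ""), val) for col, op, val in group)
               for group in rule)

def scan(csv_text, rules=RULES):
    """Return (rule name, process, PID, path) for every row/rule match."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        for name, rule in rules.items():
            if matches(row, rule):
                hits.append((name, row["Process Name"], row["PID"], row["Path"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_CSV):
        print(" | ".join(hit))
```

On the sample, the RegSetValue to a Run key and the WriteFile into the user's Temp folder are flagged, while the read-only registry query and the hosts file read are not.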

Cybersecurity Applications

Live Forensics

Monitor system activity in real-time during incident response to understand attack progression and collect forensic evidence.

Use Cases: File modification tracking, registry persistence analysis, process injection detection, data exfiltration monitoring

Behavior Analysis

Understand how malware operates by monitoring its interactions with the file system, registry, and other processes.

Techniques: Sandbox analysis, IOC generation, attack technique identification, persistence mechanism discovery

Performance Investigation

Identify performance bottlenecks and unusual system activity that might indicate compromise or system issues.

Indicators: Excessive file I/O, unusual registry access patterns, unauthorized network activity, resource consumption spikes

Quick Info

File Name: procmon.exe
Size: ~3.2 MB
Requires Admin: Yes
Real-time: Yes
Export Format: CSV, XML

Filter Operators

  • is: Exact match
  • is not: Exclude match
  • contains: Partial match
  • begins with: Prefix match
  • ends with: Suffix match

Pro Tips

  • 💡 Use Ctrl+E to pause/resume capture during analysis
  • 💡 Set up filters before starting capture
  • 💡 Use Include filters to focus on specific activity
  • 💡 Export results to CSV for offline analysis
  • 💡 Clear display between investigations