Environment
- All Products
- Microsoft Windows: All Supported Versions
Objective
How to collect a Process Monitor (ProcMon) capture to troubleshoot performance issues.
Resolution
- Download Process Monitor from Microsoft and extract the files to the desktop of the endpoint.
- Temporarily disable Tamper Protection (EDR Sensors / App Control Agents) so that ProcMon can properly access stack information.
- Launch ProcMon and configure the capture as follows:
  - Press Ctrl+E to stop the current capture.
  - Press Ctrl+X to clear the current results.
  - Filter > Filter > click Reset, then uncheck the "Process Name is System" rule > OK.
  - Options > Profiling Events > Generate thread profiling events > Every 100 milliseconds > OK.
- Start the capture (Ctrl+E) when ready to reproduce the issue.
- After reproduction, stop the capture (Ctrl+E).
- Use File > Save with the following options:
  - Events to save: All events
  - Format: Native Process Monitor Format (PML)
- Compress the resulting PML file as a zip, and upload it to the Vault.
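The capture steps above can also be driven from PowerShell with ProcMon's documented command-line switches, which makes the collection repeatable. This is an added example, not part of the article; it assumes Procmon.exe was extracted to a ProcMon folder on the desktop and that a ProcMon configuration file (perf.pmc) was exported via File > Export Configuration after applying the filter and profiling settings listed above, since those settings have no dedicated command-line switch.

```powershell
# Added example (not from the KB article): run the ProcMon capture described
# above using Procmon's command-line switches, then zip the result for upload.
# Assumptions (not on the page): Procmon.exe lives in <Desktop>\ProcMon and
# perf.pmc is an exported configuration that already includes the System
# process (exclude rule unchecked) and 100 ms thread profiling events.
param(
    [string]$ProcmonDir = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'ProcMon'),
    [string]$ConfigFile = (Join-Path $ProcmonDir 'perf.pmc'),
    [string]$CaseId     = 'CASE-PLACEHOLDER'   # hypothetical label for the file name
)

$procmon = Join-Path $ProcmonDir 'Procmon.exe'
foreach ($f in @($procmon, $ConfigFile)) {
    if (-not (Test-Path $f)) { throw "Required file not found: $f" }
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml   = Join-Path $ProcmonDir "$CaseId-$stamp.pml"
$zip   = [IO.Path]::ChangeExtension($pml, '.zip')

# /BackingFile writes every event straight into a native PML file (the same
# result as "Events to save: All events" in PML format); /LoadConfig applies the
# exported filter and profiling settings; /Quiet suppresses the filter dialog.
$procmonArgs = @('/AcceptEula', '/Quiet', '/Minimized',
                 '/LoadConfig', "`"$ConfigFile`"",
                 '/BackingFile', "`"$pml`"")

Read-Host 'Press Enter to START the capture'
$capture = Start-Process -FilePath $procmon -ArgumentList $procmonArgs -PassThru

Read-Host 'Reproduce the issue now, then press Enter to STOP the capture'
# A second Procmon instance started with /Terminate stops the running capture
# and flushes the backing file before exiting.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
$capture.WaitForExit()

# Sanity check before packaging: an empty PML means the capture never started.
if (-not (Test-Path $pml) -or (Get-Item $pml).Length -eq 0) {
    throw "Capture file was not written: $pml"
}

Compress-Archive -Path $pml -DestinationPath $zip -Force
$sizeMb = [math]::Round((Get-Item $zip).Length / 1MB, 1)
Write-Host "Capture ready for upload to the Vault: $zip ($sizeMb MB)"
```

The script does not touch Tamper Protection; that step is still performed in the console beforehand as described above.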
Additional Notes
- Do not put any additional filters in place.
- Specific diagnostics will need to be captured along with the ProcMon capture (see Related Content).
- Boot/login performance issues will require a ProcMon capture with Boot Logging enabled (see Related Content).
Related Content