Process Monitor v2.7: A New Release to Watch Processes and Threads in Windows

Process Monitor is a very complete advanced monitoring tool that shows and logs real-time activity for the file system, the Registry, the running processes and their threads in Windows. Yesterday, the Windows Sysinternals team made the new version v2.7 of Process Monitor available for download.

It is very important to understand what's going on with the hardware threads, the operating system, its kernel, the application's processes and the software threads in order to understand why multicore programming skills are so important. Process Monitor v2.7, developed by Mark Russinovich and Bryce Cogswell, will let you understand how applications spend their time in Windows. It works with both 32-bits and 64-bits Windows version. Besides, it's compatible with Windows 7 and Windows 2008 R2. For this reason, now you can run this application on most modern Windows versions. It works with both Windows 7 RC and RTM.

Process Monitor replaced two legacy utilities previously developed by Sysinternals, Filemon and Regmon. However, it also allows you to monitor processes and threads with great detail, including information about process and thread startup and exit, together with exit status codes. Each operation can register the full thread stacks and everything can be logged to a file. Process Monitor can work with the page file in order to register a huge amount of activities. Therefore, you have to be very careful with its features, running it in the background can kill your application's performance. Process Monitor is not intended to benchmark an application's performance. It's useful to monitor its activities.

Process Monitor is an advanced tool. Nonetheless, it helps you to understand all the activities related to a simple application. Sometimes, developers compile an application, run the binaries and then they wonder why the application is so slow. Process Monitor can help you to understand all the things that happen when you start its process and it creates its threads in Windows, as shown in the following picture:

Process Monitor showing all the events related to an application. In this case, you can see when many Thread Create and Thread Exit events because it is a multithreaded application.

The Event Properties window displays detailed information about the event, its parent process and the stack, as shown in the following two pictures:

The details of an operation in the Event Properties Window.

Process Monitor displaying the detailed stack for a Thread Exit event.

The tool allows you to set filters. This way, you can select the events you want to monitor. You can filter to monitor a single or multiple processes by PID (Process ID) or by Process Name with just a few clicks. The Process Monitor Filter window allows you to add many complex conditions, as shown here:

Process monitor displays the events matching the defined conditions.

You can also use this tool to detect malware and unauthorized activity. However, my focus is on monitoring processes and threads in modern Windows versions.

You can download and run Process Monitor v2.7 from its Windows Sysinternals web page

It doesn't require installation. You can run the executable file (procmon.exe) -- compressed in the downloaded zip file -- on any modern Windows version (Windows XP SP2 and higher or Windows 2003 SP1 and higher) and you'll be able to monitor your processes and threads with full detail.