Tools: Procmon


In the platform-specific category, Procmon is my favorite on Windows. It captures registry, file system, and process events for any process. You can use it to debug your own programs and just about anyone else’s, too. It’s originally from Sysinternals, now provided by Microsoft directly.

For example, I once used it to debug some custom build steps in Visual Studio that weren’t behaving. Using Procmon, I was able to determine which files Visual Studio was checking timestamps on. It turned out an incorrectly entered output list was causing Visual Studio to look for files that didn’t exist and causing the step to run every time. Sure, maybe I’d have seen that if I stared at the output list long enough. But it was easy to spot in Procmon.

A few features I’ve found most useful:

Filtering by process name. You can filter events in about a zillion ways, but the most useful is to exclude based on process name. Find an event from a process you don’t care about, right-click, and select Exclude. Procmon remembers these settings between invocations, so it’s easy to reduce clutter by excluding Explorer.exe, etc.

Filtering by event type. In the toolbar you’ll find three buttons to show/hide file events, registry events, and process events. Again, this eliminates a lot of clutter if you know which type of event you’re looking for.

Saving log files. You can save your captured event logs. I encourage our QE team to use this feature and attach the log files to bug reports. I can open the logs back up in Procmon and get a good idea of what happened.
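Once a QE log has been exported from Procmon as CSV (File > Save, CSV format), the same three ideas above, excluding noisy processes, keeping one event class, and looking for failed lookups like the missing build outputs in the Visual Studio story, can be applied offline. The script below is an added example, not Procmon’s own tooling; the embedded CSV rows are constructed to mimic Procmon’s default export columns, and the operation-to-class mapping is a simplification of Procmon’s own categories.

```python
import csv
import io
from collections import Counter

# Constructed sample in Procmon's default CSV export layout (File > Save, CSV).
# The two failed lookups of widget.h stand in for the bogus output-list entry
# that made Visual Studio re-run a custom build step every time.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:15.1234567 AM","devenv.exe","4120","CreateFile","C:\proj\out\widget.h","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:15.1234600 AM","devenv.exe","4120","CreateFile","C:\proj\src\main.cpp","SUCCESS","Desired Access: Read Attributes"
"10:02:15.1234700 AM","devenv.exe","4120","QueryBasicInformationFile","C:\proj\src\main.cpp","SUCCESS","CreationTime: 1/2/2024"
"10:02:15.1234800 AM","devenv.exe","4120","CreateFile","C:\proj\out\widget.h","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:15.1234900 AM","Explorer.EXE","1234","CreateFile","C:\Users\me\Desktop\desktop.ini","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:15.1235000 AM","devenv.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\VisualStudio\Foo","NAME NOT FOUND","Desired Access: Read"
"10:02:15.1235100 AM","devenv.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5555"
'''


def event_kind(operation):
    """Map an Operation column value onto the three toolbar classes.

    Simplified assumption for this example: Reg* operations are registry,
    Process*/Thread*/Load Image are process, everything else is file system.
    """
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "process"
    return "file"


def missing_paths(csv_text, kind="file", exclude=("explorer.exe",)):
    """Count paths whose access failed with NAME NOT FOUND.

    `exclude` mirrors Procmon's right-click Exclude filter (case-insensitive
    process names); `kind` mirrors the show/hide toolbar buttons.
    """
    excluded = {name.lower() for name in exclude}
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() in excluded:
            continue
        if event_kind(row["Operation"]) != kind:
            continue
        if row["Result"] == "NAME NOT FOUND":
            hits[row["Path"]] += 1
    return hits


if __name__ == "__main__":
    # Most frequently missing paths first: the repeat offender is the suspect.
    for path, count in missing_paths(SAMPLE_CSV).most_common():
        print(f"{count:4d}  {path}")
```

Pointing the script at a real export means reading the file instead of SAMPLE_CSV; the column names are those Procmon writes by default, so adjust them if the log was saved with a customized column set.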

You’ll also be surprised at all the stuff that Procmon captures going on under the covers. For example, you can see all of the work your application does before it starts executing your code. Sometimes I’m amazed applications ever finish starting!