3 Ways to Run the Best Low-Level Windows Debugging Tool

A surprising number of thorny Access performance issues can be resolved with this venerable tool. Here's how to get started with Process Monitor.

My favorite low-level debugging tool is Process Monitor (aka procmon).  It's part of the Sysinternals Utilities suite written by Mark Russinovich.

Getting Started

If you've never used Process Monitor before, it can be very overwhelming at first.  To get started, I recommend watching one or more videos from Mark Russinovich himself.  

Mark's Webcasts are a series of 75-minute presentations from 2010 through 2015.  The structure of all six talks is the same, but the examples he uses are different each time.  

I scanned through the Process Monitor portion of each talk to save you from having to watch seven and a half hours of video.  

To get the best bang for your buck, I recommend you watch Mark's 2015 talk.  The section on Process Monitor starts at the 31:30 mark.

Running Process Monitor

One nice thing about the Sysinternals Utilities is that they do not need to be installed.  Everything you need is packed into a tiny little .exe file.

There are at least three ways to get Process Monitor.  All three options support downloading the entire Sysinternals suite of utilities or a standalone copy of Process Monitor.

Traditional download site

The official download site for the Sysinternals utilities is here: https://docs.microsoft.com/en-us/sysinternals/downloads/

Chocolatey

I mentioned the Chocolatey Windows package manager in a previous article.  

Here's the command to install the standalone Process Monitor utility:

choco install procmon

Here's the command to install the entire Sysinternals suite (this is what I use):

choco install sysinternals

Sysinternals Live

I just learned about this option while putting together this article.

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at https://live.sysinternals.com/.

This sounded so cool I had to try it for myself.

Via File Explorer

Honestly, I was more than a little underwhelmed when I ran it from File Explorer.  It amounted to little more than an easy-to-remember URL.  

The usual web browser dialog box asking to save or run the executable popped up.  

I typed the following into the File Explorer address bar:

live.sysinternals.com/procmon.exe

When I pressed Enter, Windows simply downloaded the file via my default web browser (currently Firefox).

The URL is case-insensitive, but I got a 404 file not found error if I left off the ".exe" extension.

The File Explorer integration was nice, but it was nothing special.

Via Cmd Window

OK, now this really was cool.  I opened a non-admin cmd window and entered several commands to open a series of Sysinternals utilities:

  • Process Monitor: \\live.sysinternals.com\tools\procmon
  • Process Explorer: \\live.sysinternals.com\tools\procexp
  • Autoruns: \\live.sysinternals.com\tools\autoruns
  • RAMMap: \\live.sysinternals.com\tools\rammap
  • Handle: \\live.sysinternals.com\tools\handle {locked file name}

Some quick notes about the cmd window usage:

  • You need the leading double backslashes (not used with File Explorer).
  • You need the tools folder (optional with File Explorer).
  • You can pass command line arguments to tools that accept them, like the Handle utility.
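
Because Sysinternals Live hands you an executable straight from the network, it is worth checking its Authenticode signature before running it. The following PowerShell is an added example, not part of the original article: the function name `Get-VerifiedSysinternalsTool` is hypothetical, and the `https://live.sysinternals.com/<toolname>.exe` URL form and the expected signer string are assumptions.

```powershell
# Added example: download a Sysinternals Live tool over HTTPS and return its
# local path only if the Authenticode signature is valid and from the expected signer.
function Get-VerifiedSysinternalsTool {
    [CmdletBinding()]
    param(
        # Tool name without extension, e.g. procmon, procexp, autoruns, handle.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9_]+$')]
        [string]$ToolName,

        # Assumption: Sysinternals binaries are signed by Microsoft Corporation.
        [string]$ExpectedSigner = 'O=Microsoft Corporation',

        # Local cache folder for the verified copies.
        [string]$Destination = (Join-Path $env:TEMP 'SysinternalsLive')
    )

    # The article notes that the .exe extension is required over HTTP (404 otherwise).
    $uri  = "https://live.sysinternals.com/$ToolName.exe"
    $null = New-Item -ItemType Directory -Path $Destination -Force
    $path = Join-Path $Destination "$ToolName.exe"

    Invoke-WebRequest -Uri $uri -OutFile $path -UseBasicParsing

    # Reject unsigned, tampered, or untrusted files before anything executes.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Remove-Item -LiteralPath $path -Force
        throw "Signature check failed for $ToolName ($($sig.Status)): $($sig.StatusMessage)"
    }

    # A valid signature is not enough; it must also come from the expected publisher.
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        Remove-Item -LiteralPath $path -Force
        throw "Unexpected signer for $ToolName : $($sig.SignerCertificate.Subject)"
    }

    return $path
}

# Usage: run the verified copy, passing arguments the same way as in the cmd window.
# & (Get-VerifiedSysinternalsTool -ToolName procmon)
# & (Get-VerifiedSysinternalsTool -ToolName handle) 'C:\path\to\locked-file.txt'
```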

  • Windows Sysinternals
    Library, learning resources, downloads, support, and community. Evaluate and find out how to install, deploy, and maintain Windows with Sysinternals utilities.
  • Mark’s Webcasts - Windows Sysinternals
    Mark’s webcasts
  • The Case of the Unexplained: Windows Troubleshooting
    Database Migrations could range from a very easy migration project to lengthy cross platform migrations. Many times, DBAs and Database…
    Ignore the description of the talk. It's not about Database Migrations. Mark pokes fun at the conference organizer's error in his opening slide.
  • Sysinternals Utilities - Windows Sysinternals
    Evaluate and find out how to install, deploy, and maintain Windows with Sysinternals utilities.
    The official download site.
  • Chocolatey - The package manager for Windows
    Chocolatey is software management automation for Windows that wraps installers, executables, zips, and scripts into compiled packages. Chocolatey integrates w/SCCM, Puppet, Chef, etc. Chocolatey is trusted by businesses to manage software deployments.

Sysinternals Utilities

  • Process Monitor - Windows Sysinternals
    Monitor file system, Registry, process, thread and DLL activity in real-time.
  • Process Explorer - Windows Sysinternals
    Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more.
  • Autoruns for Windows - Windows Sysinternals
    See what programs are configured to startup automatically when your system boots and you login.
  • RAMMap - Windows Sysinternals
    An advanced physical memory usage analysis utility that presents usage information in different ways on its several different tabs.
  • Handle - Windows Sysinternals
    This handy command-line utility will show you what files are open by which processes, and much more.

Referenced articles

  • My Favorite Things
    Here is a list of my favorite utilities, add-ins, OCX controls, and applications that I use when developing Microsoft Access applications.

UPDATE [2023-07-31]: Fix broken link to Mark Russinovich's 2015 video.

All original code samples by Mike Wolfe are licensed under CC BY 4.0