Windows 10: New (possible) alternative to ProcMon uses ETW instead of kernel hooks


  1. Posts : 1,524
    WinX Pro x64 IP current
       17 Jan 2018 #1



    Developer Pavel Yosifovich has released an early version of a Process Monitor alternative that has the makings of a great addition to / replacement for Sysinternals' Process Monitor (ProcMon). Called Process Monitor X (and dubbed ProcMonX), it is a unique take on how to view various events that occur within the operating system as we use it.

    From his blog post about the release:

    The (now classic) Process Monitor tool from Sysinternals allows watching important activities on a system: process and thread creation/termination, image loading/unloading, file system operations and registry operations (and some profiling events). This tool helped me many times in diagnosing issues or just understanding what’s going on in a particular scenario.

    Yesterday I released the first preview of a tool called Process Monitor X (ProcMonX), as a possible alternative to ProcMon. ProcMonX provides information on similar activities to ProcMon, but adds many more events, such as networking, ALPC and memory. In fact, the number of possible events is staggering, since there are many events exposed by the NT kernel provider, and the tool could be expanded to include other providers. So why doesn’t ProcMon provide the same range of events?

    ProcMon works by using a kernel driver. The upside to using a driver is the ability to get the most accurate data, since some form of hooking is involved.
    ProcMonX, on the other hand, uses Event Tracing for Windows (ETW), a diagnostics and logging mechanism that has existed since Windows 2000. In ETW, providers spit out events that ETW consumers consume. These events can be logged to a file (.ETL extension) and then analyzed, or alternatively logged in real time to listening consumers.

    Windows provides many providers out of the box, each exposing a rich set of events. To get a sense of the number of providers use logman query providers in a command window.

    ProcMonX creates a real time session (no automatic logging to file) and registers for the events the user requests (the current list is small, more events will follow in subsequent versions). The event data is displayed as they come in.

    Is it better than using kernel drivers? Not generally. Hooking with a driver is always more reliable and accurate. ETW has an inherent delay of one to three seconds when reporting events, which is not a big deal for this kind of tool, since the events are still ordered correctly and have correct enough time stamps (if using the same ETW session).

    All this means is that ProcMonX sacrifices some accuracy and in some cases pieces of information to get in exchange a huge range of events that would not be possible with ProcMon. Additionally, I am trying to get a comfortable and powerful UI to filter, view and inspect information. This is naturally a work in progress, but it's important to emphasize. ETW traces can be captured and analyzed with a myriad of tools, such as PerfView, Windows Performance Recorder / Analyzer, and others. With a wealth of information there is a necessity to be able to filter, find and analyze the results.
    In my opinion, this could well be a great tool to add to the large list of tools that I keep handy for all sorts of analysis when I break something on my system (mostly stuff from Nir Sofer and Sysinternals).

    We shall see.

    Github: GitHub - zodiacon/ProcMonX: Extended Process Monitor-like tool based on Event Tracing for Windows
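    The quoted post describes the ETW model (providers, sessions, .ETL files, real-time consumers, the one-to-three-second delay, and logman query providers) without showing it in use. The script below is an added example, not code from the post or from ProcMonX: it uses only inbox Windows tooling (logman and Get-WinEvent) to capture process start/stop events from the Microsoft-Windows-Kernel-Process provider into an .etl file and read them back. The session name, output path, keyword mask (0x10 = process events) and the assumption that Properties[0] of event IDs 1 and 2 is the process ID are mine; check the provider's fields with logman query providers before relying on the column layout. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or from ProcMonX): a minimal ETW
# capture with the built-in logman tool, then offline parsing with Get-WinEvent.
# Requires an elevated prompt. Session name and output path are arbitrary choices.

$session  = 'EtwProcDemo'                        # arbitrary session name (assumption)
$etl      = Join-Path $env:TEMP 'EtwProcDemo.etl' # arbitrary output path (assumption)
$provider = 'Microsoft-Windows-Kernel-Process'   # inbox provider; `logman query providers` lists the rest

# 1. Confirm the provider exists and see its keywords and levels.
#    For this provider 0x10 = process, 0x20 = thread, 0x40 = image load.
logman query providers $provider

# 2. Start a file-backed trace session. -ets talks to the tracing subsystem directly
#    instead of persisting a data collector set; "0x10 0x5" = keyword mask and verbose level;
#    -ft 1 sets the buffer flush timer to one second (this timer is the delay the post mentions).
#    Replacing "-o $etl" with "-rt" would make this a real-time session for a consumer such as ProcMonX.
logman start $session -p $provider 0x10 0x5 -o $etl -ft 1 -ets

# 3. Generate some activity: a short-lived child process, then wait for a flush.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'exit' -Wait
Start-Sleep -Seconds 2

# 4. Stop the session; the .etl file is now complete and readable.
logman stop $session -ets

# 5. Parse the trace offline. Event IDs 1 and 2 are ProcessStart / ProcessStop for this provider.
#    Properties[0] being the ProcessID and the first string property being the image name
#    is an assumption about the event template; verify against the provider manifest.
Get-WinEvent -Path $etl -Oldest |
    Where-Object { $_.Id -in 1, 2 } |
    Select-Object TimeCreated, Id,
        @{ n = 'Kind';      e = { if ($_.Id -eq 1) { 'Start' } else { 'Stop' } } },
        @{ n = 'ProcessID'; e = { $_.Properties[0].Value } },
        @{ n = 'Image';     e = { ($_.Properties | Where-Object { $_.Value -is [string] } | Select-Object -First 1).Value } } |
    Format-Table -AutoSize
```

    Capturing to a file and parsing afterwards keeps the example self-contained; a real-time session (-rt) only delivers events to a process that attaches to it with the OpenTrace/ProcessTrace API, which is the part ProcMonX implements. If the session is left running by mistake, logman query -ets lists active sessions and logman stop <name> -ets removes it.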

  2.    18 Jan 2018 #2

    Thanks- this sounds interesting.. I agree there's a real need for a tool that lets you focus quickly on particular types of events related to your current issue, and ProcMon's filter is a bit of a nightmare.


  3. Posts : 3,088
    Windows 10 Pro x64 v1803 Build 17134.81 (Branch: RS4 Release Preview)
       18 Jan 2018 #3

    Great find!

    Thanks!

