Process Monitor Problem

Topic

New Reply

I recently downloaded the latest Sysinternals Suite, basically to update Autoruns.exe, for use on both Win7 & Win10.
Autoruns opens OK on both , but I can’t get Procmon.exe to open on either, although as I recall it worked fine in the past.
I’m a bit stumped as to how to troubleshoot this, anyone got ideas?

Alex

Reply | Quote

Replies

Right-click on the procmon.exe file and check its properties… is it v3.20.0.0?

Have you tried running Procmon directly from the Sysinternals web page? If so, what result?

Have you tried temporarily disabling any AV you are using?

Hope this helps…

Reply | Quote

lastly you can download it separately and see if it still won’t run.

Reply | Quote

It is v3.20.0.0, and I’ve tried running it with AV and Anti Malware off, still no result.
I get the usual ‘Do you want to run this file’ message, then nothing.
I don’t even get this if I run as Administrator, which is to be expected.
Other Sysinternals apps work OK, such as Autoruns and Perfmon.
Like I said, I’m stumped.

Alex

Reply | Quote

1. Where are you running procmon.exe from, i.e. what’s the filepath?

2. What version of Windows are you running? x32 or x64? (My understanding of procmon.exe is that when run on an x64 version of Windows it spawns a procmon64.exe file and runs that in the background.)

3. With Task Manager open to the Processes tab, do you see the procmon process appear at all when you run it?

4. Have you checked Event Viewer (eventvwr.msc) for any relevant entries in Application or System (under Windows Logs)?

5. Have you checked Reliability Monitor for any relevant entries? (Enter perfmon /rel in a Run dialog or commandline window – Win 7 onwards)

Hope this helps…

Reply | Quote

If you do not see the “Do you want to run” message when you run it as administrator, that suggests a security issue. Using Windows Explorer or similar, navigate to the executable file (I would guess C:Program FilesProcess MonitorProcmon.exe), right-click on it, then Properties, then Security. The user (or group) that you are running under needs to have “Full control”. If you do not see your own user name in the list, add it in and give it “Full control”. Could also be the dreaded UAC getting in the way, so check your settings. I can run Process Monitor under Windows 7 x64 with no problems, and as suggested it does spawn a procmon64.exe process.

Do you also have Process Explorer? Does it work? If not then Task Manager will do, but try splitting your screen so that you can run Process Explorer (or Task Manager) in one part, and have the command where you try to launch Process Monitor in the other part. Launch Process Monitor while carefully watching the other part of the screen. Do you see procmon.exe appear briefly, then go red and/or disappear? If so, then “something” is preventing it from running and is killing it. An entry in one of your event logs should indicate what the problem is.

(Interesting catch-22 situation. For any other program which will not start, I would suggest to run it under Process Monitor …… )

Reply | Quote

Thanks guys. I followed Bundaburra’s suggestion and ran Process Explorer in half a screen while starting Procmon in the other half. Process Monitor does start briefly then red lines, and if I try starting as Administrator, a second prog I couldn’t identify also tries to start but is red lined.

I’ve examined logs with Event Viewer after these tests, but no mention appears anywhere. Further advice on where I might expect an appropriate message to appear would be helpful. Running perfmon /rel yielded nothing.
I should also mention that I dual boot Win7 and Win10, both x64, and I get exactly the same pattern in both.
Regarding the security issue, procmon.exe has full control allowed for Everybody, and is in a separate partition to the operating systems.

I remain stumped.

Alex

Reply | Quote

When it crashes in W7, you’ll get a popup window with a dropdown option that shows you some details:

Problem signature:
Problem Event Name: APPCRASH
Application Name: Procmon.exe
Application Version: 3.20.0.0
Application Timestamp: 5563c057
Fault Module Name: Procmon.exe
Fault Module Version: 3.20.0.0
Fault Module Timestamp: 5563c057
Exception Code: c0000005
Exception Offset: 0005d889
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 2057
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:Windowssystem32en-USerofflps.txt

What do you get?

Reply | Quote

It doesn’t crash, it just doesn’t start, consequently I get no response at all.

Alex

Reply | Quote

Have you tried running it in Safe Mode or in a clean boot ?

I don’t have the suite and just run Process Explorer from my Downloads folder, having installed it from https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

Event Viewer may have an Event ID 1001 for it.

Reply | Quote

I tried safe mode and got exactly the same response – nothing. This is in both W10 and W7.
Your link is to Process Explorer, I have no problem with that, it runs perfectly, in fact I’ve been using it to help troubleshoot Procmon.

When I tried in safe mode I got no response in Process Explorer, not even a red bar!

I have downloaded the Procmon.zip file from Sysinternals but got exactly the same result.

Reply | Quote

I tried safe mode and got exactly the same response – nothing. This is in both W10 and W7.
Your link is to Process Explorer, I have no problem with that, it runs perfectly, in fact I’ve been using it to help troubleshoot Procmon.

When I tried in safe mode I got no response in Process Explorer, not even a red bar!

I have downloaded the Procmon.zip file from Sysinternals but got exactly the same result.

In Post #7 you said that Process Explorer red lines which is why I linked it, but have had no need to run Procmon.

Safe Mode with Networking would bypass a 3rd party AV program but Windows Firewall would be active in Safe Mode etc.

Which AV program are you using ?

If for some reason you are getting a bad download and either firewall is trying to read them as you are opening them, then you may get a Sharing Violation error, but that doesn’t seem to be happening.

A possible workaround could be if you could download/save it onto another machine and then copy it across to run its .exe.

Reply | Quote

Uninstall your security software from one of the OS’s and test, disabling them is sometimes not enough.

Reply | Quote

Uninstall your security software from one of the OS’s and test, disabling them is sometimes not enough.

Surely starting in safe mode is just as good a test.

Reply | Quote

What AV program are you using and do you have access to another machine to download it onto ?

I’ve noticed it is downloading to drive E: – which drive is that ?

Reply | Quote

Surely starting in safe mode is just as good a test.

It should be but it depends on how the security software installs, disabling it doesn’t always fully disable all components (heck, sometimes uninstalling it doesn’t remove all components, that’s why there are specific uninstallers/routines for most AV/3rd party firewalls).

Reply | Quote

And don’t call me Surely!

Reply | Quote

I examined Event Viewer – Administrative Events and found several entries relating to my attempts at starting Procmon marked as Errors.
This is the output on the General Tab;-

Faulting application name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Faulting module name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Exception code: 0xc0000005
Fault offset: 0x0005d889
Faulting process id: 0x610
Faulting application start time: 0x01d1493213ff7757
Faulting application path: E:DownloadsSysinternalsSuiteProcmon.exe
Faulting module path: E:DownloadsSysinternalsSuiteProcmon.exe
Report Id: 5a9b8c9e-b525-11e5-b666-da7798bbe150

And this the Detail Tab;-

Procmon.exe
3.20.0.0
5563c057
Procmon.exe
3.20.0.0
5563c057
c0000005
0005d889
610
01d1493213ff7757
E:DownloadsSysinternalsSuiteProcmon.exe
E:DownloadsSysinternalsSuiteProcmon.exe
5a9b8c9e-b525-11e5-b666-da7798bbe150

None of this means anything to me, perhaps you wiser guys can make something of it.

Alex

Reply | Quote

Drive E: is just a separate HDD, I keep Operating systems on SSD’s and data on separate HDD’s.

My wife’s name is Shirley, by pure coincidence!

I don’t see the relevance of AV software, since no other progs, including the other Sysinternals Apps have any problem, However I’m willing to try after a complete uninstall of 360TS, the AV I use at present.

To be honest, because the problem repeats itself in both W7 and W10, which are themselves on separate ssd’s, I expected hardware to be at the root of the problem, I also have 3 separate HDD’s for data so I think I’ll try detailed virus scans on these first, just in case.

Reply | Quote

If you have the same AV on each SSD then it could be blocking it because of what Procmon does.

I would think it is unlikely because of an infection as that would probably block all downloads.

The other day AdwCleaner was blocked on mine but downloading JRT from the same website downloaded okay.

Have you been able to download it onto another machine to ensure you have a complete download ?

Reply | Quote

I had no problem downloading the Sysinternals zip file, and everything else is OK.

I took your point about another PC, put the suite on a thumb drive and ran it in a totally different PC – and got the same result!
Perhaps there’s a fault in the prog itself.

Reply | Quote

It could be if it’s in a suite – what about just downloading it on its own onto the thumb drive –

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

I downloaded this the other day just to test it and it worked okay for me.

Reply | Quote

Thanks jwoods. Did all that, needed to create the C:dumps folder first.
Tried to start Procmon, then ran procdump, which proceeded ok, but no files appeared in C:dumps.

Perhaps we’re confusing ‘failed to start’ with ‘crashed’ here, they are two different scenarios.

Reply | Quote

Hi, Alex.

It might sound a little out of the left field but this ‘fixed’ it for me (that’s my W7 error listed in #5, looks very much like yours): download Windows Repair, run it, do the suggested Registry Backup and create a System Restore point (Step 5).

From the Repairs tab, select Open Repairs bottom right, select only 03, 26 and 27 (I think that 27 alone might be enough), hit the Start Repairs button, when the ‘completed’ popup comes up, click Close and it will reboot automatically in a minute or so.

Test.

Reply | Quote

As the same problem occurs on another computer, then it seems like the corruption is in the suite’s download rather than the machines.

Still waiting to see if a singular download has the same no start problem – have you tried that yet ?

Reply | Quote

Well, if you have time (I’m bushed, ~20 hours uptime), try working through these search results: DDG and Google.

Or I could upload you all, or part of, 543MB of compressed ProcMon dumps 😉

Reply | Quote

Thanks satrow, I ran System Repair ( looks a useful prog ) as you suggested. It cleaned up a few things but the same problem remained.
I mentioned I put the suite on a thumb drive and it failed on my second PC. I’ve now tried it on a third, running W10 and it worked perfectly, so there’s nothing wrong with the prog.
I also trawled through your search links, but they didn’t seem to provide any useful info.

I remain stumped, thankfully it’s not a prog that’s essential.

Reply | Quote