Tech Line

Capture the Config

Process Monitor -- the Sherlock Holmes of Windows configuration mysteries.

How many times has a Windows OS behavior completely baffled you? When faced with an unusual problem, if you're like most, you probably try to Google your way out of it. When Google doesn't solve the problem, it's often back to the drawing board. Today, instead of talking about the fix for a particular problem, I'll discuss technique.

When I run into an unusual Windows configuration problem, like most, I first try to find the answer online via a Google or newsgroup search. When that fails, I look for the configuration files or Windows registry values that are the source of the problem. To do this, I use the free tool Process Monitor. Process Monitor displays both file system and registry access in real time, allowing you to easily spot the configuration files and registry settings associated with a particular process. Since it runs as a stand-alone executable file, no installation is required.

Once I've downloaded and started Process Monitor, I reproduce the problem that is causing the error. For example, I've been working with a fellow administrator on identifying the registry values that determine the contents of Windows Explorer's "New" power menu option (right-click in Windows Explorer, select New). To locate the Registry settings that define the power menu, I start Process Monitor, right-click on the desktop, and select New. Once all of the "New" options are displayed in the power menu, I stop the Process Monitor capture and examine the results.

Here's a summary of the steps I use to locate Registry configuration settings:

  1. Start Process Monitor.
  2. When Process Monitor starts, click Agree to accept the software license terms.
  3. Process Monitor then opens and immediately starts capturing real-time file and registry access for every system process. To limit the settings to the process you are trying to troubleshoot (Explorer.exe in my example), click the Filter menu and select Filter.
  4. In the Process Monitor Filter dialog box, click the leftmost drop-down menu (see Figure 1) and select Process Name. Next, click on the third drop-down menu and select Explorer.exe. Finally, click the Add button.
  5. Click OK to close the Process Monitor Filter dialog. Now you will only see Explorer.exe's file and registry access displayed in the Process Monitor window.
  6. At this point, you're ready to repeat whatever task is generating the error. In my case, I just need to right-click on the desktop and move my mouse pointer to the New power menu option. Once the New menu populates, I can return to the Process Monitor window and examine the results. Note that you can stop the Process Monitor capture by clicking the File menu and then selecting Capture Events.
Figure 1. Adding a Process Monitor Filter in Process Monitor.

Of course, once you've located the configuration files, the next step is correcting the problem. If you believe that the problem is related to a captured registry value, try an Internet search of the registry value and see what comes back. Odds are that you will find detailed information on the value, including information on the correct data for the value in question. When a search returns little information, I then work to compare the configuration settings and files in question between the faulty system and a known good system. For resolving problems related to process or application configuration, I have been very successful using this approach.
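As an added example (not the column's own material), the PowerShell script below drives the same capture from the command line using Process Monitor's own switches (/AcceptEula, /BackingFile, /Terminate, /OpenLog, /SaveAs), applies the "Process Name is Explorer.exe" filter to the exported CSV, and, optionally, compares the resulting list of registry paths against a summary taken on a known-good system as the paragraph above suggests. The 15-second window, the working directory and the $Known summary file are assumptions.

```powershell
# Added example: automate the Process Monitor capture from the steps above and
# reduce the export to the distinct registry paths one process touched.
# Assumes Procmon.exe is on the PATH and the script runs from an elevated prompt.
param(
    [string]$ProcessName = 'Explorer.exe',
    [string]$Known       = '',          # optional: registry-summary.csv from a known-good machine
    [int]   $Seconds     = 15,          # time window in which you reproduce the problem
    [string]$Work        = "$env:TEMP\procmon-capture"
)
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$pml = Join-Path $Work 'trace.pml'
$csv = Join-Path $Work 'trace.csv'

# Steps 1-3: start capturing to a backing file with no EULA or filter prompts.
Start-Process procmon.exe -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Write-Host "Capturing for $Seconds s: reproduce the problem now (e.g. right-click, New)."
Start-Sleep -Seconds $Seconds
# Stop the running instance, then convert the .pml log to CSV so it can be parsed.
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
Start-Process procmon.exe -ArgumentList "/OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# Steps 4-5: the same per-process filter, applied to the export and narrowed to
# registry operations (RegOpenKey, RegQueryValue, ...). The Result column is the
# first thing to read: NAME NOT FOUND on a key the process expected is a common clue.
$events = Import-Csv $csv | Where-Object {
    $_.'Process Name' -ieq $ProcessName -and $_.Operation -like 'Reg*'
}
$summary = $events | Group-Object Path | ForEach-Object {
    [pscustomobject]@{
        Path    = $_.Name
        Hits    = $_.Count
        Results = ($_.Group.Result | Sort-Object -Unique) -join ','
    }
} | Sort-Object Hits -Descending
$summary | Export-Csv (Join-Path $Work 'registry-summary.csv') -NoTypeInformation
$summary | Select-Object -First 25 | Format-Table -AutoSize

# Optional: diff against the same summary produced on a known-good system.
# Paths present on only one side are the settings to inspect first.
if ($Known -and (Test-Path $Known)) {
    $good = Import-Csv $Known
    Compare-Object -ReferenceObject $good -DifferenceObject $summary -Property Path |
        ForEach-Object {
            $side = if ($_.SideIndicator -eq '<=') { 'known-good only' } else { 'faulty only' }
            '{0,-16} {1}' -f $side, $_.Path
        }
}
```

Run the script once on the faulty machine and once on a healthy one, then pass the healthy machine's registry-summary.csv as -Known on the faulty one to get the difference list.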

Tech Help -- Just An E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than the manuals provide? Describe your dilemma in an e-mail to the editors at [email protected]; the best questions get answered in this column and earn the questioner a nifty Redmond T-shirt.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

Process Monitor is great for locating the configuration files and settings that are related to a particular process and, in turn, identifying configuration settings and problems. But it has many more uses as well. What's your favorite use for Process Monitor? If you have time, please post your Process Monitor tips and tales as a comment to this article.

About the Author

Chris Wolf is a Microsoft MVP for Windows -- Virtual Machine and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress) and Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).
