Process Monitor (a.k.a. Procmon) is a free Microsoft utility as a part of their Sysinternal Suite, created by the famous Mark Russinovich. The suite has a large amount of incredibly useful tools for Microsoft IT Pros and Developers, but can be overwhelming to start with and look at.
Procmon is a great one to start with, as it’s useful in a huge amount of troubleshooting scenarios and isn’t hard to use. It shows a real-time live feed of what’s being read and written on your computer for files, the registry, network, and processes/threads. This means you can do something like such as toggle an option in a program, then go through the logs to work out how that program is actually saving the setting. Usually a standard Win32/64 app will be writing to the registry (but not always!) when a setting is changed, but finding the exact setting can be a tricky process.
Let’s have a look at how to use Procmon to see where a Windows 10 setting is being saved.
- Run Procmon. If you’re on Windows 10 you should already have this under Windows\System32 and can find it by just typing ‘procmon’ in the Start menu, otherwise download it from Microsoft.
- Learn which buttons To Press. When you first load it, there’ll be a list of buttons that are worth learning:The important ones to start with here are the third button – Capture (the magnifying glass), which starts/stops monitoring (it’ll have the cross over it when stopped),and the fifth button (paper with eraser) which is clear, to wipe the logs and start again. Stop capturing if it’s running and clear anything on screen.
- Get your option ready. We want the least amount of logs possible, so get whatever option you want to capture ready. You’ll want to quickly go and change the option between starting and stopping logging. For me, I’m going to turn off informational notifications for Windows Defender:
- Start logging, make change, stop logging. Pretty straight forward here, click the Capture button in Procmon, do your setting change and click the Capture button again. You’ll end up with a huge list of events to filter through.
- Find your needle in the haystack. This is where Procmon shines. It can be overwhelming to see a huge amount of events in Procmon, but narrowing down the events can help. If you see a process name that would have nothing to do with your setting Like Explorer.EXE, you can right click on one of those processes and choose ‘Exclude Explorer.EXE’. This will hide all those events. You can also choose to only show registry entries rather than all entires captured. The last 5 buttons in the interface are toggles for registry, files, network, process/thread and profiling. Since it’s probably registry, you can click the other 4 options and turn them off.You can also hide certain Operation types. You’ll see this in the default column view/ For the registry, there’s values such as RegQueryKey and RegQueryValue – you can hide all of those too, since we’re looking for a registry key value being set. Once you get more comfortable with using Procmon, you can instead choose the Operation ‘SetRegValue’ and Include it rather than Exclude, and it’ll only show those types of records.There’s also of course a standard search function, so you could also search for the word ‘Defender’ in this example. Once you think you’ve found a record that might be what you’re looking for, you can double click it to see exactly what it did:
Thankfully this one is named rather clearly based on the setting we’re checking. It’s also saying that the Data is 1, which is the value the registry value was set to. You can double check this via RegEdit and see for yourself.
- Test the setting. Now that we’ve found a setting that changed during the capture that appears to be correct, we can change it and see if it actually toggles the option back and forth. Most registry settings for an on or off value are 1 or 0 respectively. Because it’s a ‘DisableEnhancedNotifications’ setting being set to 1, that means we’re turning on a setting that’s turning off an option – sometimes that can get confusing. In this case, changing the value and going back into Windows Defender settings does appear to toggle the option, so this looks like the right setting for what we wanted!
Once you’ve done this a couple of times, it gets easier and more familiar to use. If you’re trying to dig out a setting (which is especially useful if you want to script/deploy certain settings as part of a SOE), play with Procmon. It’s not always as easy as the above example, but more often than not it’s not that difficult to find what you’re after.