Using Process Monitor

Get and extract Process Monitor from Microsoft:

Run procmon.exe and immediately stop procmon capturing events (Ctrl-E). Sometimes you’ll need to give procmon some time to startup as it hooks itself into system calls and starts capturing events.

Press Ctrl-L or select Filter->Filter… from the main menu to setup a new filter. From the dropdown list on the left (which starts architecture) select “Process Name”, leave the next dropdown selected as “is” and then type the process you’re interested in analysing in the combo box next to it, for example gimp-2.8.exe, kicad.exe or pcbnew.exe, etc.

Click the Add button to add the filter to the list and then click OK to confirm and close the filter dialog.

The filter will be applied to the current set of events in the list. Clear the log (Ctrl-X) and start capturing again (Ctrl-E).

Start the process you just added the filter for. The event list will be populated by entries specific to the process you’re interested in.

Perform any activity on the process you are interested in to duplicate a bug and then stop capturing events again in process monitor (Ctrl-E)

Save the events to file (Ctrl-S). Generally make sure you save “Events displayed using current filter” and “Extensible Markup Language (XML)” because these are the options that allow to further work with the data once it’s saved. You generally don’t have to include stack traces, but it depends what you’re trying to fix or glean from the data.


Process monitor is great for checking dependency loading to see where dependencies are being resolved from and what search order Windows is using. Sometimes it will surprise you what search path Windows uses to find dependencies!!

It’s particularly useful at finding out what python modules are being searched for and where too.




Leave a Reply