Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity. It combines and enhances the functionality of two legacy tools: FileMon and RegMon.
Although procmon captures a lot of data, it doesn’t capture everything. For example, it can miss the device driver activity of a user-mode component talking to a rootkit via device I/O controls, as well as certain GUI calls, such as
Although procmon can be a useful tool, it usually should not be used for logging network activity, because it does not work consistently across Microsoft Windows versions.
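As an added example (not from the chapter and not Sysinternals code), the following Python script reads a Procmon CSV export and sorts the events into the registry, file system, process and network classes the text lists, pulls out the state-changing operations an analyst usually reviews first, and lists operations that failed. The column layout ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and the operation names are assumptions based on procmon's default "Save as CSV" output, and the log lines themselves are constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample, shaped like a Procmon "Save as CSV" export. The column
# layout and operation names are assumptions about procmon's default export,
# not something taken from the chapter.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","sample.exe","4120","Process Create","C:\\lab\\sample.exe","SUCCESS","PID: 4120, Command line: sample.exe"
"10:01:02.2000000 AM","sample.exe","4120","CreateFile","C:\\lab\\out\\upd.dll","SUCCESS","Desired Access: Generic Write"
"10:01:02.2100000 AM","sample.exe","4120","WriteFile","C:\\lab\\out\\upd.dll","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3000000 AM","sample.exe","4120","RegSetValue","HKCU\\Software\\Example\\Setting","SUCCESS","Type: REG_SZ, Data: C:\\lab\\out\\upd.dll"
"10:01:02.3500000 AM","sample.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.4000000 AM","sample.exe","4120","TCP Connect","lab-pc:49812 -> 198.51.100.7:443","SUCCESS","Length: 0"
"10:01:02.5000000 AM","sample.exe","4120","Thread Create","","SUCCESS","Thread ID: 4128"
"10:01:02.6000000 AM","sample.exe","4120","CreateFile","C:\\lab\\config.ini","NAME NOT FOUND","Desired Access: Read"
"""

# Operations that change system state; these are the ones an analyst usually
# wants to see first when reviewing what a sample did.
MODIFYING_OPS = {
    "RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue",
    "WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile",
    "Process Create",
}


def parse_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(operation):
    """Map an Operation value to one of procmon's event classes."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "process"
    # CreateFile, ReadFile, WriteFile, *InformationFile, QueryDirectory and
    # DeviceIoControl are all shown under the file system class.
    if "File" in operation or operation in ("QueryDirectory", "DeviceIoControl"):
        return "filesystem"
    return "other"


def summarize(events):
    """Count events per class; returns a Counter keyed by class name."""
    return Counter(classify(e["Operation"]) for e in events)


def modifying_events(events):
    """Return successful state-changing events as (operation, path) tuples."""
    return [(e["Operation"], e["Path"]) for e in events
            if e["Operation"] in MODIFYING_OPS and e["Result"] == "SUCCESS"]


def failed_events(events):
    """Return events whose Result is not SUCCESS (NAME NOT FOUND, ACCESS DENIED, ...)."""
    return [(e["Operation"], e["Path"], e["Result"])
            for e in events if e["Result"] != "SUCCESS"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    counts = summarize(evs)
    for cls, n in sorted(counts.items()):
        print(f"{cls:<11}{n}")
    if counts["network"]:
        # Per the text above, procmon's network logging is not consistent
        # across Windows versions, so treat these counts as orientation only.
        print("note: network events are indicative only; confirm with a dedicated capture")
    print("state-changing events:")
    for op, path in modifying_events(evs):
        print(f"  {op:<30}{path}")
    print("failed operations:")
    for op, path, result in failed_events(evs):
        print(f"  {op:<30}{path}  [{result}]")
```

On the constructed sample this reports 2 registry, 3 file system, 2 process and 1 network event, lists the process creation, the DLL write and the registry value write as state-changing, and lists the missing config.ini as the only failed operation. Failed lookups are worth keeping in view: a sample that probes for files or keys that do not exist often reveals what it expects to find on the victim system.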
Throughout this chapter, we will use ...