Executing Process Monitor requires local Administrative group membership. When you launch Process Monitor it immediately starts monitoring three classes of operation: file system, Registry and process.
File System
Process Monitor displays file system activity for all Windows file
systems, including local storage and remote file systems. Process Monitor
automatically detects the arrival of new file system devices and monitors
them. All file system paths are displayed relative to the user session
in which a file system operation executes. For example, if user A has
mounted a share as drive letter Z:, any accesses they make to that share
will display in Process Monitor as being relative to drive Z:.
To remove file system operations from the display de-select the file
system push-button in the Process Monitor toolbar and to add back file
system operations depress the button.
Registry
Process Monitor logs all Registry operations and displays Registry
paths using conventional abbreviations for Registry root keys (e.g. HKEY_LOCAL_MACHINE
is represented as HKLM).
To remove Registry operations from the display de-select the Registry
push-button in the Process Monitor toolbar and to add back Registry operations
depress the button.
Process
In its process/thread monitoring subsystem Process Monitor tracks all
process and thread creation and exit operations as well as DLL and device
driver load operations.
To remove Process operations from the display de-select the process
push-button in the Process Monitor toolbar and to add back process operations
depress the button.
Profiling
This event class can be enabled from the Options menu. When active,
Process Monitor scans all the active threads in the system and generates
a profiling even for each one that records the kernel and user CPU time
consumed, as well as the number of context switches executed, by the thread
since its previous profiling event.
There are a number of basic options that control basic Process Monitor operation:
Capture: Use the Capture Events menu item in the File menu, capture toolbar button or Ctrl+E hotkey to toggle Process Monitor's monitoring.
Autoscroll: Select Autoscroll entry in the Edit menu, the autoscroll toolbar button or Ctrl+A hotkey to toggle Process Monitor's autoscroll behavior, which causes it to ensure that the most recent operation is visible in the display.
Clear: To clear the display of all items choose Clear Display from the Edit menu or use the Ctrl+X hotkey.