A: In July 2006, Microsoft acquired a small, successful software company called Winternals. Even more important, Microsoft kept that company’s talent, retaining Winternals’s founders, Mark Russinovich and Bryce Cogswell, as Microsoft developers. Winternals’s former website, Sysinternals, and the related product line are now part of Microsoft’s TechNet resources. Microsoft revamped and consolidated the former Winternals tools and continues to offer them for free, either individually or as part of the Sysinternals Suite (http://technet.microsoft.com/en-us/sysinternals/bb842062). One of the most useful Windows Sysinternals tools is Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645).

Process Monitor returns real-time information about processes running on your Windows workstation or server. Process Monitor also captures computer processes’ registry access. A formerly independent Sysinternals tool called Registry Monitor (regmon.exe) was integrated into Process Monitor, making Process Monitor ideal for identifying a variety of activities, including what applications are accessing the registry and whether an unwanted process is operating on a machine. I use Process Monitor a lot, including with Microsoft Outlook. Process Monitor helps uncover actions that Outlook takes while it’s running.

Many of the settings in Outlook reside directly in the Windows registry. When it starts up, Outlook accesses the registry for configuration information. For many settings, especially those that affect Outlook as a whole (e.g., profile changes and enabling or disabling add-ons) and that aren’t expected to change frequently, Outlook doesn’t register those changes while it’s running. Outlook won’t incorporate those settings until the next time it starts. Of course, this is why you must restart Outlook for certain changes to take effect.

Process Monitor doesn’t need to be installed on your workstation; it runs as the standalone executable procmon.exe. You need administrative rights to run Process Monitor; if Windows User Account Control (UAC) is enabled, it will ask you to confirm that you want to run the application.

When it launches, Process Monitor starts collecting data by default, without intervention. Process Monitor captures a lot of information and displays much of it with the default configuration. Figure 1 shows an activity capture on a workstation running Outlook 2010.

135859 Figure 1

Figure 1: Process Monitor activity capture


The Time of Day and Process Name columns show the “what and when” information for each process activity. The rest of the columns describe what the processes are doing. (Of course, you can also see which processes are running on your workstation by selecting the Processes tab in Task Manager.) Process Monitor has many more columns that aren’t included in the default view, as well as filters that can be applied to isolate the type of output that can help you troubleshoot problems. Process Monitor’s default automatic capturing can be toggled on or off: Select Capture Events from the File menu, or press Ctrl+E. Alternatively, you can use the capture button that Figure 2 shows.

135859 Figure 2

Figure 2: Toggling Process Monitor’s logging on or off

A capture contains a lot of superfluous information if you’re just looking for a specific attribute of a process. In less than a minute, my sample captures returned more than 350,000 activities on an active workstation. If you’re trying to determine which registry keys Outlook is accessing, for example, you can apply filters to present a more specific view. Filters can be very granular. The first filter to apply might expose only the Outlook.exe process in Process Monitor, as Figure 3 shows.

135859 Figure 3

Figure 3: Applying Process Monitor filters


You can access this filter by selecting Filter from the Filter menu. In this example, I included only processes for Outlook.exe. Additional filters can be applied to present specific operations. You can isolate several different registry access operations, such as loading keys, enumerating keys, changing keys, and creating keys. Figure 4 shows a list of the registry-specific operations in the filter interface.

135859 Figure 4

Figure 4: Registry-specific filters


Filtering Process Monitor’s output to include only activities for the process Outlook.exe and the operation RegCreateKey returns about 2,000 events out of more than 350,000, as Figure 5 shows.

 

135859 Figure 5

Figure 5: Process Monitor filtered output

Outlook reads a lot of properties from the registry—even more so if add-ons are installed and running within the Outlook.exe process. You can confirm that Outlook is successfully accessing those registry settings, and you can verify that Outlook profile data is being read from the registry. If permission issues in the registry are preventing access where it’s needed, the Results column will show ACCESS DENIED.

You might never need to use Process Monitor to troubleshoot Outlook—and in fact, the tool might provide too much information for your purposes. Rather than troubleshoot every detail of an Outlook problem, an administrator might just re-create the Outlook profile. This solution can be much easier in some cases. But if you want to see what the Outlook.exe process is doing, especially if you have add-ons installed, Process Monitor is a great tool.