By Ryan Russell
Today I continue the coverage of Process Monitor (PM) that I started in my Jan. 17, 2008, column.
Last time, I just introduced the basics. This time, I cover more advanced uses and a “case study.”
Watch out, Process Monitor can crash Win 2000
Reader Richard Bellin brought a rather alarming problem with PM to my attention. The utility can potentially crash Windows 2000, instantly and thoroughly. This was news to me, as I’ve used the program on Win2K at least a couple of times. But even though I haven’t seen this behavior myself, he indicated that there’s a Sysinternals forum thread where several users have reported the same problem. So I believe it exists.
What isn’t completely clear is under what circumstances you might experience the problem, because not all users do. Furthermore, some users who have experienced the problem have been able to get it to stop by (1) disabling their antivirus software while using PM or (2) going back to PM version 1.0. Even after taking these steps, Windows 2000 users should exercise caution with this tool. Thanks to Richard for the warning.
If I had to guess, I’d say the problem is a conflict with some combinations of kernel drivers or other things that poke around in the kernel. Remember Microsoft indicating that it will lock some software out of the kernel in newer versions of Windows? One presumes that this kind of problem with PM is one of the reasons why.
At the time of this writing, the problem has been under discussion for several weeks, and it still isn’t out of the research phase for a possible fix.
How to monitor a busy Windows process
Launching PM, I tend to let it log Windows activity for a period of time. I then glance through the events the utility has picked up.