top of page

Using Process Monitor (procmon) to Analyze Windows File Share Access

I listen to Tim, Tony, Chris et al talking on LMTV about networking and I realise how little I know about real networking; you know that layers 1 to 3 stuff. I'm a layer 4 to 7 type of guy, and so I'm always going to push the boundaries on this forum. Have I gone too far this time? Let's see.

I saw a post on another forum this week from a guy who had a particular problem with files on a Windows server. A user deleted a file, but when he came back in the following day it had reappeared. So he deleted it again and blow me if it didn't pop back up the next day.

In this short video we take a look at using the excellent and free Microsoft Process Monitor to investigate the problem and analyze access to a network share.

A few additional considerations if you're going to try this:

  • Test the procedure during a change management slot as usual

  • If you are going to run the capture for a long period, change the procmon Backing Files setting to point to a local directory or a share rather than to pagefile.sys

I also forgot to mention something in the video. You'll see that I refer to file operations performed by the System process. If you double-click on one of these and click on the Stack tab you'll see something like this.

Note the references to srv2.sys. This is the file server code running as a software driver in the kernel.

So that's it. See if you can spot the mention of the word "network" in the video - it'll make it all worthwhile.

Best regards....Paul (skating on the very edge of LMT)

bottom of page