from: Windows Sysinternals
Real-time display of all local file and registry activity, some network activity, by process
Filter on any element of captured activity, e.g. by process, file path, registry key name
Save any captured output
Combination of previous tools File Monitor and Registry Monitor
How to use Process Monitor
You can activate the following traces:
Registry: Logs all Registry operations and displays Registry paths using conventional abbreviations for Registry root keys (e.g. HKEY_LOCAL_MACHINE is represented as HKLM).
File system: Displays file system activity for all Windows file systems, including local storage and remote file systems.
Process: Tracks all process and thread creation and exit operations as well as DLL and device driver load operations.
Network: Traces and records TCP and UDP activity using Event Tracing for Windows (ETW). Each network operation includes the source and destination addresses, as well as the amount of data sent or received, but does not include the actual data.
Profiling: Scans all the active threads in the system and generates a profiling event for each one that records the kernel and user CPU time consumed, as well as the number of context switches executed, by the thread since its previous profiling event. Note: the System process is not included in profiling.
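
The following is an added example, not part of the original page or of any Sysinternals code: it takes saved output in CSV form, tags each event with one of the five trace types listed above, and applies the same kind of process/path filter offline. The column headers and operation names are assumptions about the export format, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample rows; the header names are assumed to match a default CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","setup.exe","4120","RegSetValue","HKLM\SOFTWARE\Example\Config","SUCCESS","Type: REG_SZ"
"10:01:02.0000105","setup.exe","4120","CreateFile","C:\Temp\example.log","SUCCESS","Desired Access: Generic Write"
"10:01:02.0000310","setup.exe","4120","TCP Send","host-a:49200 -> host-b:443","SUCCESS","Length: 517"
"10:01:02.0000422","setup.exe","4120","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:03.0000007","notepad.exe","5000","RegQueryValue","HKLM\SOFTWARE\Example\Config","NAME NOT FOUND",""
"10:01:03.0000650","notepad.exe","5000","Thread Profiling","","SUCCESS","Context Switches: 12"
'''

# Assumed operation names for the Process trace type.
PROCESS_OPS = {"Process Create", "Process Start", "Process Exit",
               "Thread Create", "Thread Exit", "Load Image"}

def event_class(operation):
    """Map an Operation value onto one of the five trace types listed above."""
    if operation.endswith("Profiling"):   # checked first: "Process Profiling" is not a Process event
        return "Profiling"
    if operation.startswith("Reg"):
        return "Registry"
    if operation.startswith(("TCP ", "UDP ")):
        return "Network"
    if operation in PROCESS_OPS:
        return "Process"
    return "File system"                  # assumption: anything else is file-system I/O

def load_events(text):
    """Parse exported CSV text and tag each row with its trace type."""
    rows = list(csv.DictReader(io.StringIO(text.lstrip("\ufeff"))))  # tolerate a UTF-8 BOM
    for row in rows:
        row["Class"] = event_class(row["Operation"])
    return rows

def filter_events(rows, process=None, event_cls=None, path_contains=None):
    """Offline equivalent of filtering by process, trace type and path substring."""
    def keep(r):
        return ((process is None or r["Process Name"].lower() == process.lower())
                and (event_cls is None or r["Class"] == event_cls)
                and (path_contains is None or path_contains.lower() in r["Path"].lower()))
    return [r for r in rows if keep(r)]

def summarize(rows):
    """Count events per (process, trace type) to see what each process touched."""
    return Counter((r["Process Name"], r["Class"]) for r in rows)

if __name__ == "__main__":
    for key, count in sorted(summarize(load_events(SAMPLE_CSV)).items()):
        print(key, count)
```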
Requirements / Dependencies
Windows XP, SP2 and higher.
Windows Server 2003, SP1 and higher.