Sysinternals/Process-monitor-procmon
Description
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Installation
- Download it at: http://download.sysinternals.com/files/ProcessMonitor.zip
- Uncompress
Usage
Capture
- To stop or begin a capture, go to File > Capture Events.
- Before you analyze a malware, clear current events (Edit > Clear Display).
- After a few minutes, stop the capture (File > Capture Events)
Filter
You could find that there are too many entries; this is where filters could be useful.
To create a new filter, go to Filter > Filter...
These filters will be particularly usefull to analyze malware behaviors:
- CreateFile
- WriteFile
- RegSetValue
Display
