Author: Rick235
Subject: I used Process Monitor to troubleshoot Procmon
Posted: 07 December 2013 at 12:37am
Here is what happened: I downloaded the latest version of
Procmon.exe but it would not load on my XP3 machine. Kept
getting the following error message:
"Procmon was unable to allocate sufficient memory to run.
Try increasing the size of your page file."
Increasing the size of page file did nothing. I then took a trace
using my old version of process monitor but was not able to figure
out anything because I am a newbie. Here are the six events that
contained PM:
svchost.exe 1292 QueryOpen C:\Program Files\Process_Monitor_New\Procmon.exe SUCCESS CreationTime: 12/4/2013 6:55:55 PM, LastAccessTime: 12/5/2013 1:22:13 AM, LastWriteTime: 5/31/2013 3:54:54 PM, ChangeTime: 12/5/2013 1:22:13 AM, AllocationSize: 2,490,368, EndOfFile: 2,489,024, FileAttributes: A 5101 1:22:15.2936211 AM
svchost.exe 1292 CreateFile C:\Program Files\Process_Monitor_New\Procmon.exe SUCCESS Desired Access: Read EA, Read Attributes, Read Control, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened 5102 1:22:15.2936745 AM
svchost.exe 1292 QueryNameInformationFile C:\Program Files\Process_Monitor_New\Procmon.exe SUCCESS Name: \Program Files\Process_Monitor_New\Procmon.exe 5103 1:22:15.2936930 AM
svchost.exe 1292 QueryNameInformationFile C:\Program Files\Process_Monitor_New\Procmon.exe SUCCESS Name: \Program Files\Process_Monitor_New\Procmon.exe 5104 1:22:15.2937001 AM
svchost.exe 1292 QueryFileInternalInformationFile C:\Program Files\Process_Monitor_New\Procmon.exe SUCCESS IndexNumber: 0x7700000000b91e 5105 1:22:15.2937082 AM
svchost.exe 1292 CloseFile C:\Program Files\Process_Monitor_New\Procmon.exe SUCCESS 5106 1:22:15.2937152 AM
I then started my machine in diagnostic mode and the new procmon.exe
loaded fine. I had a gut feeling that my Zone Alarm software might be
the problem but there is no way to turn it off. Autoruns and Task
Manager would not turn it off. So, I uninstalled ZA even though I have
had it for a few years and always liked it. That solved the problem!
I then installed the latest free version of ZA which was a pain. And
now, after a few adjustments, all is working well. :) It did increase
the boot time and shutoff time by 20s.
Why did I suspect ZA? Because a week earlier, I was having a problem
logging in to my box. I would enter my windows password and then, after
about 10 or 20 seconds, would get the BSOD. So, I used the boot logging
feature of Procmon and took a trace. Even though I know very little about
how to read them, I noticed that out of the 1.7 million events, approximately one million of them were about ZA. So, I messed around
with ZA trying to turn off parts of it. I don't know what I did but it worked. Problem solved. No more BSOD.
That is when I decided to get a new version of PM since my version was
two years old. Fortunately, I did not delete the old working one.
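Added example, not part of the post above: a small Python script that does by hand what the poster did in the Procmon GUI, namely pull every event whose path mentions Procmon.exe and count which process dominates a trace (the "one million of 1.7 million events were about ZA" observation). It reads the CSV format Procmon writes from File > Save; the rows below are constructed, and `zaservice.exe` is a hypothetical stand-in for the firewall's service process, not a real file name from the post.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout of a Procmon CSV export
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
# The first three rows mirror the events in the post; the zaservice.exe
# rows are made up to stand in for a noisy third-party filter driver/service.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:22:15.2936211 AM","svchost.exe","1292","QueryOpen","C:\Program Files\Process_Monitor_New\Procmon.exe","SUCCESS","CreationTime: 12/4/2013 6:55:55 PM"
"1:22:15.2936745 AM","svchost.exe","1292","CreateFile","C:\Program Files\Process_Monitor_New\Procmon.exe","SUCCESS","Desired Access: Read EA, Read Attributes"
"1:22:15.2937152 AM","svchost.exe","1292","CloseFile","C:\Program Files\Process_Monitor_New\Procmon.exe","SUCCESS",""
"1:22:16.0000000 AM","zaservice.exe","1480","RegQueryValue","HKLM\SOFTWARE\Placeholder\Firewall","SUCCESS","Type: REG_SZ"
"1:22:16.0000100 AM","zaservice.exe","1480","RegQueryValue","HKLM\SOFTWARE\Placeholder\Firewall","SUCCESS","Type: REG_SZ"
"1:22:16.0000200 AM","zaservice.exe","1480","ReadFile","C:\WINDOWS\system32\placeholder.sys","SUCCESS","Offset: 0, Length: 4,096"
"1:22:16.0000300 AM","zaservice.exe","1480","ReadFile","C:\WINDOWS\system32\placeholder.sys","SUCCESS","Offset: 4,096, Length: 4,096"
"1:22:17.0000000 AM","explorer.exe","1604","CreateFile","C:\Documents and Settings\user\Desktop","SUCCESS","Desired Access: Read Data"
'''


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def events_touching(rows, needle):
    """Events whose Path contains needle (case-insensitive): the manual
    'find everything that mentions Procmon.exe' search from the post."""
    needle = needle.lower()
    return [r for r in rows if needle in r["Path"].lower()]


def event_share_by_process(rows):
    """Per-process event counts as (name, count, share_of_total), busiest
    first. One process owning most of a trace is the first lead to chase."""
    counts = Counter(r["Process Name"] for r in rows)
    total = sum(counts.values())
    return [(name, n, n / total) for name, n in counts.most_common()]


def operations_on(rows, needle):
    """(process, operation) pairs seen against the matching path, with counts,
    so you can see who opened/read/closed the file and how often."""
    return Counter((r["Process Name"], r["Operation"]) for r in events_touching(rows, needle))


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for name, n, share in event_share_by_process(rows):
        print(f"{name:16} {n:4} events  {share:6.1%}")
    for (proc, op), n in operations_on(rows, "procmon.exe").items():
        print(f"{proc} {op}: {n}")
```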