Author: pinscomputer
Subject: not understanding process monitor filters or bug?
Posted: 14 March 2014 at 8:21pm
Edited by pinscomputer - 6 hours 31 minutes ago at 8:29pm
I am a novice user of Process Monitor. Have seen several of the cases of unexplained videos produced by Mark R. and guess I have been looking for a reason to try the tools.
The other day, I noticed that when I plug an SD card into my computer, I heard the normal default Windows sound for "Device Connect". Then I also heard the default Windows sound for "device failed to connect".
EDIT.. just for clarity, even though the "device failed to connect" sound occurs, there is still full read/write access to the SD card...
So I thought I would try and look with Process Monitor to see if anything was immediately detectable.
I had previously downloaded Process Monitor version 3.05. However, when I encountered the problem I am about to describe, I downloaded the latest version 3.10 and repeated the same filter/test, getting the same questionable results.
Some background:
1. When I insert an SD card, my PC sets the drive letter to "e:"
2. The default Windows wave file that is played for "device failed to connect" is "windows hardware fail".wav (which is located in the 'c:\windows\media' directory)
3. The default Windows wave file that is played for "device disconnect" is "windows hardware remove".wav
EDIT 4. Windows 7 computer & process explorer is run in "administrator" mode
Initially, ZERO filters were set. The card was inserted, device connect sound, device failed sound was heard and then the SD card was removed, which was followed by the device disconnect sound.
"tools", "count occurrences" was selected then "column: result" was selected.
In this summary I noticed a substantial number of "fast IO disallowed" occurrences.
So this occurrence was double-clicked to create a filter.
Then to narrow things down a little more, I tried to manually set a couple of additional filters.
I'd like to put a screen shot of the filter window; however, the system will not allow JPEG images greater than 10K......
So here are the filters in text form:
a. Result contains FAST IO DISALLOWED Include
b. Path is e: Include
c. Path contains windows hardware failure Include
d. Path contains windows hardware remove Include
Here's the problem....
When all 4 filters are enabled, Process Monitor only shows 27 events... NONE OF WHICH include the "windows hardware failure" OR "windows hardware remove" events.
If I uncheck the FAST IO DISALLOWED filter, there are 119 events produced INCLUDING the "windows hardware failure" AND "windows hardware remove" events.
I thought when multiple filters are specified, they create a logical OR function. In other words, the filters should show ALL the events specified by each individual filter.
Should the filters produce an OR function and is this a user error or is this possibly a bug in process monitor?
It would be MUCH easier to show screen shots of process explorer output if someone can describe how to insert JPEG screen captures greater than 10K bytes.
Thanks....
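A small model of how Process Monitor combines Include filters, added here as an illustration and not part of the original post: Include filters on the same column are ORed together, and the per-column results are then ANDed. The events are constructed, the function names are hypothetical, and filter c is shortened to "windows hardware fail" so that it matches the .wav file name given in background item 2.

```python
from collections import defaultdict

# Constructed sample events (not captured Process Monitor output).
EVENTS = [
    {"Path": "E:", "Result": "FAST IO DISALLOWED"},
    {"Path": "E:", "Result": "SUCCESS"},
    {"Path": r"C:\Windows\Media\Windows Hardware Fail.wav", "Result": "SUCCESS"},
    {"Path": r"C:\Windows\Media\Windows Hardware Remove.wav", "Result": "SUCCESS"},
    {"Path": r"C:\Windows\System32\ntdll.dll", "Result": "FAST IO DISALLOWED"},
]

# The four Include filters from the post as (column, relation, value).
FILTERS = [
    ("Result", "contains", "fast io disallowed"),
    ("Path", "is", "e:"),
    ("Path", "contains", "windows hardware fail"),
    ("Path", "contains", "windows hardware remove"),
]

def matches(event, column, relation, value):
    """Evaluate one filter; case-insensitive matching is assumed here."""
    field = event[column].lower()
    value = value.lower()
    return field == value if relation == "is" else value in field

def visible(event, filters):
    """Same-column filters are ORed; the per-column results are ANDed."""
    by_column = defaultdict(list)
    for column, relation, value in filters:
        by_column[column].append(matches(event, column, relation, value))
    return all(any(hits) for hits in by_column.values())

def visible_if_all_ored(event, filters):
    """The behaviour the post expected: any single filter admits the event."""
    return any(matches(event, *f) for f in filters)

def show(events, filters, rule=visible):
    """Return the paths of the events a given rule would display."""
    return [e["Path"] for e in events if rule(e, filters)]

if __name__ == "__main__":
    print("all four filters:     ", show(EVENTS, FILTERS))
    print("Result filter removed:", show(EVENTS, FILTERS[1:]))
    print("if everything were OR:", show(EVENTS, FILTERS, visible_if_all_ored))
```

With the Result filter active, an event must satisfy it and one of the three Path filters, so the .wav reads (which complete with a different result in this sample) drop out; removing the Result filter leaves only the ORed Path filters.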