The Ultimate Guide to Procmon: Everything You Need to Know

David Harrington
Last updated November 3, 2021

Knowledge is power when it comes to maintaining a proactive cybersecurity posture. Knowing what’s going on within your systems and monitoring networks for potential issues, hacks, or malware is critical to ensuring maximum uptime. And one of the best tools for doing so is the Microsoft Process Monitor application — also known as Procmon.

Procmon is an application that is fairly simple to install and use, and it provides insight into system activity. In this article, we’ll cover the basics of Procmon, what it does, and how to successfully install it. We’ll also show you how to run Procmon securely and answer some of the most frequently asked questions about Procmon to help get you started.

What is Procmon?


Procmon is a downloadable utility for Microsoft Windows OS that captures and displays system and network activity. This includes file system activity, registry key activity, network, and threat activities. Procmon also profiles processes and events so users can see precisely what’s going on in their systems and view the previous history of activities.

One of the biggest benefits of Procmon is that it doesn’t actually need to be downloaded and installed natively on your devices, machines, or networks, enhancing its portability. Procmon functions as a single executable application, meaning you simply open the Procmon .ZIP file from Microsoft and run it immediately.

The Procmon interface allows you to view and classify data and system activities by various filters such as date, time, and nature of the process.

What is it Used For?

On a more strategic cybersecurity level, Procmon is known for its ability to pinpoint things like rogue software installers making unknown changes to registry keys, or to trace the origins of malware or a virus that infected the system. Procmon’s main functionality is known as event capture, where system admins can view and monitor everything that’s happening, in addition to past event logs, to spot malware, viruses, and other forms of malicious activity.

Procmon functions in tandem with data alert tools to help trigger the right processes and responses should malware enter your system. It’s also similar to open source tools such as Process Hacker that are designed to detect and ferret out malware.

What’s Required to Use Procmon?


As Procmon is a Microsoft application, you’ll need to be running Windows as your primary operating system. All you really need is a Windows Vista or Windows Server 2008 or higher machine, which most businesses and organizations should be using by this point. As long as your Windows OS isn’t in the Stone Age, you’ve fulfilled the minimum requirements to use Procmon.

Running Procmon on Your Systems

As mentioned, one of the major benefits of Procmon is that you won’t have to directly install it natively on your machines. Obtaining Procmon and running it is a fairly straightforward process that can be accomplished in a few easy steps.

Step 1: Download the Procmon ZIP File

The first step is heading over to Microsoft’s Procmon documentation webpage and clicking the “Download Process Monitor” link to obtain the ZIP file. You can also review Procmon’s capabilities in further detail and view some screenshots of the application.

Step 2: Unpack the Script from the ZIP File

Next, you’ll want to extract the ZIP file with whatever extraction tool you typically use. Inside the folder, you’ll find a code snippet that you’ll use to create a Procmon folder within your home folder.

It’ll show up as the ~/ProcessMonitor folder with the following items inside:

  • Eula.txt – The license agreement you’ll have to accept before running Procmon.
  • procmon.chm – The help file which contains all of the provided documentation.
  • Procmon.exe – The main EXE that will launch the correct procmon instance (x86 or x64).
  • Procmon64.exe – The x64 procmon binary.
  • Procmon64a.exe – The alpha 64 procmon binary.

To run procmon, simply launch the main Procmon.exe command in PowerShell.

Step 3: Access Sysinternals Live Folder (Optional)

In the event you’d rather not download an .exe file, your other option is to access Procmon via the Sysinternals Live folder. All you need to do is open File Explorer and paste \\live.sysinternals.com\tools. That will take you directly to a folder containing all Sysinternals files, including Procmon. Simply scroll down, double click on Procmon, and the application will begin running.

Step 4: Customize Procmon Start Behavior

After you have Procmon up and running via either the main .exe script or Sysinternals, you’ll want to customize how Procmon looks and feels when it launches. You can do so by simply using the command line. For instance, if you want Procmon to launch in minimized format, simply launch it with the /Minimized switch.
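To make step 4 concrete, the following is an added example (not code from the original article) that checks the binary's signature, starts Procmon minimized with a log file on disk, captures for a fixed time, and exports the result. It assumes an elevated PowerShell session and the ~\ProcessMonitor folder from step 2; the output folder and the 60-second duration are arbitrary choices, and the switches other than /Minimized come from Procmon's own command-line help rather than from this page.

```powershell
# Added example: assumes Procmon.exe was extracted to ~\ProcessMonitor (step 2).
$procmon = Join-Path $HOME 'ProcessMonitor\Procmon.exe'
$logDir  = Join-Path $env:TEMP 'procmon-capture'   # hypothetical output folder
$pml     = Join-Path $logDir 'capture.pml'
$csv     = Join-Path $logDir 'capture.csv'

# Refuse to run a binary whose Authenticode signature is not valid and from Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $procmon
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signature on ${procmon}: $($sig.Status)"
}

New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Start minimized, accept the EULA without a dialog, skip the filter prompt,
# and write events to a backing file on disk.
$capture = Start-Process -FilePath $procmon -PassThru -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`""
)

# Capture for 60 seconds, then tell the running instance to stop and exit.
Start-Sleep -Seconds 60
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
$capture.WaitForExit()   # make sure the log is flushed before reading it

# Convert the native .pml log to CSV so it can be searched with other tools.
Start-Process -FilePath $procmon -Wait -ArgumentList @(
    '/AcceptEula', '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`""
)

# Summarize which processes set registry values most often during the capture.
Import-Csv -Path $csv |
    Where-Object { $_.Operation -eq 'RegSetValue' } |
    Group-Object -Property 'Process Name' |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name
```

The final pipeline relies on Procmon's default CSV columns (Process Name, Operation, Path, Result, Detail); if the column set has been customized, adjust the property names accordingly.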

Once you’ve completed those four steps, congratulations, you’re ready to begin using Procmon!

How to Ensure Secure Procmon Use


After you have Procmon up and running on your network, you’ll want to take a few basic steps to ensure you’re using the application safely. Since Procmon functions with administrator access and privileges, you should take basic security measures in terms of safeguarding admin passwords and security controls.

Physical Access Controls

The first step towards making sure that unauthorized users don’t gain access to your Procmon instance is to implement strong physical security controls. Administrator machines and terminals should be in areas where only authorized personnel can physically enter. Whether you use keycards, passcodes, or biometrics, putting physical controls in place will ensure that only administrators access and utilize Procmon on your networks.

Use AppLocker for PowerShell

Because Procmon runs via PowerShell, you’ll want to install Microsoft AppLocker as an extra protection measure. Before an app is run, PowerShell will invoke AppLocker to verify the script to make sure the user is authorized to modify file properties. Once AppLocker evaluates the script against user permissions, the application is then allowed to run.
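One way to restrict Procmon to administrators with AppLocker, shown as an added example rather than anything from the original article: it builds publisher rules from the extracted binaries and dry-runs them before anything is enforced. The folder is the one from step 2, and the policy file name is a hypothetical choice.

```powershell
# Added example: paths and file names below are assumptions for illustration.
$procmonDir = Join-Path $HOME 'ProcessMonitor'
$policyXml  = Join-Path $env:TEMP 'procmon-applocker.xml'   # hypothetical file name

# Read the publisher (signature) details of the extracted executables and build
# publisher rules that allow them only for members of the Administrators group.
Get-AppLockerFileInformation -Directory $procmonDir -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher -User 'BUILTIN\Administrators' `
        -RuleNamePrefix 'Procmon' -Optimize -Xml |
    Set-Content -Path $policyXml -Encoding UTF8

# Dry run against the generated policy only; nothing is enforced at this point.
$targets = @(
    (Join-Path $procmonDir 'Procmon.exe'),
    (Join-Path $env:WINDIR 'System32\notepad.exe')   # unrelated binary, for contrast
)
foreach ($user in 'BUILTIN\Administrators', 'Everyone') {
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $targets -User $user |
        Select-Object @{ Name = 'User'; Expression = { $user } },
                      FilePath, PolicyDecision
}

# AppLocker rules are only evaluated while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object -Property Name, Status, StartType
```

In the dry run, anything this policy does not explicitly allow, including the unrelated binary, comes back as DeniedByDefault. These rules should therefore only be merged into a policy that already carries baseline allow rules for the rest of the system.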

Strong Admin Password Protection

Finally, you want to ensure that all admin users and accounts that will be using Procmon have strong passwords. A tool like Microsoft LAPS, for example, can automatically scramble passwords on a periodic basis and ensure duplicates are never used. Whether or not you use a tool like LAPS, having a strong password policy in place for admins at the bare minimum can ensure secure, ongoing use of Procmon.

Microsoft Procmon FAQs

How do I access Procmon?

Microsoft Procmon can be accessed by downloading the script and running it through Windows PowerShell. Alternatively, you can access Procmon via the Sysinternals Live folder once you’ve downloaded and installed the script.

How do I install Procmon?

You can go to the Microsoft Procmon webpage and download a .ZIP folder containing the Procmon script. Once you’ve unzipped the folder, simply run the procmon.exe script in PowerShell. There is no need to natively install any software to use Procmon.

What does Procmon Do?

Microsoft Process Monitor logs and tracks all system events within your network so that system administrators can monitor overall network health and spot potentially malicious activity. All system processes — current and past — can be viewed in Procmon.

How much does Procmon Cost?

Nothing. Microsoft provides Procmon as a free tool to Windows admins via their website. As there is no native software to install, the Procmon script is a simple application for users to download, unzip, and install for free.

Closing Thoughts

Knowing what activity is taking place within a system or network is critical to identifying problems either on a proactive basis or in real-time. Using Procmon should be part of any comprehensive data security platform and approach. By combining Procmon with other malware analysis technology tools, you’ll be able to spot malicious actors as soon as possible and mitigate the damage they can cause.
