As seen below, you can select from several event attributes combined with attribute values to be included or excluded. Note that filters can be saved, loaded, or changed using options that appear under ProcMon’s Filter menu item.
To capture all Explorer activity, select the event attribute “Process Name” and the comparison operator “is”, enter the attribute value “Explorer.exe”, and then choose “Include”. Select “Add” to add this filter to the list.
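The same attribute / operator / value / Include-or-Exclude rule can be replayed offline against a trace saved as CSV. The sketch below is an added example, not part of ProcMon or of the original page. It assumes the default export columns, case-insensitive matching, that Exclude rules win over Include rules, and that Include rules on the same attribute are OR'd while different attributes are AND'd; the sample rows and all function names are constructed for illustration.

```python
import csv
import io

# Constructed sample shaped like a ProcMon CSV export (default columns assumed).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","Explorer.EXE","4012","RegOpenKey","HKCU\\Software\\Classes","SUCCESS",""
"10:01:02.0000002","svchost.exe","900","ReadFile","C:\\Windows\\System32\\config\\SOFTWARE","SUCCESS",""
"10:01:02.0000003","explorer.exe","4012","CreateFile","C:\\Users\\demo\\Desktop","SUCCESS",""
"10:01:02.0000004","explorer.exe","4012","RegQueryValue","HKCU\\Software\\Demo\\Missing","NAME NOT FOUND",""
'''

# Comparison operators, applied to lower-cased strings (assumed case-insensitive).
OPERATORS = {
    "is": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
    "begins with": lambda field, value: field.startswith(value),
    "ends with": lambda field, value: field.endswith(value),
}

def load_events(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def matches(event, rule):
    """rule = (attribute, operator, value, action)."""
    column, op, value, _action = rule
    return OPERATORS[op](event.get(column, "").lower(), value.lower())

def apply_filters(events, rules):
    """Drop events hit by any Exclude rule; keep those satisfying every
    attribute that has at least one Include rule."""
    includes = [r for r in rules if r[3] == "Include"]
    excludes = [r for r in rules if r[3] == "Exclude"]
    include_columns = {r[0] for r in includes}
    kept = []
    for event in events:
        if any(matches(event, r) for r in excludes):
            continue
        if all(any(matches(event, r) for r in includes if r[0] == col)
               for col in include_columns):
            kept.append(event)
    return kept

# The filter built in the text: Process Name is Explorer.exe, Include.
EXPLORER_ONLY = [("Process Name", "is", "Explorer.exe", "Include")]

if __name__ == "__main__":
    for e in apply_filters(load_events(SAMPLE_CSV), EXPLORER_ONLY):
        print(e["Time of Day"], e["Operation"], e["Path"], e["Result"])
```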