Process Monitor works by inserting a filter into the “stack” of file system filters on the system. The stack can be thought of as a list of filters that are ordered by a numerical value referred to as an “altitude.” File system filters are called in order of their altitude, from the highest filter (the one with the numerically highest altitude value) to the lowest, whenever an Application asks for a file system operation to be performed. FESF (which has an altitude of 144700) can generally be thought of as sitting at a middle altitude, between the very top and the very bottom of the stack.
The relative location of the Process Monitor filter in the stack controls what information ProcMon records. If Process Monitor is “above” FESF (that is, if Process Monitor is assigned a numerically higher altitude than FESF) then Process Monitor records those requests that the Application sends to FESF. If Process Monitor is “below” FESF then Process Monitor records those requests which FESF sends to the file system.
It is typically useful for the OSR engineering team to analyze both the requests that are sent to FESF and the requests that FESF sends to the file system, so getting a log of the activity with Process Monitor above and below FESF will be most helpful. The default altitude of Process Monitor is 385200 and FESF has an altitude of 144700, so by default Process Monitor is above FESF.
Once you have captured the activity with Process Monitor above FESF, it may be necessary to capture the activity with Process Monitor below FESF, which will require that you change ProcMon’s altitude. Please note that in earlier versions of ProcMon the revised altitude is reverted after a system reboot. If you experience this issue, see Modifying Permissions on ProcMon\Instances to learn about changing the permissions on the ProcMon\Instances registry key to ensure your revised altitude is not lost.
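Before each capture it helps to confirm which side of FESF Process Monitor is actually on. The PowerShell below is an added example, not part of the original page or of OSR's tooling: it parses text shaped like `fltmc filters` output and reports ProcMon's position relative to altitude 144700. The sample listing and its `Example*` filter names are constructed, and matching the ProcMon driver by a name beginning with `PROCMON` is an assumption.

```powershell
# Constructed sample shaped like `fltmc filters` output (not from a real system).
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
PROCMON24                               3        385200         0
ExampleTopFilter                        5        320000         0
ExampleFesfFilter                       3        144700         0
ExampleLowFilter                        5         40000         0
'@ -split "`r?`n"

function Get-ProcMonPosition {
    param(
        [string[]]$FltmcLines,
        [string]$ProcMonPattern = '^PROCMON',  # assumption: ProcMon driver name prefix
        [double]$FesfAltitude   = 144700       # FESF altitude as stated on this page
    )
    # Keep only data rows: name, instance count, altitude (may be fractional), frame.
    $filters = foreach ($line in $FltmcLines) {
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Altitude = [double]$Matches[3] }
        }
    }
    $procmon = $filters | Where-Object { $_.Name -match $ProcMonPattern } |
        Select-Object -First 1
    if (-not $procmon) {
        return 'No ProcMon filter found in the list'
    }
    # FESF is located by altitude so its filter name does not have to be known.
    if (-not ($filters | Where-Object { $_.Altitude -eq $FesfAltitude })) {
        return "No filter found at altitude $FesfAltitude"
    }
    if ($procmon.Altitude -gt $FesfAltitude) {
        '{0} ({1}) is above FESF: the log shows requests the Application sends to FESF' -f
            $procmon.Name, $procmon.Altitude
    } else {
        '{0} ({1}) is below FESF: the log shows requests FESF sends to the file system' -f
            $procmon.Name, $procmon.Altitude
    }
}

Get-ProcMonPosition -FltmcLines $sample
# On a live system, from an elevated prompt:
#   Get-ProcMonPosition -FltmcLines (fltmc filters)
```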