Collecting ProcMon Logs for OSR Analysis

When OSR Support requests a ProcMon log to help us analyze a customer-reported issue, these are the settings and steps we’d like customers to use:

1.  Before starting the test under investigation, start ProcMon.  You can leave the altitude as is (385200) to log requests the Application sends to FESF.

2.  When presented with the Process Monitor Filter dialog, first remove the following 4 exclusions, as described in Removing Filter Events:

      Process Name is System

      Operation begins with IRP_MJ_

      Operation begins with FASTIO_

      Result begins with FAST IO

3.  Add any filter events that will narrow down the problem, such as a file name or an executable name.  See Adding Filter Events for an example of how to do this. 

4.  Click OK to save Filter changes.  Note that these changes will be remembered on your next invocation of ProcMon.

5.  Stop capturing events (File/Capture Events) and clear the display (Edit/Clear Display) until you’re ready to start the test.

6.  For most OSR customer support situations, the registry, process, and network operations don’t need to be monitored.  See Controlling ProcMon Monitoring and Applying Filters for details on how to turn these off.

7.  Now that ProcMon is properly set up, start capturing events (File/Capture Events) and run the test under investigation.

8.  Once the failure/error has occurred, stop capturing events, save the log file (<log name>.PML), and send it to OSR.

Note that we frequently also need a ProcMon trace of the requests FESF sends to the file system.  In this case, see Changing ProcMon’s “Altitude” to learn how to set ProcMon’s altitude below FESF (144600 can be used since it is < 144700), and then follow steps 2-8 above.
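
Before capturing, it helps to confirm which side of FESF ProcMon is attached on, since that decides which requests the log will contain. The script below is an added example, not OSR's own tooling: it parses `fltmc filters` output and reports ProcMon's position. It assumes ProcMon's minifilter name begins with "PROCMON" and that FESF's altitude is 144700, as implied by the text above; the sample output is constructed.

```powershell
# Added example: report where ProcMon sits relative to FESF, from `fltmc filters` output.
# Assumptions: ProcMon's minifilter name starts with "PROCMON"; FESF's altitude is 144700.
param(
    [decimal]$FesfAltitude = 144700,   # implied by "144600 ... is < 144700" on this page
    [switch]$Live                      # query the running system (needs an elevated prompt)
)

# Constructed sample of `fltmc filters` output, used when -Live is not given.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
PROCMON24                               3       385200         0
WdFilter                                3       328010         0
FileInfo                                3        40500         0
'@ -split "`r?`n"

function Get-FilterAltitude {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Columns: filter name, instance count, altitude, frame. Header rows do not match.
        if ($line -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Altitude = [decimal]$Matches[3] }
        }
    }
}

function Get-ProcMonPosition {
    param([string[]]$Lines, [decimal]$Fesf)
    $pm = Get-FilterAltitude $Lines | Where-Object Name -like 'PROCMON*' | Select-Object -First 1
    if (-not $pm) { return 'ProcMon filter not loaded: start ProcMon first' }
    if ($pm.Altitude -gt $Fesf) {
        return "$($pm.Name) at $($pm.Altitude) is above FESF: logs requests the application sends to FESF"
    }
    if ($pm.Altitude -lt $Fesf) {
        return "$($pm.Name) at $($pm.Altitude) is below FESF: logs requests FESF sends to the file system"
    }
    return "$($pm.Name) has the same altitude as FESF ($Fesf): position is ambiguous"
}

$lines = if ($Live) { fltmc.exe filters } else { $sample }
Get-ProcMonPosition -Lines $lines -Fesf $FesfAltitude
```

Run it with `-Live` from an elevated prompt while ProcMon is open; without the switch it evaluates the constructed sample.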