Overview:
This article explains how to collect a Process Monitor (Procmon) boot logging trace to capture system activity during the early stages of Windows startup.
Action:
This method is useful for diagnosing issues that occur before user logon or early in the boot sequence.
Steps to Enable Boot Logging
1. Launch Procmon
- Download the latest Procmon package from the Microsoft Sysinternals website.
- Run procmon.exe as Administrator.
2. Enable Boot Logging
- From the Options menu, select Enable Boot Logging…
- A dialog will appear with the message:
“Process Monitor will log all file system, registry and process activity during the boot process.”
- The Enable Boot Logging dialog also asks whether to generate thread profiling events. Leave “Generate thread profiling events” unchecked: thread profiling adds a large volume of sampling events and is rarely useful for diagnosing startup problems.
- Click OK to enable boot logging.
Procmon's driver is now configured to start with the kernel and will collect early boot events on the next restart.
3. Reboot the System
Restart the machine normally.
Procmon's driver records all file system, registry and process activity from early kernel initialization onward. Logging does not stop when the desktop appears; it continues until you run Procmon after logon (which stops the driver and prompts you to save) or until the system shuts down. If the problem occurs after logon, reproduce it before launching Procmon so that it is captured in the log.
4. Save the Boot Log After Restart
After the reboot and user logon, launch Procmon.exe manually (as Administrator).
Procmon detects the boot-time data collected by its driver and prompts you to save it.
Click Yes.
Choose a save location and specify a file name.
Save the file as a PML file (default format). Boot logs are large, so choose a drive with enough free space, and keep the PML rather than only a CSV export so that the full event detail remains available for later analysis.
5. Verify the service startup sequence
Use the Process Create, Process Start and Load Image events in the saved log to confirm how far a service got during startup:
- services.exe (the Service Control Manager) creates the service process. This appears as a Process Create event recorded in services.exe, with the service executable as the Path and the new process ID and command line in the Detail column.
- The new process then records a Process Start event, followed by Load Image events for its own executable, for ntdll.dll and for every other DLL it maps.
- csrss.exe (the Client/Server Runtime Subsystem, the user-mode part of the Windows subsystem) is notified of the new process as part of its startup. It does not create the process, and the Load Image events are recorded in the context of the new process, not in services.exe or csrss.exe.
If you see the Process Create in services.exe and a Load Image of the service executable in the new process, it indicates that:
- the Service Control Manager successfully created the process, and
- the service binary has been mapped into memory and is attempting to start.
This confirms that the service startup path is functioning up to the image load stage. A Process Create with no matching Load Image, or a Load Image followed closely by a Process Exit, narrows the failure to the service's own initialization; filter the log on the new process's PID to see what it did next.
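The correlation described in step 5 can be done outside the Procmon GUI once the boot log is exported to CSV. The following PowerShell is an added example written for this article, not Sysinternals code: it matches each Process Create issued by services.exe to the Load Image of that executable inside the created process, and reports which services never reached the image load stage. The /OpenLog and /SaveAs switches are documented Procmon command-line options; the file paths, PIDs, times and the ContosoSvc.exe service in the sample rows are assumptions constructed for illustration.

```powershell
# Added example for this article (not Sysinternals code): correlate each
# "Process Create" recorded by services.exe with the "Load Image" of that
# executable inside the newly created process, using a CSV export of the
# saved boot log.
#
# Export the PML to CSV first. /OpenLog and /SaveAs are documented Procmon
# command-line switches; the paths are assumed for this example:
#   procmon.exe /OpenLog C:\Logs\bootlog.pml /SaveAs C:\Logs\bootlog.csv

function Get-ServiceImageLoadStatus {
    param(
        # Rows as produced by Import-Csv / ConvertFrom-Csv over a Procmon
        # export with the default columns (Time of Day, Process Name, PID,
        # Operation, Path, Result, Detail).
        [Parameter(Mandatory)] [object[]] $Rows
    )

    # Index Load Image events by the PID that recorded them, so each
    # services.exe Process Create is matched without rescanning the log.
    $loadsByPid = @{}
    foreach ($r in $Rows) {
        if ($r.Operation -eq 'Load Image') {
            if (-not $loadsByPid.ContainsKey($r.PID)) { $loadsByPid[$r.PID] = @() }
            $loadsByPid[$r.PID] += $r
        }
    }

    foreach ($c in $Rows) {
        if ($c.'Process Name' -ne 'services.exe' -or $c.Operation -ne 'Process Create') { continue }
        # The Detail column of a Process Create event carries the new PID.
        if ($c.Detail -match 'PID:\s*(\d+)') { $childPid = $Matches[1] } else { continue }

        # Look for the child process mapping its own executable (same Path as
        # the Process Create event). Load Image is recorded under the child PID.
        $image = $null
        $loads = $loadsByPid[$childPid]
        if ($loads) { $image = $loads | Where-Object { $_.Path -eq $c.Path } | Select-Object -First 1 }
        $loadedAt = $null
        if ($image) { $loadedAt = $image.'Time of Day' }

        [pscustomobject]@{
            Service     = $c.Path
            ChildPid    = $childPid
            CreatedAt   = $c.'Time of Day'
            ImageLoaded = [bool] $image
            LoadedAt    = $loadedAt
        }
    }
}

# Constructed sample rows in Procmon's default export layout. PIDs, times,
# exit status and the ContosoSvc.exe path are hypothetical; the second
# service exits before ever mapping its image (the failure case from step 5).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:00:01.0000001 AM","services.exe","688","Process Create","C:\Windows\System32\svchost.exe","SUCCESS","PID: 912, Command line: C:\Windows\System32\svchost.exe -k netsvcs"
"12:00:01.0000120 AM","svchost.exe","912","Process Start","","SUCCESS","Parent PID: 688"
"12:00:01.0000200 AM","svchost.exe","912","Load Image","C:\Windows\System32\svchost.exe","SUCCESS",""
"12:00:01.0000300 AM","svchost.exe","912","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"12:00:02.0000001 AM","services.exe","688","Process Create","C:\Program Files\Contoso\ContosoSvc.exe","SUCCESS","PID: 1304, Command line: ""C:\Program Files\Contoso\ContosoSvc.exe"""
"12:00:02.0000050 AM","ContosoSvc.exe","1304","Process Start","","SUCCESS","Parent PID: 688"
"12:00:02.0000090 AM","ContosoSvc.exe","1304","Process Exit","","SUCCESS","Exit Status: -1073741515"
'@

$rows = $sampleCsv | ConvertFrom-Csv
Get-ServiceImageLoadStatus -Rows $rows | Format-Table -AutoSize

# Against a real export (path assumed):
#   Get-ServiceImageLoadStatus -Rows (Import-Csv C:\Logs\bootlog.csv) |
#       Where-Object { -not $_.ImageLoaded }
```

On the sample rows the function reports svchost.exe as created and image-loaded, and ContosoSvc.exe as created but with ImageLoaded set to false, which is the signature to look for when a service is started by the Service Control Manager but dies before its binary is mapped. Filtering the real log on that ChildPid in Procmon then shows whatever the process did between Process Start and Process Exit.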