4

When filtering events in Process Monitor, does it store the filtered events in memory or on disk, or does it just give you a filtered count?

The reason I'm asking is, we're trying to figure out what process / machine is writing to a directory on a server, and I'm afraid of maxing out the memory on a server. I may even be going about this the wrong way, but I'd like to find out what is writing to the directory.

0

1 Answer

7

By default, Process Monitor stores everything, including both visible and invisible events (hidden by filters) in virtual memory. This is also clearly indicated in the status bar: “Backed by virtual memory”.

To drop invisible events completely, you can activate the “Drop Filtered Events” option in the “Filter” menu. Depending on how strict your filters are, this will greatly reduce the amount of data.

To store data on disk instead of memory, you can use the “Backing Files” dialog, available in the “File” menu. Naturally, this will reduce performance of Process Monitor.

5
  • Wanna ask a little bit more: is there any way to directly generate a CSV file?
    – user218473
    Commented Oct 18, 2015 at 1:58
  • 1
    @AntonyLee No. Process Monitor stores a lot more than what appears in a file when saved as CSV. Also, by default, none of the files Process Monitor uses are persistent. They are deleted/emptied when you close the program/clear the log.
    – Daniel B
    Commented Oct 18, 2015 at 11:58
  • 1
    I would argue that "backed by virtual memory" does not "clearly" indicate that filtered events are not filtered in the log. That's quite unintuitive, actually, and I believe that dropping filtered events, i.e. the things one sets out to ignore in the first place, should be ignored as well. Or at least communicated more clearly. Commented Sep 20, 2016 at 12:37
  • The "drop filtered events" option doesn't appear to reduce the memory requirements. I have it switched on, no events displayed in Process Monitor (all filtered out), but still it's using 5 GB of RAM. Choosing Clear Display brings it back down to 170 MB (but of course it then starts rising again).
    – qris
    Commented Jan 9, 2018 at 9:29
  • It seems the drop filtered events option only works if you run the program as administrator. At least, it was the case for me. Commented Dec 16, 2019 at 0:16
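
An added example, not part of the answer or comments above: a time-boxed, disk-backed capture run from an elevated PowerShell prompt using Process Monitor's documented command-line switches, followed by a CSV export and a per-process count of writes. The paths, the ten-minute runtime, the free-space threshold and the exported configuration file `watch-dir.pmc` (assumed to hold a Path filter for the directory being watched) are placeholders and assumptions.

```powershell
# Assumed locations and limits (placeholders, adjust for the server).
$Procmon   = 'C:\Tools\Procmon.exe'
$Config    = 'C:\Tools\watch-dir.pmc'   # exported via File > Export Configuration
$LogDir    = 'D:\ProcmonLogs'           # keep the trace off the system volume
$Seconds   = 600                        # capture window
$MinFreeGB = 10                         # refuse to start on a nearly full disk

$Backing = Join-Path $LogDir ('trace-{0:yyyyMMdd-HHmmss}.pml' -f (Get-Date))
$Csv     = [IO.Path]::ChangeExtension($Backing, '.csv')

# Guard: a busy file server can generate a large trace quickly.
$driveName = (Split-Path $LogDir -Qualifier).TrimEnd(':')
$freeGB    = (Get-PSDrive -Name $driveName).Free / 1GB
if ($freeGB -lt $MinFreeGB) {
    throw "Only $([math]::Round($freeGB, 1)) GB free on ${driveName}:, not starting capture."
}
New-Item -ItemType Directory -Force -Path $LogDir | Out-Null

# 1. Capture to a backing file instead of virtual memory, then exit by itself.
$captureArgs = @('/AcceptEula', '/Quiet', '/Minimized',
                 '/LoadConfig', "`"$Config`"",
                 '/BackingFile', "`"$Backing`"",
                 '/Runtime', $Seconds)
Start-Process -FilePath $Procmon -ArgumentList $captureArgs -Wait

# 2. Convert the saved trace to CSV, applying the filter from the configuration.
$exportArgs = @('/AcceptEula', '/Quiet',
                '/LoadConfig', "`"$Config`"",
                '/OpenLog', "`"$Backing`"",
                '/SaveApplyFilter',
                '/SaveAs', "`"$Csv`"")
Start-Process -FilePath $Procmon -ArgumentList $exportArgs -Wait

# 3. Which processes wrote to the watched path, and how often?
#    Column names are those of Process Monitor's default column set.
Import-Csv -Path $Csv |
    Where-Object { $_.Operation -eq 'WriteFile' } |
    Group-Object -Property 'Process Name', PID |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name -First 20
```

The `.pml` trace remains on disk after the run, so delete it once the CSV has been reviewed.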
