Understanding Process Monitor

Buffer Overflows

Yes, many attackers and malware authors do exploit buffer overflow bugs to break into a component locally or remotely and gain extra access, but this particular result message is built into the Windows API and means the complete opposite.

Note: Imagine a buffer like a box of candy bars near the register in a grocery store. People keep buying them, and when the box gets low, the store fills the box again.

Ideally they won’t wait for the box to be empty, because that would be frustrating for customers, and they also will ideally not go running to the back every single time a customer buys a single candy bar, because that would be a waste of time. This is a buffer, and they are meant to prevent delays.

What the BUFFER OVERFLOW message in the Windows API, and specifically in Process Monitor, actually means is that the client application requested data but didn’t supply a bucket large enough to hold all of it. So the server side is responding to tell the client that it needs a bigger bucket.

In the example from the screenshot above, the application queried the registry for a specific value, but told the Windows API to put the result into a place in memory that was too small to fit all of that data. So Windows returned the message to let the application know that it needs a bigger spot to put the data. That’s all it was.
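To make the "bigger bucket" contract concrete, here is an added example that is not from the article: a portable C simulation of the two-call pattern that RegQueryValueEx and similar Win32/NT calls use. When the caller's buffer is too small, the call copies nothing, reports the size it needs through the in/out size parameter and fails with a "more data" status (Win32's ERROR_MORE_DATA, which the native layer surfaces as STATUS_BUFFER_OVERFLOW, the result ProcMon displays). The caller is expected to grow the buffer and ask again, so a trace shows one BUFFER OVERFLOW row followed by one SUCCESS row. The registry stand-in, the status enum values and the helper names (sim_query_value, read_value, count_calls) are all constructed for this illustration; no Windows headers are used.

```c
/* Added example: simulation of the Win32 "buffer too small, here is the
 * size you need" convention. Not Process Monitor or Windows code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes modelled on the Win32 convention; the numeric values are
 * placeholders, not the real Windows constants. */
enum status { SIM_SUCCESS = 0, SIM_BUFFER_OVERFLOW = 1, SIM_NOT_FOUND = 2 };

/* Constructed stand-in for a registry key: value name -> string data. */
struct reg_value { const char *name; const char *data; };
static const struct reg_value fake_key[] = {
    { "AppData",       "C:\\Users\\example\\AppData\\Roaming" },
    { "Local AppData", "C:\\Users\\example\\AppData\\Local" },
};

/* Query a value the way the API does: *size is in/out. On success the data
 * is copied and *size is the number of bytes written. When buf is NULL or
 * too small, nothing is copied, *size is set to the bytes required and
 * SIM_BUFFER_OVERFLOW is returned so the caller can retry. */
enum status sim_query_value(const char *name, char *buf, size_t *size)
{
    for (size_t i = 0; i < sizeof fake_key / sizeof fake_key[0]; i++) {
        if (strcmp(fake_key[i].name, name) != 0)
            continue;
        size_t needed = strlen(fake_key[i].data) + 1; /* include the NUL */
        if (buf == NULL || *size < needed) {
            *size = needed;
            return SIM_BUFFER_OVERFLOW;
        }
        memcpy(buf, fake_key[i].data, needed);
        *size = needed;
        return SIM_SUCCESS;
    }
    return SIM_NOT_FOUND;
}

/* The well-behaved client: start with a small buffer and, on
 * SIM_BUFFER_OVERFLOW, grow to the reported size and call again.
 * Returns a heap string the caller frees, or NULL if the value does not
 * exist. *calls receives how many queries were made. */
char *read_value(const char *name, int *calls)
{
    size_t size = 16;                 /* deliberately too small */
    char *buf = malloc(size);
    *calls = 0;
    if (!buf)
        return NULL;
    for (;;) {
        enum status st = sim_query_value(name, buf, &size);
        (*calls)++;
        if (st == SIM_SUCCESS)
            return buf;
        if (st != SIM_BUFFER_OVERFLOW) {   /* not found or other error */
            free(buf);
            return NULL;
        }
        char *bigger = realloc(buf, size); /* size now holds bytes needed */
        if (!bigger) {
            free(buf);
            return NULL;
        }
        buf = bigger;
    }
}

/* Number of API calls a lookup took (one overflow + one success = 2),
 * or -1 if the value was not found. */
int count_calls(const char *name)
{
    int calls = 0;
    char *v = read_value(name, &calls);
    if (!v)
        return -1;
    free(v);
    return calls;
}

int main(void)
{
    int calls = 0;
    char *v = read_value("AppData", &calls);
    printf("%s (after %d calls)\n", v ? v : "(not found)", calls);
    free(v);
    return 0;
}
```

The benign reading of the ProcMon row follows directly from this contract: the overflow is the API's way of reporting a required size, and the very next event for the same path is normally the successful re-query. A long run of BUFFER OVERFLOW rows with no following SUCCESS would be the thing worth a second look, since it means the client never grew its buffer.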

Jumping to an Event Data Path

All of this information is really great, but nobody wants to investigate by manually browsing to each and every location in the list. Luckily you can right-click on the Path field for an item and use the Jump To option to quickly access that data to see what it contains and try to figure out why the application is requesting that data in the first place.

Note: you can also use the Search Online feature to quickly search for the name of the process, the registry path, or any other field, which can be really useful when you don’t understand what something is used for.

In the example above, you can see that the application we were monitoring was trying to look at a registry value, so we used the Jump To feature, and Process Monitor immediately opened the Registry Editor already focused to that exact key.

So now we know, the application is trying to figure out where my appdata folder is, and we know which folder that was… which helps explain what is going on.

In this case, the application was the Conduit search malware, and it was looking for my user folder by querying the registry so that it could start messing around with files and folders inside of my Google Chrome profile.

Filtering the Data that Process Monitor Captures

As we’ve mentioned a couple of times already, the filters that Process Monitor provides allow you fine-grained control over what events you are going to be capturing, which translates into much easier work for you to figure out what is important in the list. If you know that you don’t care about all of the events generated by explorer.exe, for example, then you would be wise to just filter them out.

You can very quickly filter by any column using the context menu and using the Include or Exclude features — if you Include an item, the list will only contain events that match that particular item, or any others that you specifically include, but will not contain anything else. If you Exclude an item, everything will show up except for events that match the very specific item that you excluded.

In this case we decided to Include the cltmng.exe process, and now every single thing that we see in the list is related to that process.

You can alternatively use the Edit Filter option from the menu, or access the Filters section of the menu to display the list of filters and edit them. You can choose from the drop-down dialogs and match by any of the available fields, choose whether the value you type into the box will be matched exactly, or just “starts with”, or a number of other options. Then you can choose whether to Include or Exclude events that match those criteria.

Just don’t forget to click the Add button once you’ve defined your filter and before you click OK or Apply, because otherwise your new filter won’t actually be activated. Trust us, this is a common mistake!

You can also remove or edit filters by selecting them in the list and then modifying or removing them.

Way Too Much Data? Try Dropping Filtered Events

If you know for sure that you have the right filters to look at just the things you really want to see, you might want to consider using the Filter -> Drop Filtered Events feature.

What’s actually going on here is that the instance of Process Monitor is showing only the items that match the filter, but everything else is still being captured in the background, which can be a TON of data after a very short time — note the status bar in the example below that we had running for just a few minutes. If we had the Drop Filtered Events option turned on, it would have only captured just the events we wanted.

There is a big drawback to using this feature though, and that is that you can’t get back those filtered events if you realize you filtered the list too aggressively and want to examine events from another process. You’d have to redo your entire scenario, which might be too late. So make sure to use this option with caution.
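The Include/Exclude rules above and the Drop Filtered Events trade-off are easy to reason about with a small model, so here is an added example that is not Process Monitor’s own code: a few constructed trace rows, a rule type with the “is”, “begins with” and “contains” relations, and a capture loop that either stores every event and filters only the display, or (with drop on) never stores the non-matching rows at all. The matching rule assumed here, that an event is shown when it matches no Exclude rule and, if any Include rules exist, at least one Include rule, is a simplification of ProcMon’s behaviour; the event data, struct names and function names (event_visible, capture, count_visible, chrome_rows_recoverable) are all constructed for the illustration.

```c
/* Added example: model of ProcMon-style Include/Exclude filtering and of
 * what "Drop Filtered Events" changes. Not Process Monitor's code. */
#include <stdio.h>
#include <string.h>

enum column   { COL_PROCESS, COL_PATH, COL_OPERATION };
enum relation { REL_IS, REL_BEGINS_WITH, REL_CONTAINS };
enum action   { ACT_INCLUDE, ACT_EXCLUDE };

struct event { const char *process; const char *path; const char *operation; };
struct rule  { enum column col; enum relation rel; const char *value; enum action act; };

static const char *field(const struct event *e, enum column c)
{
    switch (c) {
    case COL_PROCESS: return e->process;
    case COL_PATH:    return e->path;
    default:          return e->operation;
    }
}

static int rule_matches(const struct rule *r, const struct event *e)
{
    const char *f = field(e, r->col);
    switch (r->rel) {
    case REL_IS:          return strcmp(f, r->value) == 0;
    case REL_BEGINS_WITH: return strncmp(f, r->value, strlen(r->value)) == 0;
    default:              return strstr(f, r->value) != NULL;
    }
}

/* Assumed semantics: any matching Exclude hides the event; otherwise it is
 * shown if there are no Include rules or at least one Include matches. */
int event_visible(const struct event *e, const struct rule *rules, int nrules)
{
    int have_include = 0, include_hit = 0;
    for (int i = 0; i < nrules; i++) {
        int m = rule_matches(&rules[i], e);
        if (rules[i].act == ACT_EXCLUDE) {
            if (m) return 0;
        } else {
            have_include = 1;
            if (m) include_hit = 1;
        }
    }
    return !have_include || include_hit;
}

/* Constructed trace rows, shaped like what a capture of the scenario in
 * the article might contain. */
static const struct event trace[] = {
    { "cltmng.exe",   "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData", "RegQueryValue" },
    { "cltmng.exe",   "C:\\Users\\example\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences", "CreateFile" },
    { "explorer.exe", "C:\\Windows\\explorer.exe", "ReadFile" },
    { "chrome.exe",   "C:\\Users\\example\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", "CreateFile" },
};
#define NTRACE ((int)(sizeof trace / sizeof trace[0]))

/* Capture the trace. With drop_filtered set, rows that fail the filter are
 * never stored (Drop Filtered Events); otherwise every row is stored and
 * the filter only affects display. Returns how many rows went into store,
 * which must have room for NTRACE pointers. */
int capture(const struct rule *rules, int nrules, int drop_filtered, const struct event *store[])
{
    int n = 0;
    for (int i = 0; i < NTRACE; i++)
        if (!drop_filtered || event_visible(&trace[i], rules, nrules))
            store[n++] = &trace[i];
    return n;
}

/* How many stored rows a (possibly changed) filter would display. */
int count_visible(const struct event *store[], int n, const struct rule *rules, int nrules)
{
    int shown = 0;
    for (int i = 0; i < n; i++)
        shown += event_visible(store[i], rules, nrules);
    return shown;
}

/* The drawback described in the article: capture with "Process Name is
 * cltmng.exe" included, then later decide you also want chrome.exe rows.
 * Returns how many chrome.exe rows are still available to show. */
int chrome_rows_recoverable(int drop_filtered)
{
    const struct rule capture_filter[] = { { COL_PROCESS, REL_IS, "cltmng.exe", ACT_INCLUDE } };
    const struct rule later_filter[]   = { { COL_PROCESS, REL_IS, "chrome.exe", ACT_INCLUDE } };
    const struct event *store[NTRACE];
    int n = capture(capture_filter, 1, drop_filtered, store);
    return count_visible(store, n, later_filter, 1);
}

int main(void)
{
    printf("chrome.exe rows visible later, drop off: %d\n", chrome_rows_recoverable(0));
    printf("chrome.exe rows visible later, drop on:  %d\n", chrome_rows_recoverable(1));
    return 0;
}
```

Run stand-alone, the first line reports 1 and the second 0: with Drop Filtered Events off the chrome.exe row is still in the capture and reappears as soon as the filter is changed, while with it on the row was never stored, which is exactly the “you’d have to redo your entire scenario” situation.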

Saving Dumps for Later Analysis

There’s one last thing for today’s lesson, and that is the Open / Save feature that we normally wouldn’t highlight on any other application, but in this case it is really important.

Imagine you are working on somebody’s really old and lousy computer, and you want to diagnose a particular problem, but the computer is just running way too slow to sit there and deal with it the entire time. You can simply run a Process Monitor scan on their computer, save the data over to a flash drive, and then load up Process Monitor on your blazing fast personal laptop and get to work analyzing what might have happened. You can even go to the coffee shop and analyze from there.

And of course, you could also just remotely talk somebody through running Process Monitor, doing a scan, saving the file, and then sending it to you for analysis. That way you don’t even have to show up and see them in person.

Next Lesson

Stay tuned for tomorrow’s lesson, where we will put together all of the knowledge that we’ve gained and show how to use Process Monitor in the real world to accomplish some fun and interesting things.

Lowell Heddings is the founder and Editor-in-Chief of How-To Geek. He spends all his free time making sure this site can bring you fresh geekery on a daily basis, and has been doing so for over eleven years.