How to collect Process Monitor (Procmon) logs on Windows

The Dropbox support team may request Process Monitor (Procmon) logs to help diagnose and address the issue you’re experiencing. This article provides instructions for generating two types of Procmon logs: 

• System event logs
• Boot logs

What are Procmon logs?

Process Monitor (Procmon) is a Sysinternals tool provided by Microsoft to monitor the Windows environment. Procmon logs track real-time system activity related to file system, registry, and process operations on your computer. 

There are two types of Procmon logs that our support team may request from you. Each type focuses on different areas of system activity:

• System event logs record system, registry, and process activity while your machine is running. 
• Boot logs record activity that happens during system startup. 

How to collect a system event log

System event logs can troubleshoot a wide variety of issues related to system performance and application behavior, such as high CPU usage or issues with configuration files.

To collect a system event log:

1. Close all unused applications.
2. Open File Explorer and search for “ProcessMonitor”.
   • Note: If you don’t know where the “ProcessMonitor” folder was saved, try checking the Downloads folder. 
3. Open the “ProcessMonitor” folder.
4. Click Extract All…
5. Click Extract.
6. Double-click Procmon to run Process Monitor. 
7. Click Agree when Sysinternals Software License Terms window opens. 
8. If prompted, click Yes to allow User Account Control (UAC) to make changes.
9. Click the Capture icon.
10. Perform the actions necessary to replicate the issue you’re experiencing. 
11. After reproducing the issue, return to the Process Monitor window.
12. Click the Capture icon to stop recording.
13. Click Save icon. 
14. Select All events.
15. Select Native Process Monitor Format (PML).
16. Click Path to specify where to save your log file. We suggest 

    C:\Users\<YourUserName>\Downloads\ProcessMonitor\Logfile.PML
    

17. Click Ok.

When responding to your support agent, attach the Logfile.PML file.

To collect a boot log:

1. Close all unused applications.
2. Navigate to the location where Process Monitor is saved. 
3. Open the “ProcessMonitor” folder.
4. Double-click “Procmon.exe” to run Process Monitor. 
5. Click Options in the menu bar.
6. Check the box next to Enable Boot Logging.
7. Click OK. 
8. Restart your computer.
   • Note: It may take up to 15 minutes for your computer to restart.
9. Run Process Monitor.
   • Note: You’ll be asked if you want to save the data collected from the boot log.
10. Click Yes. 

You can now attach the boot log file when responding to your support agent.

How to create a dump file for explorer.exe

Creating a dump file is typically necessary for troubleshooting purposes, especially when dealing with a crash or unexpected behavior. A core dump file can capture the memory contents of a process at a specific point in time, which is valuable for analyzing the state of the application and identifying the cause of the behavior.

To create a dump file for explorer.exe:

1. Open Windows Task Manager.
2. Select the Details tab.
3. Right-click the explorer.exe process.
4. Select Create memory dump file.
5. Wait for the success notification.
6. A notification with the file location will appear.
7. Go to the specified folder in Windows Explorer to access the .dmp file.
8. Compress the .dmp file.

Attach the .dmp file when responding to your agent.