24

When I try to start Process Monitor from SysInternals on some 64 bit Windows 7 machines, the process fails to start. There is no error message. I double click and nothing happens. Other 64 bit Windows 7 computers work fine. Any ideas?

Ryan Michela
  • I have the same problem, and I can run Process Monitor in 32bit mode with command line option `procmon.exe /Run32`. However, it does not support capturing in this mode. – jirkamat Dec 30 '11 at 14:36
  • @jirkamat Does not work here :( – Zero3 Apr 06 '16 at 12:29

7 Answers

33

Here is what I found. The 32 bit Procmon.exe contains the 64 bit exe inside it as a binary resource. When the 32 bit exe starts, it extracts the 64 bit version out to a hidden file called Procmon64.exe and then executes that. For some reason this process fails on some Windows 7 installs.

I managed to extract the 64 bit exe using Visual Studio 2010.

  1. Open Visual Studio and open the Procmon.exe file using the File->Open->File... menu
  2. In the resource tree, expand the "BINRES" node
  3. Right-click on the 1308 node and select Export...
  4. Name the exported resource Procmon-64.exe and save
  5. Run the extracted exe

Don't name the extracted exe Procmon64.exe (no hyphen) because the 32 bit Procmon will try to delete it if it gets the chance.

If you don't have Visual Studio, use a Windows executable resource extractor like ResourcesExtract - http://www.nirsoft.net/utils/resources_extract.html

Ryan Michela
  • It is interesting that you found a work-around, but I would be far more interested in why you would even need to do that. – Zoredache Dec 14 '11 at 22:30
  • I'd like to find the root cause too, but debugging a native process without symbols is just not worth the effort. Especially one as integrated with the OS as Process Monitor. – Ryan Michela Dec 15 '11 at 04:13
  • Extracting the 64bit exe of ProcMon to standalone EXE and running this exe solves this problem for me! ProcMon is running fine. – jirkamat Dec 30 '11 at 15:30
  • Good lord. How did you even know to do this? Worked for me, too. – anon Oct 03 '12 at 18:50
  • One time while idly double-clicking Procmon.exe over and over in frustration, I saw the hidden Procmon64.exe flash in Windows Explorer. This gave me the clue that the 64 bit version was being extracted by the 32 bit version. Following this hunch led me to crack open the 32 bit exe to examine its resources, and I found one that was orders of magnitude larger than the others. I extracted the resource and saved it as an .exe. Lo and behold, it was the missing 64 bit Process Monitor. – Ryan Michela Oct 04 '12 at 04:19
  • If you have a lot of background processes running, you may also be able to rename the Procmon64.exe file before Procmon.exe deletes it. Perhaps best with a cmd.exe rename command already prepped. – user66001 Mar 13 '13 at 08:39
  • Since I'm having this problem with a lot of Sysinternals programs, specifically all of the ones that extract a 64 bit version (this suddenly happened very recently; I can't run any of them because it says the directory is not writable), but if you run the resource extractor and click 'binary assets' or whatever on any of the Sysinternals applications you can basically sort by size, and the biggest one will be the app. Just rename it to exe and off you go~ – mgrandi Mar 25 '14 at 23:33
  • I had a weird error: when starting procmon 7-zip would start instead. I guess it is related to the fact that procmon tried extracting the resource and 7-zip hooks up deep into windows extracting events. But the solution offered worked for me as well – Dimitry K Dec 12 '15 at 16:00
  • Still an important answer after all these years! Procmon would not run, but using Visual Studio 2017, I followed these steps to extract the 64-bit version and it runs very nicely! – Glen Little Jan 09 '18 at 04:47
  • "For some reason this process fails on some Windows 7 installs".. I am on Windows 10, your solution worked. – John Donn Nov 16 '18 at 09:11
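The accepted answer describes Procmon.exe as a 32-bit stub that carries the 64-bit build as resource 1308 under the BINRES type, and mgrandi's comment adds the heuristic that the embedded program is simply the biggest resource. The Python script below is an added example, not code from this thread or from Sysinternals: it walks a PE file's resource directory tree (type, then id, then language), returns every blob stored under a named type, and picks the largest one, reporting whether it begins with an MZ header. Because the thread's Procmon.exe cannot be shipped here, the script constructs a minimal PE32+ fixture holding a BINRES type with two resources (ids 1 and 1308; the 1308 blob is a fake, just an MZ header followed by padding), and the section RVA, raw offset and sizes in that fixture are constructed values. Feeding the bytes of a real Procmon.exe to extract_resources is what would recover the actual 64-bit binary.

```python
import struct

BINRES_ID = 1308                    # resource id named in the answer above
RSRC_RVA, RSRC_RAW = 0x1000, 0x200  # constructed placement of the fixture's .rsrc section


def build_sample_pe(resources, type_name="BINRES"):
    """Constructed fixture: a minimal PE32+ image whose only section (.rsrc) holds one
    named resource type containing the given {id: bytes}. Not a runnable program; it
    exists so the walker below has a realistic resource tree to parse."""
    ids = sorted(resources)
    n = len(ids)
    type_off = 16 + 8                  # root dir (16 bytes) + its single named entry (8)
    lang_off = type_off + 16 + 8 * n   # type dir + n id entries
    data_off = lang_off + 24 * n       # each language dir: 16-byte dir + one 8-byte entry
    name_off = data_off + 16 * n       # each IMAGE_RESOURCE_DATA_ENTRY is 16 bytes
    blob_off = name_off + 2 + 2 * len(type_name)
    rs = bytearray()
    rs += struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0)                   # root: 1 named entry
    rs += struct.pack("<II", 0x80000000 | name_off, 0x80000000 | type_off)
    rs += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n)                   # type dir: n id entries
    for i, rid in enumerate(ids):
        rs += struct.pack("<II", rid, 0x80000000 | (lang_off + 24 * i))
    for i in range(n):
        rs += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)               # language dir: 1 entry
        rs += struct.pack("<II", 0x409, data_off + 16 * i)           # leaf -> data entry
    cur = blob_off
    for rid in ids:
        rs += struct.pack("<IIII", RSRC_RVA + cur, len(resources[rid]), 0, 0)
        cur += len(resources[rid])
    rs += struct.pack("<H", len(type_name)) + type_name.encode("utf-16-le")
    for rid in ids:
        rs += resources[rid]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)    # x64, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 2 * 8, RSRC_RVA, len(rs))     # DataDirectory[2] = resources
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rs), RSRC_RVA, len(rs), RSRC_RAW, 0, 0, 0, 0, 0)
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return bytes(hdr) + b"\0" * (RSRC_RAW - len(hdr)) + bytes(rs)


def _rva_to_offset(sections, rva):
    for va, raw, size in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA %#x lies outside every section" % rva)


def extract_resources(pe, type_name):
    """Walk the three-level resource tree (type -> id -> language) of a PE image and
    return {id: bytes} for every numeric id stored under the named type."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dd = opt + (112 if magic == 0x20B else 96)             # data directory start: PE32+ vs PE32
    rsrc_rva, = struct.unpack_from("<I", pe, dd + 2 * 8)   # entry 2 = IMAGE_DIRECTORY_ENTRY_RESOURCE
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, raw, max(vsize, rawsize)))
    base = _rva_to_offset(sections, rsrc_rva)                # file offset of the resource section

    def entries(dir_off):           # yield (name_or_id, offset) for each entry of a directory
        n_named, n_ids = struct.unpack_from("<HH", pe, base + dir_off + 12)
        for k in range(n_named + n_ids):
            yield struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * k)

    def name_at(off):               # IMAGE_RESOURCE_DIR_STRING_U: u16 length + UTF-16LE chars
        length, = struct.unpack_from("<H", pe, base + off)
        return pe[base + off + 2: base + off + 2 + 2 * length].decode("utf-16-le")

    found = {}
    for name, sub in entries(0):
        if not (name & 0x80000000) or name_at(name & 0x7FFFFFFF) != type_name:
            continue
        for rid, lang_dir in entries(sub & 0x7FFFFFFF):
            if rid & 0x80000000 or not (lang_dir & 0x80000000):
                continue            # only numeric ids that lead to a language subdirectory
            for _lang, leaf in entries(lang_dir & 0x7FFFFFFF):
                rva, size = struct.unpack_from("<II", pe, base + leaf)
                off = _rva_to_offset(sections, rva)
                found[rid] = bytes(pe[off:off + size])
    return found


def largest_resource(resources):
    """Biggest blob wins (mgrandi's heuristic); also report whether it carries an MZ header."""
    rid, data = max(resources.items(), key=lambda kv: len(kv[1]))
    return rid, data, data[:2] == b"MZ"


SAMPLE_PE = build_sample_pe({1: b"some small resource", BINRES_ID: b"MZ" + b"\x90" * 4000})

if __name__ == "__main__":
    rid, data, is_exe = largest_resource(extract_resources(SAMPLE_PE, "BINRES"))
    print("largest BINRES resource: id %d, %d bytes, MZ header: %s" % (rid, len(data), is_exe))
```

Whatever you extract this way, check its Authenticode signature before running it, exactly as you would for a binary a dropper had unpacked: the point of pulling the resource out by hand is to end up with the vendor's real 64-bit build, not just with the largest blob.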
5

Let me blow your mind. procmon.exe REQUIRES Workstation service running in order to start. It uses it to enumerate something and will silently die without it.

This is not documented anywhere and pretty bogus.

Rasz_pl
  • Yes! This was it! This answer needs to go to the top. – himself Apr 28 '16 at 09:18
  • Yup, that did it for me. Version 3.10 does not require it, but version 3.20 does. You have succeeded; mind blown. Saying “pretty bogus” is a huge understatement. I have no desire to run that service, so I am sorely disappointed in Mark. – Synetech May 07 '16 at 03:13
2

I know this thread has been around a while, but I just saw this problem lately and I noticed another factor that might be helpful: administrator rights. If I log in as an admin and run it, it works fine. If I log in as a non-admin and run it, the problem happens, and the extracted procmon-64 shows the same problem.

Cloud Guy
2

I succeeded in extracting ProcMon64.exe with the following Perl script, placed and executed in the temp folder.

use strict;
use warnings;
use File::Copy;

# Child: launch the 32-bit ProcMon, which extracts ProcMon64.exe into the current directory.
if (fork() == 0) {
    system "C:\\SysInternals\\ProcMon.exe";
}
# Parent: poll for the hidden ProcMon64.exe and copy it away before ProcMon deletes it.
else {
    for (my $i = 1; $i < 1000; $i++) {
        if (-e 'ProcMon64.exe') {
            copy('ProcMon64.exe', $i . '.exe');
        }
    }
}

After multiple executions it creates tens of copies, which are all the same (the same CRC32).

Dmitry Pi
0

ospy is a ProcMon alternative. You could try troubleshooting procmon startup with that.

Justin Dearing
0

I fixed this problem by re-checking my environment variables. You may check %TEMP% to see whether you ever added something to it before. Remove any folders other than the Windows temp folder and then reboot.

Frederik
-2

I used Resource Hacker. Extract 1038 as bin, add .exe, and it seems to start.