Analyzing (sub-)processes started by other processes


Synopsis

Sometimes it is required to know exactly which process starts which other processes.

On Windows

On Windows one can use Microsoft’s Process Monitor for tracing newly created processes.

Process Monitor requires Administrator rights/elevation, so starting it may cause the Windows UAC (User Account Control) dialog to ask whether to start this application.

Step 1: Start Process Monitor (procmon.exe)

Step 2: Add “Process Create” filter

In the dialog shown after the first start, or opened via Ctrl+L, add a filter for “Operation is Process Create” (choose “Reset” to clear/restore the default filters):

After adding it:

Step 3: Check “Drop Filtered Events”

Step 4: Check “Capture Events”

Step 5: Choose “Clear Display”

Step 6: Start application

Launch the desired application and perform the steps that cause the suspected sub-processes to be started.

Step 7: Uncheck “Capture Events”

Step 8: Open process tree

Step 9: Locate desired application/process

Step 10: Add desired process and its sub-processes to filter

Step 11: Export the collected information

Step 12: Verify the exported information

Load the export file into Process Explorer via File > Open… and browse the events and the process tree to ensure that it contains the expected entries. (If no entries are shown, clear the filters via Ctrl+L, Reset.)

Step 13: Send the export file to Squish technical support, if requested.
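
For an offline check of what Step 12 verifies, the following added example (not part of the original article or of Squish) rebuilds the tree of sub-processes from the captured “Process Create” events. It assumes the capture was additionally saved as CSV with Process Monitor's default columns and that the Detail column reads `PID: <child PID>, Command line: <command>`; the sample rows and the root PID 5200 are constructed.

```python
import csv, io, re, sys
from collections import defaultdict

# Constructed sample rows in the assumed default column layout of a Process Monitor CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.10","explorer.exe","4100","Process Create","C:\Apps\launcher.exe","SUCCESS","PID: 5200, Command line: ""C:\Apps\launcher.exe"" --start"
"10:15:02.20","launcher.exe","5200","Process Create","C:\Apps\worker.exe","SUCCESS","PID: 5310, Command line: ""C:\Apps\worker.exe"" --job 1"
"10:15:02.90","worker.exe","5310","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5420, Command line: cmd.exe /c dir"
"10:15:03.40","launcher.exe","5200","Process Create","C:\Apps\helper.exe","SUCCESS","PID: 5500, Command line: helper.exe"
"10:15:04.00","svchost.exe","900","Process Create","C:\Windows\System32\other.exe","SUCCESS","PID: 6000, Command line: other.exe"
'''

# Assumed Detail format of a "Process Create" event: child PID, then its command line.
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)", re.S)

def parse_process_creates(text):
    """Return (children, names): parent PID -> [(child PID, command line)], PID -> image name."""
    children, names = defaultdict(list), {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"] != "Process Create" or row["Result"] != "SUCCESS":
            continue  # other operations and failed creations do not add a tree edge
        m = DETAIL_RE.match(row["Detail"])
        if not m:
            continue
        parent, child = int(row["PID"]), int(m.group(1))
        names[parent] = row["Process Name"]
        # Path holds the image of the new process; use its file name for the child.
        names.setdefault(child, row["Path"].rsplit("\\", 1)[-1])
        children[parent].append((child, m.group(2)))
    return children, names

def descendants(children, root_pid, depth=1, seen=None):
    """Pre-order list of (depth, pid, command line) for everything started below root_pid."""
    seen = {root_pid} if seen is None else seen
    out = []
    for child, cmd in children.get(root_pid, []):
        if child in seen:  # PID reused during the capture: do not loop
            continue
        seen.add(child)
        out.append((depth, child, cmd))
        out.extend(descendants(children, child, depth + 1, seen))
    return out

if __name__ == "__main__":
    # Usage: script.py export.csv ROOT_PID  (without arguments the constructed sample is used)
    use_file = len(sys.argv) > 2
    text = open(sys.argv[1], encoding="utf-8-sig").read() if use_file else SAMPLE_CSV
    children, names = parse_process_creates(text)
    for depth, pid, cmd in descendants(children, int(sys.argv[2]) if use_file else 5200):
        print("  " * depth + f"{names[pid]} ({pid}): {cmd}")
```

Processes started by an unrelated parent (PID 900 in the sample) do not appear under the chosen root, which makes unexpected children of the traced application easy to spot.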