Determining the Process Accessing a File

This article describes Process Monitor (ProcMon), one of the publicly available Sysinternals tools for MS Windows.

Sometimes it is necessary to determine which process accesses, alters, or deletes a specific file. Various auditing tools can be employed for this purpose; this article uses Process Monitor.

Resolution:

Running this tool can put a considerable load on the system, and the output file can grow quite large. It is therefore important to run the tool only for the time frame needed to capture the issue, and not much longer.

To capture details about access to a specific file, proceed as follows:

  1. Download the Process Monitor utility at:
  2. Run "procmon.exe"
    • If the "Process Monitor Filter" window appears, click "OK"
  3. Choose the destination of the trace file
    • Go to File > Backing Files
    • Select the option "Use file named:"
    • Fill in the preferred path for the temporary logging file, for example "C:\test\procmonlog.PML"
    • Click OK twice
    • Close "procmon.exe" and start it again for the changes to take effect
    • From now on, events related to file operations (but also registry operations etc.) are recorded to that file

      Setting up the destination of a trace file is optional. However, it helps prevent exhausting virtual memory during long-running captures, because events are written to disk instead of being held in memory.

  4. Set up a filter
    • If you know exactly what you are looking for, set up a filter so that only relevant events are kept
    • Go to Filter > Filter... > press Reset > specify the filter > press Add > press OK
    • Example:
      Path Contains locations.config
    • Go to Filter > click Drop Filtered Events
  5. Clear the capture file
    • Go to Edit > click Clear Display
  6. Reproduce the issue and save the output
    1. The first option - when the issue can be reproduced on demand at any time
      1. Reproduce the issue
      2. Stop the capturing
        • Go to File > click Capture Events
      3. Store the output
        • Go to File > Save
          select "Events displayed using current filter"
          choose format "Native Process Monitor Format (PML)"
          choose Path
        • click OK
    2. The second option - when the issue occurs only right after a computer restart
      1. Enable logging on restart
        • Go to Options > Click Enable Boot logging > click OK
      2. Close Procmon
      3. Restart the computer and wait for the issue to occur
        • Imagine that you are trying to catch the situation where the FlexiSpooler service fails to start. For that purpose you could repeatedly review the Windows System event log via a PowerShell command such as this one and wait for the error:
          Get-WinEvent -FilterHashtable @{logname='system';StartTime=(Get-Date).AddHours(-1)} | Where-Object {( $_.Id -match "60\d\d" -or $_.Message -like '*YSoftSQ-FSP*' -or $_.Message -like '*YSoft SafeQ FlexiSpooler*' )} | Sort-Object TimeCreated -Descending | Format-Table -Property TimeCreated, Id, LevelDisplayName, Message -AutoSize
      4. Once the issue occurs
        • Run Procmon again
        • Confirm the filters by clicking OK (make no changes)
        • Click YES to save the data captured on server start > save the PML file
          Note: The PML file generated this way will contain events from the server startup until the point at which you started Procmon.exe.
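The manual procedure above can also be scripted for unattended reproduction. The following PowerShell example is added here and is not part of the original article; it assumes procmon.exe sits in C:\Tools, reuses the article's backing-file path and the locations.config / FlexiSpooler scenario, and relies on the default column names of Process Monitor's CSV export (Process Name, PID, Operation, Path, Result). The 10-minute time budget is an arbitrary placeholder.

```powershell
# Added example: scripted Process Monitor capture for a single file of interest.
# Assumptions (adjust as needed): procmon.exe location, backing-file path,
# target file name, time budget; CSV column names are ProcMon's defaults.
$Procmon     = 'C:\Tools\procmon.exe'        # assumed location of the downloaded utility
$BackingFile = 'C:\test\procmonlog.PML'      # same path as the article's example
$CsvFile     = 'C:\test\procmonlog.csv'
$Target      = 'locations.config'            # the file whose accessors we want to identify
$MaxMinutes  = 10                            # keep the capture short, as the article advises

# 1. Start capturing with a backing file so events go to disk, not virtual memory.
#    /Quiet suppresses the filter dialog; /AcceptEula avoids the first-run licence prompt.
$start = Get-Date
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$BackingFile`""
)

# 2. Wait for the issue. This reuses the article's check for the FlexiSpooler case:
#    stop as soon as a matching System event appears, or when the time budget runs out.
$deadline = $start.AddMinutes($MaxMinutes)
do {
    Start-Sleep -Seconds 30
    $hit = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $start } -ErrorAction SilentlyContinue |
           Where-Object { $_.Id -match '^60\d\d$' -or $_.Message -like '*YSoft SafeQ FlexiSpooler*' }
} until ($hit -or (Get-Date) -ge $deadline)

# 3. Stop all running Process Monitor instances (flushes the backing file),
#    then convert the PML to CSV offline; /SaveAs picks the format from the extension.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/OpenLog', "`"$BackingFile`"", '/SaveAs', "`"$CsvFile`""
) -Wait

# 4. Answer the article's question: which process touched the file, with which
#    operation and result (e.g. NAME NOT FOUND before the file existed, SUCCESS after).
Import-Csv -Path $CsvFile |
    Where-Object { $_.Path -like "*$Target*" } |
    Group-Object -Property 'Process Name', 'PID', 'Operation', 'Result' |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, @{ Name = 'Process, PID, Operation, Result'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Run the script in an elevated PowerShell session; the resulting table groups the events for the target path by process, PID, operation and result so the accessing process can be read off directly.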

The example below demonstrates a situation where FlexiSpoolerService.exe was unable to locate the file locations.config. Later the file was created manually via notepad.exe, and from then on the file was found and read successfully.

[Screenshot: Process Monitor event list for the locations.config scenario described above]