
Can't find a filter of a program in Procmon


I was given a task to put 2 filters in Procmon: 1) Process name is "test.exe" (a WinAPI CreateFile, ReadFile, CloseHandle project written in Visual Studio in C); 2) Operation is read file. When I look for the filters I can't find either. I thought maybe I need to run the project for it to show, but even then it doesn't. Do I need to do something extra? The file the project is reading is a simple text file with "Hello World!" written in it. I have a photo of what the filters are supposed to look like (the "barakgonen.exe" is the "test.exe"): [example photo]. If it helps, the code that reads the file is:

#include <windows.h>
#include <stdio.h>

int main() {
    // Path of the file to read (an absolute path, so the working directory does not matter)
    LPCSTR fileName = "C:\\TestFolder\\test.txt";

    // Attempt to open the file
    HANDLE fileHandle = CreateFileA(
        fileName,                // File name
        GENERIC_READ,            // Desired access
        0,                       // Share mode
        NULL,                    // Security attributes
        OPEN_EXISTING,           // Creation disposition
        FILE_ATTRIBUTE_NORMAL,   // Flags and attributes
        NULL                     // Template file handle
    );

    if (fileHandle == INVALID_HANDLE_VALUE) {
        printf("Could not open file (error %lu)\n", GetLastError());   // GetLastError() returns a DWORD
        return 1;
    }

    // Buffer to store the data read
    char buffer[1024];
    DWORD bytesRead;

    // Read data from the file
    BOOL readResult = ReadFile(
        fileHandle,              // File handle
        buffer,                  // Buffer to store data
        sizeof(buffer) - 1,      // Number of bytes to read
        &bytesRead,              // Number of bytes read
        NULL                     // Overlapped
    );

    if (!readResult) {
        printf("Could not read from file (error %lu)\n", GetLastError());   // DWORD, hence %lu
        CloseHandle(fileHandle);
        return 1;
    }

    // Null-terminate the buffer to make it a valid string
    buffer[bytesRead] = '\0';

    // Print the contents of the buffer
    printf("File contents:\n%s\n", buffer);

    // Close the file handle
    CloseHandle(fileHandle);

    return 0;
}

Solution

  • Step 1: Click the filter button.
    (screenshot: Click the filter button)

  • Step 2: Click the "Reset" button to make sure you have the default filters.
    (screenshot: Click the reset button)

  • Step 3: Choose "Process name" from the drop-down list.
    (screenshot: Choose "Process name")

  • Step 4: Choose "is" from the drop-down list.
    (screenshot: Choose "is")

  • Step 5: Enter the name of the executable.
    (screenshot: Enter name of executable)

  • Step 6: Choose "Include" from the drop-down list.
    (screenshot: Choose "Include")

  • Step 7: Click "Add".
    (screenshot: Click "Add")

  • Result:
    (screenshot: Result of adding a filter to Procmon)

  • Steps 8 to 12: Do it similarly for the other filter, starting from Step 3.

  • Step 13: Click "Ok" to apply the filters.
    (screenshot: Apply the filters)
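The same two filters from the task (Process Name is test.exe, Operation is ReadFile), applied outside the GUI to an exported capture, as an added example that is neither the question's nor the answer's code: it mirrors the dialog's four drop-downs (Column, Relation, Value, Include/Exclude) so you can check which events the filters will keep, and it shows that the operation value must be spelled as Procmon names it ("ReadFile", not "read file"). The CSV is a constructed sample in the column layout of Procmon's Save-as-CSV export, and the case-insensitive matching and the Include/Exclude combination rules are my assumptions about how Procmon's dialog behaves.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the column layout of a Procmon "Save as CSV" export (not a
# real capture). CloseHandle() shows up in Procmon as the CloseFile operation.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","test.exe","4120","CreateFile","C:\\TestFolder\\test.txt","SUCCESS","Desired Access: Generic Read"
"10:01:02.1235001 AM","test.exe","4120","ReadFile","C:\\TestFolder\\test.txt","SUCCESS","Offset: 0, Length: 1,023"
"10:01:02.1235900 AM","test.exe","4120","CloseFile","C:\\TestFolder\\test.txt","SUCCESS",""
"10:01:02.2000000 AM","explorer.exe","1337","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3000000 AM","Test.exe","4120","ReadFile","C:\\TestFolder\\other.txt","END OF FILE","Offset: 13, Length: 1,023"
"""

@dataclass(frozen=True)
class FilterRule:
    # One row of the Procmon filter dialog: Column, Relation, Value, Action.
    column: str     # e.g. "Process Name" or "Operation"
    relation: str   # "is" or "contains"
    value: str
    action: str     # "Include" or "Exclude"
    def matches(self, event):
        # Assumption: Procmon compares filter values case-insensitively.
        actual, want = event.get(self.column, "").lower(), self.value.lower()
        if self.relation == "is":
            return actual == want
        if self.relation == "contains":
            return want in actual
        raise ValueError(f"unsupported relation: {self.relation}")

def apply_filters(events, rules):
    # Assumed combination: any Exclude match drops the event; otherwise every
    # column that has Include rules must match at least one of them.
    includes = [r for r in rules if r.action == "Include"]
    excludes = [r for r in rules if r.action == "Exclude"]
    kept = []
    for ev in events:
        if any(r.matches(ev) for r in excludes):
            continue
        if all(any(r.matches(ev) for r in includes if r.column == col)
               for col in {r.column for r in includes}):
            kept.append(ev)
    return kept
# The two filters from the task, as the dialog's four drop-downs would hold them.
TASK_FILTERS = [FilterRule("Process Name", "is", "test.exe", "Include"),
                FilterRule("Operation", "is", "ReadFile", "Include")]
def read_events_for(text=SAMPLE_CSV, rules=TASK_FILTERS):
    return apply_filters(list(csv.DictReader(io.StringIO(text))), rules)
```

Running read_events_for() on the sample keeps only the two ReadFile rows from test.exe (the CreateFile and CloseFile rows and explorer.exe's read are dropped); adding an Exclude rule, e.g. Result is "END OF FILE", then removes the short read as well.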