2023-12-12 Troubleshoot Apps failing to start using Process Monitor


  • Article
  • 05/24/2023
  • 4 contributors



This article describes how to install the Process Monitor tool to troubleshoot the issue in which Modern, Inbox, and Microsoft Store Apps fail to start.

Download the Process Monitor tool. Once the Process Monitor tool is downloaded locally, extract the files.

Capture events

In order to capture a Process Monitor trace, run it with elevated permissions (run as administrator).

Note

Make sure you're running the version of Process Monitor that matches the platform (Procmon.exe for x86 systems, Procmon64.exe for X64 systems, and Procmon64a.exe for ARM).

Once started, reset any previously saved filters to default to ensure that no potential events are filtered out by the previously set filters. If it's the first time you run Process Monitor or if there are no filters set, you can start recording without the pop-up window.


By default, the recording should start automatically. However, you can make sure it's running by selecting the following icon:


Alternatively, you can start the recording by pressing Ctrl + E or by selecting Capture Events from the File menu. You see the events recorded in the status bar as follows:


Alternatively, if a graphical user interface (GUI) isn't an option or the system is accessible remotely only with console access, you can trace the issue using Windows PowerShell or a command prompt. For example:


C:\ProcessMonitor>procmon64.exe -accepteula -backingfile C:\ProcessMonitor\Recording.pml -quiet -minimized

Other options are available, including filtering and setting the maximum file size. For more information, see Process Monitor.


To terminate and save the trace, you can use the following command:


C:\ProcessMonitor>procmon64.exe -terminate -quiet

Additionally, you can remotely run Process Monitor using PowerShell or the PsExec tool. For example:


C:\PSTools>psexec.exe -sd \\<Computer Name> C:\ProcessMonitor\procmon64.exe -accepteula -backingfile C:\ProcessMonitor\Recording.pml -quiet -minimized

To stop the recording, you can use the following command:


C:\PSTools>psexec.exe -sd \\<Computer Name> C:\ProcessMonitor\procmon64.exe -terminate -quiet

Store and save events

There are several methods available to store and save the events. You can select Backing files from the File menu. Then, you can see two methods to store events:

  • Use virtual memory
  • Use file named


Use virtual memory

This method uses the system's memory to store the file until it gets saved by the user manually.

Note

Running the Process Monitor for too long, backed by virtual memory, might cause the Process Monitor to consume all the available system virtual memory, which could lead to the system stopping responding.


If you start recording as Backed by virtual memory, you need to save the recording prior to exiting Process Monitor.


Make sure you select All events and the format is set as Native Process Monitor Format (PML). If the recording doesn't contain all the events, you only have the displayed or highlighted events available for analysis, which might be insufficient.

Backed by file

This method uses a file to store the recording and doesn't require saving the file manually before exiting Process Monitor.

Note

If the maximum file size isn't defined, running the Process Monitor for too long, backed by a file, might cause the Process Monitor to consume all the available system disk space, which could lead to the system stopping responding.


Once the Process Monitor is set and the recording is started, you need to reproduce the problem.

Troubleshooting example

Take this issue as an example: the Calculator application isn't working. First, start the Process Monitor recording with any of the methods described above. Then reproduce the problem by trying to start the application. Once the issue is reproduced, stop the Process Monitor recording and save the data.

To analyze the recorded Process Monitor trace, open it with Process Monitor. Select Process Tree under Tools on the Menu to see if your application starts during the recording.

Select the Calculator process:


To focus on the process, right-click the application name and select Add process to Include filter.


Similarly, you can add a filter manually for your process ID.


Exit the Process Tree view or select OK on the Process Monitor Filter window to see the filtered captured lines containing your process. In this example, the Calculator.exe process is starting.


Then go towards the end of the process capture, and look for a group of the Thread Exit events right before the Process Exit event.


You can also see the Process Create event for WerFault.exe. At that point, the application has already reached an unrecoverable condition and has called the default error handler.

You should also notice that some event logs related to application crashes are recorded as well.


You can start from this line to see if you can spot any events with an Access Denied result.


In this situation, you should check the permissions of the following registry key against those from a working machine to see if there are some differences.

\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

In this example, ALL APPLICATION PACKAGES is missing "read" permissions from User Shell Folders.


This operation can also be done by using PowerShell or a command prompt.

For the working system:


For the nonworking system:

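One way to run this comparison from PowerShell, as an added example that is not part of the original article: it reports whether ALL APPLICATION PACKAGES (well-known SID S-1-15-2-1) is granted read access on the User Shell Folders key and prints the key's DACL in SDDL form for a side-by-side diff with a working machine. The function name Get-AppPackagesKeyAccess is hypothetical, and the script assumes it runs in the affected user's session because the key is under HKCU.

```powershell
# Added example, not from the original article.
$KeyPath        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$AppPackagesSid = 'S-1-15-2-1'   # well-known SID of ALL APPLICATION PACKAGES

function Get-AppPackagesKeyAccess {   # hypothetical helper name
    param(
        [string]$Path = $KeyPath,
        [string]$Sid  = $AppPackagesSid
    )
    $acl         = Get-Acl -LiteralPath $Path
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $readKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # match does not depend on the display language of the account name.
    $rules = @($acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $Sid })

    # Allow ACEs that apply to the key itself (not inherit-only) and cover ReadKey.
    # Deny ACEs are listed in Rights below but are not evaluated here.
    $grantsRead = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
        (([int]$_.RegistryRights -band $readKey) -eq $readKey)
    }).Count -gt 0

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Key        = $Path
        AceCount   = $rules.Count
        GrantsRead = $grantsRead
        Rights     = ($rules | ForEach-Object { "$($_.AccessControlType):$($_.RegistryRights)" }) -join '; '
        Sddl       = $acl.GetSecurityDescriptorSddlForm('Access')
    }
}

Get-AppPackagesKeyAccess | Format-List
```

Run it on the working and the nonworking system and compare the GrantsRead and Sddl values.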

If you don't spot any suspicious permission issues nearby, you can always check the entire trace for any suspect permission blocks. First, remove the filter for the Calculator process by selecting Reset Filter under the Filter menu. Then, select the Count Occurrences option from the Tools menu. Choose Result from the drop-down menu, then select Count.

Once the filtering is done, you can double-click the "Access Denied" line to view the filtered events:


As you work through the list, keep in mind that not all "Access Denied" results cause the code to fail.

Generally, anything asking for "All Access" is often refused, so you can exclude them from your investigations. You can do it automatically by filtering the events containing Desired Access: All Access as follows:


In this example, the result looks like the following:

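The Count Occurrences step and the Desired Access: All Access exclusion described above can also be scripted over a CSV export of the trace; this is an added example, not part of the original article. It assumes the trace was saved from Process Monitor in CSV format with the default columns; the function names, the sample rows, and the Recording.csv path are constructed for illustration.

```powershell
# Added example, not from the original article. The rows below are constructed
# sample data in the column layout of a Process Monitor CSV export.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","Calculator.exe","4242","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","ACCESS DENIED","Desired Access: Read"
"10:01:02.0000002","Calculator.exe","4242","RegOpenKey","HKLM\SOFTWARE\Example","ACCESS DENIED","Desired Access: All Access"
"10:01:02.0000003","Calculator.exe","4242","RegQueryValue","HKLM\SOFTWARE\Example\Value","SUCCESS","Type: REG_SZ"
"10:01:03.0000004","svchost.exe","900","CreateFile","C:\Example\file.dat","ACCESS DENIED","Desired Access: Generic Read, Disposition: Open"
'@

function Get-ResultCount {
    # Same view as Tools > Count Occurrences on the Result column.
    param([object[]]$Rows)
    $Rows | Group-Object -Property Result -NoElement |
        Sort-Object -Property Count -Descending
}

function Get-AccessDeniedCandidate {
    # ACCESS DENIED events, minus requests for All Access, optionally
    # narrowed to one process name (for example Calculator.exe).
    param([object[]]$Rows, [string]$ProcessName)
    $Rows |
        Where-Object { $_.Result -eq 'ACCESS DENIED' } |
        Where-Object { $_.Detail -notmatch 'Desired Access:\s*All Access' } |
        Where-Object { -not $ProcessName -or $_.'Process Name' -eq $ProcessName } |
        Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Detail
}

$trace = ($sampleCsv -split '\r?\n') | ConvertFrom-Csv
# For a real export (hypothetical path):
# $trace = Import-Csv -LiteralPath 'C:\ProcessMonitor\Recording.csv'

Get-ResultCount -Rows $trace | Format-Table -AutoSize
Get-AccessDeniedCandidate -Rows $trace | Format-List
Get-AccessDeniedCandidate -Rows $trace -ProcessName 'Calculator.exe' | Format-List
```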

Adding the appropriate permission for "All Application Packages" resolves both issues at the same time for both applications.

Sometimes it isn't possible to work out what permission change is stopping the application from starting. Process Monitor only captures some parts of the process activities.

If many machines are affected by the same problem, troubleshoot by starting from a new, freshly installed machine and slowly adding your policies until the application fails to start again.

If only one machine is affected, recover or reset the machine. If only one user is affected, recreate the user's profile.
