Home / server / Questions / 341043
Accepted
Ryan Michela
Asked: 2011-12-15 13:52:26 +0800 CST

Process Monitor fails to start on a 64 bit computer

  • 772

When I try to start Process Monitor from SysInternals on some 64 bit windows 7 machines,the process fails to start. There is no error message. I double click and nothing happens. Other 64 bit windows 7 computers work fine. Any ideas?

windows monitoring windows-7 64-bit

7 Answers

  1. Best Answer

    Here is what I found. The 32 bit Procmon.exe contains the 64 bit exe inside it as a binary resource. When the 32 bit exe starts, it extracts the 64 bit version out to a hidden file called Procmon64.exe and then executes that. For some reason this process fails on some Windows 7 installs.

    I managed to extract the 64 bit exe using Visual Studio 2010.

    1. Open Visual Studio and open the Procmon.exe file using the File->Open->File... menu
    2. In the resource tree, expand the "BINRES" node
    3. Right-click on the 1308 node and select Export...
    4. Name the exported resource Procmon-64.exe and save
    5. Run the extracted exe

    Don't name the extracted exe Procmon64.exe (no hyphen) because the 32 bit Procmon will try to delete it if it gets the chance.

    If you don't have Visual Studio, use a windows executable resource extractor like ResourcesExtract - http://www.nirsoft.net/utils/resources_extract.html

    • 33

  2. Let me blow your mind. procmon.exe REQUIRES Workstation service running in order to start. It uses it to enumerate something and will silently die without it.

    This is not documented anywhere and pretty bogus.

    • 5

  3. I know this thread has been a while but I just saw this problem lately and I noticed another factor that might be helpful. Administrator right. If I login as an admin and run it, it works fine. If login as a non-admin and run it, the problem happens and the extracted procmon-64 shows the same problem.

    • 2

  4. I succeed to extract ProcMon64.exe with next Perl script placed and executed in temp folder.

    use File::Copy;

if(fork()==0)
{ system "C:\\SysInternals\\ProcMon.exe"}
else
{  for($i=1;$i<1000;$i++)
    {if(-e 'ProcMon64.exe')
      { copy('ProcMon64.exe',$i.'.exe')}
    }
}

    After multiples executions it creates tens of copes which all are the same (the same CRC32)

    • 2

  5. ospy is a ProcMon ALternative. You could try troubleshooting procmon startup with that.

    • 0

  6. I fixed this problem by re-checking my Environment variables. You may check %TEMP% to see whether you ever add something inside before. Remove any other folders except for windows temp and then reboot.

    • 0

  7. I used Resource Hacker. Extract 1038 as bin. add .exe and it seems to start.

    • -2