File Monitor and Registry Monitor

  • Article

Applies To: Windows Server 2003, Windows Server 2003 with SP1

When troubleshooting IIS 6.0, you can use File Monitor and Registry Monitor to obtain two specific types of information:

  • Verification that a specific file (File Monitor) or registry key (Registry Monitor) is being accessed by a given process.

  • Information about whether that access results in an Access Denied error.

Both File Monitor and Registry Monitor can be downloaded from the System Internals Web site.

To install File Monitor and Registry Monitor, unzip and copy each .exe file to a desired location. To use one of these tools, double-click the appropriate executable file (FileMon.exe or RegMon.exe). Both utilities start in capture mode, which means that they display all file system (File Monitor) or registry (Registry Monitor) activity from all processes as it happens. Before you begin troubleshooting a problem, stop the capture and clear the entries that have been written.

To stop or start a capture in FileMon.exe or RegMon.exe

  • On the Options menu, click Capture Events.

To clear the current capture in FileMon.exe or RegMon.exe

  • On the Edit menu, click Clear Display.

Tips for Using File Monitor and Registry Monitor for Troubleshooting

Use the following tips to streamline the troubleshooting process when using File Monitor and Registry Monitor:

  • Isolate your task as much as possible. The output from a capture comes very quickly and at a high volume. The larger the capture, the harder it is to find the information that you want. When you are ready, perform only the tasks that will produce the file or registry access that you are trying to verify.

  • Avoid unnecessary clicking or activity. Performing extraneous operations while File Monitor or Registry Monitor is running will produce unrelated and unnecessary data in the output.

  • Start a capture as closely as possible to when you perform the task. Separate your utility window from the workspace that contains the process that you are using to troubleshoot so that you can easily switch between programs. If possible, press ALT+TAB to quickly switch programs.

  • Create a capture filter for the process name that you are working with. Registry Monitor and File Monitor both have capture filter functionality, which you can use to remove extraneous activity from the capture. You can filter on any string in an entry. For example, a common filter is the IIS 6.0 worker process name, W3wp.exe.

To set a capture filter for W3wp.exe

  1. On the Edit menu of the appropriate tool, click Filter/Highlight.

  2. In the Include box, type W3wp.exe and then click Apply.

When you have finished the task, stop the capture and scan the results for specific output. Usually, your objective will be to verify whether the problem is being caused by or is related to an access denial. In either tool, you can see whether this is the case by looking for the text ACCESS DENIED in the Result column.

If you need to compare the time that an event occurred with some other activity on your network, change the time format of the capture from the elapsed time, which is the default, to the literal time of day.