Process Monitor (Procmon) is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system.
cmake>= 3.14 (build-time only)
libsqlite3-dev>= 3.22 (build-time only)
Checkout our install instructions for distribution specific steps to install Procmon.
sudo apt-get -y install bison build-essential flex git libedit-dev \ libllvm6.0 llvm-6.0-dev libclang-6.0-dev python zlib1g-dev libelf-dev
git clone --branch tag_v0.10.0 https://github.com/iovisor/bcc.git mkdir bcc/build cd bcc/build cmake .. -DCMAKE_INSTALL_PREFIX=/usr make sudo make install
git clone https://github.com/Microsoft/Procmon-for-Linux cd Procmon-for-Linux mkdir build cd build cmake .. make
The distribution packages for Procmon for Linux are constructed utilizing
To build a
deb package of Procmon on Ubuntu simply run:
cd build cpack ..
Usage: procmon [OPTIONS] OPTIONS -h/--help Prints this help screen -p/--pids Comma separated list of process ids to monitor -e/--events Comma separated list of system calls to monitor -c/--collect [FILEPATH] Option to start Procmon in a headless mode -f/--file FILEPATH Open a Procmon trace file
The following traces all processes and syscalls on the system
The following traces processes with process id 10 and 20
sudo procmon -p 10,20
The following traces process 20 only syscalls read, write and openat
sudo procmon -p 20 -e read,write,openat
The following traces process 35 and opens Procmon in headless mode to output all captured events to file procmon.db
sudo procmon -p 35 -c procmon.db
The following opens a Procmon tracefile, procmon.db, within the Procmon TUI
sudo procmon -f procmon.db
If you are interested in fixing issues and contributing directly to the code base, please see the document How to Contribute, which covers the following:
Please see also our Code of Conduct.
Copyright (c) Microsoft Corporation. All rights reserved.
Licensed under the MIT License.