Process Monitor is a good tool. Be sure you have the latest version (3.05 as of today). Also, to control file size and location:
- Filter for the process(es) you care about, assuming you know what they are. E.g. create filters like PROCESS NAME IS _mprosrv.exe, PROCESS NAME IS _mprshut.exe, etc. If you're not sure that you know a comprehensive list of processes then you can use a different relation operator, like PATH BEGINS WITH C:\myDLCdir. You can use multiple filters if you want. But understand the rules; they are documented in the help. Basically, if you have multiple filters with the same value on the left side of the relation, they are ORed together. Multiple filters with different values on the left side of the relation are ANDed together. For example, if you used the filters above, it would filter for events where (( process name is _mprosrv.exe OR process name is _mprshut.exe ) AND ( path begins with C:\myDLCdir )). Let me know if I didn't explain that well.
- Select "Drop filtered events" from the Filter menu. That will keep stuff you don't care about out of the log and make it much smaller. Understand though that if you're new to the tool you may not yet know what you want and what you don't. So try without it at first.
- Don't use the paging file; that will limit you. Before you start your capture, select File | Backing files and redirect the output to a .pml file somewhere on your file system (not the DB storage obviously, if you can help it).
I guess you know that you need administrative privilege to run Process Monitor. Also, it can be a bit more challenging on older OSes. On Vista/Server 2008 and later, PM ties into the ETW subsystem and is pretty responsive. On prior OSes (XP, Server 2003/2003 R2) it can take a little while to do things like stop a capture and save a file. That's a pain as it starts capture immediately when you run it. You can get around this by launching it from an elevated command prompt with "procmon -noconnect". You will notice that some activity is filtered out by default, including paging file I/O and activity in the System "process".
I'm no expert with PM but I've used it a bit. Let me know if you need any help. Also, these videos (PM part I, PM part II) on Channel9 might help you as well. Good luck.
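
Added example, not part of the original post and not Process Monitor's own code: a small Python model of the filter rule described above (filters on the same column are ORed, different columns are ANDed), run over constructed sample events. The relation names, the case-insensitive comparison, and the helper names `matches` and `kept` are assumptions of this sketch.

```python
from collections import defaultdict

# Relations modeled in this sketch; values are lower-cased before comparison
# (case-insensitive matching is an assumption, not taken from the post).
RELATIONS = {
    "is": lambda value, target: value == target,
    "begins with": lambda value, target: value.startswith(target),
    "ends with": lambda value, target: value.endswith(target),
    "contains": lambda value, target: target in value,
}

def matches(event, filters):
    """Return True if the event passes every include filter group.

    Filters that share a column are ORed together; the per-column
    results are then ANDed.
    """
    by_column = defaultdict(list)
    for column, relation, target in filters:
        by_column[column].append((relation, target))
    for column, tests in by_column.items():
        value = str(event.get(column, "")).lower()
        if not any(RELATIONS[rel](value, tgt.lower()) for rel, tgt in tests):
            return False  # no filter in this column group matched
    return True

def kept(events, filters):
    """Events that stay in the log when filtered events are dropped."""
    return [e for e in events if matches(e, filters)]

# The three filters from the post.
FILTERS = [
    ("Process Name", "is", "_mprosrv.exe"),
    ("Process Name", "is", "_mprshut.exe"),
    ("Path", "begins with", r"C:\myDLCdir"),
]

# Constructed sample events (not real capture data).
EVENTS = [
    {"Process Name": "_mprosrv.exe", "Path": r"C:\myDLCdir\bin\x.dll"},
    {"Process Name": "_mprshut.exe", "Path": r"C:\myDLCdir\startup.pf"},
    {"Process Name": "_mprosrv.exe", "Path": r"C:\Windows\System32\ntdll.dll"},
    {"Process Name": "notepad.exe", "Path": r"C:\myDLCdir\readme.txt"},
]

if __name__ == "__main__":
    for e in kept(EVENTS, FILTERS):
        print(e["Process Name"], e["Path"])
```

The third and fourth sample events show what each group excludes: a watched process touching a path outside the directory, and an unrelated process touching a path inside it.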