
Description
ProcDOT takes a Process Monitor (Procmon) CSV export and, optionally, a packet capture, and graphs the activity of a selected process. The graph shows every file and registry key the process touched, every child process and thread it spawned, and every file and registry key touched by those children; network connections from the capture are correlated to the process that made them. The activity can also be played back in sequence, so the order of operations (drop a file, set a Run key, spawn a child) is visible rather than only the end state.
| Platform | Windows and Linux |
| Author | Christian Wojner |
| License | ISC |
| URL | https://www.procdot.com/ |
Usage
In Procmon
- Configure the displayed columns in Procmon (Options > Select Columns) to include Thread ID (shown as TID) and Sequence; ProcDOT needs both to order events and tie them to threads.
- Under the Filter menu, make sure "Enable Advanced Output" is unchecked; advanced output renames operations to their IRP-level forms, which ProcDOT does not parse.
- Under Options, uncheck "Show Resolved Network Addresses" so that raw IP addresses are logged and can be matched against the packet capture.
- Save the output as CSV and choose "All events", not "Events displayed using current filter"; a filtered export loses the parent and child events ProcDOT needs to build the tree.
In ProcDOT
- Load the procmon CSV into procdot (and optionally the packet capture).
- Click the “…” next to Launcher and select the starting process you want to analyze.
- Click Refresh to update the graph.
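Before loading a large export into ProcDOT it is worth checking that the CSV was saved with the settings above, since a missing TID column or an advanced-output export only fails later in the GUI. The script below is an added example, not part of ProcDOT or Procmon: it verifies the required columns, flags advanced-output operation names, and then does a small version of what ProcDOT draws, walking "Process Create" events from a chosen starting PID and summarizing what the process tree touched. The sample CSV is constructed to look like a Procmon export; the column names and the "PID: <n>" form of the Process Create detail field match what Procmon writes, while the file paths, PIDs and addresses are invented.

```python
import csv
import io
import re
from collections import defaultdict, deque

# Columns ProcDOT depends on (names as Procmon writes them in the CSV header).
REQUIRED_COLUMNS = {"PID", "Operation", "Path", "Detail", "TID", "Sequence"}

# With "Enable Advanced Output" on, Procmon logs IRP-level operation names
# (IRP_MJ_CREATE instead of CreateFile); their presence means the export is unusable.
ADVANCED_OUTPUT_PREFIXES = ("IRP_MJ_", "FASTIO_", "FSCTL_")

PROCESS_OPS = {"Process Create", "Process Start", "Process Exit",
               "Thread Create", "Thread Exit", "Load Image"}

# Constructed sample export: powershell.exe (1234) launches dropper.exe (5678), which
# sets a Run key, writes a DLL and launches rundll32.exe (9012). explorer.exe is noise.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","TID","Sequence"
"10:00:00.0000001","powershell.exe","1234","Process Create","C:\Temp\dropper.exe","SUCCESS","PID: 5678, Command line: C:\Temp\dropper.exe","1000","1"
"10:00:00.0000002","dropper.exe","5678","Process Start","","SUCCESS","Parent PID: 1234, Command line: C:\Temp\dropper.exe","2000","2"
"10:00:00.0000003","dropper.exe","5678","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Set Value","2000","3"
"10:00:00.0000004","dropper.exe","5678","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Temp\dropper.exe","2000","4"
"10:00:00.0000005","dropper.exe","5678","CreateFile","C:\Users\user\AppData\Local\Temp\payload.dll","SUCCESS","Desired Access: Generic Write","2000","5"
"10:00:00.0000006","dropper.exe","5678","WriteFile","C:\Users\user\AppData\Local\Temp\payload.dll","SUCCESS","Offset: 0, Length: 4,096","2000","6"
"10:00:00.0000007","dropper.exe","5678","Process Create","C:\Windows\System32\rundll32.exe","SUCCESS","PID: 9012, Command line: rundll32.exe payload.dll,Start","2000","7"
"10:00:00.0000008","rundll32.exe","9012","TCP Connect","host:49152 -> 203.0.113.5:443","SUCCESS","Length: 0","3000","8"
"10:00:00.0000009","explorer.exe","4321","CreateFile","C:\Users\user\Desktop","SUCCESS","Desired Access: Read","4000","9"
'''


def check_csv(text):
    """Parse a Procmon CSV export. Returns (rows, missing_columns, advanced_output_seen)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = sorted(REQUIRED_COLUMNS - set(reader.fieldnames or []))
    advanced = False
    rows = []
    for row in reader:
        if row.get("Operation", "").startswith(ADVANCED_OUTPUT_PREFIXES):
            advanced = True
        rows.append(row)
    return rows, missing, advanced


def process_tree(rows, root_pid):
    """Follow Process Create events from root_pid. Returns (pids in BFS order, children map)."""
    children = defaultdict(list)
    for row in rows:
        if row["Operation"] != "Process Create":
            continue
        # Procmon puts the new process id in the Detail column as "PID: <n>, Command line: ..."
        m = re.search(r"PID:\s*(\d+)", row["Detail"])
        if m:
            children[int(row["PID"])].append(int(m.group(1)))
    order, seen, queue = [], {root_pid}, deque([root_pid])
    while queue:
        pid = queue.popleft()
        order.append(pid)
        for child in children.get(pid, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return order, {pid: children[pid] for pid in order if pid in children}


def categorize(operation):
    """Bucket a Procmon operation the way ProcDOT colours its graph nodes."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation in PROCESS_OPS:
        return "process"
    return "file"


def activity_summary(rows, pids):
    """Count operations per category for each PID in the tree; unrelated PIDs are dropped."""
    wanted = set(pids)
    summary = {pid: defaultdict(int) for pid in pids}
    for row in rows:
        pid = int(row["PID"])
        if pid in wanted:
            summary[pid][categorize(row["Operation"])] += 1
    return {pid: dict(counts) for pid, counts in summary.items()}


if __name__ == "__main__":
    rows, missing, advanced = check_csv(SAMPLE_CSV)
    if missing or advanced:
        raise SystemExit(f"export not usable: missing={missing} advanced_output={advanced}")
    pids, children = process_tree(rows, 1234)
    for pid, counts in activity_summary(rows, pids).items():
        print(pid, "->", children.get(pid, []), counts)
```

Run it against a real export by replacing SAMPLE_CSV with the file contents and 1234 with the PID chosen as the Launcher in ProcDOT; the categories here are a simplification of ProcDOT's own node types.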
Examples
In the following example, PowerShell was used to launch an executable while Procmon was recording. The resulting CSV was then loaded into ProcDOT with powershell.exe selected as the Launcher, so the file and registry interactions of the executable and its children could be displayed visually.

Blog Posts