Process Monitor (procmon) does not show some UDP / TCP network activity events, shown in Network Monitor
7,927
Solution 1
System is deactivated by the default filter (exclude system events). Delete the filter and these events will show up.
Solution 2
Shot in the dark: Use psexec to run Process Monitor as localsystem.
Related videos on Youtube
10 : 10
How to monitor your network devices ( PC , Server , Router , Printer , ... ) | NETVN
03 : 33
How To Use: Process Monitor - Activity Monitor
05 : 14
TCPView - Monitor the Network Activity on your local computer.
06 : 17
Process Monitor: TCP/IP tracing, Process ID and Thread ID
02 : 08
Process Monitor (procmon) does not show some UDP / TCP network activity events, shown in Network...
11 : 51
How to display TCP/UDP connections?
14 : 22
Process Monitor: Matching Wireshark and Procmon Traces
Comments
-
marsh-wiggle almost 2 years
I observe sometimes a difference between Process Monitor and Network Monitor. Process Monitor does not show some UDP / TCP network events.
Here is an example:
net use * \\test12345.domain.local\test
shows in Netmon as:
shows in Process Monitor:
Why is the NetBIOS nameservice (:137) communication is missing in Process Monitor?
(I've tested it on several virtual and physical Windows PCs, like Windows Server 2008 R2, Windows 7, and Windows Server 2008.)
-
Justin Dearing over 9 yearsI would ask on the sysinternals forum and for more clues, there is a fork of Wireshark that associates packets with process, if netmon doesn't. It might be that the 137 network traffic happens at the kernel level from a Localsystem level access.
-
-
Peter Mortensen over 5 yearsWhat is "localsystem"? A Windows user account? Or something else? Can you add a reference?
