Waters

Methods for analyzing a Process Monitor log (PML) file - WKB124616

Article number: 124616

OBJECTIVE or GOAL

Explore various methods for analyzing a Process Monitor trace log file.

ENVIRONMENT

  • NuGenesis 9
  • NuGenesis 8
  • Empower
  • MassLynx
  • UNIFI

PROCEDURE

  1. First, filter the log file to the processes of interest for the problem. Refer to the following articles for process names associated with Waters software components:
  2. Control-End method:
    • If the problem is reproducible and the procmon trace was stopped shortly after the issue was reproduced, press Control-End to go to the last visible event in the log file. In many cases, such as normal or abnormal program exits, there will be a Process Exit event. Before that event there will be a series of "Thread Exit" events and/or events where the process queries for DLL files. These events can be ignored; they are evidence of normal program cleanup by Windows. The last event before these cleanup events is the most likely suspect for the problem. It would most likely be an attempt to access a file or a registry key, or to send or receive data on the network.
  3. Comparison method:
    • If possible, get a procmon trace of the problem, and of the same action on another machine where it's successful. Open both log files on a machine and apply the same filters in both files (refer again to the process lists for Waters products). Step through the known-good and problem log files. The two logs should be similar in their workflow, with some slight differences in paths expected for usernames, machine names, and the like. The point at which the "Problem" log diverges from the known-good log is the likely source of the problem.
  4. The Count Occurrences method:
    • With a problem log open and filtered appropriately, click the Tools menu > Count Occurrences. Select the Result column in the list and click Count. Procmon lists all of the distinct values in the Result column and the number of each result. Some events, such as ACCESS DENIED, are almost always of interest. Double-click on an entry in the table to have procmon filter the entries to that result type. The paths for those entries, the process and usernames involved, and the stack traces in each event are useful in determining whether those entries are relevant to the problem or the cause of the problem.
  5. The time-box method:
    • In some cases, the problem is not with the Waters software processes themselves but with the OS or anti-malware processes. In such cases the problem won't be apparent if only the Waters processes are visible. Press Control-R to reset the filters, then find events some way before and after the problem occurrence. Use the Exclude Events Before and Exclude Events After options on the right-click menu to filter out the majority of the events. This way, events from other processes will be visible in the trace. One common suspect is anti-malware software: it often opens or locks files or registry keys when Waters processes try to access those objects, and such interference often leads to problems in Waters software products.
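
The comparison method can also be scripted. The following is an added example, not part of the original article or of any Waters tool: it assumes both traces were saved from Process Monitor in CSV format with the default columns, and it uses a made-up process name (Example.exe), made-up paths, users and machine names as constructed sample data. It normalizes the expected per-user and per-machine differences, aligns the two event sequences, and reports the first point where the problem log diverges from the known-good log.

```python
import csv
import difflib
import io
import re

# Constructed sample exports (not real traces); names and paths are made up.
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
GOOD = HEADER + r'''"10:00:01.1","Example.exe","4120","RegOpenKey","HKLM\SOFTWARE\Example","SUCCESS",""
"10:00:01.2","Example.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Example\app.cfg","SUCCESS",""
"10:00:01.3","Example.exe","4120","CreateFile","C:\ProgramData\Example\LAB-PC-01.lic","SUCCESS",""
"10:00:01.4","Example.exe","4120","ReadFile","C:\ProgramData\Example\LAB-PC-01.lic","SUCCESS",""
'''
BAD = HEADER + r'''"14:30:09.1","Example.exe","5312","RegOpenKey","HKLM\SOFTWARE\Example","SUCCESS",""
"14:30:09.2","Example.exe","5312","CreateFile","C:\Users\bob\AppData\Local\Example\app.cfg","SUCCESS",""
"14:30:09.3","Example.exe","5312","CreateFile","C:\ProgramData\Example\LAB-PC-02.lic","ACCESS DENIED",""
'''

USER_DIR = re.compile(r"(c:\\users\\)[^\\]+")

def load_events(csv_text, process, aliases=()):
    """Return [(operation, normalized path, result)] for one process.

    For a real export, read the file with encoding="utf-8-sig" so a
    byte-order mark, if present, does not end up in the first column name.
    """
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue  # same filter in both logs, as in the procedure
        # Windows paths are case-insensitive; hide the user profile name.
        path = USER_DIR.sub(r"\1<USER>", row["Path"].lower())
        for name in aliases:  # machine names expected to differ
            path = path.replace(name.lower(), "<HOST>")
        events.append((row["Operation"], path, row["Result"]))
    return events

def first_divergence(good, bad):
    """Align both sequences; return the first block that differs, or None."""
    sm = difflib.SequenceMatcher(None, good, bad, autojunk=False)
    for tag, g1, g2, b1, b2 in sm.get_opcodes():
        if tag != "equal":
            return {"index": b1, "good": good[g1:g2], "bad": bad[b1:b2]}
    return None

if __name__ == "__main__":
    good = load_events(GOOD, "Example.exe", aliases=["LAB-PC-01"])
    bad = load_events(BAD, "Example.exe", aliases=["LAB-PC-02"])
    print(first_divergence(good, bad))
```

PID and time of day are deliberately left out of the comparison because they differ between any two runs.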
