Friday, December 30, 2022

Process Monitor - A neat tool for program inspection!

Recently, I found myself trying to debug an issue where a program would make a single request on start-up, and I needed to find out what endpoint it was calling. The trouble was that every time it started up it had a different PID, and the request was made soon thereafter.

My first thought was using Wireshark, except it's difficult to find a way to filter traffic by PID (at least I'm not sure how, and my Google-fu didn't turn anything up).

After that, I thought about writing a script that would watch for the process by name, collect its PIDs, and then watch network traffic for those processes. This could potentially work, but it would also be hit and miss.

Finally, I found a program available from Microsoft called Process Monitor which provides a very in-depth look at what a program is doing. At first glance, I found that it can tell you which DLLs are being loaded, which files on the system are being queried / read / written / removed, registry interactions, and network interactions.

In addition, the filters are great and support include and exclude rules to help narrow things down. You can also generate summaries of various general activities.
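As an added example (not from the original post), this PowerShell script drives Process Monitor from the command line to do what the post describes: capture while the program starts, then pull out only that program's network events by process name, so the changing PID does not matter. It assumes procmon.exe is on PATH, that its /AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog and /SaveAs switches behave as documented, and that the CSV export uses the column names "Process Name", "Operation", "Path" and "Time of Day".

```powershell
# Added example: capture with Process Monitor, then list one program's network
# activity from the saved log. Launch the program under test during the sleep.
param(
    [Parameter(Mandatory)] [string] $ProcessName,      # e.g. "myapp.exe" (assumed name)
    [string] $Pml = "$env:TEMP\procmon-capture.pml",
    [string] $Csv = "$env:TEMP\procmon-capture.csv",
    [int]    $Seconds = 30
)

# Start a silent capture to a backing file: /AcceptEula skips the licence prompt,
# /Quiet suppresses the filter dialog, /Minimized keeps the window out of the way.
Start-Process procmon.exe -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $Pml
Write-Host "Capturing for $Seconds s - start '$ProcessName' now."
Start-Sleep -Seconds $Seconds

# Stop the running capture, then convert the PML log to CSV for filtering.
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
Start-Process procmon.exe -ArgumentList '/AcceptEula', '/OpenLog', $Pml, '/SaveAs', $Csv -Wait

# Filter by process name rather than PID, keeping only TCP/UDP operations
# (e.g. "TCP Connect", "TCP Send", "UDP Send"); Path holds "src -> dst:port".
Import-Csv $Csv |
    Where-Object { $_.'Process Name' -ieq $ProcessName -and $_.Operation -match '^(TCP|UDP) ' } |
    Select-Object 'Time of Day', 'PID', 'Operation', 'Path' |
    Format-Table -AutoSize
```

The same include/exclude filter can be saved from the GUI and passed with /LoadConfig so the capture itself only records that process.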

Fat-Crush (fat-client crush) End
