Process Monitor fails to start on a 64 bit computer

Solution 1:

Here is what I found. The 32 bit Procmon.exe contains the 64 bit exe inside it as a binary resource. When the 32 bit exe starts, it extracts the 64 bit version out to a hidden file called Procmon64.exe and then executes that. For some reason this process fails on some Windows 7 installs.

I managed to extract the 64 bit exe using Visual Studio 2010.

  1. Open Visual Studio and open the Procmon.exe file using the File->Open->File... menu
  2. In the resource tree, expand the "BINRES" node
  3. Right-click on the 1308 node and select Export...
  4. Name the exported resource Procmon-64.exe and save
  5. Run the extracted exe

Don't name the extracted exe Procmon64.exe (no hyphen) because the 32 bit Procmon will try to delete it if it gets the chance.

If you don't have Visual Studio, use a Windows executable resource extractor like ResourcesExtract - http://www.nirsoft.net/utils/resources_extract.html
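
The same export can be scripted in PowerShell. The following is an added example, not part of the original answer: it reads the BINRES resource with ID 1308 named in the steps above through the Win32 resource API, then checks the extracted file's Authenticode signature. Both file paths are assumed placeholders.

```powershell
# Added example. The resource type "BINRES" and ID 1308 come from the answer above;
# the two paths are assumptions, adjust them to your system.
$source = 'C:\SysInternals\Procmon.exe'
$target = 'C:\SysInternals\Procmon-64.exe'   # hyphenated, as the answer advises

Add-Type -Namespace Win32 -Name Res -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr FindResource(IntPtr hModule, IntPtr lpName, string lpType);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll")]
public static extern IntPtr LockResource(IntPtr hResData);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

# LOAD_LIBRARY_AS_DATAFILE (0x2): map the file for resource access only; none of its code runs.
$module = [Win32.Res]::LoadLibraryEx($source, [IntPtr]::Zero, 0x2)
if ($module -eq [IntPtr]::Zero) { throw "Cannot open $source" }
try {
    # Integer resource IDs are passed as the pointer value itself (MAKEINTRESOURCE).
    $info = [Win32.Res]::FindResource($module, [IntPtr]1308, 'BINRES')
    if ($info -eq [IntPtr]::Zero) { throw 'Resource BINRES/1308 not found' }
    $size  = [Win32.Res]::SizeofResource($module, $info)
    $data  = [Win32.Res]::LockResource([Win32.Res]::LoadResource($module, $info))
    $bytes = New-Object byte[] ([int]$size)
    [Runtime.InteropServices.Marshal]::Copy($data, $bytes, 0, [int]$size)
    [IO.File]::WriteAllBytes($target, $bytes)
}
finally { [void][Win32.Res]::FreeLibrary($module) }

# Before running the file: confirm it is a PE image ('MZ') and inspect its signature.
if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw 'Extracted data is not a PE file' }
Get-AuthenticodeSignature $target | Format-List Status, SignerCertificate
```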

Solution 2:

Let me blow your mind. procmon.exe REQUIRES the Workstation service to be running in order to start. It uses it to enumerate something and will silently die without it.

This is not documented anywhere and pretty bogus.


Solution 3:

I know this thread has been around a while, but I just saw this problem lately and I noticed another factor that might be helpful: administrator rights. If I log in as an admin and run it, it works fine. If I log in as a non-admin and run it, the problem happens, and the extracted procmon-64 shows the same problem.


Solution 4:

I succeeded in extracting ProcMon64.exe with the following Perl script, placed and executed in the temp folder.

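    use File::Copy;

    # Child process: start the 32-bit ProcMon, which extracts ProcMon64.exe.
    if (fork() == 0) {
        system "C:\\SysInternals\\ProcMon.exe";
    }
    # Parent process: poll for ProcMon64.exe and keep a copy each time it is seen.
    else {
        for ($i = 1; $i < 1000; $i++) {
            if (-e 'ProcMon64.exe') {
                copy('ProcMon64.exe', $i . '.exe');
            }
        }
    }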

After multiple executions it creates tens of copies, which are all the same (the same CRC32).