Procmon v3.82 does not load saved filters - please fix this!

SysHoly 11 Reputation points
2021-06-16T14:02:52.087+00:00

Saved filters cannot be loaded in 3.82 via the menu Filter -> Load Filter.
No saved filters are loaded.
My very old version 3.04 works.

Tested with Procmon 3.82 under Win Build 20H2 and Server 2012 R2.

btw: Is there an archive with old versions of Sysinternals tools?


3 answers

  1. MB 11 Reputation points
    2022-02-20T16:42:41.863+00:00

    Procmon v3.89 had the same issue. But I found a workaround. Get an old version of Procmon (I used v3.61), start it and load your filter, then exit and open the new Procmon application, and it will start with your filters.

    Not nice, but better than using the old one or not being able to use saved filters at all.

    2 people found this answer helpful.

  2. Brad Kozell 6 Reputation points
    2022-03-31T12:01:07.307+00:00

    You don't have to look any further for the resolution to this issue than the registry itself. The "Me too" and "I can confirm" posts do absolutely nothing to resolve the matter.

    Here's a solution that is a viable work-around that simply works:

    Open the registry on the machine where you have Process Monitor installed, and have a look/export the following registry key:

    HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Monitor

    You'll quickly learn that Process Monitor stores all of your filters here. The filters you have created have names that begin with "Filter#". The name you used for the filter in Process Monitor is appended to "Filter#". The currently loaded filter has a name of "FilterRules" and will have binary data that will match one of your defined filters. Even if you reset the filters, your Filter# entries will remain, and the FilterRules value is reset to the default. An important note: Process Monitor reads and loads the "FilterRules" entry when it is launched.

    Armed with this knowledge, you can come to a quick work-around in a number of ways. You can even get creative and write your own script to handle the filter changes. In the spirit of keeping it simple, do the following:

    1. Run regedit, navigate to the "HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Monitor" key and export it. Keep this exported file as a master copy and don't edit it directly. You will need to use this if you have multiple filters.
    2. Make a copy of the above exported file, and rename the copy to something meaningful to you to reflect what the filter does. For example, my file is named "Process Monitor - Load 'Monitor Outlook Settings' Rule.reg"
    3. Edit the file you created in Step 2. You want to remove all names & values in this file that appear below "[HKEY_CURRENT_USER\SOFTWARE\Sysinternals\Process Monitor]" EXCEPT for the filter you wish to use. In my example, my filter is "Filter#Monitor Outlook Settings".
    4. After removing everything and leaving just your filter with its data, edit the filter name and change it to "FilterRules". In my instance, "Filter#Monitor Outlook Settings"=hex:{tons of binary data} was changed to "FilterRules"=hex:{tons of binary data}
    5. Save your reg file.
    6. Make certain Process Monitor is closed, double-click your reg file from Step 5 to import it (I'm assuming you have Admin privileges here), say yes/ok to everything that pops up, and launch Process Monitor.
    7. Just like magic, you are now able to "load" your custom filters without having to do silly things such as obtaining older versions just to change the filter.
    8. Repeat each step from #2 onwards for any other filters you wish to use.

    The only caveat is you can't switch filters while Process Monitor is running. It only reads the FilterRules registry setting at start-up. The Load function within the application once upon a time used to read your filter registry setting, write it to "FilterRules" and force a reload of this key. Clearly, this is where something is broken.

    Eight simple steps. I know it seems like a lot, but it can be done very quickly if you're accustomed to the registry and making your own registry files to import. In the end, you will have your library of separate reg files to load as the current filter. You could even make a habit of double-clicking the desired registry file just prior to launching Process Monitor. Slight inconvenience, but well worth it to get your filters to work again.

    You could write your own batch file to import your filter & launch Process Monitor to go back to the simplicity of only double-clicking one item to get into Process Monitor. This is where you can get creative - you could write a batch file to scan the registry for your filters, ask which filter you wish to load, import the selected filter, and launch Process Monitor. Not worth it for me - the quick & dirty manual import is good enough.

    Hope this helps everyone, and ends the madness of endless searching on the 'net only to be met with problems without solutions.

    1 person found this answer helpful.
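The scripted variant that the answer above suggests but does not write out, as an added example (editor's code, not part of the original answer or of Sysinternals): it enumerates the "Filter#<name>" values under the key named in the answer, copies the chosen one into "FilterRules" with Set-ItemProperty instead of going through an exported .reg file, takes a backup of the key first, and launches Process Monitor. The registry key and value naming come from the answer; the Procmon path, the backup folder and the refusal to run while Procmon is open are this example's own assumptions.

```powershell
# Added example, not from the original answer. Assumes the layout described above:
# "Filter#<name>" values hold saved filters and "FilterRules" is what Procmon reads
# at start-up. The Procmon path is an assumption; adjust it to your installation.
param(
    [string]$FilterName,
    [string]$ProcmonPath = "$env:USERPROFILE\Tools\Procmon64.exe"
)

$key = 'HKCU:\SOFTWARE\Sysinternals\Process Monitor'
if (-not (Test-Path $key)) { throw "Key not found: $key (run Procmon once first)" }

# Enumerate saved filters: every value whose name starts with "Filter#".
$item  = Get-Item -Path $key
$saved = @($item.GetValueNames() | Where-Object { $_ -like 'Filter#*' })
if ($saved.Count -eq 0) { throw "No saved filters (Filter#*) found under $key" }

if (-not $FilterName) {
    # No name given on the command line: show a numbered menu and ask.
    $i = 0
    foreach ($v in $saved) { $i++; Write-Host ("{0,2}) {1}" -f $i, $v.Substring(7)) }
    $choice = [int](Read-Host 'Filter to load')
    if ($choice -lt 1 -or $choice -gt $saved.Count) { throw 'Invalid selection' }
    $FilterName = $saved[$choice - 1].Substring(7)   # strip the "Filter#" prefix
}

$valueName = "Filter#$FilterName"
if ($saved -notcontains $valueName) { throw "No saved filter named '$FilterName'" }

# Procmon only reads FilterRules at start-up, so refuse to change it while it runs.
if (Get-Process -Name 'Procmon', 'Procmon64' -ErrorAction SilentlyContinue) {
    throw 'Close Process Monitor before switching filters'
}

# Back up the whole key (assumed folder under %TEMP%) so the previous state can be restored.
$backupDir = Join-Path $env:TEMP 'procmon-filter-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export 'HKCU\SOFTWARE\Sysinternals\Process Monitor' (Join-Path $backupDir "procmon-$stamp.reg") /y | Out-Null

# Copy the saved filter's REG_BINARY blob into FilterRules, the value Procmon loads.
[byte[]]$blob = $item.GetValue($valueName)
Set-ItemProperty -Path $key -Name 'FilterRules' -Value $blob -Type Binary
Write-Host "FilterRules now holds '$FilterName' ($($blob.Length) bytes)"

if (Test-Path $ProcmonPath) { Start-Process -FilePath $ProcmonPath }
else { Write-Warning "Procmon not found at $ProcmonPath; launch it manually" }
```

Run it as `.\Load-ProcmonFilter.ps1 -FilterName 'Monitor Outlook Settings'` to load a known filter, or with no arguments to pick from the menu. Writing the value directly avoids editing a .reg file by hand, but it has the same limitation the answer describes: the new filter only takes effect when Process Monitor is next started.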

  3. Medlin Karsten 1 Reputation point
    2022-02-11T10:17:29.25+00:00

    I used version 3.88 and had the same problem loading filters.
