The software giant Microsoft has successfully managed to port its Process Monitor tool, also known as ProcMon, to Linux. Well, ProcMon is nothing but a free tool from Windows Sysinternals that handles real-time tracking of all file system activity on Windows and Unix-like operating systems.
Process Monitor for Linux
This development is hardly surprising since the company had previously promised to bring some of the Sysinternals tools to Linux, and ProcMon was one of them. As a result, ProcMon 1.0 preview is now available for Linux.
“Process Monitor (Procmon) is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system,” Microsoft explains.
The Process Monitor or ProcMon tool is available on the Sysinternals pages of Microsoft and you can download it free of charge. The tool allows users to see the internal workings of an application or the operating system itself.
You can have an application process running that involves making calls to the registry. Then, it also makes calls to the operating systems to create and destroy processes and threats. All of those events become visible in a Process Monitor trace.
What users don’t see, however, is an application’s window events or whenever the application receives keystrokes and mouse movements, etc. None of those events are visible in a Process Monitor trace now.
This tool is particularly helpful for developers to track the behavior of certain apps and how they interact with operating system resources.
Getting started with ProcMon for Linux
Getting started with Process Monitor for Linux for Ubuntu 18.04 devices requires the following set of commands:
wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install procmon
Upon starting ProcMon, it immediately starts recording events. Users also see some percentage of events pre-recorded. The reason being, ProcMon has some default filters, which behaves like a display filter in one of the packet sniffing tools called Wireshark.