How many times have you run into a slow or lengthy boot on your PC? Does it happen only on your computer? There could be many reasons for this: too many startup processes, Run keys, and sometimes even malware executables.
Troubleshooting becomes much easier once you know what really happens when your PC boots. The Process Monitor tool from SysInternals helps you do exactly that. The tool can also be used to capture other process and access information; however, in this post we will look at its Boot Logging capability.
Step 1: Run procmon.exe, go to the Options menu, and click Enable Boot Logging.
Step 2: This brings up the Boot Logging options shown below. You can choose to enable profiling events if you need them.
Step 3: Now reboot your PC. When the machine restarts, Process Monitor will record all the processes and applications invoked during system boot and write them to a dump file.
Step 4: Run procmon.exe again. You will see the dialog below, which tells you that a log of the boot-time activity was created by the previous instance of Process Monitor. To save the collected data, press the Yes button.
Step 5: The file is initially saved as a dump file in C:\Windows; you will need to convert it to a Process Monitor Log (PML) file. Save the log file using the dialog below. This starts converting the dump file to a PML file.
Once the log is converted, it opens in the Process Monitor tool.
Here you get a view of all the applications and processes that were executed during system boot. This report helps you identify which process was invoked by whom and how long it took to complete. You can also spot any malware running on your PC that is slowing down your system boot.
Step 6: You can filter these reports; when you click on any entry you get the dialog below, which gives a complete snapshot of the process attributes: who invoked it, its architecture, the parent process ID, and, in the Stack tab, where the process transitioned from user mode to kernel mode.
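The same triage can be scripted once the boot log has been saved from Procmon in CSV format (File > Save, choose CSV). The following Python script is an added example and is not part of the original post or of Process Monitor itself: it rebuilds who invoked whom from the Parent PID in the Process Start detail, measures each process's lifetime from Process Start to Process Exit, and flags processes launched from outside the Windows and Program Files directories as candidates for a closer look. The sample rows are constructed, and the parsing assumes Procmon's default CSV columns.

```python
import csv, io, re
from datetime import datetime

# Constructed sample rows in Procmon's default CSV column layout (assumption: the parent
# PID is only in the Detail field of the "Process Start" event, not in a column of its own).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:47:20.1000000 AM","System","4","Process Start","","SUCCESS","Parent PID: 0, Command line: , Current directory: "
"7:47:21.0000000 AM","smss.exe","300","Process Start","","SUCCESS","Parent PID: 4, Command line: \\SystemRoot\\System32\\smss.exe, Current directory: C:\\Windows\\"
"7:47:25.5000000 AM","explorer.exe","1200","Process Start","","SUCCESS","Parent PID: 1100, Command line: C:\\Windows\\Explorer.EXE, Current directory: C:\\Windows\\"
"7:47:26.0000000 AM","updater.exe","1300","Process Start","","SUCCESS","Parent PID: 1200, Command line: C:\\Users\\bob\\AppData\\Roaming\\updater.exe, Current directory: C:\\Users\\bob\\"
"7:47:31.2500000 AM","updater.exe","1300","Process Exit","","SUCCESS","Exit Status: 0, User Time: 0.0156250 seconds, Kernel Time: 0.0312500 seconds"
'''
# Image locations that are normal for boot-time processes; anything else deserves a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\", "\\systemroot\\")
DETAIL_RE = re.compile(r"Parent PID: (\d+), Command line: (.*?), Current directory:")
def _seconds(time_of_day):
    """'7:47:21.5689043 AM' -> seconds since midnight (strptime's %f takes at most 6 digits)."""
    clock, meridian = time_of_day.split()
    hms, frac = clock.split(".")
    t = datetime.strptime(f"{hms} {meridian}", "%I:%M:%S %p")
    return t.hour * 3600 + t.minute * 60 + t.second + int(frac[:6].ljust(6, "0")) / 1e6

def triage_boot_log(csv_text):
    """Map PID -> {name, parent, cmdline, start, duration, suspicious} from a Procmon CSV export."""
    procs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["PID"])
        if row["Operation"] == "Process Start":
            m = DETAIL_RE.search(row["Detail"])
            cmdline = m.group(2).strip().lstrip('"') if m else ""
            procs[pid] = {"name": row["Process Name"], "parent": int(m.group(1)) if m else None,
                          "cmdline": cmdline, "start": _seconds(row["Time of Day"]), "duration": None,
                          "suspicious": bool(cmdline) and not cmdline.lower().startswith(TRUSTED_PREFIXES)}
        elif row["Operation"] == "Process Exit" and pid in procs:  # lifetime = start -> exit
            procs[pid]["duration"] = round(_seconds(row["Time of Day"]) - procs[pid]["start"], 3)
    return procs

def ancestry(procs, pid):
    """Follow Parent PID links back as far as the log records them: 'who invoked whom'."""
    chain = []
    while pid in procs:
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["parent"]
    return " <- ".join(chain)

if __name__ == "__main__":
    procs = triage_boot_log(SAMPLE_CSV)
    for pid, p in procs.items():
        if p["suspicious"]:
            print(f"review: {ancestry(procs, pid)} ran {p['duration']}s from {p['cmdline']}")
```

A process whose parent exited before Procmon's boot logging captured it, or that was started by a PID not in the log, simply ends the ancestry chain early, so a short chain is not itself a finding.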