Two Windows Monitoring Tools that Make Seeing, Believing

During the past few years, Microsoft Corp.'s systems have often been chastised for modifying registry and system files when updates were made because registry corruption can sometimes leave a server dead in the water. Have you ever wondered what exactly was changed during these operations?

Winternals Software LP's Filemon file monitor and Regmon registry monitor show you just that. As their names imply, they let you watch, in real time, files and the registry as they’re modified. If you put these two products on screen, side by side, you may be astonished to see what goes on during normal operations of a Windows-based server.


Our test platform was an Intel-based Pentium-166 MHz basic server running 96Mb of memory, and a small 8Gb UDMA disk drive. The act of running these two products takes up so few resources we decided to try it on one of our department servers instead of our primary dual processor P-2 test servers. After testing both products on both servers, we concluded that both products could run on just about any server imaginable.

Both products come together on one high-density floppy, attesting that products of diminutive size still exist that perform stellar jobs. It took less than 10 minutes to install the product, and even less to configure it. This is because you just run the product, then configure where the event capture log is saved and the maximum size for the file.

If you want to explore the server from another location you can install the client side of the product on the other server, but you have to physically visit the server to do so. Also, you have to run the client software on that server so it can be observed. We’d prefer to see the product run as a service so it can start, stop, and be restarted upon server reboot instead of being dependent upon manually starting or stopping the client.


Just run the FileMon program from its installed program group, and you’re off to the races. In this race, however, you’re already ahead of the rats because you can see which files are being modified. What’s more, by double-clicking the file listed in the screen below, Windows Explorer will start and take you directly to that file as it resides on the disk drive. This is truly an amazing product.

From this screen, we observed that the user profile for the administrator was being updated from a change in how Windows NT Explorer was resized. In a separate test, we used Microsoft Internet Explorer 4.01 SP1 to go to the Web and research some information with the Yahoo search engine. While watching both the FileMon and RegMon outputs, we noticed a significant amount of activity in not just the registry, but with the user profile as well. In all of our years of working with NT Server, this boisterous activity surprised us, and brought to light some user complaints we’ve heard in the past.

Namely, some users were unwisely using a server to pull double-duty as a workstation. When an application froze up, or didn’t work correctly, they would reboot the server. Aside from other users losing connectivity to this server, it became readily apparent that registry corruption is very likely.

We watched in awe as the system registry was accessed, modified, and rewritten as server activity occurred. Armed with that information, we double-clicked on one of the changes, and it showed us exactly where in the registry the change was taking place.


This is the first product we have seen that divulges critical information about the server -- when, how, and what got accessed or altered. We can’t judge it against the competition since we know of no equal competitor. But, if I had to make a decision on its merits for an enterprise, I would give it a complete thumbs-up for its simplicity in design and use as well as simple server resource needs. The product is a clear winner, and worthy of being installed on every MIS server known to man or Microsoft.

Product Specifications

Requires Windows NT Server 4.0 or Windows 2000 Server; the client runs on Windows NT and Win9x clients. Memory requirements are slightly more than 2 Mb when running; nothing else is required since it isn’t running as a service.

Winternals Software
Austin, Texas

Price & Licensing Info
Filemon and Regmon are licensed by User. You purchase one User license for each person who will use the software, and that person can use the software to connect to and monitor any number of systems. The software enables you to connect to any system within your network that is accessible via TCP/IP, and you may connect to any number of client systems simultaneously.


+ Small size uses minimal server resources.

+ Fast and easy to use.

+ Point-and-click interface easily guides through registry.

- Would like to see it as a service.
