App-V and Process Monitor

The number one tool for troubleshooting applications has been, and still is, Process Monitor, which provides great insight into everything that happens in the background of an application. However, when combining App-V and Process Monitor there are some challenges in seeing the entire background activity, especially when it comes to registry activity. For quite some time there have been things that were not properly shown when troubleshooting with Process Monitor and attempting to view the registry activity of a virtual application.

Process Monitor presents us with quite a few different ways of starting. Let's explore the possibilities:

[image: Process Monitor start-up switches]

Obviously, we could just start it and see what it spits out. Looking through the possible start-up switches presents quite a few different ways of starting procmon. For our specific scenario the /hookregistry switch looks mighty tempting, but the help states that it only works on x86 Vista. The announcement of that feature was on the SoftGrid blog and was a first turning point after Microsoft acquired Softricity.

That is only what's documented; looking around the internet, we can find one additional method of troubleshooting App-V. /externalcapture is a more commonly known start-up switch, but it is not documented (as you can see above), and apart from some presentations by Microsoft and unofficial blog entries there isn't a whole lot formally written down about this gem.

Key question: what's the best method of using Process Monitor to troubleshoot App-V applications?

Well, let's find out.
A specific application is selected, mainly because it is small, it does access the virtual registry when it starts, and hopefully we can understand the difference between these behaviours. A filter is applied to only include the process in question (opwin.exe), and all the tests are performed on a Windows 7 SP1 x86 machine.

Test 1
procmon.exe
[image: Process Monitor capture for Test 1]
Result is 265 items in total

Test 2
procmon.exe /hookregistry
[image: Process Monitor capture for Test 2]
Result is 265 items in total

Test 3
procmon.exe /externalcapture
[image: Process Monitor capture for Test 3]
Result is 322 items in total
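The three tests above can be repeated without clicking through the Process Monitor GUI. The PowerShell script below is an added example, not part of the original post: it starts procmon.exe with each of the three start-up switch sets, captures to a backing file while the application runs, stops the capture, exports the log to CSV and counts the events recorded for one process, splitting out the registry operations. The path to procmon.exe, the path to the application under test and the capture window are assumptions that need to be adjusted; the /AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog and /SaveAs switches are documented Process Monitor options, and the CSV column names are those Process Monitor writes when saving as CSV.

```powershell
# Added example (not from the original post): compare Process Monitor start-up
# switches by counting the events captured for one process.
param(
    [string]$ProcmonPath   = 'C:\Tools\Procmon.exe',                   # assumed location of procmon.exe
    [string]$TargetExe     = 'C:\Program Files\Example\opwin.exe',     # assumed path of the (virtual) application
    [string]$ProcessName   = 'opwin.exe',                              # process the post filters on
    [int]$CaptureSeconds   = 20,                                       # assumed run time of the application
    [string]$OutDir        = "$env:TEMP\procmon-appv"
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# The three tests from the post: no switch, /hookregistry and /externalcapture.
$tests = [ordered]@{
    'test1-default'         = @()
    'test2-hookregistry'    = @('/HookRegistry')
    'test3-externalcapture' = @('/ExternalCapture')
}

function Invoke-ProcmonCapture {
    param([string]$Name, [string[]]$Switches)

    $pml = Join-Path $OutDir "$Name.pml"
    $csv = Join-Path $OutDir "$Name.csv"
    Remove-Item $pml, $csv -ErrorAction SilentlyContinue

    # Start capturing to a backing file; /Quiet suppresses the filter dialog,
    # /Minimized keeps the window out of the way. Paths are quoted for spaces.
    $procArgs = @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`"") + $Switches
    Start-Process -FilePath $ProcmonPath -ArgumentList $procArgs
    Start-Sleep -Seconds 3   # give the driver (or hooks) time to attach

    # Launch the application under test and let it run for a fixed window.
    $app = Start-Process -FilePath $TargetExe -PassThru
    Start-Sleep -Seconds $CaptureSeconds
    if (-not $app.HasExited) { Stop-Process -Id $app.Id -Force }

    # Stop the capture; /Terminate returns once the running instance has exited.
    Start-Process -FilePath $ProcmonPath -ArgumentList @('/Terminate') -Wait

    # Convert the PML log to CSV so it can be filtered outside the GUI.
    Start-Process -FilePath $ProcmonPath -ArgumentList @('/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`"") -Wait

    # Keep only the process under test (same filter the post applies).
    # Registry operations appear as Reg* in the Operation column.
    $events = @(Import-Csv $csv | Where-Object { $_.'Process Name' -ieq $ProcessName })
    $reg    = @($events | Where-Object { $_.Operation -like 'Reg*' })

    [pscustomobject]@{
        Test           = $Name
        Switches       = ($Switches -join ' ')
        TotalEvents    = $events.Count
        RegistryEvents = $reg.Count
        ByOperation    = ($reg | Group-Object Operation | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

$results = foreach ($t in $tests.GetEnumerator()) {
    Invoke-ProcmonCapture -Name $t.Key -Switches $t.Value
}
$results | Format-Table -AutoSize
```

The ByOperation column is the useful part when comparing captures: a difference in the total is only half the story, and seeing which registry operations (RegOpenKey, RegQueryValue and so on) appear in one run but not another points directly at what the default capture is missing for a virtual application. Run the script from an elevated prompt, since Process Monitor needs to load its driver.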

So we can clearly see that /externalcapture provides more registry output than the other options. What is the difference?

procmon.exe /externalcapture shows us quite a few entries that are not visible at all with the other options; in particular, the entries below are never shown when using the start-up switches from the first two test cases.

[image: registry entries visible only with /externalcapture]

One Comment

  1. Robin Penny said:

    Tim Mangan said at BriForum Chicago 2013 https://www.youtube.com/watch?v=NmBtgubAdKE (35 minutes in) that /externalcapture no longer works. If that's true, maybe a comment should be added to this article.

    January 30, 2015
