Sysinternals procmon sometimes ignores the Drop Filtered Events checkbox #36
Comments
|
@randomascii Thanks for reporting this. This is definitely one of those small nits I deal with nearly every day! |
|
It would be good just to know where the procmon settings are stored, since then I could spelunk into them and/or reset them by deleting the registry keys. It is odd that it works on some machines and not others, and that on one machine the upgrade to 3.53 fixed the issue. |
|
Assigning to Alex who will investigate in the couple few weeks, once he's cleared is current high-pri backlog. |
|
I hit this again while tracing a build of Chrome. All events except for 200 were filtered out and the "drop events" setting was set, but events were clearly not dropped. The procmon working set went to 99 GB and I hit lots of OOM failures. Any guidance as to where the settings are so that I can clear them, since that seems to help? |
|
@randomascii |
|
Thanks! I deleted most of the settings (I just kept DbgHelpPath and SymbolPath because I am lazy and didn't want to reconfigure) and then started it and reconfigured my filtered capture with most events dropped. It claimed that it was displaying ~20 items out of 128,000 (the 128,000 from before I applied the filter) but the commit size went up to ~15 GB (and there were two procmon64.exe processes). I then stopped capturing and cleared the capture but it is taking many minutes for the commit charge to come down. It's dropping by a few MB per second and I don't want to wait an hour. I quit and then relaunched it (DestructiveFilter gets written to the registry on exit) and it briefly seemed to be working. WS/commit was holding steady at 1.7 GB/7 GB for a while. However after a couple of minutes I have a second Procmon64.exe process (maybe it was always there?) and it's WS and commit are growing without bounds. It's at 10 GB/10 GB now and still going up. So, I can reproduce the bug 100% of the time. Procmon thinks it has captured zero events and the main Procmon process uses a reasonable (large, but reasonable) amount of WS and commit, but the other Procmon process grows without bounds. Resetting everything doesn't help. I don't understand the multi-proc behavior so I can't reason about it. I guess I'll need to find other ways to monitor my builds. |
|
@randomascii, I would like to repro this. Can you share details of your filters? You don't have to be too specific - just the filter type (process name, etc.) and relationship (is, greater than, etc.) |
|
@zodiacon Here's one way:
|
|
Excellent, thank you! On it. |
|
Just a warning: I suspect there are multiple bug entrypoints here; I believe I've also seen this without touching the Enable Advanced Output feature. That will be harder to reproduce, of course. |
|
Found the bug :) |
That's great! I look forward to a fixed version as this will unblock some important scenarios. It's not really important but are there any interesting details you can share about the cause? I'm just curious. |
|
Not worth sharing :) |
|
So, Procmon 3.70 was released today but this behavior still seems to be present. And the feature doesn't seem to work anymore. Video: Clicking Filter > Drop Filtered Events doesn't stop the event flow anymore procmon370.mp4Video: Removing a filter does show events that should have been dropped procmon370_events.mp4 |
|
Does your filter include "Result" column conditions? |
|
@zodiacon Nope. Just the default inbox filters. |
|
@riverar the default inbox filters do include at least one result column item. |
|
@zodiacon Ah missed that, thanks. Working as expected now. Might help to add a warning in status bar to that effect, or something! |
|
Agreed! |
Description
While trying to track down the cause of a file being created by Chromium's browser_tests my coworker left procmon running with an aggressive filter (so aggressive that no events were shown) and with Drop Filtered Events checked. Despite the request to drop all events the working set for procmon gradually increased to hundreds of GB. I was able to reproduce this on some other machines, but not all. On one machine upgrading fixed the problem, but on other machines it did not. On some machines the new version (3.52) failed, and on some machines the old version (3.52) worked. I first mentioned this issue here:
https://twitter.com/BruceDawson0xB/status/1296156206839418880
This issue made procmon unusable for my coworker for this scenario. Luckily it worked on one of my machines so I was able to gather the necessary data for them.
Steps to reproduce
The bug is inconsistent. The feature works sometimes and fails other times. It is not obvious that the feature is failing unless you know what to look for. If you realize that the event counts are not supposed to go up when all events are dropped then the bug is obvious. Otherwise you have to notice that the memory footprint is increasing without bounds.
Expected behavior
Filtered events should be dropped when that is requested, thus reducing CPU and memory load.
Actual behavior
Filtered events are not reliably dropped when requested, for unknown reasons.
If necessary I can do some debugging on the machine that currently exhibits the problem.
The text was updated successfully, but these errors were encountered: