explaingit

microsoft/procmon-for-linux

4,675 · C · Audience · developer · Complexity · 3/5 · License · Setup · moderate

TLDR

Linux port of Microsoft's Process Monitor that records every system call a program makes in real time, letting you see exactly what files, network connections, and OS resources any process touches.

Mindmap

mindmap
  root((Procmon Linux))
    What it does
      Tracks system calls
      Monitors file access
      Watches network calls
    How to Use
      Run as admin
      Filter by process ID
      Save to database
    Modes
      Live interactive view
      Headless server mode
    Origins
      Port from Windows
      Open source MIT

Things people build with this

USE CASE 1

Debug a misbehaving Linux program by recording every file read, write, and network connection it makes.

USE CASE 2

Monitor suspicious processes for security analysis by capturing all their system calls in real time.

USE CASE 3

Save a capture session to disk and review it later to diagnose intermittent or hard-to-reproduce issues.

USE CASE 4

Run headless on a Linux server to capture system call events to a file for offline analysis without a display.

Tech stack

C · Linux · Ubuntu

Getting it running

Difficulty · moderate · Time to first run · 30 min

Requires administrator (root) privileges to run and access system call information.

Use freely for any purpose, including commercial; just keep the copyright notice.

In plain English

Process Monitor for Linux is a Microsoft tool that watches what programs on a Linux computer are doing at a low level. Specifically, it tracks system calls, which are the requests a program sends to the operating system when it wants to read a file, write data, open a network connection, or do almost anything that involves the underlying machine. By recording these calls, you can see exactly what a program is up to while it runs. The tool is a Linux port of a well-known Windows utility called Procmon, which has been used by Windows developers and security researchers for many years. This version brings the same idea to Ubuntu Linux. You run it with administrator privileges, and it shows you a live stream of activity. You can narrow the view to specific processes by their ID numbers, or filter to only certain types of system calls. Results can be saved to a database file on disk and reviewed later using the same tool. There is also a headless mode for running on servers where there is no screen, writing captured events straight to a file without an interactive display. Installation instructions and build steps are in separate files linked from the README. The project is open source under the MIT license and welcomes bug reports and feature requests through GitHub.

Copy-paste prompts

Prompt 1
Use Process Monitor for Linux to trace what files and network connections my Python web server opens during startup.
Prompt 2
How do I filter Process Monitor for Linux output to show only file system calls from a specific process ID?
Prompt 3
Write a script that runs procmon-for-linux in headless mode for 60 seconds, saves the output, then summarizes the most-accessed files.
Prompt 4
Help me use procmon-for-linux to find out why my application is failing silently by tracing its system calls.
Prompt 5
How do I build Process Monitor for Linux from source on Ubuntu and run it with the required administrator privileges?