This article outlines how to use the Microsoft tool Process Monitor (ProcMon) to find what user a process or program is running as.
This is useful for narrowing down permission problems when you hit restriction errors such as 'Access Denied'.
Note: This article assumes you have already downloaded ProcMon and have some basic knowledge of capturing and filtering data.
This article is a good starting place if you need a refresher: Understanding Process Monitor
- Run your ProcMon capture
- Apply necessary filters to locate the event of interest
  - In my case, I wanted to see who launched Notepad.exe
- Double-click the event of interest
- In the Event Properties window, select the Process tab
- The User value indicates who is running the process/program
  - In my example, I ran Notepad.exe as the local system account.
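
The same check can be run across a whole capture instead of one event at a time. The script below is an added example, not part of the original article: it reads a ProcMon CSV export and reports which account each process ran as and which accounts hit ACCESS DENIED. It assumes the User column was enabled under Options > Select Columns before the capture was saved as CSV; the sample rows, host name and paths are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a ProcMon CSV export (not real capture data).
# Assumption: the User column was added to the view before saving as CSV.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:15:01.1234567","notepad.exe","4312","CreateFile","C:\Temp\notes.txt","SUCCESS","Desired Access: Generic Read","NT AUTHORITY\SYSTEM"
"10:15:07.2345678","notepad.exe","7720","CreateFile","C:\Program Files\App\settings.ini","ACCESS DENIED","Desired Access: Generic Write","DESKTOP-TEST\alice"
"10:15:07.3456789","notepad.exe","7720","CreateFile","C:\Program Files\App\settings.ini","ACCESS DENIED","Desired Access: Generic Write","DESKTOP-TEST\alice"
"10:15:08.4567890","notepad.exe","7720","RegOpenKey","HKLM\SOFTWARE\Example","SUCCESS","Desired Access: Read","DESKTOP-TEST\alice"
'''

REQUIRED = {"Process Name", "PID", "Path", "Result", "User"}

def load_events(text):
    """Parse ProcMon CSV text; fail clearly if the User column was not exported."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop a UTF-8 BOM if present
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks columns: {sorted(missing)}")
    return list(reader)

def process_users(events):
    """Map (process name, PID) to the set of accounts recorded for it."""
    owners = {}
    for e in events:
        key = (e["Process Name"].lower(), e["PID"])
        owners.setdefault(key, set()).add(e["User"])
    return owners

def denied_summary(events):
    """Count ACCESS DENIED results per (user, process, path)."""
    return Counter(
        (e["User"], e["Process Name"].lower(), e["Path"])
        for e in events
        if e["Result"].upper() == "ACCESS DENIED"
    )

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for (name, pid), users in sorted(process_users(events).items()):
        print(f"{name} (PID {pid}) runs as {', '.join(sorted(users))}")
    for (user, name, path), n in denied_summary(events).most_common():
        print(f"{n}x ACCESS DENIED  {user}  {name}  {path}")
```

Separating instances by PID matters here: two copies of the same program can run under different accounts, and only one of them may be the one being denied.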