Using ProcMon to View What User a Process/Program Is Running Under

Version 2

    Purpose

    This article outlines how to use the Microsoft tool Process Monitor (ProcMon) to find what user a process or program is running as.

    This can become useful in narrowing down permission issues when facing resriction issues such as 'Access Denied'.

     

    Note: This article assumes you have already downloaded and have some basic knowledge about capturing and filtering data.

    This article is a good starting place if you need a refresher: Understanding Process Monitor

     

    Steps

    • Run your ProcMon capture
    • Apply necessary filters to locate the event of interest
      • In my case I wanted to see who launched Notepad.exe

     

    • Double click the event of interest
    • In the Event Properties window, select the Process tab
    • The User value indicates who is running the process/program
      • In my example I ran Notepad.exe as the local system account.