Process Monitor (procmon) does not show some UDP / TCP network activity events, shown in Network Monitor

Question

I observe sometimes a difference between Process Monitor and Network Monitor. Process Monitor does not show some UDP / TCP network events.

Here is an example:

net use * \\test12345.domain.local\test

shows in Netmon as:

Enter image description here

shows in Process Monitor:

Enter image description here

Why is the NetBIOS nameservice (:137) communication is missing in Process Monitor?

(I've tested it on several virtual and physical Windows PCs, like Windows Server 2008 R2, Windows 7, and Windows Server 2008.)

I would ask on the sysinternals forum and for more clues, there is a fork of Wireshark that associates packets with process, if netmon doesn't. It might be that the 137 network traffic happens at the kernel level from a Localsystem level access. — Justin Dearing, Dec 23 '14 at 22:46

score 2 · Accepted Answer · answered Dec 23 '14 at 23:02

2

System is deactivated by the default filter (exclude system events). Delete the filter and these events will show up.

answered Dec 23 '14 at 23:02

Justin Dearing

score 1 · Answer 2 · edited Dec 09 '18 at 07:15

1

Shot in the dark: Use psexec to run Process Monitor as localsystem.

edited Dec 09 '18 at 07:15

Peter Mortensen

answered Dec 23 '14 at 22:47

Justin Dearing

What is *"localsystem"*? A Windows user account? Or something else? Can you add a reference? – Peter Mortensen Dec 09 '18 at 07:32

2 Answers2