165 points LelouBil | 49 comments
1. perching_aix ◴[] No.45088446[source]
If this works remotely as well as the Windows version, I'm stoked. Polling for information (like with lsof) really rubs me the wrong way.
replies(2): >>45088480 #>>45088733 #
2. calvinmorrison ◴[] No.45088480[source]
Really? I have to use procmon and associated utilities often and they really pale in comparison with Linux and even more so other Unix utils (like dtrace).
replies(5): >>45088759 #>>45089005 #>>45089451 #>>45091282 #>>45091614 #
3. 0x696C6961 ◴[] No.45088733[source]
Check out sysdig.
4. perching_aix ◴[] No.45088759{3}[source]
Care to expand on that? I'm similarly just forced to use Linux and its tooling ecosystem, so decent chances I'm simply missing what's cool/cooler.
replies(1): >>45093773 #
5. notepad0x90 ◴[] No.45088794[source]
Does this provide telemetry not available with strace?

And is the output CSV/log file compatible with the Windows equivalent? If so, that'd be amazing! Tools like procdot can analyze/visualize the data:

https://procdot.com/

replies(1): >>45092642 #
6. baranul ◴[] No.45088975[source]
Expect Microsoft to come out with more Linux tools. The demand, interest, and requests are likely to only increase.
replies(4): >>45090000 #>>45090982 #>>45091533 #>>45092514 #
7. sirjaz ◴[] No.45089005{3}[source]
Windows Server 2025 supports dtrace out of the box: https://learn.microsoft.com/en-us/windows-server/administrat...
replies(1): >>45090165 #
8. fennec-posix ◴[] No.45089089[source]
This feels like a TUI front-end for strace, but I'm not complaining. This I think will come in handy.
replies(1): >>45089145 #
9. fennec-posix ◴[] No.45089145[source]
Though interestingly, it seems to use its own eBPF library.
10. maldonad0 ◴[] No.45089437[source]
Looks like btop but M$.
replies(1): >>45089482 #
11. lll-o-lll ◴[] No.45089451{3}[source]
dtrace is more comparable to ETW in Windows land. Procmon is more for quick and dirty analysis. Maybe there are other *nix tools that are more appropriate, but I look forward to trying this one out.
12. superkuh ◴[] No.45089482[source]
The sysinternals guys (Mark Russinovich and Bryce Cogswell) and code, at least most of it, existed independently of Microsoft for many years. It was great. So great MS bought it and brought it and them inside. Russinovich is CTO of Azure now or something. So sysinternals is now random MS hires but I like to think it's still not really a Microsoft product, just owned and maintained by them.

I was a Windows user till XP came out and I've missed sysinternals tools. I'm going to enjoy this on my newer kernel machines. Seems to require some pretty cutting edge features.

replies(3): >>45089904 #>>45091640 #>>45092527 #
13. K2h ◴[] No.45089904{3}[source]
Awesome you knew their names! I have connected with Bryce through his development of Go Map!! For open street maps.
replies(1): >>45090863 #
14. notepad0x90 ◴[] No.45090000[source]
They have one of the largest Linux user bases out there in Azure. They have their own distro. My favorite Linux memory forensics tool (AVML) is made by them. Sysmon for Linux uses eBPF which makes it a tad bit more powerful than auditd, etc.

If you can't beat'em join'em!

replies(2): >>45090555 #>>45092836 #
15. cyberpunk ◴[] No.45090165{4}[source]
This really is the weirdest timeline…
replies(1): >>45092725 #
16. INTPenis ◴[] No.45090174[source]
This is great but it's kinda sad the INSTALL.md file was updated 2 months ago and it still doesn't work. Won't anyone report these issues?
replies(1): >>45090682 #
17. holowoodman ◴[] No.45090435[source]
How is this different from using 'htop' and pressing 's' to strace a process?
replies(2): >>45091118 #>>45092507 #
18. hdgvhicv ◴[] No.45090555{3}[source]
I guess they managed to get rid of the foot

http://mslinux.org/

19. GTP ◴[] No.45090682[source]
Go on and be the one that reports it ;)
replies(1): >>45091881 #
20. SonOfLilit ◴[] No.45090863{4}[source]
They are celebs in Windows security. Mark's name is synonymous with Windows internals, he wrote the definitive textbook.
replies(1): >>45091244 #
21. JdeBP ◴[] No.45090982[source]
One can browse from https://learn.microsoft.com/en-gb/linux/packages to see what is already there.
22. noname120 ◴[] No.45091118[source]
strace is not available on macOS
replies(1): >>45091240 #
23. happymellon ◴[] No.45091240{3}[source]
I'm not sure how that is relevant on a piece about "a Linux version of a tool"
replies(1): >>45091843 #
24. xtracto ◴[] No.45091244{5}[source]
And he also is the one that uncovered the Sony CD rootkit fiasco.

Darn I'm getting old.

25. ◴[] No.45091282{3}[source]
26. darkwater ◴[] No.45091533[source]
This project is from 2020 [1]. The title should actually be updated to reflect that. Also, we would really have gone full circle if they used GPLv3 as the license :)

[1] https://github.com/microsoft/ProcMon-for-Linux/blob/main/LIC...

27. TiredOfLife ◴[] No.45091614{3}[source]
Really? One of the things I miss when using Linux is resmon. I have not found anything that has even remotely the same functionality. For example seeing which process is using which files.
replies(2): >>45092443 #>>45092487 #
28. 47282847 ◴[] No.45091640{3}[source]
Tangent: Mark Russinovich (Jun 20, 2025): “I had the thrill of a lifetime, hosting dinner for Bill Gates, Linus Torvalds and David Cutler. Linus had never met Bill, and Dave had never met Linus.”

https://www.linkedin.com/posts/markrussinovich_i-had-the-thr...

replies(1): >>45092853 #
29. noname120 ◴[] No.45091843{4}[source]
My bad, for some reason I thought it was about macOS rather than Linux. Procmon actually doesn’t even support macOS: https://github.com/microsoft/ProcMon-for-Linux/issues/37
30. INTPenis ◴[] No.45091881{3}[source]
I will as soon as I get home from work lol.
31. carlhjerpe ◴[] No.45092292[source]
I wonder why the project needs both GCC and Clang to build, usually it's one or the other.
replies(1): >>45092531 #
32. olddustytrail ◴[] No.45092443{4}[source]
You can do that with sysdig.
33. bdhcuidbebe ◴[] No.45092487{4}[source]
There are multiple tools.

For your stated issue, see lsfd:

https://www.man7.org/linux/man-pages/man1/lsfd.1.html

34. egorfine ◴[] No.45092507[source]
This is not microsofty enough.

I mean it.

35. egorfine ◴[] No.45092514[source]
I remember Steve Ballmer's Microsoft well enough to know to never touch anything Microsoft for Linux.

(All: feel free to downvote my neckbeard comment because I'm obviously in the wrong here)

replies(1): >>45094220 #
36. egorfine ◴[] No.45092527{3}[source]
It was truly great for Windows, no doubt about that.

Now, is it great for Linux? Absolutely not. These tools existed to vaguely resemble the capabilities we have had on *nix for decades and I'm not sure what kind of value they could bring back to Linux... like, really, what? A different, Microsoft-style optics to look at processes?

37. egorfine ◴[] No.45092530[source]
I wonder what the goals of this project are. Why does it exist?
38. bena ◴[] No.45092531[source]
Is it more a "collection of tools held together by a common frontend" or a unified product?

If it's a collection, I can see the individual pieces needing various compilers.

39. xuhu ◴[] No.45092642[source]
This can trace all processes on the host while strace traces one PID and its descendants. And bpf tracing does not stop processes at each syscall, so they run without slowdowns.
replies(1): >>45095266 #
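Added example, not code from the thread or from the ProcMon project: a minimal ptrace-based tracer in C that counts how many times the kernel freezes a child at a syscall boundary. It shows the mechanism behind the slowdown xuhu describes: every syscall costs the tracee two stops and two round trips through the tracer, which is what strace relies on and what an in-kernel eBPF probe does not need. It assumes Linux with ptrace permitted and a glibc that does not cache getpid().

```c
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

/* Trace a child that issues `n` getpid() syscalls and count the syscall
 * stops the kernel delivers to us: two per syscall (entry and exit), with
 * the tracee frozen at each until resumed. Returns -1 if ptrace is unavailable. */
long count_syscall_stops(int n)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        /* Tracee: request tracing, pause so the tracer can set options, then
         * do the syscalls (glibc >= 2.25 does not cache getpid, so each is real). */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(2);
        raise(SIGSTOP);
        for (int i = 0; i < n; i++)
            getpid();
        _exit(0);
    }
    int status;
    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1; /* child exited instead of stopping: TRACEME failed */
    /* Flag syscall stops with bit 0x80 to tell them apart from plain SIGTRAPs. */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    long stops = 0;
    for (;;) {
        /* Resume until the next syscall entry or exit; the tracee waits there for us. */
        if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) == -1 ||
            waitpid(child, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80))
            stops++;
    }
    return stops;
}

int main(void)
{
    long stops = count_syscall_stops(100);
    printf("syscall stops: %ld (100 syscalls -> at least 200)\n", stops);
    return stops < 0;
}
```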
40. actionfromafar ◴[] No.45092725{5}[source]
But is it like the "real" dtrace or is it like how PowerShell wget isn't actually wget but an alias for Invoke-WebRequest?
replies(1): >>45092796 #
41. p_ing ◴[] No.45092796{6}[source]
Two seconds of investigation yields that it is a port of dtrace.

https://learn.microsoft.com/en-us/windows-hardware/drivers/d...

replies(1): >>45093483 #
42. dotancohen ◴[] No.45092836{3}[source]
> If you can't beat'em join'em!

Microsoft has a history of joining 'em to beat 'em. Is EEE no longer a memory?
43. dotancohen ◴[] No.45092853{4}[source]
The phrasing implies that meeting someone is not bi-directional.
44. OlivOnTech ◴[] No.45093338[source]
Requirements: OS: Ubuntu 18.04 LTS

It's quite limited for an auditing tool...

45. actionfromafar ◴[] No.45093483{7}[source]
Well, true, but I'm not in a position to understand what that means. I remember talks about dtrace in Linux way back when and something about how "it's not the same thing, you have to add support in all of userspace which is not there" or something like that.
46. calvinmorrison ◴[] No.45093773{4}[source]
Yes. I work with ancient and opaque tools that don't have good debugging / reporting facilities. Often we have to jump into procmon or whatever to see why the heck the thing is stuck. Something like strace is native and everywhere and you can suss out easily: hey, this proc is trying to open this thing over and over.

procmon is cool, but I have found it limited when the program isn't doing anything 'obvious', and also that I have to download it and run it from the web is a problem when debugging on client systems.

47. spauldo ◴[] No.45094220{3}[source]
Yep, right there with you.
48. notepad0x90 ◴[] No.45095266{3}[source]
I think auditd can trace all syscalls system wide and let you filter as well. But it is a daemon whereas this is a tool you can run and interact with.