
   alt.comp.os.windows-11      Steaming pile of horseshit Windows 11      4,852 messages   


   Message 3,253 of 4,852   
   Paul to All   
   Re: Followup: Only one usage of each soc   
   15 Dec 25 00:44:29   
   
   From: nospam@needed.invalid   
      
   On Sun, 12/14/2025 10:58 PM, T wrote:   
   > On 12/14/25 11:31 AM, Paul wrote:   
   >> Just out of curiosity, have you ever captured an *entire*   
   >> backup session with Process Monitor ?   
   >   
   > No.  Don't even know how.   
   >   
   >   
   >> I bet if your Cobian session was backing up D:   
   >> on the customer machine, this socket issue doesn't happen.   
   >>   
   >>     Paul   
   >   
   > It has two tasks.  Both back up the same thing.  One goes to   
   > the vsftp server, the other goes to a USB drive.   
   >   
   >   
   > The backup to the USB drive does not have the issue.   
   >   
   > Also Cobian uses the \\?\ file format (which I forget   
   > what it is called), so it has no issue with long   
   > file names.   
      
   2.9MB . Uses the ETW subsystem. Sorta like STrace on Linux/Unix   
   but miles better at it. Can also trace network activity (a relatively   
   recent addition). This is not GDB or WinDBG, and it only debugs   
   certain kinds of operations (the way STrace does for files).   
      
   https://learn.microsoft.com/en-us/sysinternals/downloads/procmon   
      
   Usage is simple.   
      
   1) Start it running.   
   2) Now, start the thing being studied (A Cobian backup). Note the time on the   
      clock when the Cobian is kicked off.   
      
   3) In the ProcMon File menu, select File:Capture Events to "Stop Trace".   
      
   4) The hard part is Filter definition. The trace has a lot of info.   
      We don't want to look at it all.   
      
      Select "Process" "Begins With" "Cobian"   
      
      That would filter out noise from the OS.   
      
      Now, you might see Registry events or you might see   
      CreateFile/ReadFile/WriteFile activity. You can select to   
      only see those, for example. You could ask it to include   
      network packets.   
      
   Click Apply.   
      
   A Filter gets you down to maybe 100,000 events. Looking at timestamps   
   (maybe), you can consider only a portion of the trace when scrolling   
   through it. Otherwise, a 20 minute trace might be too big to analyze.   
      
   It's a simple tool, but it relies on your cleverness to design filters   
   to get the most value from it.   
      
   You can save a trace as a PML file (ticking the boxes so the *whole*   
   trace is saved). Then, you can open that file any time you feel up   
   to it, for a bash at the filtering and analysis. During the run, all   
   the Process Names are recorded. What it does not record, is if   
   you do "tasklist /svc" in a terminal, that maps PID to a service   
   such as "wuauserv", and collecting this info to go with a tracing   
   activity, helps you later understand when "some PID starts doing stuff".   
   Using the captured tasklist output, you have a handy reference   
   as to "what PID 1234 is" in the trace.   
      
      Paul   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
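
The PID-to-service cross-reference described in the last paragraph of the post above, as an added example that is not part of the original post. It assumes the trace was exported from ProcMon as CSV with the default columns and that the snapshot was taken with `tasklist /svc /fo csv`; the function names are hypothetical and all sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample: `tasklist /svc /fo csv` output saved when the trace was taken.
TASKLIST_CSV = r'''"Image Name","PID","Services"
"svchost.exe","1234","wuauserv,UsoSvc"
"svchost.exe","2040","Dnscache"
"Cobian.exe","5120","N/A"
'''

# Constructed sample: ProcMon CSV export with its default columns.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:44:29.1000000 AM","Cobian.exe","5120","CreateFile","D:\data\a.txt","SUCCESS",""
"12:44:29.2000000 AM","Cobian.exe","5120","TCP Connect","pc:50001 -> server:21","SUCCESS",""
"12:44:29.3000000 AM","svchost.exe","1234","RegOpenKey","HKLM\SOFTWARE\Example","SUCCESS",""
"12:44:30.0000000 AM","notepad.exe","2040","ReadFile","C:\temp\n.txt","SUCCESS",""
"12:44:31.0000000 AM","Cobian.exe","5120","TCP Connect","pc:50002 -> server:21","SUCCESS",""
'''

def load_pid_map(tasklist_csv):
    """Map PID -> (image name, [service names]) from the tasklist snapshot."""
    pid_map = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        svc = row["Services"].strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        pid_map[int(row["PID"])] = (row["Image Name"], services)
    return pid_map

def annotate(procmon_csv, pid_map, name_prefix=None):
    """Yield trace rows with a 'Services' field added. name_prefix mimics the
    'Process Name begins with' filter, compared case-insensitively."""
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        name = row["Process Name"]
        if name_prefix and not name.lower().startswith(name_prefix.lower()):
            continue
        image, services = pid_map.get(int(row["PID"]), (None, []))
        # PIDs get reused: only trust the snapshot if the image name still matches.
        if image is None or image.lower() != name.lower():
            services = []
        row["Services"] = ",".join(services) or "-"
        yield row

def summarize(rows):
    """Count events per (process, PID, services, operation)."""
    return Counter((r["Process Name"], r["PID"], r["Services"], r["Operation"])
                   for r in rows)
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` so a leading byte-order mark does not end up in the first column name.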
