

   alt.comp.os.windows-11      Steaming pile of horseshit Windows 11      4,852 messages   


   Message 3,255 of 4,852   
   T to Paul   
   Re: Followup: Only one usage of each soc   
   14 Dec 25 23:38:37   
   
   From: T@invalid.invalid   
      
   On 12/14/25 9:44 PM, Paul wrote:   
   > On Sun, 12/14/2025 10:58 PM, T wrote:   
   >> On 12/14/25 11:31 AM, Paul wrote:   
   >>> Just out of curiosity, have you ever captured an *entire*   
   >>> backup session with Process Monitor?   
   >>   
   >> No.  Don't even know how.   
   >>   
   >>   
   >>> I bet if your Cobian session was backing up D:   
   >>> on the customer machine, this socket issue doesn't happen.   
   >>>   
   >>>      Paul   
   >>   
   >> It has two tasks.  Both back up the same thing.  One goes to   
   >> the vsftp server, the other goes to a USB drive.   
   >>   
   >>   
   >> The backup to the USB drive does not have the issue.   
   >>   
   >> Also Cobian uses the \\?\ file format (which I forget   
   >> what it is called), so it has no issue with long   
   >> file names.   
   >   
   > 2.9MB. Uses the ETW subsystem. Sorta like STrace on Linux/Unix   
   > but miles better at it. Can also trace network activity (a relatively   
   > recent addition). This is not GDB or WinDBG, and it only debugs   
   > certain kinds of operations (the way STrace does for files).   
   >   
   > https://learn.microsoft.com/en-us/sysinternals/downloads/procmon   
   >   
   > Usage is simple.   
   >   
   > 1) Start it running.   
   > 2) Now, start the thing being studied (A Cobian backup). Note the time on the   
   >     clock when the Cobian is kicked off.   
   >   
   > 3) In the ProcMon File menu, select File:Capture Events to "Stop Trace".   
   >   
   > 4) The hard part is Filter definition. The trace has a lot of info.   
   >     We don't want to look at it all.   
   >   
   >     Select "Process" "Begins With" "Cobian"   
   >   
   >     That would filter out noise from the OS.   
   >   
   >     Now, you might see Registry events or you might see   
   >     CreateFile/ReadFile/WriteFile activity. You can select to   
   >     only see those, for example. You could ask it to include   
   >     network packets.   
   >   
   > Click Apply.   
   >   
   > A Filter gets you down to maybe 100,000 events. Looking at timestamps   
   > (maybe), you can consider only a portion of the trace when scrolling   
   > through it. Otherwise, a 20 minute trace might be too big to analyze.   
   >   
   > It's a simple tool, but it relies on your cleverness to design filters   
   > to get the most value from it.   
   >   
   > You can save a trace as a PML file (ticking the boxes so the *whole*   
   > trace is saved). Then, you can open that file any time you feel up   
   > to it, for a bash at the filtering and analysis. During the run, all   
   > the Process Names are recorded. What it does not record, is if   
   > you do "tasklist /svc" in a terminal, that maps PID to a service   
   > such as "wuauserv", and collecting this info to go with a tracing   
   > activity, helps you later understand when "some PID starts doing stuff".   
   > Using the captured tasklist output, you have a handy reference   
   > as to "what PID 1234 is" in the trace.   
   >   
   >     Paul   
      
   I am writing that down.  Thank you!   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
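
Added example, not part of the original post: Paul's last two steps done offline in Python, applying a "Process begins with" / "Operation begins with" filter to a Procmon trace saved as CSV and labelling each PID with the services captured from `tasklist /svc /fo csv`. The sample rows, PIDs, paths and the process name Cobian.exe are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of `tasklist /svc /fo csv` output (PIDs are invented).
TASKLIST_CSV = r'''"Image Name","PID","Services"
"svchost.exe","1234","wuauserv"
"svchost.exe","980","Dhcp,EventLog"
"Cobian.exe","4321","N/A"
'''

# Constructed sample of a Procmon CSV export (File > Save > CSV, default columns).
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:20:01.0000001 PM","Cobian.exe","4321","CreateFile","\\?\C:\Data\a.txt","SUCCESS",""
"11:20:01.0000420 PM","Cobian.exe","4321","ReadFile","\\?\C:\Data\a.txt","SUCCESS",""
"11:20:01.0003100 PM","svchost.exe","1234","RegOpenKey","HKLM\SOFTWARE\Example","SUCCESS",""
"11:20:01.0009000 PM","Cobian.exe","4321","TCP Connect","pc:49712 -> 192.0.2.10:21","SUCCESS",""
"11:20:01.0012000 PM","svchost.exe","980","WriteFile","C:\Windows\Temp\x.log","SUCCESS",""
"11:20:01.0015000 PM","Cobian.exe","4321","TCP Send","pc:49712 -> 192.0.2.10:21","SUCCESS",""
'''

def load_services(tasklist_text):
    """Map PID -> list of service names hosted in that process."""
    services = {}
    for row in csv.DictReader(io.StringIO(tasklist_text)):
        names = [] if row["Services"] == "N/A" else row["Services"].split(",")
        services[int(row["PID"])] = names
    return services

def filter_events(procmon_text, name_prefix="", op_prefix=""):
    """Same idea as the Procmon filter: Process Name / Operation 'begins with'."""
    return [row for row in csv.DictReader(io.StringIO(procmon_text))
            if row["Process Name"].lower().startswith(name_prefix.lower())
            and row["Operation"].startswith(op_prefix)]

def count_by_pid(events, services):
    """Count events per (PID, label); label is the service list when known."""
    counts = Counter()
    for row in events:
        pid = int(row["PID"])
        label = ",".join(services.get(pid, [])) or row["Process Name"]
        counts[(pid, label)] += 1
    return counts

if __name__ == "__main__":
    svc = load_services(TASKLIST_CSV)
    for (pid, label), n in count_by_pid(filter_events(PROCMON_CSV), svc).items():
        print(pid, label, n)
    for ev in filter_events(PROCMON_CSV, "Cobian", "TCP"):
        print(ev["Time of Day"], ev["Operation"], ev["Path"])
```

For a real export, read the file with `open(path, newline="", encoding="utf-8-sig")` so a leading byte-order mark, if present, does not end up in the first column name.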



(c) 1994,  bbs@darkrealms.ca