wtrace is a process monitor for Windows
wtrace is an open-source console-based process monitor for Windows. It’s essentially a stripped-down version of Sysinternals Process Monitor which you can run at the command line.
The program is entirely portable, with no drivers or Windows services involved. Just unzip the single executable and run it from an elevated command line.
Basic usage sounded simple, at least in theory. Run the program from an elevated command line with the name of the process image -- wtrace outlook.exe -- and it displays file creates, reads, writes, closes, thread starts, ALPC and RPC actions (local and remote procedure calls) and more.
We tried this on a Windows 10 system and ran into a major issue: it hardly ever worked. Most of our monitoring attempts resulted in an error message and the utterly useless error code 0x80004005, which is Windows-speak for "something’s gone wrong but we don’t know what it is."
We couldn’t see the reason for this, whether it was a general bug or something specific to our computer, but there is a sort-of workaround. We passed wtrace the process ID instead (see the PID column in Task Manager) and everything worked just fine.
As wtrace is running, any actions it detects are displayed in real time at the command line, looking something like this.
1134,4316 (1072) FileIO/Create 'C:\' (0xFFFFFA801D789CA0) rw-
1135,2725 (1072) FileIO/Create 'C:\Windows\Prefetch\MSPAINT.EXE-B4A5B5E8.pf' (0xFFFFFA8023E185A0) —
1135,5118 (1072) FileIO/Create 'C:\Windows' (0xFFFFFA8023E185A0) rw-
1135,5514 (1072) FileIO/Create 'C:\Windows\SYSTEM32\wow64.dll' (0xFFFFFA801D789CA0) rw-
1135,8384 (1072) FileIO/Close 'C:\' (0xFFFFFA801D789CA0)
If you don’t want to view or scroll through this as it happens, redirect the output to a file in the usual way, like wtrace 14200 > log.txt
Close the target process and wtrace displays summaries of various actions, before closing itself.
For example, a === TCP/IP === section listed all detected connections with the source and destination IPs, and the total bytes sent and received.
Overall, wtrace won’t in any way replace Sysinternals Process Monitor, but some people might like to use it as well. Console operations can be more convenient sometimes, and the summaries of network and other actions are helpful. Take a look.
Wtrace is an open-source tool for Windows 7 and later.