OK, I love ProcMon. But leaving it to run the whole day to capture that bizarre random event whose cause you just can’t figure out is probably not a good idea. Massive ProcMon logs get very hard to filter and take a long time to save.
So I have two options:
One is to configure the number of events to keep in ProcMon. This is found in Options –> History Depth…
It lets you configure the maximum number of events to save. It is in millions, and the smallest amount you can keep is 1 million events.
If set to 1 million, it captures up to about 1.6 million events and then resets to the most recent 800,000 or so. When used with a backing file, it starts with <backingfile>-1.pml; <backingfile>-2.pml then starts logging the new events. <backingfile>-1.pml stays around until <backingfile>-3.pml is created, and so on.
On my machine I found 1 million events took up about 420 MB uncompressed and 35 MB zipped. Of course this will vary based on events captured.
However, maybe you want to capture over a long time while ensuring each individual log is small enough to work with easily. This batch file keeps looping and overwrites old log files automatically. As configured here it makes 5 logs of 5 minutes each, then starts overwriting the oldest one. The five-minute logs I’ve found averaged ~270 MB uncompressed per log file on my Windows Developer Preview x64 machine during light usage, and these zipped to about 30 MB each.
The batch file can be downloaded here; rename it to .cmd and run it as Administrator with ProcMon in the path.
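As an added illustration of the rolling-capture approach (this is not the author’s batch file, but an equivalent written in PowerShell), the script below runs ProcMon for a fixed number of minutes per capture, cycles through a fixed number of log slots, and deletes the oldest slot before reusing it. It assumes procmon.exe is on the PATH (or that `$ProcMon` is pointed at it), an elevated prompt, and ProcMon’s documented `/AcceptEula`, `/Quiet`, `/Minimized`, `/BackingFile` and `/Runtime` switches; the log directory, slot count and minutes per capture are parameters with the post’s defaults (5 logs of 5 minutes). The `-Zip` switch compresses each finished capture with `Compress-Archive`, mirroring the post’s observation that the logs zip down to roughly a tenth of their size.

```powershell
# Rolling ProcMon capture: $Slots log files of $Minutes each, oldest overwritten first.
# Added example, not the original post's batch file. Assumes procmon.exe on PATH
# (or $ProcMon set) and an elevated (Administrator) PowerShell session.
param(
    [string]$LogDir  = "C:\ProcMonLogs",   # assumed location; change to taste
    [int]$Slots      = 5,                  # number of log files to keep (post default)
    [int]$Minutes    = 5,                  # length of each capture (post default)
    [string]$ProcMon = "procmon.exe",      # path to ProcMon if it is not on PATH
    [switch]$Zip                           # also compress each finished .pml
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$slot = 0

while ($true) {
    # Cycle 1..$Slots; once every slot has been used, slot 1 is overwritten again.
    $slot = ($slot % $Slots) + 1
    $file = Join-Path $LogDir ("procmon-{0}.pml" -f $slot)

    # Remove the previous capture in this slot, including any -1/-2 chunk files
    # ProcMon splits off when the History Depth limit is reached on a backing file.
    Get-ChildItem -Path $LogDir -Filter ("procmon-{0}*.pml" -f $slot) -ErrorAction SilentlyContinue |
        Remove-Item -Force
    Get-ChildItem -Path $LogDir -Filter ("procmon-{0}*.zip" -f $slot) -ErrorAction SilentlyContinue |
        Remove-Item -Force

    Write-Host ("{0}  capturing to {1} for {2} minute(s)" -f (Get-Date -Format s), $file, $Minutes)

    # /Runtime takes seconds; ProcMon exits on its own when it elapses, and -Wait
    # blocks until then, so the loop naturally produces one file per interval.
    $args = @("/AcceptEula", "/Quiet", "/Minimized",
              "/BackingFile", "`"$file`"",
              "/Runtime", ($Minutes * 60))
    Start-Process -FilePath $ProcMon -ArgumentList $args -Wait -NoNewWindow

    if ($Zip -and (Test-Path $file)) {
        # Compress the finished capture; the .pml is kept so it can still be opened directly.
        Compress-Archive -Path $file -DestinationPath ($file + ".zip") -Force
    }
}
```

Run it from an elevated prompt, e.g. `.\Rolling-ProcMon.ps1 -LogDir D:\pm -Slots 5 -Minutes 5 -Zip`, and stop it with Ctrl+C; whichever capture is in progress will be ended by ProcMon’s own `/Runtime` timer rather than by the script, so the final file may be shorter than the interval. Since each capture only starts after the previous ProcMon instance exits, there is a brief gap between files; if that gap matters for the event you are chasing, shorten the interval rather than raising the slot count.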