When a program or service slows down your Windows 11 startup, you need a tool that captures all file system, registry, and process activity during boot. The Sysinternals Procmon Boot Logging feature records all operations from the moment the system starts until you stop the trace. This article explains how to configure, run, and analyze a boot-time Procmon log to identify the root cause of a slow or misbehaving process. You will learn the exact steps to enable boot logging, reproduce the issue, and filter the data to find the culprit.
Key Takeaways: Profiling a Process with Procmon Boot Logging
- Procmon.exe /AcceptEula /NoConnect /LoadConfig: These command-line arguments enable automatic boot-logging configuration without user interaction.
- Procmon /BackingFile <path>.pml: Saves the boot trace directly to a PML file on disk, preserving all data for later analysis.
- Enable Boot Logging in Process Monitor: Turning on this setting from the Options menu causes Procmon to start capturing at the next system restart.
What Procmon Boot Logging Captures and Why You Need It
Procmon Boot Logging records every operation that Process Monitor sees from the moment Windows 11 starts until you stop the capture. This includes file reads and writes, registry key access, process creation, thread activity, and network operations. Normal Procmon sessions begin after you launch the tool, missing all startup activity. Boot logging solves that by having Procmon start automatically during boot, before most services and applications run.
The feature is useful when you suspect a driver, a startup program, or a Windows service is causing a delay or a crash during boot. For example, a third-party antivirus might scan every registry call, or a misconfigured service might hang waiting for a network resource. The boot log shows you exactly which process made each call, how long it took, and what the result was.
Prerequisites for Boot Logging
You need administrative privileges on Windows 11 to run Procmon with boot logging. The tool itself is a single executable file — no installation is required. Download the latest version of Process Monitor from the official Microsoft Sysinternals site. Save it to a folder such as C:\Tools or your desktop. Boot logging also requires that the Windows 11 system can restart normally; if the system is unbootable, use the Windows Recovery Environment instead.
How Boot Logging Works Internally
When you enable boot logging, Procmon writes a driver and a configuration file to the system drive. At the next restart, the driver loads early in the boot process and begins capturing events into a circular buffer. After you log on and launch Procmon again, the tool reads the buffer and saves it as a PML file. If you specify a backing file path, Procmon writes directly to disk without a buffer limit, which is better for long captures.
Steps to Enable Procmon Boot Logging on Windows 11
Follow these steps to configure and run a boot trace using Process Monitor. The procedure works identically on Windows 10 and Windows 11.
- Download and launch Process Monitor as administrator
Open the Sysinternals Process Monitor page in your browser and download Procmon.exe. Right-click the file and select Run as administrator. Accept the EULA if prompted.
- Open the Boot Logging configuration dialog
In Process Monitor, go to Options > Enable Boot Logging. A dialog appears with several settings.
- Set the backing file path for the log
In the dialog, check the box labeled Write events to a backing file. Enter a full path such as C:\ProcmonBoot.pml. This ensures the log is saved to disk even if the buffer overflows. Leave the Generate thread events and Enable stack capture options unchecked unless you need detailed thread data.
- Confirm and restart the system
Click OK. A message tells you that boot logging is enabled. Click Yes to restart Windows 11 immediately. If you need to save work, click No and restart manually later.
- Reproduce the problem during boot
After the restart, Windows 11 boots normally. Procmon starts capturing from the very beginning of the boot process. Perform any action that triggers the issue — for example, launch the slow application or wait for the hang to occur.
- Stop the boot trace and open the log
Log on to Windows 11. Launch Process Monitor again as administrator. Go to Options > Enable Boot Logging and uncheck it. Click OK. Procmon prompts you to save the captured events. Choose Save to keep the PML file at the path you specified earlier.
- Analyze the log with filters
Open the PML file via File > Open. Use the Filter menu to narrow down events by process name, operation type, path, or duration. For example, filter on Process Name = your target program to see only its activity.
Analyzing the Boot Log to Profile a Specific Process
Once you have the PML file open, you need to isolate the process you want to profile. Procmon captures tens of thousands of events per second, so filtering is essential.
- Set a process filter
Go to Filter > Filter. In the dialog, set the first drop-down to Process Name, the second to is, and type the exact executable name such as chrome.exe. Click Add and then OK. The display now shows only events from that process.
- Identify slow operations using the duration column
If the Duration column is not visible, right-click any column header and select Select Columns. Check Duration and click OK. Sort by Duration descending to see the longest operations. A duration above 1000 milliseconds indicates a potential bottleneck.
- Look for failed operations
Filter on Result is not SUCCESS. Failed registry or file operations can cause retries and delays. Common failure codes include NAME NOT FOUND, ACCESS DENIED, and BUFFER OVERFLOW.
- Review the call stack for a slow operation
Double-click a long-duration event. In the Event Properties window, click the Stack tab. The stack shows which driver or DLL was executing when the operation took place. This helps identify a third-party driver as the cause.
- Export the filtered data
Select File > Export > Export All to CSV if you need to analyze the data in Excel or another tool. Choose a meaningful file name and save it.
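The same process, duration, and result filters can be applied to the exported CSV outside the GUI. The following Python is an added example, not part of Procmon or the original article; it assumes the Duration column was selected before export and holds seconds, and the sample rows and the process name SlowSvc.exe are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export (not real capture data).
# Assumption: Duration was added via Select Columns and is expressed in seconds.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"8:01:02.1000000 AM","SlowSvc.exe","1200","RegOpenKey","HKLM\Software\Example","NAME NOT FOUND","","0.0000150"
"8:01:02.2000000 AM","SlowSvc.exe","1200","CreateFile","\\fileserver\share\app.cfg","ACCESS DENIED","","4.2000000"
"8:01:06.5000000 AM","slowsvc.exe","1200","ReadFile","C:\ProgramData\Example\cache.db","SUCCESS","","1.3500000"
"8:01:06.6000000 AM","SlowSvc.exe","1200","Process Start","","SUCCESS","",""
"8:01:07.0000000 AM","svchost.exe","900","ReadFile","C:\Windows\System32\a.dll","SUCCESS","","2.5000000"
'''

def load_events(text, process_name):
    """Return the rows of one process, with Duration parsed into float seconds."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop a UTF-8 BOM if present
    if "Duration" not in (reader.fieldnames or []):
        raise ValueError("Duration column missing: select it before exporting")
    events = []
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue  # Windows image names are case-insensitive
        raw = (row["Duration"] or "").strip().replace(",", ".")  # tolerate a comma decimal mark
        row["Seconds"] = float(raw) if raw else 0.0  # events without a duration count as 0
        events.append(row)
    return events

def slow_operations(events, threshold_s=1.0):
    """Events longer than the threshold (1000 ms by default), slowest first."""
    hits = [e for e in events if e["Seconds"] > threshold_s]
    return sorted(hits, key=lambda e: e["Seconds"], reverse=True)

def failure_counts(events):
    """Count non-SUCCESS results per (Operation, Result) pair."""
    return Counter((e["Operation"], e["Result"]) for e in events if e["Result"] != "SUCCESS")

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV, "SlowSvc.exe")
    for e in slow_operations(events):
        print(f'{e["Seconds"]:8.3f}s  {e["Operation"]:<12} {e["Result"]:<15} {e["Path"]}')
    for (op, result), n in failure_counts(events).most_common():
        print(f"{n:4d}  {op}  {result}")
```

To run it on a real export, read the file with `open(path, encoding="utf-8-sig").read()` and pass the text to `load_events`.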
Common Mistakes and Limitations When Using Boot Logging
The PML file is too large to open
A full boot trace can exceed 2 GB. Procmon may run out of memory when loading such a file. To avoid this, set a smaller backing file limit in the boot logging dialog, or use the /MaxFileSize command-line parameter. Alternatively, filter the trace while it is still being captured by enabling only the operations you need via Options > Enable Boot Logging and selecting specific event types.
Procmon does not start capturing at boot
If boot logging is enabled but no events appear after restart, the Procmon driver may not have loaded. Verify that the Procmon executable is on a local NTFS drive, not a network location or a removable drive. Also, check that Secure Boot is not blocking the driver. In rare cases, antivirus software may prevent the driver from loading. Temporarily disable real-time protection and try again.
The boot log contains events from only one boot session
Procmon boot logging captures only the next boot after you enable it. If you restart again without disabling boot logging, the second boot will overwrite the previous buffer. To capture multiple boots, save the log after each session and then re-enable boot logging before the next restart.
Boot Logging via Command Line vs GUI Configuration
| Item | GUI Method | Command-Line Method |
|---|---|---|
| Configuration | Options > Enable Boot Logging | Procmon.exe /AcceptEula /NoConnect /LoadConfig |
| Backing file | Set path in the dialog | Procmon.exe /BackingFile C:\Log.pml |
| Start capture | Click OK and restart | Same — restart is required |
| Stop capture | Disable boot logging via GUI | Run Procmon.exe /Terminate |
| Memory usage | Default buffer in RAM | Specify /MaxFileSize to limit disk usage |
The command-line method is better for scripting or remote troubleshooting. You can create a batch file that enables boot logging, restarts the computer, and later stops the trace automatically. The GUI method is simpler for one-time use but requires manual interaction after boot.
Conclusion
You can now profile any process during Windows 11 startup using Sysinternals Procmon boot logging. The key steps are enabling the feature from the Options menu, setting a backing file path, restarting, reproducing the issue, and filtering the resulting PML file by process name and duration. Use the Duration column and the Stack tab to pinpoint slow driver calls or failed operations. For repeated captures, automate the process with command-line parameters such as /BackingFile and /Terminate. This method works on both Windows 11 and Windows 10 and gives you a complete picture of boot-time behavior.