Procmon-PML-MCP

A C# MCP (Model Context Protocol) server that parses Process Monitor .PML log files, enabling AI assistants to explore, filter, and analyze ProcMon captures.

Overview

Process Monitor captures detailed system activity (file system, registry, network, process events) but its binary .PML format is opaque. This MCP server implements the PML v9 format and exposes it through a set of tools that let you query events, inspect processes, resolve stack traces, and filter by any combination of criteria.

Supports all the key features from the Process Monitor UI:

• Event Properties: Date/Time, Thread ID, Class, Category, Operation, Result, Path, Duration, Detail (registry type/length/data, file access flags, etc.)
• Process Properties: PID, PPID, User, Integrity, Architecture, Virtualized, Session ID, Auth ID, Command Line, loaded Modules
• Stack Traces: K/U (Kernel/User) frame indicators, module + offset resolution
• Process Tree: Full parent-child hierarchy view
• Timing: Relative Time, Completion Time, Time of Day

Requirements

• .NET 10.0+
• Process Monitor .PML log files (captured with Procmon)

Project Structure

src/             C# MCP server source (ProcMonMcp.csproj)
tests/           xUnit tests (ProcMonMcp.Tests.csproj)
.mcp.json        Project-level MCP server config

Build & Run

dotnet build ./src
dotnet run --project ./src       # starts MCP server on stdio

Run Tests

dotnet test ./tests

Usage

As an MCP server

This repo includes a .mcp.json at the project root, so Claude Code will automatically discover the server when working in this directory.

To configure it manually in another project or globally (~/.claude/settings.json):

{
  "mcpServers": {
    "procmon": {
      "command": "dotnet",
      "args": ["run", "--project", "C:\\github\\Procmon-PML-MCP\\src"]
    }
  }
}

Tools

Tool	Description
load_pml	Load a .PML file for analysis (must be called first)
get_pml_info	File header info, event class distribution, time range
list_processes	List captured processes with PID, user, integrity, virtualized, command line
get_process_details	Process details including all loaded modules with addresses and versions
get_process_tree	Process tree (parent-child hierarchy), optionally rooted at a specific process
get_events	Browse events by index range with category and relative time
get_event_detail	Full detail for a single event: path, parsed detail properties (registry type/length/data, file access flags), category, relative time, completion time
get_event_stacktrace	Stack trace with K/U indicators and module+offset resolution
search_events	Filter by process, event class, operation, path, result, time, duration
search_by_path	Find events involving a specific file/registry/network path
get_events_summary	Statistical summary: top processes, operations, results, categories
get_process_activity	Activity breakdown for a single process
find_errors	Find events with error results
find_slow_events	Find slowest events by duration

Example Workflow

1. load_pml with the path to your .PML file
2. get_pml_info to understand the capture scope
3. get_process_tree to see the process hierarchy
4. get_events_summary for a high-level overview
5. search_events or search_by_path to drill into specific activity
6. get_event_detail to inspect a specific event's properties
7. get_event_stacktrace to see the call stack for any event

PML Format

The parser handles PML version 9 (current as of Procmon 4.x) with support for:

• File header (936 bytes) with section offsets (events, processes, strings, icons)
• Event records: 5 classes (Process, FileSystem, Registry, Network, Profiling)
• Event offset table (5 bytes per entry) for random access
• Process records (108-byte header) with loaded module lists (64 bytes per module)
• String table (UTF-16LE with offset array)
• Stack frame resolution against process module lists (K/U classification)
• Registry event detail parsing with value type, length, and data extraction
• Extra data section parsing for captured registry values

License

MIT