A C# MCP (Model Context Protocol) server that parses Process Monitor .PML log files, enabling AI assistants to explore, filter, and analyze ProcMon captures.
Process Monitor captures detailed system activity (file system, registry, network, process events) but its binary .PML format is opaque. This MCP server implements the PML v9 format and exposes it through a set of tools that let you query events, inspect processes, resolve stack traces, and filter by any combination of criteria.
Supports all the key features from the Process Monitor UI:
- Event Properties: Date/Time, Thread ID, Class, Category, Operation, Result, Path, Duration, Detail (registry type/length/data, file access flags, etc.)
- Process Properties: PID, PPID, User, Integrity, Architecture, Virtualized, Session ID, Auth ID, Command Line, loaded Modules
- Stack Traces: K/U (Kernel/User) frame indicators, module + offset resolution
- Process Tree: Full parent-child hierarchy view
- Timing: Relative Time, Completion Time, Time of Day
- .NET 10.0+
- Process Monitor `.PML` log files (captured with Procmon)
- `src/` C# MCP server source (ProcMonMcp.csproj)
- `tests/` xUnit tests (ProcMonMcp.Tests.csproj)
- `.mcp.json` Project-level MCP server config
```shell
dotnet build ./src
dotnet run --project ./src   # starts MCP server on stdio
dotnet test ./tests
```

This repo includes a `.mcp.json` at the project root, so Claude Code will automatically discover the server when working in this directory.
To configure it manually in another project or globally (~/.claude/settings.json):
```json
{
  "mcpServers": {
    "procmon": {
      "command": "dotnet",
      "args": ["run", "--project", "C:\\github\\Procmon-PML-MCP\\src"]
    }
  }
}
```

| Tool | Description |
|---|---|
| load_pml | Load a .PML file for analysis (must be called first) |
| get_pml_info | File header info, event class distribution, time range |
| list_processes | List captured processes with PID, user, integrity, virtualized, command line |
| get_process_details | Process details including all loaded modules with addresses and versions |
| get_process_tree | Process tree (parent-child hierarchy), optionally rooted at a specific process |
| get_events | Browse events by index range with category and relative time |
| get_event_detail | Full detail for a single event: path, parsed detail properties (registry type/length/data, file access flags), category, relative time, completion time |
| get_event_stacktrace | Stack trace with K/U indicators and module+offset resolution |
| search_events | Filter by process, event class, operation, path, result, time, duration |
| search_by_path | Find events involving a specific file/registry/network path |
| get_events_summary | Statistical summary: top processes, operations, results, categories |
| get_process_activity | Activity breakdown for a single process |
| find_errors | Find events with error results |
| find_slow_events | Find slowest events by duration |
1. `load_pml` with the path to your `.PML` file
2. `get_pml_info` to understand the capture scope
3. `get_process_tree` to see the process hierarchy
4. `get_events_summary` for a high-level overview
5. `search_events` or `search_by_path` to drill into specific activity
6. `get_event_detail` to inspect a specific event's properties
7. `get_event_stacktrace` to see the call stack for any event
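The same workflow can be scripted instead of driven by an assistant, which is handy for batch triage of many captures. The script below is an added example and not part of the ProcMonMcp project: it builds the JSON-RPC 2.0 messages an MCP client sends over the stdio transport (`initialize`, the `notifications/initialized` notification, `tools/list`, then `tools/call` for each tool in the order above) and plays them against the server. The argument name `path` for `load_pml` is an assumption; the real argument schema is what `tools/list` returns.

```python
"""Drive the ProcMon MCP server from a script over stdio.

Added example; it is not part of the ProcMonMcp project. Assumptions:
the server speaks newline-delimited JSON-RPC 2.0 on stdin/stdout (the MCP
stdio transport), and the argument name "path" for load_pml is a
placeholder; the real schema comes back from tools/list.
"""
from __future__ import annotations

import json
import subprocess
from typing import Any

MCP_PROTOCOL_VERSION = "2024-11-05"


def make_request(req_id: int, method: str, params: dict[str, Any] | None = None) -> dict:
    """One JSON-RPC 2.0 request; a request always carries an id."""
    msg: dict[str, Any] = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def make_notification(method: str, params: dict[str, Any] | None = None) -> dict:
    """A JSON-RPC notification has no id and gets no response."""
    msg: dict[str, Any] = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def tool_call(req_id: int, name: str, arguments: dict[str, Any]) -> dict:
    """MCP wraps every tool invocation in the tools/call method."""
    return make_request(req_id, "tools/call", {"name": name, "arguments": arguments})


def triage_plan(pml_path: str) -> list[dict]:
    """Messages in the order the README workflow prescribes: handshake,
    discover tools, load the capture, orient, then drill into errors."""
    return [
        make_request(1, "initialize", {
            "protocolVersion": MCP_PROTOCOL_VERSION,
            "capabilities": {},
            "clientInfo": {"name": "pml-triage", "version": "0.1"},
        }),
        make_notification("notifications/initialized"),
        make_request(2, "tools/list"),
        tool_call(3, "load_pml", {"path": pml_path}),  # "path" is an assumed argument name
        tool_call(4, "get_pml_info", {}),
        tool_call(5, "get_process_tree", {}),
        tool_call(6, "get_events_summary", {}),
        tool_call(7, "find_errors", {}),
    ]


def parse_response(line: str) -> tuple[int | None, Any]:
    """Decode one line from the server. Raises on a JSON-RPC error object;
    returns (None, None) for server-originated notifications."""
    msg = json.loads(line)
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    return msg.get("id"), msg.get("result")


def run_over_stdio(server_cmd: list[str], pml_path: str) -> dict[int, Any]:
    """Spawn the server, play the plan, and return results keyed by request id."""
    results: dict[int, Any] = {}
    with subprocess.Popen(server_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          text=True, encoding="utf-8") as proc:
        assert proc.stdin is not None and proc.stdout is not None
        for msg in triage_plan(pml_path):
            proc.stdin.write(json.dumps(msg) + "\n")
            proc.stdin.flush()
            if "id" not in msg:
                continue  # notification: nothing to wait for
            while True:  # skip unsolicited server notifications until our reply arrives
                line = proc.stdout.readline()
                if not line:
                    raise RuntimeError("server closed stdout before replying")
                rid, result = parse_response(line)
                if rid == msg["id"]:
                    results[rid] = result
                    break
        proc.stdin.close()
    return results


if __name__ == "__main__":
    import sys
    out = run_over_stdio(["dotnet", "run", "--project", "./src"], sys.argv[1])
    print(json.dumps(out.get(7), indent=2))  # the find_errors result
```

Run it as `python triage.py C:\captures\sample.PML` from the repository root. The reply loop discards any message whose `id` does not match the outstanding request, which is what keeps the client in step if the server emits log notifications between responses.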
The parser handles PML version 9 (current as of Procmon 4.x) with support for:
- File header (936 bytes) with section offsets (events, processes, strings, icons)
- Event records: 5 classes (Process, FileSystem, Registry, Network, Profiling)
- Event offset table (5 bytes per entry) for random access
- Process records (108-byte header) with loaded module lists (64 bytes per module)
- String table (UTF-16LE with offset array)
- Stack frame resolution against process module lists (K/U classification)
- Registry event detail parsing with value type, length, and data extraction
- Extra data section parsing for captured registry values
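The stack frame resolution step above (raw addresses to `module + offset`, each tagged K or U) is small enough to show end to end. The code below is an added example, not the project's parser: the module list and the frame addresses are constructed, and the kernel/user split is an assumption stated in the code (an address in the upper half of the address space for the process architecture is treated as kernel). Frames that fall outside every loaded module are kept and reported as bare addresses rather than dropped, since an unbacked frame is exactly the kind of thing a reviewer wants to see.

```python
"""Resolve raw stack-frame addresses to module+offset with K/U tags.

Added example, not the ProcMonMcp project's code. The module list and the
frame addresses below are constructed. Assumption: a frame is classed as
kernel (K) when its address lies in the upper half of the address space for
the process architecture (>= 0x80000000 on 32-bit, >= 0x8000000000000000
on 64-bit); everything else is user (U).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Frame:
    index: int
    address: int
    kind: str                 # "K" or "U"
    module: Optional[Module]  # None when no loaded module covers the address
    location: str             # "ntdll.dll + 0x60100" or a bare "0x..." if unresolved


def is_kernel_address(addr: int, is_64bit: bool) -> bool:
    """Upper-half-of-address-space heuristic for K/U classification (assumption)."""
    bits = 64 if is_64bit else 32
    return addr >= 1 << (bits - 1)


def resolve_frames(addresses: list[int], modules: list[Module], is_64bit: bool) -> list[Frame]:
    """Map each raw frame address to the module that contains it plus an offset."""
    frames = []
    for i, addr in enumerate(addresses):
        kind = "K" if is_kernel_address(addr, is_64bit) else "U"
        mod = next((m for m in modules if m.contains(addr)), None)
        loc = f"{mod.name} + 0x{addr - mod.base:x}" if mod else f"0x{addr:x}"
        frames.append(Frame(i, addr, kind, mod, loc))
    return frames


def unresolved_frames(frames: list[Frame]) -> list[Frame]:
    """Frames no loaded module accounts for; worth a second look in a review."""
    return [f for f in frames if f.module is None]


def format_stack(frames: list[Frame]) -> list[str]:
    """One line per frame in the K/U, index, location layout Procmon shows."""
    return [f"{f.kind} {f.index:>2} {f.location}" for f in frames]


# Constructed sample data: a 64-bit process with one kernel and two user modules.
SAMPLE_MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80000400000, 0x00A00000),
    Module("ntdll.dll", 0x00007FFB12340000, 0x001F0000),
    Module("sample.exe", 0x00007FF600010000, 0x00080000),
]
SAMPLE_ADDRESSES = [
    0xFFFFF80000412345,  # kernel, inside ntoskrnl.exe
    0xFFFFF8000041ABCD,  # kernel, inside ntoskrnl.exe
    0x00007FFB123A0100,  # user, inside ntdll.dll
    0x00007FF600023456,  # user, inside sample.exe
    0x0000000000401000,  # user, no module covers it
]

if __name__ == "__main__":
    stack = resolve_frames(SAMPLE_ADDRESSES, SAMPLE_MODULES, is_64bit=True)
    print("\n".join(format_stack(stack)))
    print(f"{len(unresolved_frames(stack))} frame(s) not backed by a loaded module")
```

The lookup is a linear scan over the module list, which is fine for a single stack; when resolving every event in a large capture, sort modules by base once and bisect instead.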
MIT