

This tool processes Sysinternals Process Monitor (Procmon) logfiles and PCAP-logs (Windump, Tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed.
Download latest Windows version

Download latest Linux version


Christian Wojner







1.1 (Build 47) See changelog included in the ZIP archive     x
1.1 (Build 46) See changelog included in the ZIP archive   x x
1.1 (Build 44) Fixed: Issue with "'" in paths     x
1.1 (Build 43) Fixed: Performance issues     x
1.1 (Build 42) -     x
1.0 (Build 31) -     x

You've got some feedback (issues, ideas, etc.)?
Join our ProcDOT forum or drop us a line:

ProcDOT now has its own dedicated website:


ProcDOT depends on third party software! Please follow the instructions in the included readme.txt to install and configure ProcDOT properly.


  1. Select your logfiles
    Sad but true, the specs for Procmon's native file format (.PML) are not (publicly) available. Therefore you have to export your .PML file to .CSV, which can easily be done via the "Save" menu item in Procmon. Be sure to select "all events".
  2. Choose the graphing mode (no paths, compressed)
  3. Select the first relevant (malicious) process (the launching process)
  4. Click "Refresh"
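As an added example (not ProcDOT's own code), the script below mirrors the pipeline described above in miniature: it reads a Procmon CSV export, keeps only the chosen "launcher" process and whatever it spawns, and emits a GraphViz DOT graph. The column names are assumed to be Procmon's default export columns, and the sample log is constructed for this example, not taken from this page.

```python
import csv
import io
import re
# Constructed Procmon CSV export (not a real capture), default column set.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","explorer.exe","1000","Process Create","C:\Users\u\dropper.exe","SUCCESS","PID: 2000, Command line: dropper.exe"
"10:00:02","dropper.exe","2000","WriteFile","C:\Users\u\AppData\x.dll","SUCCESS","Offset: 0, Length: 4096"
"10:00:03","dropper.exe","2000","Process Create","C:\Windows\System32\rundll32.exe","SUCCESS","PID: 3000, Command line: rundll32 x.dll"
"10:00:04","rundll32.exe","3000","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x","SUCCESS","Type: REG_SZ"
"10:00:05","svchost.exe","500","WriteFile","C:\Windows\Temp\log.txt","SUCCESS","Offset: 0, Length: 10"
'''
SHAPES = {"process": "box", "file": "ellipse", "registry": "note"}

def parse_events(text):
    # Procmon "Save" as CSV with all events: one dict per logged operation.
    return list(csv.DictReader(io.StringIO(text)))

def build_graph(events, launcher_pid):
    """Keep only the launcher and the processes it (transitively) creates, so
    unrelated system noise (svchost.exe above) never enters the graph."""
    relevant = {str(launcher_pid)}
    nodes, edges = {}, []
    for ev in events:
        pid, op, path = ev["PID"], ev["Operation"], ev["Path"]
        if pid not in relevant or ev["Result"] != "SUCCESS":
            continue
        src = f"proc:{pid}"
        nodes.setdefault(src, (ev["Process Name"], "process"))
        if op == "Process Create":
            m = re.search(r"PID:\s*(\d+)", ev["Detail"])
            if not m:  # malformed Detail column: skip the row, do not crash
                continue
            relevant.add(m.group(1))
            dst = f"proc:{m.group(1)}"
            nodes[dst] = (path.rsplit("\\", 1)[-1], "process")
        elif op in ("WriteFile", "RegSetValue"):
            kind = "file" if op == "WriteFile" else "registry"
            dst = f"{kind}:{path}"
            nodes.setdefault(dst, (path, kind))
        else:
            continue  # other operations are not drawn in this example
        edges.append((src, dst, op))
    return nodes, edges

def to_dot(nodes, edges):
    """Render as GraphViz DOT; backslashes and quotes in labels are escaped."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    out = ["digraph procdot {"]
    out += [f'  "{esc(n)}" [label="{esc(l)}" shape={SHAPES[k]}];' for n, (l, k) in nodes.items()]
    out += [f'  "{esc(s)}" -> "{esc(d)}" [label="{esc(o)}"];' for s, d, o in edges]
    return "\n".join(out + ["}"])
```

Feeding `to_dot(*build_graph(parse_events(SAMPLE_CSV), 2000))` to `dot -Tpng` (the same Graphviz executable ProcDOT is configured with) renders the picture.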


  • Node legend:
  • Moving the Graph:
    Drag with mouse (left button)
  • Zooming the Graph (in steps):
    Ctrl + Scroll wheel
  • Zooming the Graph (100%):
    Left double click (double click again to go back to previous scope)
  • Going back to previous scope:
    Right double click (double click again to re-fit and center the graph in the window)
  • Finding text:
  • Clear found text:
  • Context menu for nodes:
    Get details, add filter rule



Cheatsheet: The User Interface

Tutorial-Video 1: The User Interface
Tutorial-Video 2: The Graph
Tutorial-Video 3: Analysis (Part 1)
Tutorial-Video 4: Analysis (Part 2): The Timeline


Most issues can be solved by following the instructions in the readme.txt!

ProcDOT whines about an "unknown format" of the used Procmon file.

Most probably you forgot to pre-configure Procmon properly. Please follow the instructions in the readme.txt!

ProcDOT whines about a not available PNG file.

Most probably you forgot to pre-configure Procmon properly. Please follow the instructions in the readme.txt!
However, with build 22 this error message changes to a more precise one, namely the same "unknown format" message the "launcher" button shows if the Procmon file format doesn't match.

I get a blank (white) screen instead of a graph.

Most probably you forgot to choose a "launcher" process. If you just monitored a running system without invoking a specific process which can be chosen as a "launcher", keep the "launcher" empty, check the "dumb" checkbox, and refresh the graph.

Which executables shall I choose in ProcDOT's options?

For WinDump choose the corresponding WinDump.exe (under Linux choose the corresponding tcpdump binary with a fully qualified path, otherwise it won't work).
For the (DOT) executable of the Graphviz suite go to its "bin" folder and choose dot.exe (or dot under Linux).

I can't see any file-activities in the graph but in Procmon I can.

There can be multiple reasons for that ...
  • Procmon filters (choose "Export all events")
  • Procmon option "Filter > Enable Advanced Output" (should be disabled!)
  • ProcDOT filters for files (Session and Global)

I can't see any plugins in the plugins mainmenu/plugins manager.

Most probably you missed the line in the readme.txt stating "... copy the folder "plugins" (included in the zip archive) beneath your ProcDOT executable.".
Last Change: 2016/8/23 - 09:42:42