document updated 18 years ago, on May 14, 2008

Different kinds of monitors can be installed:

File creation: Use procmon, capture everything. After capture, Tools>Unique values, Column=Process Name, click Show, double-click all involved processes, close dialog. (note that all events listed are now just for the Tools>File summmary, sort by number of writes.
Registry creation: Same as "file creation", but use Tools>Registry summmary, and sort by number of writes.