Process Monitor can log activity from a point very early in the boot process, during the initialization of boot-start device drivers. Configure Process Monitor to log the next boot by selecting Enable Boot Logging from the Options menu. Process Monitor's driver will log activity at the next boot into a file in the %Windir% directory and will continue logging through the shutdown or until you run Process Monitor again. Thus, if you don't run Process Monitor during a boot session, you will capture a trace of the entire boot to shutdown.
When you run Process Monitor, it checks whether a previous boot log has been generated and, if so, asks you where you want to place the processed boot log output file. Process Monitor displays the trace after it has finished translating it. To see activity from the System process, which is the only process running early in a boot, select Enable Advanced Output from the Options menu.
If you configure boot logging and the system crashes early in the boot, you can deactivate boot logging by choosing the Last Known Good option from the Windows boot menu (which you access by pressing F8 during the boot).
Note: network events, which are based on ETW (Event Tracing for Windows), are not available in boot logs.