AFAIK, Process Monitor does not have a single button to exclude all currently running processes. You can work around it by manipulating the registry where the filters are stored or by creating a custom configuration file. ProcMon stores its filter rules in the Windows Registry under the key HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor. Each filter is a binary structure, which makes manual CSV-to-Filter conversion difficult without a helper script.
One way to handle this is to use a PowerShell script to gather all unique, currently running process names and generate a Process Monitor Configuration file or modify the registry directly. A simpler manual approach is to use the Include filter logic. Instead of excluding what is running, you can create a filter for the attribute Process Name is not empty and then use the Drop Filtered Events option under the Filter menu. This ensures that only new activity is captured once you begin your specific action.
If you prefer the exclusion method, you can use the following PowerShell command to copy all current process names to your clipboard, formatted as a list that you can quickly reference, though ProcMon still requires these to be added to the filter dialog one by one unless you use a configuration injector.
Get-Process | Select-Object -ExpandProperty Name -Unique | Set-Clipboard
Another workaround is to use the Time of Day filter. Before you run your action, note the current system time down to the second. Open the Filter dialog (Ctrl+L) and add a rule where Time of Day is after your noted time, then set the action to Include. This should hide every process event that occurred before your test began, effectively giving you a clean slate without needing to name every individual background process.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
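The process-name and time-of-day workarounds above can also be applied after capture, to a trace that was exported as CSV. The following is an added example, not part of the original answer or of Process Monitor. It assumes the default export columns and an en-US style "Time of Day" value; `Select-NewProcessEvent` and all sample rows are constructed for illustration.

```powershell
# Added example: post-filter a ProcMon CSV export (assumed default columns).
# Select-NewProcessEvent is a hypothetical helper name, not a ProcMon feature.
function Select-NewProcessEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Row,
        [string[]] $BaselineName = @(),
        [Parameter(Mandatory)] [timespan] $StartTime
    )
    begin {
        # Assumed "Time of Day" layout, e.g. 10:15:30.5000000 AM
        $format  = 'h:mm:ss.fffffff tt'
        $culture = [cultureinfo]::InvariantCulture
    }
    process {
        # ProcMon logs "svchost.exe"; Get-Process reports "svchost".
        $name = [IO.Path]::GetFileNameWithoutExtension($Row.'Process Name')
        $time = [datetime]::ParseExact($Row.'Time of Day', $format, $culture).TimeOfDay
        # -notin is case-insensitive, so "Explorer.EXE" matches "explorer".
        if ($name -notin $BaselineName -and $time -ge $StartTime) { $Row }
    }
}

# Constructed sample rows; for a real trace use Import-Csv on the exported file.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result"
"10:14:59.0000000 AM","installer.exe","5120","CreateFile","C:\Temp\early.tmp","SUCCESS"
"10:15:01.0000000 AM","svchost.exe","1204","RegQueryValue","HKLM\SOFTWARE\Example","SUCCESS"
"10:15:30.5000000 AM","installer.exe","5120","CreateFile","C:\Temp\example.tmp","SUCCESS"
'@

# Constructed baseline; on a live system take it before starting the capture:
#   $baseline = Get-Process | Select-Object -ExpandProperty Name -Unique
$baseline = 'svchost', 'explorer'
$start    = [timespan]'10:15:00'   # time noted just before the test action

$sampleCsv | ConvertFrom-Csv |
    Select-NewProcessEvent -BaselineName $baseline -StartTime $start |
    Format-Table 'Time of Day', 'Process Name', PID, Operation, Path
```

Excluding by name also hides new instances of a name that was already running (a second svchost.exe, for example), so compare on the PID column instead when that distinction matters.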