ProcmonMCP is a Model Context Protocol (MCP) server that allows LLMs to autonomously analyse Process Monitor (Procmon) XML log files. It exposes a comprehensive set of analysis tools to any MCP-compatible client, including Claude Code, Claude Desktop, Cline, and others.
Process Monitor captures detailed system activity — file access, registry operations, network connections, process creation, and more. ProcmonMCP parses these XML logs into an optimised in-memory representation and exposes them as MCP tools, enabling an LLM to investigate system behaviour without manual data wrangling.
Key capabilities:
- Load files at runtime — no need to restart the server to analyse a different capture
- Parsed-capture cache — reloading an unchanged file is near-instant (parsing is skipped)
- String interning for reduced memory footprint on large logs
- Indexed lookups by process name, operation, PID, and file path for fast filtering
- Multiple transport protocols — stdio (recommended), Streamable HTTP, and SSE (deprecated)
- Progress feedback during file loading via MCP notifications
This project was inspired by the approach taken in GhidraMCP.
Security Warning
Process Monitor logs can contain extremely sensitive system information (keystrokes, passwords in command lines, file contents, network traffic details, etc.).
- This tool loads any file path that the user running the script has read permissions for. There is no directory sandboxing.
- Only run this server in trusted environments.
- Never run this server with Procmon logs captured from systems containing sensitive production or personal data unless you fully understand and accept the risks.
- Review the logs you intend to load for sensitive information before using this tool.
- Python 3.7 or newer (developed and tested with 3.10+)
pip(Python package installer)
git clone https://github.com/JameZUK/ProcmonMCP
cd ProcmonMCP
pip install -r requirements.txtOr install the package itself (provides a procmon-mcp console script):
pip install . # core only (mcp[cli])
pip install ".[all]" # core + optional lxml and psutil
pip install -e ".[dev]" # editable install with test tooling| Package | Required | Purpose |
|---|---|---|
mcp[cli]>=1.8.0 |
Yes | MCP SDK with CLI tools and Streamable HTTP support |
lxml>=4.9.0 |
Recommended | Faster XML parsing (falls back to stdlib ElementTree if absent) |
psutil>=5.9.0 |
Optional | Memory usage reporting after file loading |
google-re2 |
Optional | Linear-time, ReDoS-safe engine for user filter regexes (pip install ".[re2]"; falls back to stdlib re) |
Install all at once:
pip install "mcp[cli]>=1.8.0" lxml psutilThe recommended way to use ProcmonMCP is via stdio transport with Claude Code. The server starts without any file loaded — you (or the LLM) can then use the load_file tool to open a Procmon capture.
# Add ProcmonMCP as a stdio server (user-wide)
claude mcp add procmon --scope user -- python -m procmon_mcp
# Or with a file pre-loaded at startup
claude mcp add procmon --scope user -- python -m procmon_mcp --input-file /path/to/capture.xml.gz
# Or scoped to the current project only
claude mcp add procmon --scope project -- python -m procmon_mcpclaude mcp add-json procmon '{
"type": "stdio",
"command": "python",
"args": ["-m", "procmon_mcp"]
}'Claude Code reads MCP server configuration from these locations:
| Scope | File | Description |
|---|---|---|
| Project (shared, version-controlled) | .mcp.json in project root |
Shared with the team |
| Project (personal) | .claude/settings.local.json |
Your local overrides |
| User (global) | ~/.claude.json |
Available across all projects |
Example .mcp.json for a shared project:
{
"mcpServers": {
"procmon": {
"type": "stdio",
"command": "python",
"args": ["-m", "procmon_mcp"]
}
}
}Example with a pre-loaded file and options:
{
"mcpServers": {
"procmon": {
"type": "stdio",
"command": "python",
"args": [
"-m", "procmon_mcp",
"--input-file", "/path/to/capture.xml.gz",
"--no-stack-traces"
]
}
}
}For network access or multi-client scenarios, use Streamable HTTP:
# Add as an HTTP server (start the server separately first)
claude mcp add --transport http procmon http://127.0.0.1:8081/mcpThen start the server:
python -m procmon_mcp --transport streamable-http --mcp-port 8081Once configured, verify that Claude Code can see ProcmonMCP:
claude mcp listInside a Claude Code session, you can also type /mcp to check the status of connected servers.
- Start the server (Claude Code does this automatically for stdio servers)
- Check status: The LLM calls
get_statusto see if a file is loaded - Load a file: The LLM calls
load_filewith a path to a Procmon XML capture - Analyse: The LLM uses the analysis tools to investigate the log data
| Argument | Default | Description |
|---|---|---|
--input-file <path> |
(none) | Pre-load a Procmon XML file at startup. If omitted, use load_file from the MCP client. |
--transport <mode> |
stdio |
Transport protocol: stdio, streamable-http, or sse (deprecated). |
--mcp-host <ip> |
127.0.0.1 |
Host address (HTTP transports only). |
--mcp-port <port> |
8081 |
Port number (HTTP transports only). |
--no-stack-traces |
off | Skip loading stack traces to save memory. |
--no-extra-data |
off | Skip loading unknown/extra event fields to save memory. |
--no-cache |
off | Bypass the parsed-capture cache (always re-parse, and refresh the cache). |
--clear-cache |
off | Remove all cached parsed captures, then exit. |
--debug |
off | Enable verbose debug logging. |
--log-file <path> |
(console) | Write logs to a file instead of the console. |
--profile |
off | Enable cProfile profiling (for development). |
Start with stdio (no file pre-loaded — use load_file from the client):
python -m procmon_mcpPre-load a compressed XML file:
python -m procmon_mcp --input-file /path/to/capture.xml.gzStart with Streamable HTTP on a custom port:
python -m procmon_mcp --transport streamable-http --mcp-port 9000Skip stack traces for a very large file:
python -m procmon_mcp --input-file /path/to/huge_capture.xml --no-stack-traces --no-extra-data| Transport | Use case | Status |
|---|---|---|
| stdio | Local use with Claude Code, Claude Desktop, etc. | Recommended |
| streamable-http | Network access, multiple clients, remote deployment | Supported |
| sse | Legacy MCP clients that do not yet support Streamable HTTP | Deprecated (MCP spec 2025-03-26) |
The simplest and most reliable transport. Claude Code spawns the server as a child process and communicates over stdin/stdout. No network configuration required.
Uses a single HTTP endpoint (/mcp) for all communication. Supports session management, optional SSE streaming for long-running operations, and is designed for scalability.
python -m procmon_mcp --transport streamable-http --mcp-host 0.0.0.0 --mcp-port 8081The server will be available at http://<host>:<port>/mcp.
Deprecated since MCP specification 2025-03-26. SSE is retained for backwards compatibility but will be removed in a future release. Please migrate to
streamable-httporstdio.
python -m procmon_mcp --transport sse --mcp-port 8081ProcmonMCP stores user preferences in ~/.procmonmcp/config.json. This file is created automatically and remembers:
- The last loaded file path (shown as a hint in
get_statuswhen no file is loaded) - Loading preferences (
no_stack_traces,no_extra_data)
No API keys or authentication tokens are required — ProcmonMCP is a purely local analysis tool.
Parsing a large capture is expensive (tens of seconds to minutes). After a successful
parse, ProcmonMCP serializes the optimised in-memory representation (events, interners,
indices, process tables) to ~/.procmonmcp/cache/, keyed on the source file's path,
size, and modification time plus the load options. Reloading the same unchanged file is
then served from the cache and is near-instant — in practice a 20s parse drops to well
under a second.
- The cache is invalidated automatically when the file changes (mtime/size) or when the
cache format version changes. Different
no_stack_traces/no_extra_dataoptions are cached separately. - Bypass it with
--no-cache(CLI) orno_cache: true(theload_filetool); thefrom_cachefield in the load response indicates whether the cache was used. - Clear it with
--clear-cache(CLI) or theclear_cachetool. The cache is size-bounded with LRU eviction (default 5 GiB; override with thePROCMONMCP_CACHE_MAX_BYTESenvironment variable). - Security: cache files are serialized with Python's
pickleand are read back only from your user-owned~/.procmonmcp/cachedirectory (only this tool's own output is ever deserialized). Do not point the cache at a location other users can write to.
| Tool | Description |
|---|---|
get_status() |
Returns the current server state — whether a file is loaded, loading progress, memory usage, and available actions. Call this first. |
load_file(file_path, no_stack_traces?, no_extra_data?, no_cache?) |
Loads a Procmon XML file (.xml, .gz, .bz2, .xz) for analysis. Uses the parsed-capture cache for near-instant reloads (from_cache in the response says whether it was used). Set no_cache: true to bypass the cache. Provides progress feedback. Replaces any previously loaded data. |
close_file() |
Closes (unloads) the currently loaded capture and frees its memory. Analysis tools are unavailable until another file is opened with load_file. Does not remove the on-disk cache. |
clear_cache() |
Removes all on-disk parsed-capture caches. Reclaims disk space and forces a clean re-parse on the next load. Does not affect currently loaded data. |
| Tool | Description |
|---|---|
get_loaded_file_summary() |
Returns a detailed summary of the loaded file — filename, counts, compression, index stats, interner stats, and selective loading flags. |
get_metadata() |
Returns basic metadata (filename, type, event/process counts). |
list_processes() |
Lists unique processes (PID, name, image path, parent PID) from the process list section. |
get_process_details(pid) |
Returns detailed properties for a specific process by PID. |
query_events(...) |
Queries events with flexible filters — by process, PID (filter_pid), operation, result, path (contains/regex), detail (regex), timestamp range, and stack module path. Returns event summaries with index. |
get_event_details(event_index) |
Returns all properties for a specific event by its index. |
get_event_stack_trace(event_index) |
Returns the call stack for a specific event (module path, location, address). |
| Tool | Description |
|---|---|
count_events_by_process() |
Counts events per process name. |
summarize_operations_by_process(process_name_filter) |
Counts operations for a specific process. |
get_timing_statistics(group_by) |
Calculates duration statistics grouped by process or operation. |
get_process_lifetime(pid) |
Finds the Process Create and Process Exit timestamps for a given PID. |
find_file_access(path_contains, limit?) |
Finds file system events matching a path substring (case-insensitive). |
find_network_connections(process_name) |
Returns enriched records for the remote endpoints a process accessed: endpoint, host/ip/hostname/port, operations, inferred directions (connect/send/receive), results, event count, and first/last-seen timestamps — ranked by count. |
list_network_connections(limit?) |
Capture-wide network triage: one enriched record per (process, PID, endpoint) across all processes, ranked by event count. |
get_network_top_talkers(limit?) |
Ranks unique remote endpoints across the whole capture by event count, with the count of distinct processes (and their names) that touched each. |
| Tool | Description |
|---|---|
export_query_results(...) |
Exports filtered events to CSV or JSON file. Uses the same filters as query_events. |
ProcmonMCP works with any MCP-compatible client. Below are setup instructions for popular clients.
See the Quick Start with Claude Code section above.
Add the following to your Claude Desktop configuration file:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"procmon": {
"command": "python",
"args": ["-m", "procmon_mcp"]
}
}
}For Cline with Streamable HTTP transport, first start the server:
python -m procmon_mcp --transport streamable-http --mcp-port 8081Then in Cline, select MCP Servers and add:
- Server Name: ProcmonMCP
- Server URL:
http://127.0.0.1:8081/mcp
(Assuming a Procmon XML file is loaded)
- "Get the summary of the loaded file."
- "List the unique processes found in the log."
- "Count the events per process." (Identify high-activity processes)
- "Calculate timing statistics grouped by process." (Identify long-duration events)
- "Get details for process PID 4568." (Check command line, parent PID, image path)
- "Summarise operations for process
suspicious.exe." - "Query events where filter_process is
suspicious.exeand filter_operation isRegSetValue, limit 10." - "Find network connections for process
suspicious.exe." (Enriched: directions, results, counts, first/last-seen) - "List network connections across the whole capture." (Capture-wide triage, busiest first)
- "Show the network top talkers." (Rank remote endpoints by event count)
- "Find file access containing
temp\\suspicious_data, limit 50."
- "Query events where filter_operation is
RegSetValueand filter_path_contains isCurrentVersion\\Run, limit 20." - "Query events where filter_operation is
CreateFileand filter_path_contains isStartUp, limit 10."
- "Query events where filter_result is
ACCESS DENIED, limit 10." - "Query events where filter_result is
NAME NOT FOUND, limit 10." - "Get details for event 987."
- "Get stack trace for event 987."
- "Export query results to
suspicious_reg_writes.csvwhere filter_process issuspicious.exeand filter_operation containsRegSet." - "Export query results to
network_activity.jsonin json format."
ProcmonMCP builds four indices during file loading for fast filtered lookups:
| Index | Used by | Complexity |
|---|---|---|
| Process name (interned ID) | query_events, count_events_by_process |
O(1) lookup |
| Operation (interned ID) | query_events, summarize_operations_by_process |
O(1) lookup |
| PID | query_events (filter_pid), get_process_lifetime |
O(1) lookup with set intersection |
| File path (interned ID) | find_file_access |
O(unique_paths) substring scan |
For filters not backed by an index (e.g., regex, path contains, stack module path), ProcmonMCP falls back to a linear scan of all events. Use indexed filters first to narrow results, then apply more expensive filters.
- Memory usage: Whilst optimised with string interning, loading extremely large XML files (millions of events with stack traces) can consume significant RAM. Use
--no-stack-tracesand--no-extra-datafor very large files. - Loading time: Parsing and optimising large XML files takes time, particularly compressed ones. Progress is reported during loading. Reloading an unchanged file is near-instant thanks to the parsed-capture cache; only the first parse pays the full cost.
- XML structure: Relies on the standard Procmon XML export structure. Malformed or non-standard XML will likely cause parsing errors.
- Non-ASCII names: Procmon's XML export double-encodes non-ASCII process/path names (e.g. Japanese filenames). ProcmonMCP detects and repairs this on load so names are readable and matchable by their true value; if a process name is still awkward to type exactly, filter by
filter_pidinstead. - Stack traces: Stack trace quality depends on what Procmon resolved and included in the XML export. Requires running Procmon with symbols configured correctly.
- Single file at a time: Only one file can be loaded at any given time. Loading a new file replaces the previous data.
Notable changes are recorded in CHANGELOG.md.
Contributions are welcome! Please feel free to submit pull requests or open issues on GitHub.
This project is licensed under the MIT License — see the LICENSE file for details.