How to use the Microsoft Process Monitor to troubleshoot files scanned by VirusScan McShield
Technical Articles ID: KB50981
Last Modified: 11/3/2016


McAfee VirusScan Enterprise (VSE) 8.8, 8.7i

Microsoft Windows Vista (32-bit, 64-bit)
Microsoft Windows XP SP2 (32-bit, 64-bit)
Microsoft Windows Server 2003 SP1 (32-bit, 64-bit)
Microsoft Windows 2000 SP4 with Update Rollup 1



  • This article involves stopping services vital to protecting your system. Ensure that you run an On-Demand Scan on the system after re-enabling the On-Access Scanner.
  • If the ProcMon log is being requested by Support, do not apply any filters. Replicate the issue and save a copy of the Process Monitor log in the native .PML log file format, with all events included.
  • This article also deals with utilities that contain log files, which can potentially fill up your hard disk in a relatively short time. Therefore, ensure that you monitor the size of the log files closely.
Determining which files are being scanned by VSE
The Process Monitor (ProcMon) tool can be helpful in determining which files should be excluded from scanning, verifying that files are excluded, and troubleshooting issues with excluded items that are still being scanned. Setting up a filter for the McShield process makes it easier to see which files are actually being scanned by the On-Access Scanner.

Setting up filters within Process Monitor to show files that are scanned by the McAfee Engine
This is not limited to files sent to the VirusScan Enterprise Anti-Virus filter driver.
For the Process Monitor to capture the On-Access Scanner's activity properly, you must start the Process Monitor while the On-Access Scanner is disabled.
  1. Allow McAfee services to be stopped:
    1. Click Start, Programs, McAfee, VirusScan Console.
    2. Right-click Access Protection, and select Properties.
    3. Deselect Prevent McAfee services from being stopped and click OK.
    4. Exit the VirusScan Console.
  2. Set the McShield service to Manual:
    1. Select Start, Run, type services.msc, then click OK.
    2. Right-click McAfee McShield and select Properties.
    3. Set Startup Type to Manual, and click OK.
    4. Restart your computer.
  3. Use the Process Monitor to capture the activity by the McShield service:
    1. Download the Process Monitor (ProcMon).
      For documentation and downloads, see KB72766.
    2. Extract the downloaded files to a clean directory using WinZip or another file extraction utility.
    3. Launch ProcMon.exe.
    4. Click Filter, and enable Advanced Output.
    5. Create the filter for McShield.

      Example: Filter for all READ actions by McShield:

      Process Name: IS McShield.exe
      Operation: CONTAINS IRP_MJ_READ
  4. Start the McShield service:
    1. Click Start, Run, type services.msc, then click OK.
    2. Right-click McAfee McShield, and select Start.
    3. Exit Services.
  5. Reproduce the issue and gather the Process Monitor information.

    IMPORTANT: After completing the procedure, remember to do the following:
    • Set the McShield service back to Automatic to revert.
    • Select the Prevent McAfee services from being stopped option to re-enable the security option that was disabled in the first step.
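
An added example, not part of the original article: a Python script that applies the same McShield.exe / IRP_MJ_READ filter to a capture exported from Process Monitor as CSV (File, Save, CSV format) and lists any scanned files that sit under a folder that should be excluded. The sample rows and the exclusion list are constructed for illustration; the column names are Process Monitor's default CSV columns.

```python
import csv
import io
from collections import Counter

# Constructed sample of a ProcMon CSV export (default columns); not real log data.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","McShield.exe","1480","IRP_MJ_READ","C:\Data\db\orders.mdf","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.2000000 AM","McShield.exe","1480","IRP_MJ_READ","C:\Data\db\orders.mdf","SUCCESS","Offset: 4,096, Length: 4,096"
"10:01:03.0000000 AM","McShield.exe","1480","IRP_MJ_READ","C:\Users\alice\Downloads\setup.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.5000000 AM","sqlservr.exe","2210","IRP_MJ_READ","C:\Data\db\orders.mdf","SUCCESS","Offset: 0, Length: 8,192"
"10:01:04.0000000 AM","McShield.exe","1480","IRP_MJ_CREATE","C:\Data\db\orders.ldf","SUCCESS","Desired Access: Generic Read"
'''

# Hypothetical exclusion list; use the folders configured in your own VSE policy.
EXCLUDED_FOLDERS = [r"C:\Data\db"]


def scanned_files(csv_text, process="McShield.exe", operation="IRP_MJ_READ"):
    """Count events per path, using the same two conditions as the ProcMon filter."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        same_process = row["Process Name"].lower() == process.lower()
        if same_process and operation in row["Operation"]:
            counts[row["Path"].lower()] += 1  # Windows paths are case-insensitive
    return counts


def excluded_but_scanned(counts, excluded_folders):
    """Return scanned paths that sit under a folder that should be excluded."""
    prefixes = [f.lower().rstrip("\\") + "\\" for f in excluded_folders]
    return {p: n for p, n in counts.items() if p.startswith(tuple(prefixes))}


if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig", newline="").read()
    counts = scanned_files(SAMPLE_CSV)
    for path, n in counts.most_common():
        print(f"{n:5d}  {path}")
    for path, n in excluded_but_scanned(counts, EXCLUDED_FOLDERS).items():
        print(f"excluded folder still read by McShield: {path} ({n} reads)")
```

A log requested by Support must still be saved unfiltered in the native .PML format; the CSV export is only for your own analysis.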
