Copyright © 1998-1999 Mark Russinovich
Last Updated January 21, 1998 V2.01
Introduction

Portmon is a GUI/device driver combination that monitors and displays all serial and parallel port activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way NT works, seeing how applications use ports, or tracking down problems in system or application configurations. Portmon works on NT 4.0, 5.0 (Windows 2000), Windows 95 and Windows 98.
Sample Screen Shot

This is a screenshot of Portmon watching a dial-up session.
Installation and Use

Simply run the Portmon GUI (portmon.exe) from the same directory in which the driver (Portm.sys) resides. Note that it must be located on a non-network drive and that you must have administrative privilege to run Portmon. When Portmon is started for the first time it will monitor all serial and parallel ports. Menus, hot-keys, or toolbar buttons can be used to clear the window, select and deselect monitored ports, save the monitored data to a file, and filter and search output.

As events are printed to the output, they are tagged with a sequence number. If Portmon's internal buffers overflow during extremely heavy activity, this will be reflected as gaps in the sequence numbers.

Use the Filter dialog to select what data will be shown in the list view. The '*' wildcard matches arbitrary strings, and the filters are case-insensitive. Only entries that match the process include filter and are not excluded by the process exclude filter are displayed. Use ';' to separate multiple strings in a filter (e.g. "*Portmon*;*Explorer*").

Portmon understands all serial and parallel port I/O control (IOCTL) commands and will display them along with interesting information regarding their associated parameters. For read and write requests Portmon displays the first several dozen bytes of the buffer, using '.' to represent non-printable characters. The Show Hex menu option lets you toggle between ASCII and raw hex output of buffer data.
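The filter rules, sequence-number gaps and buffer display described above, as an added Python example that is not part of Portmon or the original page. It assumes a pattern must match the whole process name; the event tuples, process names and helper names are constructed for illustration.

```python
import re

def _to_regex(pattern):
    # Only '*' is special; every other character is literal.
    # Assumption: the pattern must match the whole string, case-insensitively.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

def matches(filter_text, value):
    """True if value matches any ';'-separated pattern in filter_text."""
    pats = [p.strip() for p in filter_text.split(";") if p.strip()]
    return any(_to_regex(p).fullmatch(value) for p in pats)

def is_displayed(process, include="*", exclude=""):
    # Shown only if it matches the include filter and no exclude pattern.
    return matches(include, process) and not matches(exclude, process)

def sequence_gaps(seqs):
    """Return (first_missing, last_missing) ranges; each one marks dropped events."""
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur > prev + 1:
            gaps.append((prev + 1, cur - 1))
    return gaps

def render(buf, show_hex=False):
    # ASCII view uses '.' for non-printable bytes; hex view shows the raw bytes.
    if show_hex:
        return " ".join(f"{b:02X}" for b in buf)
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in buf)

# Constructed sample events: (sequence number, process, request, buffer).
EVENTS = [
    (0, "rasman.exe", "IRP_MJ_WRITE", b"ATDT5551234\r"),
    (1, "rasman.exe", "IRP_MJ_READ", b"\r\nCONNECT\r\n"),
    (2, "Explorer.exe", "IRP_MJ_CREATE", b""),
    (5, "portmon.exe", "IRP_MJ_WRITE", b"\x00\x01AB"),
]

if __name__ == "__main__":
    print("missing sequence ranges:", sequence_gaps([e[0] for e in EVENTS]))
    for seq, proc, req, buf in EVENTS:
        if is_displayed(proc, include="*", exclude="*Portmon*;*Explorer*"):
            print(seq, proc, req, render(buf))
```

A non-empty result from `sequence_gaps` means the capture is incomplete for that interval, which matters when a saved trace is used to reconstruct what an application sent to a port.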
How it Works: WinNT

The Portmon GUI is responsible for identifying serial and parallel ports. It does so by enumerating the serial ports that are configured under HKEY_LOCAL_MACHINE\Hardware\DeviceMap\SerialComm and the parallel ports defined under HKEY_LOCAL_MACHINE\Hardware\DeviceMap\Parallel Ports. These keys contain the mappings between serial and parallel port device names and the Win32-accessible names.

When you select a port to monitor, Portmon sends a request to its device driver that includes the NT name (e.g. \device\serial0) of the port that you are interested in. The driver uses standard filtering APIs to attach its own filter device object to the target device object. First, it uses ZwCreateFile to open the target device. Then it translates the handle it receives back from ZwCreateFile to a device object pointer. After creating its own filter device object that matches the characteristics of the target, the driver calls IoAttachDeviceByPointer to establish the filter. From that point on the Portmon driver will see all requests aimed at the target device. A complete source code example of filtering is demonstrated by our Filemon file system monitor.

Portmon has built-in knowledge of all standard serial and parallel port IOCTLs, which are the primary way that applications and drivers configure and read status information from ports. The IOCTLs are defined in the DDK files \ddk\src\comm\inc\ntddser.h and \ddk\src\comm\inc\ntddpar.h, and some are documented in the DDK.
How it Works: Win9x

On Windows 95 and 98, the Portmon GUI relies on a dynamically loaded VxD to capture serial and parallel activity. The Windows VCOMM (Virtual Communications) device driver serves as the interface to parallel and serial devices, so applications that access ports indirectly use its services. The Portmon VxD uses standard VxD service hooking to intercept all accesses to VCOMM's functions. Like its NT device driver, Portmon's VxD interprets requests to display them in a friendly format.
Related Utilities

Here are some other monitoring tools available at Systems Internals:
In order to help us track its use, please download through the link that represents the operating system on
Download Portmon (x86 - 52KB) - you plan on using Portmon on Win9x
Download Portmon (x86 - 52KB) - you plan on using Portmon on WinNT