[bboreham]

Original ProcMon used ETW, Event Tracing for Windows; the analogous technology (although very different in style) on Linux is eBPF so that’s what this tool uses.

[altano]

I think you’re mistaken. ProcMon doesn’t use ETW on Windows and I don’t believe it ever did?

[bboreham]

Sorry about that; I guess I misremembered?

This file says it does, though only for network events: https://documentation.help/Process-Monitor/documentation.pdf

[ale42]

Indeed I don't think so. ProcMon uses a kernel driver for the event tracing.