Have you ever gone to the Task Manager in Windows and clicked on the Process tab only to see that svchost.exe is taking up 100% of your CPU? Well, unfortunately that doesn’t help you figure out which program in Windows is actually using up all that processing power.
In Windows, there are many processes, like SVCHOST, that actually can run several different Windows services, such as Windows Update, DCOM, Remote Procedure Call, Remote Registry, DNS, and lots more. Or maybe you just need to figure out which DLLs are loaded and which handles are open for a particular process. You may also want this information so that you can disable Windows startup progams.
Definitely if you work in IT, there will want come a time when you need to get more information about a Windows process. There are two really useful tools for exploring Windows processes in detail and I will give a short overview of both.
Process Explorer
Process Explorer is a nifty freeware application that lets you find out the exact Windows service or program that owns a particular process. For example, if you want to know the service that is running for each of the different svchost processes, just hover your mouse over the process name.
You can also use Process Explorer to figure out which program has a particular file or directory open and then kill that process. This is great if you are trying to delete or move files, but they are locked or open by an active Windows process.
You can also find out which DLLs the process has loaded and which files handles the process currently has open. It’s very useful for figuring out DLL-version problems or tracking handle leaks.
Process Monitor
So Process Explorer is great for figuring out about hidden processes like svchost, etc, but you can use Process Monitor to get real-time file, registry and process/thread activity. I really like Process Monitor because it is a combination of RegMon and FileMon, two great monitoring programs from Sysinternals.
It’s a great tool for troubleshooting your system and also for hunting out pesky malware. Since Process Monitor allows you to see exactly which files and registry keys are being accessed by a process in real-time, it’s great for seeing all the files and registry entries added when installing a new program.
It also captures more detailed information about a process such as image path, user, session ID, and command line.
When you first open Process Monitor, it can be quite intimidating because it will load up thousands of entries and mostly stuff that the system processes are doing. However, you can use the advanced filters to find exactly what you are looking for.
In the Filter dialog, you can filter by Process Name, Event Class, PID, Session, User, Version, Time of Day, and lots more. After loading up Process Monitor, it found 800,000 events on my machine! However, I can bring it down to less than 500 by adding filters to hone in on one process.
It also has many other advanced features like monitoring of image (DLL and kernel mode device drivers), non-destructive filtering, capture of thread stacks, advanced logging, boot time logging, and lots more.
So if you ever wanted to know more or get more information about those Windows processes in Task Manager, check out Process Monitor and Process Explorer! Enjoy!
1 Comment Already
Pingback & Trackback
Please Leave Your Comments Below