Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Windows Process Viewers
Process viewers are very useful for detecting and removing spyware. Here the ability
to show the path from which a particular component was loaded is very important.
The built-in process viewer (Task Manager) is useful and can show additional columns that display
the number of bytes read, written or transmitted by the process. This is valuable
information that helps to analyze spyware and to find out which process is doing what.
Unfortunately Microsoft cut corners in the design of the tool and it has severe limitations:
- It is impossible to save process information to a file. Here Igor Nys' PrcView shines,
  as it has a command-line variant, pv.exe.
- There is no information about the exact path of the file from which the process was created.
- There is no way to view properties of the process such as the organization that created the
  executable, whether the executable is signed or not, its version and so on (here Mark
  Russinovich's Process Explorer, described below, shines: it shows the company name, description
  and version from the executable's version resource).
- There is no information about registry entries associated with a particular process, if any.
That is one reason why alternative process viewers proliferated and became an indispensable
additional tool for Windows. There are several reasonable choices among free process viewers:
- I generally recommend PrcView for complex tasks like spyware searches. PrcView consists
  of two independent components: a GUI viewer (PRCVIEW.EXE) and a command-line utility (PV.EXE).
  What is important is that it can give you the full list of DLLs for each running application,
  including the full path, version information, vendor and other information from the version
  resource (right-clicking on an application produces a menu with more than a dozen options).
  Important: you can write the list of processes to a file, creating a baseline. "Before" and
  "after" snapshots of the processes after boot, compared with one another (for example using
  the Windiff.exe utility included in the Windows 2000 Resource Kit or in the Windows XP Support
  Tools, or any other diff tool), can reveal exactly what has changed.
- HijackThis is a utility which proved to be very useful in searching for spyware. It includes
  a built-in process viewer, but standalone process viewers like PrcView provide more
  comprehensive information about running processes. HijackThis does not provide much useful
  information about running processes and there is no way to run it in command-line mode.
- PsList by Mark Russinovich can also be used. This is a high-quality tool that is now
  distributed by Microsoft; Mark Russinovich continues to maintain it after joining Microsoft.
- FAR Manager contains a primitive process viewer plug-in, which might be useful in some situations.
- Another free tool is Microsoft PViewer (Process Viewer from the Windows Resource Kit). This GUI
  tool displays information about a running process and allows you to stop (kill) processes and
  change process priority.
- Microsoft AntiSpyware also includes a process viewer.
It is already available from the Web site. Looks like there are sharp executives at Trend Micro.
Trend Micro has acquired HijackThis, the freeware spyware-removal program created by Merijn
Bellekom. Financial terms of the deal, believed to be all-cash, were not released. This is the
second transaction between Trend Micro and Bellekom, following the company's purchase of
CWShredder, a standalone utility used to remove the virulent CoolWebSearch spyware program.
HijackThis is the de-facto standard for spyware removal from Windows systems. The tool
generates a plaintext logfile detailing all entries (registry and file settings) it finds and
offers tech-savvy users the ability to remove or disable files associated with malware.
November 1, 2006. Ever wondered which program has a particular file or
directory open? Now you can find out. Process Explorer shows you information
about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top
window always shows a list of the currently active processes, including the
names of their owning accounts, whereas the information displayed in the bottom
window depends on the mode that Process Explorer is in: if it is in handle
mode you'll see the handles that the process selected in the top window has
opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped
files that the process has loaded. Process Explorer also has a powerful
search capability that will quickly show you which processes have particular
handles opened or DLLs loaded.
The unique capabilities of Process Explorer make it useful for tracking
down DLL-version problems or handle leaks, and provide insight into the way
Windows and applications work.
Process Explorer works on Windows 9x/Me, Windows NT 4.0, Windows 2000,
Windows XP, Server 2003, and 64-bit versions of Windows for x64 processors,
and Windows Vista.
The updated package contains GUI version 5.2.12.1 and command-line program 3.11.1.1
- Pstat: Process and Thread Status. Shows the status of all running processes and threads.
- PTree: Process Tree. Allows you to query the process inheritance tree and kill processes on
  local or remote computers.
- PViewer: Process Viewer. A Windows-based (GUI) tool that displays information about a running
  process and allows you to stop (kill) processes and change process priority. Process Viewer is
  similar to Pview.exe, but it can view processes on remote computers.
Security Task Manager shows all active processes on your computer. You can easily recognize the
danger potential of each process; no other Task Manager or process viewer has this feature.
Furthermore you can put a process into quarantine or search the Internet for information about
that process.
Craig Peacock's Command Line Process Utility (process.exe) is a small command-line utility to
view, kill, suspend or set the priority and affinity of processes, for example from a batch
file. Has a virus disabled your Task Manager, or perhaps your Administrator has? The Command
Line Process Utility will function even when Task Manager is disabled and the dreaded "Task
Manager has been disabled by your Administrator" dialog box appears.
Works on remote machines with the Microsoft Telnet Server (tlntsvr) found on Windows 2000 and
XP, or with BeyondExec for Windows NT4/2000/XP.
View processes, owners, and CPU time
C:\>process
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
ImageName         PID  Threads  Priority  CPU%  Owner
[System Process]    0        1         0   100  Error 0x6 : The handle is invalid.
System              8       43         8     0  Error 0x5 : Access is denied.
SMSS.EXE          180        6        11     0  NT AUTHORITY\SYSTEM
CSRSS.EXE         204       11        13     0  NT AUTHORITY\SYSTEM
WINLOGON.EXE      224       16        13     0  NT AUTHORITY\SYSTEM
SERVICES.EXE      252       33         9     0  NT AUTHORITY\SYSTEM
LSASS.EXE         264       16         9     0  NT AUTHORITY\SYSTEM
svchost.exe       436       10         8     0  NT AUTHORITY\SYSTEM
spoolsv.exe       468       15         8     0  NT AUTHORITY\SYSTEM
CrypServ.exe      496        3        13     0  NT AUTHORITY\SYSTEM
svchost.exe       512       28         8     0  NT AUTHORITY\SYSTEM
hidserv.exe       532        4         8     0  NT AUTHORITY\SYSTEM
jtagserver.exe    560        3         8     0  NT AUTHORITY\SYSTEM
mdm.exe           584        6         8     0  NT AUTHORITY\SYSTEM
nvsvc32.exe       628        2         8     0  NT AUTHORITY\SYSTEM
regsvc.exe        664        2         8     0  NT AUTHORITY\SYSTEM
mstask.exe        704        6         8     0  NT AUTHORITY\SYSTEM
stisvc.exe        728        4         8     0  NT AUTHORITY\SYSTEM
WinMgmt.exe       804        3         8     0  NT AUTHORITY\SYSTEM
mspmspsv.exe      876        2         8     0  NT AUTHORITY\SYSTEM
svchost.exe       896        5         8     0  NT AUTHORITY\SYSTEM
explorer.exe      616       15         8     0  NEPTUNE\Administrator
mixer.exe        1092        3         8     0  NEPTUNE\Administrator
PRISMSTA.exe     1048        1         8     0  NEPTUNE\Administrator
rundll32.exe      952        2         8     0  NEPTUNE\Administrator
DIRECTCD.EXE      960        3         8     0  NEPTUNE\Administrator
internat.exe     1180        1         8     0  NEPTUNE\Administrator
OSA.EXE          1192        2         8     0  NEPTUNE\Administrator
Icq.exe          1200       11         8     0  NEPTUNE\Administrator
devenv.exe       1324        4         8     0  NEPTUNE\Administrator
IEXPLORE.EXE     1140        7         8     0  NEPTUNE\Administrator
CMD.EXE          1340        1         8     0  NEPTUNE\Administrator
Process.exe      1132        1         8     0  NEPTUNE\Administrator
The two errors in the Owner column are expected: PID 0 is the System Idle Process and PID 8 is
the System process (on Windows 2000), and a user-mode tool cannot open a handle to them with the
access it needs to read the owner.
Additional switches can be used to display User and Kernel
Times (-t) or the Creation Time of processes (-c).
Kill Processes
Processes can be killed immediately (terminated without saving files or cleaning up) by
specifying either the name or the PID (Process IDentifier). In cases where there are multiple
processes running with the same name and you want to kill a specific one, you will need to use
the PID.
C:\>process -k 748
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 748 'winword.exe'
If an image name such as iexplore.exe is specified, the utility
will kill all processes by that name.
C:\>process -k iexplore.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 996 'iexplore.exe'
Killing PID 1832 'iexplore.exe'
Killing PID 1852 'iexplore.exe'
Killing PID 1692 'iexplore.exe'
Close Processes
If, on the other hand, you want to close programs gracefully by sending them a WM_CLOSE message
first, you can use the -q option. This allows processes to clean up, save files, flush buffers
and so on. However, it can cause deadlocks: for example, trying to close Microsoft Word when an
edited but unsaved document is open will generate the dialog box "Do you want to save changes to
Document1?". This will prevent winword.exe from exiting until a user responds to the prompt.
C:\>process -q wordpad.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Sending PID 1836 'wordpad.exe' WM_CLOSE Message. Timeout is 60 seconds.
wordpad.exe (PID 1836) has been closed successfully.
When this option is used a WM_CLOSE message is immediately sent to the process. The utility then
waits up to a default of 60 seconds for the program to clean up and close gracefully before it is
killed. A different timeout can be specified as an option after the PID/Image Name.
Suspend & Resume Processes
Processes can be suspended if you need some extra CPU cycles without having to kill the process
outright. Once the need for the extra CPU cycles has passed you may resume the process and carry
on from where you left off. The process is suspended by suspending all of the process's active
threads. Suspending is also the safe first move when you examine a suspected spyware process: a
suspended process cannot respawn a companion or react to being inspected, while its memory and
loaded modules stay available to the viewers described on this page.
C:\>process -s winword.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 748 'winword.exe'
Threads [1084][308]
Suspending a process causes its threads to stop executing user-mode (application) code. It also
increments a suspend count for each thread. Therefore if a process is suspended twice, two resume
operations will be required to resume the process (decrementing the suspend count to zero).
Change the priority of processes
When viewing the list of processes, the 4th column shows the base priority of a process. This is
a numeric value from zero (lowest priority) to 31 (highest priority). You may set the base
priority of a process by specifying one of the priority classes below.

  Priority class   Base priority
  Low                4
  BelowNormal        6
  Normal             8
  AboveNormal       10
  High              13
  Realtime          24

Please note Windows NT4 does not support the AboveNormal and BelowNormal priority classes.
Specifying these two parameters on a Windows NT4 machine will result in a "The parameter is
incorrect" error. Realtime requires the Increase Scheduling Priority privilege (held by
Administrators); without it Windows silently downgrades the request to High, and a Realtime
process that spins can starve the rest of the system, so use it with care.
C:\>process -p winword.exe high
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Setting PriorityClass on PID 748 'winword.exe' to 128
(128 is the value of the HIGH_PRIORITY_CLASS constant, 0x80, that the tool passes to
SetPriorityClass.)
Change the affinity of processes
The affinity is a mask which indicates on which processors (CPUs) a process can run. This is
only useful on multiprocessor systems. When the -a option is used in conjunction with a process
name or PID, the utility shows the System Affinity Mask and the Process Affinity Mask. The
System Affinity Mask shows which configured processors are currently available in the system.
The Process Affinity Mask indicates on which processor(s) the specified process can run.
C:\>process -a wordpad.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Getting Affinity Mask for PID 1084 'wordpad.exe'
System : 0x0001 0b00000000000000000000000000000011 [2 Installed Processor(s)]
Process : 0x0001 0b00000000000000000000000000000011
To set the affinity mask, simply append the binary mask after the PID/Image Name. Any leading
zeros are ignored, so there is no requirement to enter the full 32-bit mask.
C:\>process -a wordpad.exe 01
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Setting Affinity Mask for PID 1084 'wordpad.exe'
Affinity Mask Successfully Set to 00000000000000000000000000000001
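The mask syntax above (binary digits, leading zeros optional) is easy to parse, but what matters in a script is whether Windows will accept the result: SetProcessAffinityMask refuses a mask that is zero or that selects a processor outside the system affinity mask, and fails with ERROR_INVALID_PARAMETER. The following added example, written for this page and not code from process.exe, validates a request before it is handed to the tool or the API; the system mask it uses is a constructed stand-in for what a two-processor machine reports.

```python
"""Check a requested CPU affinity mask before applying it.

Added example for this page, not code from process.exe.  The parsing
rule is the one the tool documents (a binary string, leading zeros
optional); the acceptance rules are Windows' own: a process affinity
mask must be non-zero and a subset of the system affinity mask, or
SetProcessAffinityMask fails with ERROR_INVALID_PARAMETER.
"""
from typing import List

# Constructed: the system affinity mask of a two-processor box.
SYSTEM_MASK = 0b11


def parse_mask(text: str) -> int:
    """Parse the binary mask as typed after the PID/image name.
    "01", "1" and the full 32-bit string all mean CPU 0 only."""
    text = text.strip()
    if not text or any(c not in "01" for c in text):
        raise ValueError(f"affinity mask must be binary digits: {text!r}")
    if len(text) > 64:
        raise ValueError("mask wider than 64 bits")
    return int(text, 2)


def cpus_in(mask: int) -> List[int]:
    """Processor numbers (bit positions) selected by a mask."""
    return [i for i in range(mask.bit_length()) if (mask >> i) & 1]


def validate_affinity(requested: int, system_mask: int = SYSTEM_MASK) -> int:
    """Return the mask if Windows would accept it, else raise ValueError
    with the reason, so a script fails before the API call does."""
    if requested == 0:
        raise ValueError("mask selects no processor")
    extra = requested & ~system_mask
    if extra:
        raise ValueError(
            f"mask selects processors not present in this system: {cpus_in(extra)}")
    return requested


def rejects(text: str, system_mask: int = SYSTEM_MASK) -> bool:
    """True when the request would be refused (bad syntax or bad mask)."""
    try:
        validate_affinity(parse_mask(text), system_mask)
    except ValueError:
        return True
    return False


def format_mask(mask: int, width: int = 32) -> str:
    """Render like the tool's output: 0b prefix, fixed-width bit string."""
    return "0b" + format(mask, f"0{width}b")


if __name__ == "__main__":
    for text in ("01", "11", "100", "0"):
        if rejects(text):
            print(f"{text:>4}: rejected")
        else:
            m = validate_affinity(parse_mask(text))
            print(f"{text:>4}: {format_mask(m)} CPUs {cpus_in(m)}")
```

On a real machine, take the system mask from the "System :" line the tool prints (or from GetProcessAffinityMask) rather than from a constant, and remember that a mask with bits beyond the installed processors is rejected outright, not trimmed.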
Download
Version 2.03, 25K bytes. (Freeware)
Now supports Windows NT4 Workstation and Server, plus continued
support for Windows 2000/XP in a single executable.
Revision History
- 5th June 2003 - Version 2.03
  - Added -c switch which displays the creation times of processes.
- 29th May 2003 - Version 2.02
  - Corrected inaccurate CPU % times.
  - Added -t switch which displays both user-mode and kernel-mode CPU times.
- 15th May 2003 - Version 2.01
  - Fixed memory allocation errors for systems with more than 100 processes. The application
    will handle a maximum of 65535 processes.
  - Fixed bug in -q and -k when used with a PID: specifying a PID would kill all processes with
    the same name as the specified process.
  - Fixed bug with the -a switch when used with a PID.
- 26th April 2003 - Version 2.00pre1 (Pre-Release Beta)
  - Caved in to overwhelming demand for support for Windows NT4. Rewrote code to detect the
    operating system and use the appropriate API calls, plus a couple of undocumented calls, to
    provide all the functionality of previous versions across all three NT platforms.
  - Added preliminary support for setting and displaying affinity masks on multiprocessor systems.
  - Added support for killing multiple processes by name, e.g. using -k iexplore.exe will kill
    all running instances of Internet Explorer, something previously accomplished by a batch file.
  - Added the ability to specify the timeout for the -q option.
  - Improved OpenProcess access so CPU time can now be obtained from processes we don't have
    adequate rights to.
- 15th April 2003 - Version 1.03
  - Modified string-to-number conversion to correct a problem with names that begin with digits,
    e.g. process -s 3dsmax.exe would try to suspend the process with PID 3 instead of 3dsmax.exe.
  - Added -q (send WM_CLOSE message) option. This will gracefully issue a WM_CLOSE message to
    the program and wait for it to close.
- 21st December 2002 - Version 1.01
  - Corrected problems with exit codes:
    - 0 = Success (process found and desired action performed)
    - 1 = Miscellaneous error
    - 2 = Cannot find process (no processes left by this name)
- 22nd September 2002 - Version 1.00
  - First release to public.
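The 1.03 and 2.01 fixes above are both target-resolution bugs: one parsed "3dsmax.exe" as PID 3, the other expanded a PID to every process sharing its image name, so a kill aimed at one instance took out all of them. The following added example, written for this page and not Craig Peacock's code, shows the parsing and resolution rules that avoid both, run against a constructed process table; its exit codes follow the 1.01 convention in the revision history.

```python
"""Resolve the target of a kill/suspend request: one PID or an image name.

Added example for this page, not code from Craig Peacock's process.exe.
It implements the two rules the tool's revision history arrived at: a
name such as 3dsmax.exe must not be parsed as PID 3 (bug fixed in 1.03),
and a PID must select exactly one process rather than every process
sharing its image name (bug fixed in 2.01).  The process table is
constructed for the example; exit codes follow the 1.01 convention on
the page (0 found and acted on, 2 not found).
"""
from typing import List, NamedTuple, Tuple, Union


class Proc(NamedTuple):
    pid: int
    name: str


# Constructed listing, loosely based on the output shown on the page.
TABLE: List[Proc] = [
    Proc(0, "[System Process]"),
    Proc(8, "System"),
    Proc(436, "svchost.exe"),
    Proc(748, "winword.exe"),
    Proc(996, "iexplore.exe"),
    Proc(1832, "iexplore.exe"),
    Proc(1852, "iexplore.exe"),
    Proc(1692, "iexplore.exe"),
    Proc(2284, "3dsmax.exe"),
]

Target = Union[int, str]

# PIDs a process tool must never act on: 0 is the idle process, and the
# page's listing shows OpenProcess on it fails anyway.
PROTECTED_PIDS = {0}


def legacy_parse_target(arg: str) -> Target:
    """atoi-style parsing, the pre-1.03 behaviour: take leading digits and
    stop at the first non-digit, so "3dsmax.exe" becomes PID 3."""
    digits = ""
    for ch in arg:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else arg.lower()


def parse_target(arg: str) -> Target:
    """Strict parsing: a target is a PID only if the whole argument is
    ASCII decimal digits; anything else is an image name."""
    arg = arg.strip()
    if arg.isascii() and arg.isdigit():
        return int(arg)
    return arg.lower()


def resolve(table: List[Proc], target: Target) -> List[Proc]:
    """Processes an action applies to: a PID selects at most one, a name
    selects every process with that image name (the documented
    -k iexplore.exe behaviour).  Never widen a PID to its namesakes."""
    if isinstance(target, int):
        return [p for p in table if p.pid == target]
    return [p for p in table if p.name.lower() == target]


def plan(table: List[Proc], arg: str) -> Tuple[int, List[Proc]]:
    """Exit code and victims for a request such as `process -k <arg>`."""
    victims = [p for p in resolve(table, parse_target(arg))
               if p.pid not in PROTECTED_PIDS]
    return (0 if victims else 2), victims


if __name__ == "__main__":
    for arg in ("748", "iexplore.exe", "3dsmax.exe", "3"):
        code, victims = plan(TABLE, arg)
        print(arg, "->", code, [(p.pid, p.name) for p in victims])
```

The same rule applies to any script you wrap around these tools: match the whole argument against digits, and when a PID is given act on that PID only, because a spyware process that shares a name with a legitimate one (svchost.exe is the usual choice) is exactly the case where killing by name hits the wrong target.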
Download version 3.6.2.1 (90K). Also available from PCWorld.com: PrcView (Process Viewer)
v3.6.2.1. For each process it displays memory, threads and module usage. For each DLL it shows
the full path and version information. Includes PV.EXE, a new utility that provides PrcView
functionality from the command line. Use pv -h for more information about available options.
Introduction
PrcView is a process viewer utility that displays detailed
information about processes running under Windows. For each process it displays
memory, threads and module usage. For each DLL it shows full path and
version information. PrcView comes with a command line version that allows you
to write scripts to check if a process is running, kill it, etc.
What's new
- Minor bug fixes
- Fixed a bug that caused the process environment to appear corrupted on Win 9x
- Shows the process startup directory
- Shows/sets process affinity (UI version only)
- Command-line and window-title filters in the command-line version
What's new in 3.0
- DLL usage summary: displays all DLLs currently in use and shows the processes which use a
  selected DLL
- Displays the complete task tree (parent/child relationships for all processes in the system)
- Displays a task list like the standard Task Manager
- The PrcView distribution now includes PV.EXE, a new utility that provides PrcView
  functionality from the command line. Use pv -h for more information about available options.
What's new in 2.0
- Get the full list of DLLs for each running process including the FULL PATH of each loaded
  module: discover which DLLs your process really uses and where they are located.
- Double-click on any module or process to get the full version information
- Save any view as a tab-separated text file by just pressing F2
- Process Finder Tool: just drag the finder icon and drop it on the process window to select
  the desired process
- Smooth update: you don't need to press the refresh button to get the updated list of all
  processes, PrcView periodically updates the process list for you
- New look and nice icons
Installation
No special installation is required on Windows 95/98. Create
a new, empty folder and place the files PRCVIEW.EXE and PRCVIEW.HLP there. For
Windows NT4 you will also need a
PSAPI.DLL that
is part of the PrcView archive.
Main Window
The main window shows you a list of running processes including information such as the process
ID, priority, and full path to the process module. You can sort columns by clicking on the
column header.
Note that although you don't need administrative privileges on Windows NT to run PrcView, the
list of processes PrcView can access depends on your set of privileges.
Show modules
Information about each loaded module including the module name, the module base address in the
process address space, the module size and the full path of the loaded module.
Show version
You can display comprehensive version information by double-clicking
the appropriate line in the main or module window
Show threads
Information about all process threads including thread IDs and priorities. Note that if PrcView
uses the Performance Data Helper to enumerate threads under Windows NT, it can take a few seconds
the first time you open the list of threads while Windows loads all the necessary libraries.
Show Memory
Information about all memory blocks belonging to the selected
process. Contains information about base address, protection, size and state
for each memory block.
Show Heaps
Information about all heaps allocated by the selected process.
You can display heap memory blocks by double clicking on the appropriate heap
in the list box
Show Version
Displays version information about selected module. You can
display version information by double-clicking the appropriate line in the main
or module window
Kill process
Just another way to kill a selected process. Note that killing
a process can cause undesired results including loss of data and system instability.
The process will not be given a chance to save its state or data before it is
terminated. It is advisable to try the "Notify" button in the "Kill" dialog
to close a GUI-based application first (via WM_SYSCOMMAND)
Debug process
A nice way to attach a debugger to a running application. PrcView reads the "AeDebug" key and
starts the registered debug application. PrcView allows you not only to select a process to
debug but also to associate a particular project with it. This is especially useful while
debugging a DLL that has a separate project. Associations are stored in the registry.
Set priority class
Allows you to specify a new priority class for the selected
process.
The Process Finder Tool
With the Process Finder Tool you can find the process corresponding to a selected
window. To find a process:
- Arrange your windows so that PrcView and the window of
the desired process are visible.
- Press the Find Process button on the toolbar.
- Keep left mouse button pressed while dragging the Finder
Tool to the desired window.
- Release mouse button. PrcView will select the corresponding
process in the main view.
Process Tree
Shows you the process hierarchy for all running processes.
You can select the desired task by clicking on the process item in the Process
Tree window.
Module Usage
Information about all loaded modules in the system including the module name, the module base
address in the process address space, the module size and the full path of the loaded module.
Selecting a module from the module list shows only the processes which use the selected module.
Selecting "Module Usage" again returns the main window to the original process list. You can
display comprehensive version information by double-clicking the appropriate line in the window.
Show Application
Shows all top-level window titles. You can select the desired
task by clicking on the process item in this window. Double-click sends the
selected application to the front.
Configuration options
- Start Minimized: PrcView starts minimized. This option is useful in combination with the
  "Use System Tray" option if you plan to place PrcView in the "Startup" folder
- Use System Tray: PrcView places a small icon in the system tray, hiding itself when minimized
- Allow Multiple Instances: if turned on, PrcView allows you to start more than one instance of
  the program. If turned off, the instance of PrcView that is already running will be activated.
- Set Refresh Times: allows you to specify refresh times for the main/thread/module windows.
  If the specified time is greater than zero, PrcView will refresh the windows cyclically.
Refreshing Information
Use Menu/Toolbar in the main view or F5 in any view to refresh
information in the corresponding window
Save Current View
Use Menu/Toolbar in the main view or F2 in any view
to save information in the corresponding window
Reporting Bugs and Feedback
If you encounter a problem while running PrcView, please visit
http://www.prcview.com
to obtain the latest version. If you still have problems, please send a description
of your problem to
support@prcview.com
PrcView by Igor Nys is a very nice freeware process viewer that can be used for spyware
detection. The information shown includes such details as the creation time, version and full
path of each DLL used by a selected process, and a list of all threads, memory blocks and heaps.
- PrcView also allows you to kill a selected process and to attach a debugger to it. PrcView
  runs on both Windows 95/98 and Windows NT platforms and includes two versions of the program,
  GUI-based and command-line:
- PV.EXE, a utility that provides PrcView functionality from the command line. Use pv -h for
  more information about available options.
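The baseline technique recommended earlier on this page (save the process list, then compare "before" and "after" snapshots with Windiff) and the tab-separated export PrcView writes with F2 lend themselves to a small script. The following is an added example written for this page, not code from PrcView, pv.exe or Softpanorama. It assumes a tab-separated snapshot with a header row and Name, PID, Path and Company columns (real exports differ, so adjust the field names to yours), and the two snapshots embedded in it are constructed. Beyond a plain line diff it keys processes on image name plus full path rather than PID, and flags a core system image name running from outside system32, which is the masquerade the page's advice about paths is meant to catch.

```python
"""Compare two process-list snapshots and flag what changed.

Added example for this page, not code from PrcView, pv.exe or
Softpanorama.  The snapshot format is an assumption: a tab-separated
file with a header row and the columns Name, PID, Path, Company, the
kind of view PrcView saves with F2.  Real exports differ in column
names, so adapt the field names below to your tool.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample data: a "before" snapshot taken after a clean boot
# and an "after" snapshot taken later.  The second one contains a
# hypothetical svchost.exe running from a user-writable Temp directory.
BEFORE = """\
Name\tPID\tPath\tCompany
smss.exe\t180\tC:\\WINDOWS\\system32\\smss.exe\tMicrosoft Corporation
svchost.exe\t436\tC:\\WINDOWS\\system32\\svchost.exe\tMicrosoft Corporation
explorer.exe\t616\tC:\\WINDOWS\\explorer.exe\tMicrosoft Corporation
"""

AFTER = """\
Name\tPID\tPath\tCompany
smss.exe\t180\tC:\\WINDOWS\\system32\\smss.exe\tMicrosoft Corporation
svchost.exe\t436\tC:\\WINDOWS\\system32\\svchost.exe\tMicrosoft Corporation
svchost.exe\t1412\tC:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe\t
explorer.exe\t616\tC:\\WINDOWS\\explorer.exe\tMicrosoft Corporation
"""

# Image names that legitimately live only under system32 on Windows
# 2000/XP.  Assumption for the example; extend the set for your build.
SYSTEM_DIR = "c:\\windows\\system32\\"
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}


def parse_snapshot(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated snapshot into a list of row dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [dict(row) for row in reader]


def key(row: Dict[str, str]) -> Tuple[str, str]:
    """Identity of a process for diffing: image name plus full path, both
    lower-cased because NTFS is case-insensitive.  PIDs are deliberately
    not part of the key: they are reused across boots, so a PID diff is
    noise."""
    return (row["Name"].lower(), row["Path"].lower())


def suspicious_path(row: Dict[str, str]) -> bool:
    """A core system image running from outside system32 is the classic
    spyware masquerade: same name as a trusted process, different
    directory.  Only the full path, not the name, reveals it."""
    name, path = key(row)
    return name in SYSTEM_IMAGES and not path.startswith(SYSTEM_DIR)


def diff_snapshots(before: str, after: str) -> Dict[str, List[Tuple[str, str]]]:
    """Processes that appeared, disappeared, or look misplaced in `after`."""
    b = {key(r): r for r in parse_snapshot(before)}
    a = {key(r): r for r in parse_snapshot(after)}
    return {
        "added": sorted(k for k in a if k not in b),
        "removed": sorted(k for k in b if k not in a),
        "suspicious": sorted(k for k, r in a.items() if suspicious_path(r)),
    }


if __name__ == "__main__":
    for kind, items in diff_snapshots(BEFORE, AFTER).items():
        for name, path in items:
            print(f"{kind:10} {name:14} {path}")
```

A genuine svchost.exe with a spyware DLL injected into it will not show up in a process-level diff, which is why PrcView's per-process module list with full paths matters as much as the process list: export that view too and apply the same directory check to every loaded module.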
Process Explorer release notes
What's new in Version 8.50:
- Finder tool for identifying the process that owns a selected window
- Strings listings for process and DLL images
- Google menu item for searching process and DLL information
- Tray tooltip shows highest-CPU consuming process
- Window status column (like Task Manager's Status column on the Applications tab)
- DLL view for System process shows list of loaded device drivers
What's new in Version 8.40:
- TCP/IP process properties page shows active TCP and UDP endpoints
- Display updating code eliminates all flicker
- 64-bit version shows which processes are 64-bit on process properties and adds 64-bit process column
- Additional opacity settings
- Improved symbol support
What's new in Version 8.30:
- Runs in non-admin account
- Treeview functionality to collapse and expand process subtrees
- Can bring process-owned window to the foreground
- System CPU graph shows timestamps and most-active process for any given point
- Per-process graph data tracked even when main window is minimized to tray
- Per-process graph data displays timestamps
- Tray icon has black background
- Can set process CPU affinity
- Process tooltip no longer between mouse pointer and process name
- Ability to add a comment to processes and new comment column
- More system information, including I/O deltas and paging data
- New process columns for I/O delta and page-fault delta
- More process performance information in process properties dialog
- Improved performance
What's new in Version 8.20:
- Can open multiple process properties dialogs simultaneously
- Process properties and thread stack dialogs are resizable
- System information dialog CPU and memory usage graphs like Task Manager
- More performance data on the System Information dialog
- Per-process CPU and memory graph tab in process properties
- Opacity settings
- New tray window context menu options
- More performance information on process properties dialog
- Lock option in shutdown menu
- Reconfigured menu items and highlighting configuration
- New status bar column options
What's new in Version 8.10:
- Status bar information is configurable to show CPU usage, commit charge, # of processes, and more
- Can terminate individual threads
- New Shutdown menu for logging off and shutting down the system
- Only allow one instance option
- Auto-open of lower pane when a find result is clicked
What's new in Version 8.0:
- .NET tab for .NET processes that shows AppDomains and .NET performance counters
- When the .NET Framework is detected, a .NET tab on the column selection dialog for adding .NET performance counters
- Option to show only .NET processes
- Option to only show your own processes
- System Information dialog showing the same memory counters as Task Manager (when symbols are configured, also shows maximum paged and nonpaged pool values)
- Better symbol configuration guidance
- Difference highlight duration is configurable
- Tray icon for CPU usage that's yellow when usage is > 70% and red when > 90%
- Minimize-to-tray option
- Highlight color configuration dialog
- Context switch and context-switch delta columns
- Run processes using the system Run dialog from the File menu
- Replace Task Manager option so that when you run Task Manager, Process Explorer runs instead
- Only non-zero CPU usage, .NET counters and context-switch values are displayed to clearly highlight process activity
- Search for DLLs or handles regardless of what mode the lower pane is in
- Correct icons for MMC windows
- Mouse hover over process names and DLL names shows full path of executable or DLL
Other Process Explorer features include:
- Support for full handle viewing on Win9x/Me (with the exception of Registry key handles)
- Process icons
- Service process highlighting
- Process tree display
- Configurable refresh rate
- Refresh highlighting: new entries in the process, handle and DLL views are green, and deleted ones red
- Listview tooltips
- DLL descriptions in the DLL view
- Highlights relocated DLLs
- Jump-to-entry in the find dialog
- Efficient refresh
- Runs on Windows 9x/Me
- Lists all process owners, even on Terminal Server systems
- Moveable columns
- Column selection and a wide variety of configurable process, DLL and handle columns
- Asynchronous updates of all views
- Configurable refresh highlighting effects
- Save function saves process view and current bottom view (handle or DLL)
- Minimize-to-tray option
- Process suspend/resume
- Thread details including stacks
- Fractional CPU usage
- Job object information
- Right-justified numeric columns with numeric formatting
- Mutex properties shows owning thread if mutex is owned
- More information in process properties
- Start time and CPU time process columns
- Option to hide the lower pane
- Kill process tree
- More accurate Registry key names for profile unload debugging
- Extensive help file
- Service descriptions on services tab of service process properties dialog
Process Explorer
works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003,
and 64-bit versions of Windows for x64 processors.
Most UNIX operating systems ship with a command-line
tool called "ps" (or something equivalent) that administrators use to view detailed
information about process CPU and memory usage. Windows NT/2K comes with no
such tool natively, but you can obtain similar tools with the Windows NT Workstation
or Server Resource Kits.
The tools in the Resource Kits, pstat
and pmon, show you different types of information, and will only display
data regarding the processes on the system on which you run the tools.
PsList is a utility that shows you a combination of the information obtainable individually
with pmon and pstat. You can view process CPU and memory information, or thread statistics. What
makes PsList more powerful than the Resource Kit tools is that you can view process and thread
statistics on a remote computer.
Installation
Just copy PsList onto your executable path,
and type "pslist".
PsList works on Windows NT, Windows 2000 and Windows XP.
Usage
See the September 2004 issue of Windows IT Pro
Magazine for Mark's
article that covers advanced usage of PsList.
The default behavior of PsList is to show
CPU-oriented information for all the processes that are currently running on
the local system. The information listed for each process includes the time
the process has executed, the amount of time the process has executed in kernel
and user modes, and the amount of physical memory that the OS has assigned the
process. Command-line switches allow you to view memory-oriented process information,
thread statistics, or all three types of data.
usage: pslist [-?] [-d] [-m] [-x] [-t] [-s [n] [-r n]] [\\computer [-u username] [-p password]] [name | pid]

  -?           Displays the supported options and the units of measurement used for output values.
  -d           Shows statistics for all active threads on the system, grouping threads with
               their owning process.
  -m           Shows memory-oriented information for each process, rather than the default
               CPU-oriented information.
  -x           Shows CPU, memory and thread information for each of the processes specified.
  -t           Shows the tree of processes.
  -s [n]       Runs PsList in Task Manager-like updating mode. You can optionally specify the
               number of seconds it runs, and abort it by pressing the Escape key.
  -r n         Task Manager mode refresh rate in seconds (default is 1).
  -u username  If the account you are executing in does not have the rights needed to read
               process information from a remote system, use this option to log in to that
               system as an administrator. If you do not include the password with the -p
               option, PsList prompts you for the password without echoing your input to the
               display.
  -p password  Lets you specify the login password on the command line so that you can use
               PsList from batch files. If you specify an account name and omit -p, PsList
               prompts you interactively for a password. Be aware that a password given this way
               is visible in the command line of the running pslist process to anyone who can
               list processes with the tools on this page, and it lives on in any batch file
               that contains it; prefer the prompt where you can.
  \\computer   Instead of showing process information for the local system, PsList shows
               information for the NT/Win2K system specified. Include the -u switch with a
               username and password to log in to the remote system if your security credentials
               do not permit you to obtain performance counter information from it.
  name         Instead of listing all the running processes in the system, this parameter
               narrows PsList's scan to those processes whose names begin with the given string.
               Thus pslist exp would show statistics for all processes that start with "exp",
               which would include Explorer.
  pid          Instead of listing all the running processes in the system, this parameter
               narrows PsList's scan to the process that has the specified PID. Thus pslist 53
               would dump statistics for the process with PID 53.
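Both PrcView's Process Tree and pslist -t present the parent/child relationships described above; what an analyst then does with the tree is look for processes whose parent has vanished and for children in the wrong place. The following added example, written for this page rather than taken from PsList, PrcView or Process Explorer, rebuilds the tree from a constructed (pid, ppid, name) listing and applies those two checks. The expected-parent table is an assumption modelled on the Windows 2000/XP boot chain visible in the process.exe listing earlier on the page.

```python
"""Rebuild the process tree from a flat listing and flag anomalies.

Added example for this page, not code from PsList, PrcView or Process
Explorer; those tools read the parent PID from the kernel, while the
rows here are a constructed listing with the (pid, ppid, name) columns
that `pslist -t` and PrcView's Process Tree display.  The expected-parent
table is an assumption that matches the Windows 2000/XP boot chain
(smss -> csrss/winlogon -> services/lsass -> svchost).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str


# Constructed listing, loosely modelled on the Windows 2000 table earlier
# on the page.  Three planted oddities: cmd.exe under a service host,
# svchost.exe under explorer.exe, and an svchost.exe whose parent is gone.
LISTING: List[Proc] = [
    Proc(0, 0, "[System Process]"),
    Proc(8, 0, "System"),
    Proc(180, 8, "smss.exe"),
    Proc(204, 180, "csrss.exe"),
    Proc(224, 180, "winlogon.exe"),
    Proc(252, 224, "services.exe"),
    Proc(264, 224, "lsass.exe"),
    Proc(436, 252, "svchost.exe"),
    Proc(1340, 436, "cmd.exe"),
    Proc(616, 600, "explorer.exe"),   # userinit.exe (600) exits after logon
    Proc(896, 616, "svchost.exe"),
    Proc(1140, 616, "IEXPLORE.EXE"),
    Proc(1412, 1400, "svchost.exe"),  # parent 1400 no longer exists
]

# Assumptions for the example (Windows 2000/XP process layout).
EXPECTED_PARENT = {"csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
                   "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
                   "svchost.exe": "services.exe"}
SERVICE_HOSTS = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SHELLS = {"cmd.exe", "cscript.exe", "wscript.exe"}
KNOWN_ORPHANS = {"explorer.exe"}   # its parent userinit.exe always exits


def build_tree(listing: List[Proc]) -> Tuple[Dict[int, Proc], Dict[int, List[Proc]]]:
    """Index by PID and group children under their parent PID."""
    by_pid = {p.pid: p for p in listing}
    children: Dict[int, List[Proc]] = defaultdict(list)
    for p in listing:
        if p.ppid != p.pid:      # PID 0 lists itself as parent; it is the root
            children[p.ppid].append(p)
    for kids in children.values():
        kids.sort()
    return by_pid, children


def find_orphans(listing: List[Proc]) -> List[Proc]:
    """Processes whose recorded parent is not running.  A dropper that
    starts its payload and exits leaves exactly this footprint."""
    by_pid, _ = build_tree(listing)
    return [p for p in listing
            if p.ppid != p.pid and p.ppid not in by_pid
            and p.name.lower() not in KNOWN_ORPHANS]


def odd_parents(listing: List[Proc]) -> List[Tuple[Proc, str]]:
    """Processes whose parent contradicts the expected boot chain, or
    shells launched by a service process."""
    by_pid, _ = build_tree(listing)
    findings: List[Tuple[Proc, str]] = []
    for p in listing:
        parent = by_pid.get(p.ppid)
        if parent is None or parent.pid == p.pid:
            continue
        name, pname = p.name.lower(), parent.name.lower()
        want = EXPECTED_PARENT.get(name)
        if want and pname != want:
            findings.append((p, f"parent is {parent.name}, expected {want}"))
        elif name in SHELLS and pname in SERVICE_HOSTS:
            findings.append((p, f"shell spawned by service process {parent.name}"))
    return findings


def render_tree(listing: List[Proc]) -> List[str]:
    """Indented tree like `pslist -t`; orphans become extra roots."""
    by_pid, children = build_tree(listing)
    roots = sorted(p for p in listing if p.ppid == p.pid or p.ppid not in by_pid)
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        lines.append("  " * depth + f"{p.name} ({p.pid})")
        for child in children.get(p.pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(LISTING)))
    for p in find_orphans(LISTING):
        print(f"orphan: {p.name} ({p.pid}), parent {p.ppid} gone")
    for p, why in odd_parents(LISTING):
        print(f"odd: {p.name} ({p.pid}): {why}")
```

A parent PID alone cannot tell a live parent from a stranger that reused its PID after the real parent exited, so when the tree matters compare creation times as well (process.exe -c, or the Start Time column in Process Explorer): a child that is older than its "parent" was not started by it.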
Copyright © 1996-2007 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service
to the UN Sustainable Development Networking Programme (SDNP) in the author's free time.
This document is an industrial compilation designed and created exclusively for educational use
and is placed under the copyright of the Open Content License (OPL). The copyright of the
original materials belongs to their respective owners. Quotes are made for educational purposes
only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of
the author and are not endorsed by, nor do they necessarily reflect, the opinions of the
author's present and former employers, SDNP or any other organization the author may be
associated with. We do not warrant the correctness of the information provided or its fitness
for any purpose.
Last modified: March 15, 2008