Softpanorama
(slightly skeptical)
Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Softpanorama Search
|
Softpanorama |
May the source be with you, but remember the KISS principle ;-)
Softpanorama Search
|
Process viewers are very useful in detection and removing spyware. Here the ability to show path from which a particular component is loaded is very important. Windows build in process viewer is useful and can show additional columns that display the number of bytes read/written or transmitted by the process. This is very useful information that helps to analyze spyware and detect what process is doing what.
Unfortunately Microsoft cut corners in the design of the built-in process viewer and it has severe limitations:
It is impossible to save process information to file. Here Igor Nys PrcView shines as it has command line variant pv.exe.
There is not information about exact path for a file from which the process was created.
There is no way to view properties of the process like organization who created executable, whether executable is signed or not, version and so on. Mark Russinovich's Process Explorer, Process Monitor and PsList shine here.
There is no information about registry entries associated with particular process, if any.
That's one reason that explains why alternative process viewers proliferated and became an indispensable additional tool for Windows.
There are several reasonable choices among free process viewers:
I generally recommend PrcView for complex tasks like Spyware search. PrcView consists of two independent components:
GUI utility prcview.exe
command line utility, pv.exe. Option -e provides extended information. For example, pv -e produces the baseline for running process that includes both PID and the path to the executable.
What it important it can give you the full list of DLLs for
each running application, including full path, version information,
vendor and other information from the header (Right click on each application
produces menu with more then a dozen options).
Important: You can write the list of processes
to the file creating a baseline. “Before” and “after” snapshots
of the processes after boot when compared to one another—for example,
using the Windiff.exe utility included
in the Windows 2000 Resource Kit or in the Windows XP Support Tools
(or other diff
tools) —can reveal exactly what happens
HijackThis is a utility which proved to be very useful in
searching for Spyware. It includes built-in process viewer, but standalone
process viewers like PrcView are
more comprehensive as for information about running processes.
Hijack this does not provide much useful information about running processes
and there is no way to run it in command line mode.
PsList by Mark Russinovich also can be used. This is a high
quality tool that now is distributed by Microsoft. Mark Russinovich
continues to maintain it after joining Microsoft.
FAR contain a primitive
process explorer plug-in. That might be useful in some situations.
Other free command line tool is Microsoft
PViewer ( Process Viewer from Microsoft Resource Kit). It also displays
information about a running process and allows you to stop (kill) processes
and change process priority.
Microsoft antispyware tool includes process viewer.
|
|||||||
February 4, 2009
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
November 3, 2009
Download Process Monitor (1.24 MB)
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. Overview of Process Monitor Capabilities Process Monitor includes powerful monitoring and filtering capabilities, including:
- More data captured for operation input and output parameters
- Non-destructive filters allow you to set filters without losing data
- Capture of thread stacks for each operation make it possible in many cases to identify the root cause of an operation
- Reliable capture of process details, including image path, command line, user and session ID
- Configurable and moveable columns for any event property
- Filters can be set for any data field, including fields not configured as columns
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
- Process tree tool shows relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn't fit in the column
- Cancellable search
- Boot time logging of all operations
The best way to become familiar with Process Monitor's features is to read through the help file and then visit each of its menu items and options on a live system.
09/22/2008... ... ...
Autoruns
Unnecessary services and applications that run whenever you start your PC or log in to it are a big cause of system slowdowns. Unfortunately, it's tough to identify every item that starts up, because nothing in Windows gives you such information. That's why you need this free tool. It displays every program and service running and offers a great deal of detail about each, such as associated .dll files, the program or service name, and its location on your PC. With that knowledge, you can decide what you don't want to run on startup.
Download Autoruns | Price: Free
Security Task Manager
Similar to Autoruns, this excellent tool shows you every running program and process. The utility also indicates whether the program is likely malicious, its type, how it launched (for example, upon startup or from within Windows Explorer), and the file name. It lets you delete any program and process with a single click. It also rates files according to how harmless or dangerous they may be. To stop a program, highlight it, click Remove, and you're done.
Download Security Task Manager | Price: $29 (Trial)
WinPatrol
This very good all-around system optimizer frees your PC of unnecessary programs that run on startup and keeps it clean of spyware and other malware. Whenever a program tries to start automatically, WinPatrol sends you an alert so you can block it. In addition, it shows details about the program, including the creator, when the program was added, the file name, and so on. The Delayed Start feature allows you to put off the launch of certain programs for up to an hour. That way, you'll still have access to the program when you need it.
Download WinPatrol | Price: Free
Trend Micro has acquired HijackThis, the freeware spyware-removal program created by Merijn Bellekom.
Financial terms of the deal, believed to be all-cash, were not released. This is the second transaction between Trend Micro and Bellekmom, following the company's purchase of CWShredder, a standalone utility used to remove the virulent Cool Web Search spyware program.
HijackThis is the de-facto standard for spyware removal from Windows systems. The tool generates a plaintext logfile detailing all entries — registry and file settings — it finds and offers tech-savvy users the ability to remove or disable files associated with malware.
November 1, 2006. Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
Process Explorer works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, and 64-bit versions of Windows for x64 processors, and Windows Vista.
This GUI tool displays information about a running process and allows you to stop processes and change process priority.Note
- Process Viewer is similar to Pview.exe, but it can view processes on remote computers.
Security Task Manager shows all active processes on your computer. You can easily recognize the endangering potential of each process. No other Task Manager or Process Viewer has this feature. Furthermore you can put a process into quarantine or search the internet for information about that process.
Small command line utility to view, kill, suspend or set the priority and affinity of processes, perhaps from a batch file? . . Has a virus disabled your Task Manager? . . or perhaps your Administrator has?
The Command Line Process Utility will function even when the task manager is disabled and/or the dreaded "Task Manager has been disabled by your Administrator" dialog box appears.
Works on remote machines with the Microsoft Telnet Server (tlntsvr) found on Windows 2000 and XP or with BeyondExec for Windows NT4/2000/XP.
View processes, owners, and CPU time . .
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.01 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org ImageName PID Threads Priority CPU% [System Process] 0 1 0 100 Error 0x6 : The handle is invalid. System 8 43 8 0 Error 0x5 : Access is denied. SMSS.EXE 180 6 11 0 NT AUTHORITY\SYSTEM CSRSS.EXE 204 11 13 0 NT AUTHORITY\SYSTEM WINLOGON.EXE 224 16 13 0 NT AUTHORITY\SYSTEM SERVICES.EXE 252 33 9 0 NT AUTHORITY\SYSTEM LSASS.EXE 264 16 9 0 NT AUTHORITY\SYSTEM svchost.exe 436 10 8 0 NT AUTHORITY\SYSTEM spoolsv.exe 468 15 8 0 NT AUTHORITY\SYSTEM CrypServ.exe 496 3 13 0 NT AUTHORITY\SYSTEM svchost.exe 512 28 8 0 NT AUTHORITY\SYSTEM hidserv.exe 532 4 8 0 NT AUTHORITY\SYSTEM jtagserver.exe 560 3 8 0 NT AUTHORITY\SYSTEM mdm.exe 584 6 8 0 NT AUTHORITY\SYSTEM nvsvc32.exe 628 2 8 0 NT AUTHORITY\SYSTEM regsvc.exe 664 2 8 0 NT AUTHORITY\SYSTEM mstask.exe 704 6 8 0 NT AUTHORITY\SYSTEM stisvc.exe 728 4 8 0 NT AUTHORITY\SYSTEM WinMgmt.exe 804 3 8 0 NT AUTHORITY\SYSTEM mspmspsv.exe 876 2 8 0 NT AUTHORITY\SYSTEM svchost.exe 896 5 8 0 NT AUTHORITY\SYSTEM explorer.exe 616 15 8 0 NEPTUNE\Administrator mixer.exe 1092 3 8 0 NEPTUNE\Administrator PRISMSTA.exe 1048 1 8 0 NEPTUNE\Administrator rundll32.exe 952 2 8 0 NEPTUNE\Administrator DIRECTCD.EXE 960 3 8 0 NEPTUNE\Administrator internat.exe 1180 1 8 0 NEPTUNE\Administrator OSA.EXE 1192 2 8 0 NEPTUNE\Administrator Icq.exe 1200 11 8 0 NEPTUNE\Administrator devenv.exe 1324 4 8 0 NEPTUNE\Administrator IEXPLORE.EXE 1140 7 8 0 NEPTUNE\Administrator CMD.EXE 1340 1 8 0 NEPTUNE\Administrator Process.exe 1132 1 8 0 NEPTUNE\AdministratorAdditional switches can be used to display User and Kernel Times (-t) or the Creation Time of processes (-c).
Kill Processes . . .
Processes can be killed immediately (terminated without saving files or cleaning up) by specifying either the name or the PID (Process IDentifier). In cases where there are multiple processes running with the same name and your desire is to kill a specific process you will need to use the PID.
If an image name such as iexplore.exe is specified, the utility will kill all processes by that name.
Close Processes . . .
On the other hand if you want to gracefully close programs by sending them a WM_CLOSE message first, you can used the -q option. This allows processes to clean up, save files, flush buffers etc. However it can cause deadlocks. e.g trying to close Microsoft Word when a unsaved, but edited document is open will generate a dialog box "Do you want to save changes to document 1?". This will prevent winword.exe from exiting until a user responds to the prompt.
When this option is used a WM_CLOSE message is immediately sent to the process. It then waits up to a default of 60 seconds for the program to clean up and gracefully close before it is killed. The different timeout can be specified as an option after the PID/Image Name.
Suspend & Resume Processes . . .
Processes can be suspended if you need some extra CPU cycles without having to kill the process outright. Once the requirement for the extra CPU cycles has passed you may resume the process and carry on from where you left off. The process is suspended by sleeping all the processes' active threads.
Suspending a process causes the threads to stop executing user-mode (application) code. It also increments a suspend count for each thread. Therefore if a process is suspended twice, two resume operations will be required to resume the process (Decrement the suspend count to zero).
Change the priority of processes . . .
When viewing the list of processes, the 4th column shows the base priority of a process. This is a numeric value from zero (lowest priority) to 31 (highest priority). You may set the base priority of a process by specifying one of the priority classes below.
Low 4
BelowNormal 6
Normal 8
AboveNormal 10
High 13
Realtime 24
Please note Windows NT4 does not support the Above Normal and Below Normal priority classes. Specifying these two parameters on a Windows NT4 machine will result in a " The Parameter is incorrect " error.
Change the affinity of processes . . .
The affinity is a mask which indicates on which processors (CPUs) a process can run. This is only useful on multiprocessor systems. When the -a option is used in conjunction with a process name or PID, the utility will show the System Affinity Mask and the Process Affinity Mask. The System Affinity Mask shows how many configured processors are currently available in a system. The Process Affinity Mask indicates on what processor(s) the specified process can run on.
To set the affinity mask, simply append the binary mask after the PID/Image Name. Any leading zeros are ignored, so there is no requirement to enter the full 32 bit mask.
Download
Version 2.03, 25K bytes. (Freeware)
Now supports Windows NT4 Workstation and Server, plus continued support for Windows 2000/XP in a single executable.
Revision History
- 5th June 2003 - Version 2.03
- Added -c switch which displays the creation times of processes.
- 29th May 2003 - Version 2.02
- Corrected Inaccurate CPU % Times.
- Added -t switch which displays both User Mode and Kernel Mode CPU times.
- 15th May 2003 - Version 2.01
- Fixed memory allocation errors for systems with greater than 100 processes. Application will handle a maximum of 65535 processes.
- Fixed bug in -q, -k when used with PID. Specifying a PID would kill all processes with the same name than the specified process.
- Fixed bug with the -a switch when used with PID.
- 26th April 2003 - Version 2.00pre1 (Pre-Release Beta)
- Caved in to overwhelming demand for support for Windows NT4. Rewrote code to detect operating system and use appropriate API calls plus a couple of undocumented calls to provide all the functionality of previous versions yet across all three NT platforms.
- Added preliminary support for the setting and display of Affinity Masks for multi processor systems.
- Added support for killing multiple processes by name. e.g using -k iexplorer.exe will kill all running instances of Internet Explorer, something previously accomplished by a batch file.
- Added the ability to specify the timeout for the -q option.
- Improved OpenProcess access so CPU time can now be sought from processes we don't have adequate rights too.
- 15th April 2003 - Version 1.03
- Modified string to number conversion to correct problem with strings contain leading numbers. eg process -s 3dsmax.exe would try to suspend the process with PID 3 and not 3dsmax.exe.
- Added -q Send WM_CLOSE message option. This will gracefully issue a WM_CLOSE message to the program and wait for it to close.
- 21st December 2002 - Version 1.01
- Corrected problems with exit codes
- 0 = Success (Process found and desired action performed)
- 1 = Miscellaneous Error.
- 2 = Cannot find Process (No processes left my this name)
- 22nd September 2002 - Version 1.00
- First release to public.
Introduction
PrcView is a process viewer utility that displays detailed information about processes running under Windows. For each process it displays memory, threads and module usage. For each DLL it shows full path and version information. PrcView comes with a command line version that allows you to write scripts to check if a process is running, kill it, etc.
What’s new
- Minor bug fixes
- Fixed bug that causes process environment appear corrupted on Win 9x
- Shows process startup directory
- Shows/sets process affinity (UI version only)
- Command line and window title filters in command-line version
What’s new in 3.0
- DLL usage summary - displays all DLL’s currently in use, shows processes which use selected DLL
- Displays complete task tree – parent/child relationships for all processes in the system
- Displays Task list like the standard task manager
- PrcView distribution now includes PV.EXE - a new utility that provides PrcView functionality from the command-line. Use pv –h for more information about available options.
What’s new in 2.0
- Get the full list of DLL’s for each running process including FULL PATH for each loaded module - discover what DLL’s your process really uses and where they are located.
- Double click on any module or process to get the full version information
- Save any view as a tab-separated text file by just pressing F2
- Process Finder Tool - just drag the finder icon and drop it to the process Window to select the desired process
- Smooth update - you don’t need to press the refresh "button" to get the updated list of all processes, PrcView periodically updates the process list for you
- New look and nice icons
Installation
No special installation is required on Windows 95/98. Create a new, empty folder and place the files PRCVIEW.EXE and PRCVIEW.HLP there. For Windows NT4 you will also need a PSAPI.DLL that is part of the PrcView archive.
Main Window
The main window shows you a list of running processes including information process Id, priority, and full path to the process module. You can sort columns by clicking on the column header.
Note that although you don’t need to have administrative privilege on Windows NT to run PrcView, list of task PrcView can access depends on your set of privileges.
Show modules
Information about each loaded module including the module name, the module base address in process space, the module size and full to the loaded module path.
Show version
You can display comprehensive version information by double-clicking the appropriate line in the main or module window
Show threads
Information about all process threads including threads Id and priority. Note that if PrcView uses Performance Data Helper to enumerate threads under Windows NT, it can take a few seconds at the first time to open the list of threads while Windows is loading all necessary libraries.
Show Memory
Information about all memory blocks belonging to the selected process. Contains information about base address, protection, size and state for each memory block.
Show Heaps
Information about all heaps allocated by the selected process. You can display heap memory blocks by double clicking on the appropriate heap in the list box
Show Version
Displays version information about selected module. You can display version information by double-clicking the appropriate line in the main or module window
Kill process
Just another way to kill a selected process. Note that killing a process can cause undesired results including loss of data and system instability. The process will not be given a chance to save its state or data before it is terminated. It is advisable to try the "Notify" button in the "Kill" dialog to close a GUI-based application first (via WM_SYSCOMMAND)
Debug process
Nice way to attach a debugger to a running application. PrcView reads the "AeDebug" key and starts a registered debug application. PrcView allows you not only to select a process to debug but also to associate a particular project with it. This is especially useful while debugging an DLL that has a separate project. Associations are stored in the registry.
Set priority class
Allows you to specify a new priority class for the selected process.
The Process Finder Tool
With the Process Finder Tool you can find the process corresponding to a selected window. To find a process:
- Arrange your windows so that PrcView and the window of the desired process are visible.
- Press the Find Process button on the toolbar.
- Keep left mouse button pressed while dragging the Finder Tool to the desired window.
- Release mouse button. PrcView will select the corresponding process in the main view.
Process Tree
Shows you the process hierarchy for all running processes. You can select the desired task by clicking on the process item in the Process Tree window.
Module Usage
Information about all loaded modules in the system including the module name, the module base address in process space, the module size and full to the loaded module path. Selecting a module from the module list shows only processes witch use a selected module. Selecting "Module Usage" again returns the main window to the original process list. You can display comprehensive version information by double-clicking the appropriate line in the window.
Show Application
Shows all top-level window titles. You can select the desired task by clicking on the process item in this window. Double-click sends the selected application to the front.
Configuration option
- Start Minimized – PrcView starts minimized. This option is useful in combination with the "Use System Tray" option if you plan to place PrcView in the "Startup" folder
- Use System Tray – PrcView places a small icon In the System Tray, hiding itself when minimized
- Allow Multiply Instances – If turned "on", PrcView allows to start more than one instance of the program. If turned "off" the instance of PrcView that is already running will be activated.
- Set Refresh Times – Allows to specify refresh times for main/thread/module windows. If specified time is greater than zero, PrcView will refresh windows cyclically.
Refreshing Information
Use Menu/Toolbar in the main view or F5 in any view to refresh information in the corresponding window
Save Current View
Use Menu/Toolbar in the main view or F2 in any view to save information in the corresponding window
Reporting Bugs and Feedback
If you encounter a problem while running PrcView, please visit http://www.prcview.com to obtain the latest version. If you still have problems, please send a description of your problem to
Process Monitor By Mark Russinovich and Bryce Cogswell
PrcView by Igor Nys
PrcView by Igor Nys is a very nice freeware process viewer. Can be used for spyware detection. This information shown includes such details as the creation time, version and full path for each DLL used by a selected process, a list of all threads, memory blocks and heaps.
- PrcVIew also allows you to kill and attach a debugger to a selected process. PrcView runs on both Windows 95/98 and Windows NT platforms and includes two versions: Gui based and command-line version of the
program:- PV.EXE - a utility that provides PrcView functionality from the command-line. Use pv –h for more information about available options.
Process Explorer by Mark Russinovich
Process Explorer for Windows v10.21
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.What's new in Version 8.50:
- Finder tool for identifying the process that owns a selected window
- Strings listings for process and DLL images
- Google menu item for searching process and DLL information
- Tray tooltip shows highest-CPU consuming process
- Window status column (like Task Manager's Status column on the Applications tab)
- DLL view for System process shows list of loaded device drivers
What's new in Version 8.40:
- TCP/IP process properties page shows active TCP and UDP endpoints
- Display updating code eliminates all flicker
- 64-bit version shows which processes are 64-bit on process properties and adds 64-bit process column
- Additional opacity settings
- Improved symbol support
What's new in Version 8.30:
- Runs in non-admin account
- Treeview functionality to collapse and expand process subtrees
- Can bring process-owned window to the foreground
- System CPU graph shows timestamps and most-active process for any given point
- Per-process graph data tracked even when main window is minimized to tray
- Per-process graph data displays timestamps
- Tray icon has black background
- Can set process CPU affinity
- Process tooltip no longer between mouse pointer and process name
- Ability to add a comment to processes and new comment column
- More system information, including I/O deltas and paging data
- New process columns for I/O delta and page-fault delta
- More process performance information in process properties dialog
- Improved performance
What's new in Version 8.20:
- Can open multiple process properties dialogs simultaneously
- Process properties and thread stack dialogs are resizable
- System information dialog CPU and memory usage graphs like Task Manager
- More performance data on the System Information dialog
- Per-process CPU and memory graph tab in process properties
- Opacity settings
- New tray window context menu options
- More performance information on process properties dialog
- Lock option in shutdown menu
- Reconfigured menu items and highlighting configuration
- New status bar column options
What's new in Version 8.10:
- Status bar information is configurable to show CPU usage, commit charge, # of processes, and more
- Can terminate individual threads
- New Shutdown menu for logging off and shutting down the system
- Only allow one instance option
- Auto-open of lower pane when a find result is clicked
What's new in Version 8.0:
- .NET tab for .NET processes that shows AppDomains and .NET performance counters
- When the .NET Framework is detected a .NET tab on the column selection dialog for adding .NET performance counters
- Option to show only .NET processes
- Option to only show your own processes
- System Information dialog showing the same memory counters as Task Manager (when symbols are configured, also shows maximum paged and nonpaged pool values)
- Better symbol configuration guidance
- Difference highlight duration is configurable
- Tray icon for CPU usage that's yellow when usage is > 70% and red when > 90%
- Minimize-to-tray option
- Highlight color configuration dialog
- Context switch and context-switch delta columns
- Run processes using the system Run dialog from the File menu
- Replace task manager option so that when you run Task Manager Process Explorer runs instead
- Only non-zero CPU usage, .NET counters and context-switch values are displayed to clearly highlight process activity
- Search for DLLs or handles regardless of what mode the lower pane is in
- Correct icons for MMC windows
- Mouse hover over process names and DLL names shows full path of executable or DLL
Other Process Explorer features include:
- Support for full handle viewing on Win9x/Me (with the exception of Registry key handles)
- Process icons
- Service process highlighting
- Process tree display
- Configurable refresh rate
- Refresh highlighting: new entries in the process, handle and DLL views are green, and deleted ones red
- Listview tooltips
- DLL descriptions in the DLL view
- Highlights relocated DLLs
- Jump-to-entry in the find dialog
- Efficient refresh
- Runs on Windows 9x/Me
- Lists all process owners, even on Terminal Server systems
- Moveable columns
- Column selection and a wide variety of configurable process, DLL and handle columns
- Asynchronous updates of all views
- Configurable refresh highlighting effects
- Save function saves process view and current bottom view (handle or DLL)
- Minimize-to-tray option
- Process suspend/resume
- Thread details including stacks
- Fractional CPU usage
- Job object information
- Right-justified numeric columns with numeric formatting
- Mutex properties shows owning thread if mutex is owned
- More information in process properties
- Start time and CPU time process columns
- Option to hide the lower pane
- Kill process tree
- More accurate Registry key names for profile unload debugging
- Extensive help file
- Service descriptions on services tab of service process properties dialog
Process Explorerworks on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, and 64-bit versions of Windows for x64 processors.
PsList
Sysinternals Freeware - Information for Windows NT and Windows 2000 - PsList
Most UNIX operating systems ship with a command-line tool called "ps" (or something equivalent) that administrators use to view detailed information about process CPU and memory usage. Windows NT/2K comes with no such tool natively, but you can obtain similar tools with the Windows NT Workstation or Server Resource Kits.
The tools in the Resource Kits, pstat and pmon, show you different types of information, and will only display data regarding the processes on the system on which you run the tools.
PsList is utility that shows you a combination of the information obtainable individually with pmon and pstat. You can view process CPU and memory information, or thread statistics. What makes PsList more powerful than the Resource Kit tools is that you can view process and thread statistics on a remote computer.Installation
Just copy PsList onto your executable path, and type "pslist".
PsList works on Windows NT, Windows 2000 and Windows XP.Usage
See the September 2004 issue of Windows IT Pro Magazine for Mark's article that covers advanced usage of PsList.
The default behavior of PsList is to show CPU-oriented information for all the processes that are currently running on the local system. The information listed for each process includes the time the process has executed, the amount of time the process has executed in kernel and user modes, and the amount of physical memory that the OS has assigned the process. Command-line switches allow you to view memory-oriented process information, thread statistics, or all three types of data.
usage: pslist [-?] [-d] [-m] [-x][-t][-s [n] [-r n]][\\computer [-u username] [-p password]] [name | pid]
-? Displays the supported options and the units of measurement used for output values. -d This switch has PsList show statistics for all active threads on the system, grouping threads with their owning process. -m This switch has PsList show memory-oriented information for each process, rather than the default of CPU-oriented information. -x With this switch PsList shows CPU, memory and thread information for each of the processes specified. -t Shows the tree of processes. -s [n] Has PsList run in task-manager-like updating mode. You can optionally specify the number of seconds it runs and abort it by pressing the escape key. -r n Task-manager mode refresh rate in seconds (default is 1). name Instead of listing all the running processes in the system, this parameter narrows PsList's scan to those processes that begin with the name process. Thus:
pslist exp
would statistics for all the processes that start with "exp", which would include Explorer.-u username If you want to kill a process on a remote system and the account you are executing in does not have administrative privileges on the remote system then you must login as an administrator using this command-line option. If you do not include the password with the -p option then PsList will prompt you for the password without echoing your input to the display. -p password This option lets you specify the login password on the command line so that you can use PsList from batch files. If you specify an account name and omit the -p option PsList prompts you interactively for a password. \\computer Instead of showing process information for the local system, PsList will show information for the NT/Win2K system specified. Include the -u switch with a username and password to login to the remote system if your security credentials do not permit you to obtain performance counter information from the remote system. pid Instead of listing all the running processes in the system, this parameter narrows PsList's scan to the process that has the specified PID. Thus:
pslist 53
would dump statistics for the process with the PID 53.
Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Disclaimer:
- The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with.
- We do not warrant the correctness of the information provided or its fitness for any purpose
- In no way this site is associated with or endorse cybersquatters using the term "softpanorama" with other main or country domains (e.g. softpanorama.com) with bad faith intent to profit from the goodwill belonging to someone else.
Last modified: November 15, 2009