I suppose that many sysops already know Sysinternals Process Explorer, although I often meet system administrators who have never used it. As it is one of my favorite tools, I’d like to introduce it now. Yesterday, I used Process Explorer to find out which program was using ntuser.dat.

I must admit that Process Explorer was not so helpful in this case. You can search for files and the tool will tell you which process uses them, but all I got was that “System” was using ntuser.dat. At least this gave me a hint that it was probably a service which caused my problem.

Process Explorer basically does the same as the Windows Task-Manager, although it is much more powerful. You get a hierarchical display of the running processes that shows detailed information on how certain applications work. Usually I use Process Explorer when I am troubleshooting malfunctioning programs.

Of course, you can also kill processes or even complete process trees. But be careful! Process Explorer is not as cautious as Task-Manager. If you don’t understand what you are doing, you will end up with a blue screen.

There are two modes: handle mode and DLL mode. You can switch between the two using CTRL+H and CTRL+D. In handle mode you get information about the open handles of the selected process, and in DLL mode about the DLL files it has loaded.

Another nice feature of Process Explorer is that it shows which TCP/IP connections a certain process has opened. This is very useful if you’re worried that there’s a Trojan horse running on your machine that contacts its master. Right click on a process and then select “Properties”. One of the tabs will show the TCP/IP connections. The others have other useful information about the process, like CPU/memory usage or threads etc.
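The same per-process view of TCP connections can be scripted for a quick review of which programs are talking to the network. The following PowerShell function is an added example, not part of the original post or of Sysinternals; it assumes Windows 8 / Server 2012 or later (for the NetTCPIP module) and should be run from an elevated prompt so that process paths and user names are available for all processes.

```powershell
# Added example: list TCP connections per owning process, similar to the
# TCP/IP tab in Process Explorer, so unexpected outbound connections stand out.

function Get-ProcessTcpConnections {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on the process name, e.g. 'svchost*'
        [string]$ProcessName
    )

    # -IncludeUserName needs elevation; fall back to the plain listing if denied.
    try   { $procs = Get-Process -IncludeUserName -ErrorAction Stop }
    catch { $procs = Get-Process }

    # Index processes by PID so each connection can be joined to its owner.
    $byPid = @{}
    foreach ($p in $procs) { $byPid[$p.Id] = $p }

    Get-NetTCPConnection -State Established, Listen |
        ForEach-Object {
            $p = $byPid[[int]$_.OwningProcess]
            [pscustomobject]@{
                PID     = $_.OwningProcess
                Process = if ($p) { $p.ProcessName } else { '<exited>' }
                User    = if ($p) { $p.UserName } else { $null }
                State   = $_.State
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Path    = if ($p) { $p.Path } else { $null }
            }
        } |
        Where-Object { -not $ProcessName -or $_.Process -like $ProcessName }
}

# Usage: established connections to non-loopback peers, grouped by process.
Get-ProcessTcpConnections |
    Where-Object { $_.State -eq 'Established' -and
                   $_.Remote -notlike '127.*' -and $_.Remote -notlike '::1:*' } |
    Sort-Object Process, Remote |
    Format-Table PID, Process, User, Local, Remote, Path -AutoSize
```

A connection whose Path is empty or whose Process shows as `<exited>` is worth a second look, since the process either cannot be inspected from this session or terminated right after the snapshot was taken.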

If you have no idea about the function of a certain process, right click the process and select Google. In most cases, you will find out about the process’s purpose this way.

Process Explorer also has a performance monitor which I prefer to the one in Windows Task Manager. A small version of the performance monitor is visible in the toolbar. Double click on it and a more detailed version will open.

If you like Process Explorer, you can replace the Windows Task-Manager with it. Select “Replace Task Manager” under Options, and Process Explorer will then open instead of the Windows Task-Manager. Don’t worry; if you want to have your old Task-Manager back, you only have to disable this feature.

By the way, there is a simpler version of Process Explorer for the command line called Handle. It can be downloaded for free from Sysinternals, just like Process Explorer.