I suppose that many sysops already know Sysinternals Process Explorer. Although I often meet system administrators who never used it. As it is one of my favorite tools, I'd like to introduce it now. Yesterday, I used the Process Explorer to find out which program used ntuser.dat.

I must admit that Process Explorer was not so helpful in this case. You can search for files and the tool will tell you which process uses them, but all I got was that "System" was using ntuser.dat. At least this gave me hint that it was probably a service which caused my problem.

Process Explorer basically does the same as the Windows Task-Manager, although it is much more powerful. You get running processes' hierarchical display that shows detailed information on how certain applications work. Usually I use Process Explorer when I am troubleshooting malfunctioning programs.

Of course, you can also kill processes or even complete process trees. But be careful! Process Explorer is not as cautious as Task-Manager. If you don't understand what you are doing, you will end with a blue screen.

Process ExplorerThere are two modes: handle mode and DLL mode. You can switch between the two using CTRL+H and CTRL+D. In handle mode you get information about the opened handles of the process selected and in DLL mode about the DLL files.

Process Explorer - TCP-ConnectionsAnother nice feature of Process Explorer is that it shows what TCP/IP connection a certain process opened. This is very useful if you're worried that there's a Trojan hoarse running on your machine that contacts its master. Right click on a process and then select "Properties". One of the tabs will show the TCP/IP connections. The others have other useful information about the process, like CPU/memory usage or threads etc.

If you have no idea about the function of a certain process, right click the process and select Google. In most cases, you will find out about the process' purpose this way.

Process Explorer - Performance MonitorProcess Explorer also has a performance monitor which I prefer to that of Windows Task Manager's. A small version of the performance monitor is visible in the toolbar. Double click on it and a more detailed version will open.

If you like Process Explorer, you can replace Windows Task-Manager with it. Select "Replace Task Manager" under Options, Process Explorer will then open instead of the Windows Task-Manager. Don't worry; if you want to have your old Task-Manager back, you only have to disable this feature.

Subscribe to 4sysops newsletter!

By the way, there is a simpler version of Process Explorer for the command line called Handle It can be downloaded for free at Sysinternals just like Process Explorer.

  1. jj 16 years ago

    There is no way to know private bytes used for dll’s

  2. Bazz 13 years ago

    Don’t worry; if you want to have your old Task-Manager back, you only have to disable this feature.

    Well in XP Pro 64bit I have permanently lost my old task manager. The file is still there at
    but windows cannot find it to run.
    Have rebooted many times, with and without process exporer running, there is no checkmark next to “replace task manager” but taskmgr.exe still will not run.

  3. bboldi 13 years ago

    I have the same problem… lost C:\windows\system32\taskmgr.exe … any solution?

  4. Hmm that is odd. Doesn’t the Process Explorer Option menu have the menu point “Restore Task Manager”? I just tried it and it worked fine.

  5. Kimosabe 13 years ago

    The solution to restore taskmanager on x64 here:

  6. bboldi 13 years ago

    thanks 🙂

  7. Dave Kimble 12 years ago

    I use PE a fair bit, especially the TCP/IP tab to follow what is connecting to what.

    On one XP machine, MySQL’s TCP/IP tab is blank, while on a similar machine it shows it listening on :3306 and established connections to the mail server on localhost. In both cases the mail server is working correctly.

    “netstat -an” shows one listening on while the other shows [::]:3306 listening.

    My question is: where does PE pick up the TCP/IP data it displays (or doesn’t) ?

  8. Dave Kimble 12 years ago

    The answer is “[::]” is IPv6’s version of IPv4’s “”, and “[::1]” is the IPv6 version of “”.

    Clearly Process Explorer cannot handle IPv6 connections.
    By uninstalling IPv6 from TCP/IP Properties and restarting Win XP, the connections become visible in PE.

Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account