I suppose that many sysops already know Sysinternals Process Explorer, although I often meet system administrators who have never used it. As it is one of my favorite tools, I'd like to introduce it now. Yesterday, I used Process Explorer to find out which program was using ntuser.dat.
I must admit that Process Explorer was not so helpful in this case. You can search for files, and the tool will tell you which process uses them, but all I got was that "System" was using ntuser.dat. At least this gave me a hint that it was probably a service that caused my problem.
Process Explorer basically does the same as the Windows Task-Manager, although it is much more powerful. You get a hierarchical display of the running processes that shows detailed information on how certain applications work. Usually I use Process Explorer when I am troubleshooting malfunctioning programs.
Of course, you can also kill processes or even complete process trees. But be careful! Process Explorer is not as cautious as Task-Manager. If you don't understand what you are doing, you will end up with a blue screen.
There are two modes: handle mode and DLL mode. You can switch between the two using CTRL+H and CTRL+D. In handle mode you get information about the handles opened by the selected process, and in DLL mode about the DLL files it uses.
Another nice feature of Process Explorer is that it shows which TCP/IP connections a certain process has opened. This is very useful if you're worried that there's a Trojan horse running on your machine that contacts its master. Right-click on a process and then select "Properties". One of the tabs will show the TCP/IP connections. The others have more useful information about the process, such as CPU/memory usage, threads, etc.
If you have no idea what a certain process does, right-click the process and select Google. In most cases, you will find out the process's purpose this way.
Process Explorer also has a performance monitor, which I prefer to the one in Windows Task Manager. A small version of the performance monitor is visible in the toolbar. Double-click on it and a more detailed version will open.
If you like Process Explorer, you can replace the Windows Task-Manager with it. Select "Replace Task Manager" under Options, and Process Explorer will then open instead of the Windows Task-Manager. Don't worry; if you want your old Task-Manager back, you only have to disable this feature.
By the way, there is a simpler, command-line version of Process Explorer called Handle. It can be downloaded for free from Sysinternals, just like Process Explorer.
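The file search described at the start of the article, done with the command-line tool Handle instead of the Process Explorer GUI, as an added example that is not part of the original post. It assumes a current Windows with PowerShell 3 or later, handle.exe on the PATH (or passed via -HandleExe), and that Handle prints one line per match in the form `<process>  pid: <pid>  type: <type>  <handle>: <name>`; the parsing regex is built on that assumption and reports lines that do not fit it instead of dropping them.

```powershell
# Added example (not from the article): find which processes hold a handle to a
# file using Sysinternals Handle (handle.exe). Assumes handle.exe is reachable via
# $HandleExe and that its output lines look like:
#   <process>  pid: <pid>  type: <type>  <handle>: <name>
# (that layout is an assumption; unparsed lines are surfaced with -Verbose).
# Run elevated, otherwise handles of other users' processes are not visible.

param(
    [string]$Pattern = 'ntuser.dat',   # substring of the object name to search for
    [string]$HandleExe = 'handle.exe'
)

# -accepteula suppresses the first-run EULA prompt, -nobanner the version banner;
# the trailing argument is the name fragment Handle searches for.
$raw = & $HandleExe -accepteula -nobanner $Pattern 2>&1

$lineRegex = '^(?<proc>\S+)\s+pid:\s+(?<pid>\d+)\s+type:\s+(?<type>\S+)\s+(?<handle>[0-9A-Fa-f]+):\s+(?<name>.+)$'

$results = foreach ($line in $raw) {
    $text = "$line".Trim()
    if (-not $text) { continue }
    if ($text -match $lineRegex) {
        # Resolve the image path as well, so a generic name such as "svchost.exe"
        # can be tied to the actual binary on disk.
        $proc = Get-Process -Id ([int]$Matches.pid) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $Matches.proc
            PID     = [int]$Matches.pid
            Path    = if ($proc) { $proc.Path } else { $null }
            Type    = $Matches.type
            Handle  = $Matches.handle
            Name    = $Matches.name
        }
    }
    else {
        # e.g. "No matching handles found." or an access-denied message
        Write-Verbose "unparsed: $text"
    }
}

# For service host processes, list which services run inside that PID. This is
# the extra step needed when Handle only reports a generic host process.
$results | ForEach-Object {
    $svc = @(Get-CimInstance Win32_Service -Filter "ProcessId = $($_.PID)" -ErrorAction SilentlyContinue |
             ForEach-Object Name) -join ', '
    $_ | Add-Member -NotePropertyName Services -NotePropertyValue $svc -PassThru
} | Format-Table Process, PID, Services, Type, Name -AutoSize
```

One caveat when reading the result for ntuser.dat specifically: it is the HKEY_CURRENT_USER registry hive, and a loaded hive is held open by the kernel, so Handle reporting "System" as the owner is expected for it rather than a sign of a stray service. The Services column is the useful lead for the more common case of a file held by a service hosted in svchost.exe.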
There is no way to know the private bytes used for DLLs.
Don’t worry; if you want to have your old Task-Manager back, you only have to disable this feature.
Well in XP Pro 64bit I have permanently lost my old task manager. The file is still there at
C:\windows\system32\taskmgr.exe
but windows cannot find it to run.
Have rebooted many times, with and without Process Explorer running; there is no checkmark next to "replace task manager", but taskmgr.exe still will not run.
I have the same problem… lost C:\windows\system32\taskmgr.exe … any solution?
Hmm that is odd. Doesn’t the Process Explorer Option menu have the menu point “Restore Task Manager”? I just tried it and it worked fine.
The solution to restore Task Manager on x64 is here:
http://forum.sysinternals.com/forum_posts.asp?TID=20869
thanks 🙂
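An added example, not from the article or the forum thread above, showing where "Replace Task Manager" leaves its trace and how to audit it. Process Explorer implements that option by registering itself as the "Debugger" for taskmgr.exe under Image File Execution Options (IFEO), so Windows starts procexp whenever taskmgr.exe is launched; if that value survives, or points at a path that no longer exists, Task Manager "cannot be found" even though taskmgr.exe is still on disk. The script assumes a current Windows with PowerShell and an elevated session for the -RestoreTaskManager switch; the Wow6432Node path is checked on the assumption that a 32-bit procexp on x64 may have written there.

```powershell
# Added example (not from the article or the thread): list every IFEO "Debugger"
# value on the machine and optionally remove the one Process Explorer set for
# taskmgr.exe. The same key is a well-known persistence location, so the audit
# covers all images, not only taskmgr.exe. Removal needs an elevated session.

param(
    [switch]$RestoreTaskManager   # remove the taskmgr.exe Debugger value if it points at Process Explorer
)

# Native view plus the 32-bit (Wow6432Node) view on 64-bit Windows; assumption:
# an older 32-bit procexp on x64 could have written to the latter.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            # The value may carry arguments; take the (possibly quoted) first token as the image path.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            [pscustomobject]@{
                Image    = $key.PSChildName
                View     = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                Exists   = Test-Path -LiteralPath $exe -PathType Leaf   # dangling debugger = "cannot find" errors
                Debugger = $dbg
                KeyPath  = $key.PSPath
            }
        }
    }
}

$entries = @(Get-IfeoDebugger)
$entries | Format-Table Image, View, Exists, Debugger -AutoSize

if ($RestoreTaskManager) {
    foreach ($e in ($entries | Where-Object { $_.Image -ieq 'taskmgr.exe' })) {
        # Only undo what Process Explorer put there; anything else deserves a look, not a silent delete.
        if ($e.Debugger -notmatch 'procexp') {
            Write-Warning "taskmgr.exe Debugger is '$($e.Debugger)', not Process Explorer; leaving it alone."
            continue
        }
        Remove-ItemProperty -Path $e.KeyPath -Name Debugger
        Write-Host "Removed IFEO Debugger for taskmgr.exe ($($e.View) view)."
    }
}
```

Run it without the switch first: an entry with Exists = False for taskmgr.exe is the symptom described in the comments above, and any Debugger value on an image you do not recognise is worth investigating before touching it.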
I use PE a fair bit, especially the TCP/IP tab to follow what is connecting to what.
On one XP machine, MySQL’s TCP/IP tab is blank, while on a similar machine it shows it listening on :3306 and established connections to the mail server on localhost. In both cases the mail server is working correctly.
“netstat -an” shows one listening on 0.0.0.0:3306 while the other shows [::]:3306 listening.
My question is: where does PE pick up the TCP/IP data it displays (or doesn’t) ?
The answer is “[::]” is IPv6’s version of IPv4’s “0.0.0.0”, and “[::1]” is the IPv6 version of “127.0.0.1”.
Clearly Process Explorer cannot handle IPv6 connections.
By uninstalling IPv6 from TCP/IP Properties and restarting Win XP, the connections become visible in PE.
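The same process-to-connection mapping that the article's TCP/IP tab provides, including IPv6 sockets, as an added example that is not from the article or the comments. It assumes a current Windows where Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 and later) is available; it is not available on XP, which is why the commenter fell back to netstat. The commenter's observation is the point: "0.0.0.0" is the IPv4 wildcard and "::" the IPv6 wildcard, and a dual-stack service bound only to :: can still accept IPv4 clients, so a listing that only enumerates IPv4 sockets shows nothing for it.

```powershell
# Added example (not from the article or comments): map TCP listeners and
# connections to their owning process, including IPv6 sockets, and flag wildcard
# binds. Requires Get-NetTCPConnection (Windows 8 / Server 2012 or later).

param(
    [int]$Port,                 # optional: restrict to one local port, e.g. 3306
    [string]$ProcessName        # optional: restrict to one process name, e.g. mysqld
)

function Get-AddressFamily([string]$addr) {
    # IPv6 literals contain colons; IPv4 ones never do.
    if ($addr -match ':') { 'IPv6' } else { 'IPv4' }
}

function Get-ListenerMap {
    param([int]$Port, [string]$ProcessName)
    $conns = Get-NetTCPConnection -ErrorAction Stop
    if ($Port) { $conns = $conns | Where-Object LocalPort -eq $Port }

    foreach ($c in $conns) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($p) { $p.ProcessName } else { '<exited>' }
        if ($ProcessName -and $name -ne $ProcessName) { continue }
        [pscustomobject]@{
            Process  = $name
            PID      = $c.OwningProcess
            Family   = Get-AddressFamily $c.LocalAddress
            Local    = "$($c.LocalAddress):$($c.LocalPort)"
            Remote   = if ($c.State -eq 'Listen') { '' } else { "$($c.RemoteAddress):$($c.RemotePort)" }
            State    = $c.State
            # Wildcard binds (0.0.0.0 / ::) answer "is this reachable from the network?";
            # loopback-only listeners (127.0.0.1 / ::1) do not.
            Wildcard = $c.LocalAddress -in @('0.0.0.0', '::')
        }
    }
}

Get-ListenerMap -Port $Port -ProcessName $ProcessName |
    Sort-Object Process, Family, Local |
    Format-Table Process, PID, Family, Local, Remote, State, Wildcard -AutoSize
```

For the MySQL case above, `.\Get-ListenerMap.ps1 -Port 3306` (the file name is an assumption) shows the listener with Family = IPv6 and Local = :::3306 on the host where netstat reported [::]:3306, together with the owning PID, which is the information the commenter could not get from the tool at the time.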