IT admin's guide to the Sysinternals suite
A comprehensive collection of articles, videos and more, hand-picked by our editors
We all lead busy lives, and keeping our Windows systems neat and tidy is usually not on the top of our to-do lists. All too often, we don't get around to cleaning our PCs until they're a real mess -- when users start complaining about websites taking a long time to load and slow startup times.
The tools available with a standard Windows installation to streamline or troubleshoot your systems are very basic. With them, you are limited to browsing your registry entries with Regedit.exe or with the displays in Windows Task Manager that show running applications or processes. But just because a program was removed doesn't mean its footprints have been completely erased from the system, or that they even show up in the Windows processes list.
Sysinternals' Process Monitor and Process Explorer are two free tools that can help with PC cleanup. Recently updated, these products understand how Windows uses processes. They are single executable files that run from the command prompt, and no installation is required.
Anyone can run Process Explorer, but for Process Monitor, you need administrative rights. Both applications work on Windows XP or higher, including the server and 64-bit versions. In addition, they have detailed help files that can serve as tutorials or reference guides, depending on how familiar you are with the internal workings of Microsoft's operating system.
What is Process Explorer?
If you are having dynamic link library (DLL) conflicts, you suspect you have a bad DLL on your PC, or you think you may have a memory leak with one of your applications, then Process Explorer may help.
The tool can answer the following questions:
- Which program has opened a particular file or directory?
- Which DLLs belong to which programs?
- Is a piece of malware masquerading as a legitimate process on your system?
There are three Process Explorer windows, and two of these windows are displayed at all times. The top window always shows a list of the currently active processes. To add or subtract the information displayed in this window, right-click the title bar, and select which columns you want to view, as shown in Figure 1.Figure 1: Select the columns you want to see in your report (click to enlarge).
In the bottom window, you can choose to view either active DLLs or active process handles. The tool can show many details about each process, such as memory usage, user account information and security attributes. For example, a Lexmark network printer runs several processes and uses several DLLs to send print jobs across the network; Process Explorer can determine the DLLs used.
In addition, the built-in search capability, shown in Figure 2, lets you quickly access the processes that have particular handles opened or DLLs loaded.
Process Explorer checks if an image was digitally signed by a root certificate authority trusted by the computer, and it displays the status of the check as "trusted" (signed), "unsigned" or "not verified" (signature has not been checked). To view this information, select the Verify column. The results are displayed in the main window, shown in the figure below.
Unlike Process Explorer, Process Monitor can capture information to a log file for further analysis, and it answers the following questions:
- Is a Windows Registry entry in my startup options causing me problems?
- When did a particular program access my registry, and with what process?
- Which external file systems has the PC connected to?
- What threads and processes are being created on my PC?
- What network activity is happening on my PC?
In other words, Process Monitor captures what goes in and out of a computer on various levels (network, file system, etc). Looking for something specific in this large collection of information can be daunting. However, the data can be filtered by selecting particular operations and Boolean operators, or with the search box. The results can be focused on particular events to help you troubleshoot.
When you first run Process Monitor, a screen appears that displays the time, the process name, a path to a registry entry, if the process was successfully executed, and other details, as shown in Figure 4.
You can add or subtract columns by right-clicking on the title bar and checking the appropriate boxes. You can also drag and drop the columns to reorder them.
When you find an event of interest, double-click it to get more information. This will tell you which other modules have used this process, particular DLLs and their paths, software vendor information, the version and more.
In addition, you can use Process Monitor to see what happens when a PC is booted. Simply select Enable Boot Logging from the Options menu, and then reboot the PC to start the recording process. To stop the recording, bring up Process Monitor or shut down the PC. Open the resulting log file to do further analysis.
For example, uninstalling an application doesn't always eliminate it completely. Sometimes a residue is left behind. But Process Monitor can find these leftovers. Then, you can use Regedit to delete these leftovers.
Process Monitor can save the log files in several formats, including XML or comma-separated files. In addition, Process Monitor includes several other helpful tools, such as summaries of files and network accesses. A process-tree diagram shows the dependencies of particular processes, with processes belonging to the same parent sorted by their start times, as shown in Figure 5.
ABOUT THE AUTHOR:
David Strom is a freelance writer and professional speaker based in St. Louis. former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.