Process Explorer

Last updated
Process Explorer
Original author(s) Winternals Software
Developer(s) Microsoft
Stable release
v17.06 / May 28, 2024;41 days ago (2024-05-28)
Operating system Windows 8.1 / Windows Server 2012 and later
Type Task manager and system monitor
License Freeware
Website learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

Process Explorer is a freeware task manager and system monitor for Microsoft Windows created by SysInternals, which has been acquired by Microsoft and re-branded as Windows Sysinternals. It provides the functionality of Windows Task Manager along with a rich set of features for collecting information about processes running on the user's system. [1] It can be used as the first step in debugging software or system problems.

Contents

Process Explorer can be used to track down problems. For example, it provides a means to list or search for named resources that are held by a process or all processes. This can be used to track down what is holding a file open and preventing its use by another program. As another example, it can show the command lines used to start a program, allowing otherwise identical processes to be distinguished. Like Task Manager, it can show a process that is maxing out the CPU, but unlike Task Manager it can show which thread (with the callstack) is using the CPU – information that is not even available under a debugger. [2]

History

Process Explorer began in the early Sysinternals days as two separate utilities, HandleEx and DLLView, which were merged in 2001. [3] Until 2008, Process Explorer worked on Windows 9x, Windows NT 4.0 and Windows 2000. Versions of Process Explorer up to 12.04 work on Windows 2000; versions 14.0 and higher do not require credui.dll (which is only available since Windows XP/2003). Windows XP is supported up to version 16.05, Windows Vista until verison 16.42. [4] [5] The current version runs on Windows 10 and upwards. The open source software "Process Hacker" has been developed with the aim to replicate its functionality. [6]

Features

See also

Related Research Articles

NTLDR is the boot loader for all releases of Windows NT operating system from 1993 with the release of Windows NT 3.1 up until Windows XP and Windows Server 2003. From Windows Vista onwards it was replaced by the BOOTMGR bootloader. NTLDR is typically run from the primary storage device, but it can also run from portable storage devices such as a CD-ROM, USB flash drive, or floppy disk. NTLDR can also load a non NT-based operating system given the appropriate boot sector in a file.

<span class="mw-page-title-main">File Explorer</span> File manager application that is included with releases of the Microsoft Windows operating system

File Explorer, previously known as Windows Explorer, is a file manager application and default desktop environment that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems, as well as user interface elements such as the taskbar and desktop.

<span class="mw-page-title-main">Control Panel (Windows)</span> Component of Microsoft Windows and Windows Server

Control Panel is a component of Microsoft Windows that provides the ability to view and change system settings. It consists of a set of applets that include adding or removing hardware and software, controlling user accounts, changing accessibility options, and accessing networking settings. Additional applets are provided by third parties, such as audio and video drivers, VPN tools, input devices, and networking tools.

<span class="mw-page-title-main">Architecture of Windows NT</span> Overview of the architecture of the Microsoft Windows NT line of operating systems

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, it uses packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

Svchost.exe is a system process that can host one or more Windows services in the Windows NT family of operating systems. Svchost is essential in the implementation of shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family. However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. Problems with various hosted services, particularly with Windows Update, get reported by users as involving svchost.

As the next version of Windows NT after Windows 2000, as well as the successor to Windows Me, Windows XP introduced many new features but it also removed some others.

ntoskrnl.exe, also known as the kernel image, contains the kernel and executive layers of the Microsoft Windows NT kernel, and is responsible for hardware abstraction, process handling, and memory management. In addition to the kernel and executive layers, it contains the cache manager, security reference monitor, memory manager, scheduler (Dispatcher), and blue screen of death.

In Windows NT operating systems, a Windows service is a computer program that operates in the background. It is similar in concept to a Unix daemon. A Windows service must conform to the interface rules and protocols of the Service Control Manager, the component responsible for managing Windows services. It is the Services and Controller app, services.exe, that launches all the services and manages their actions, such as start, end, etc.

<span class="mw-page-title-main">Task Manager (Windows)</span> Task manager application included with the Windows NT family of operating systems

Task Manager, previously known as Windows Task Manager, is a task manager, system monitor, and startup manager included with Microsoft Windows systems. It provides information about computer performance and running software, including name of running processes, CPU and GPU load, commit charge, I/O details, logged-in users, and Windows services. Task Manager can also be used to set process priorities, processor affinity, start and stop services, and forcibly terminate processes.

The Microsoft Windows operating system supports a form of shared libraries known as "dynamic-link libraries", which are code libraries that can be used by multiple processes while only one copy is loaded into memory. This article provides an overview of the core libraries that are included with every modern Windows installation, on top of which most Windows applications are built.

The Client/Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem. In modern versions of Windows, it is primarily involved with process and thread management, console window handling, side-by-side assembly loading and the shutdown process. Historically, it had also been responsible for window management and graphics rendering, however, these operations have been moved to kernel mode starting with Windows NT 4.0 to improve performance.

In computing, tasklist is a command available in Microsoft Windows and in the AROS shell.

The booting process of Microsoft Windows varies between different releases.

<span class="mw-page-title-main">Performance Monitor</span> System monitoring program

Performance Monitor is a system monitoring program introduced in Windows NT 3.1. It monitors various activities on a computer such as CPU or memory usage. This type of application may be used to determine the cause of problems on a local or remote computer by measuring performance of hardware, software services, and applications. The program can define thresholds for alerts and automatic actions, generate reports, and view past performance data.

Windows Vista contains a range of new technologies and features that are intended to help network administrators and power users better manage their systems. Notable changes include a complete replacement of both the Windows Setup and the Windows startup processes, completely rewritten deployment mechanisms, new diagnostic and health monitoring tools such as random access memory diagnostic program, support for per-application Remote Desktop sessions, a completely new Task Scheduler, and a range of new Group Policy settings covering many of the features new to Windows Vista. Subsystem for UNIX Applications, which provides a POSIX-compatible environment is also introduced.

<span class="mw-page-title-main">Process Monitor</span> Is a free tool from Windows Sysinternals, part of the Microsoft TechNet website.

Process Monitor is a tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays in real-time all file system activity on a Microsoft Windows or Unix-like operating system. It combines two older tools, FileMon and RegMon and is used in system administration, computer forensics, and application debugging.

In computing on Microsoft platforms, WoW64 is a subsystem of the Windows operating system capable of running 32-bit applications on 64-bit Windows. It is included in all 64-bit versions of Windows, except in Windows Server Server Core where it is an optional component, and Windows Nano Server where it is not included. WoW64 aims to take care of many of the differences between 32-bit Windows and 64-bit Windows, particularly involving structural changes to Windows itself.

Server Core is a minimalistic Microsoft Windows Server installation option, debuted in Windows Server 2008. Server Core provides a server environment with functionality scaled back to core server features, and because of limited features, it has reduced servicing and management requirements, attack surface, disk and memory usage. Andrew Mason, a program manager on the Windows Server team, noted that a primary motivation for producing a Server Core variant of Windows Server 2008 was to reduce the attack surface of the operating system, and that about 70% of the security vulnerabilities in Microsoft Windows from the prior five years would not have affected Server Core. Most notably, no Windows Explorer shell is installed. All configuration and maintenance is done entirely through command-line interface windows, or by connecting to the machine remotely using Microsoft Management Console (MMC), remote server administration tools, and PowerShell.

<span class="mw-page-title-main">ProcDump</span> Command-line application

ProcDump is a command-line application used for monitoring an application for CPU spikes and creating crash dumps during a spike. The crash dumps can then be used by an administrator or software developer to determine the cause of the spike. ProcDump supports monitoring of hung windows and unhandled exceptions. It can also create dumps based on the values of system performance counters.

References

  1. How to use Process Explorer, Microsoft's free, supercharged Task Manager alternative
  2. Process Explorer, Part 2
  3. RTM’d today: Windows Sysinternals Administrator's Reference
  4. "Process Explorer - Windows Sysinternals". Archived from the original on 11 December 2015. Retrieved 26 January 2021.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
  5. "Process Explorer - Windows Sysinternals | Microsoft Docs". Archived from the original on 25 July 2021. Retrieved 30 June 2024.
  6. Arntz, Pieter (9 November 2018). "Advanced tools: Process Hacker". Malwarebytes Labs. Retrieved 22 January 2022.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.