Performance issues in Microsoft Windows system can be fixed by finding the running process at given time and also it will help to understand how our CPU and other resources are being used . Process Explorer is the most popular tool and it can be downloaded from sysinternals.

Windows has always included the task manager to find the processes that are running on our system but it often doesn’t provide the deep enough information but in Process Explorer we have so many key features which helps to drill in to what was happening on a windows system from a process perspective.As a Windows Administrator we should know the features of the tool and I have described below some key features which was taken from the  Windows Sysinternals Administrator’s Reference book by Mark E. Russinovich, Aaron Margosis and I hope it will give some idea about the functionality of the tool and I would highly recommend this book for the more information.

.

Key Features.

Tree view shows parent\child process relationships

Color coding to identify the process type ,such as services,.Net process, process running as the same user as procexp, process that are related to job and packed images.

Tooltips show Command line and other information

Highlights to call attention to new and recently exited process.

More Accurate indication of CPU consumption based on CPU cycle.

Identify which process owns any visible window.

Identifies all dynamic-link-library (DLL ) and mapped files loaded by a process and all handles to keneral obj opened by a process

Detailed metrics of memory usage and I/o and TCP/IP endpoints.

Graphical representation of CPU activity, memory usage and I\O activity, both system wide and per-process.

Create process dumps.

Main Windows:

Process list is a table in which each row represents a process on the system and the column represent continually updated attributes of those process.

Process Highlighting:

Light blue :: process that run on same user group account as Procexp.

Pink : Designates services , process containing one or more windows services

Violet:: it denotes “ packed images” tool uses simple rule to identify program files that might contain executable code in compressed form ,encrypted form or both. Ex malware

Brown: it indicates jobs. Job is a windows construct that allows one or more process to be managed as a unit.jobs it is not highlighted by default

Yellow: Indicates .Net process , process which uses .NET framework

Dark gray : indicate suspended process. These are process in which all threads are suspended and cannot be scheduled for execution.

If the process belongs to more than one categories, the precedence order is packed,.net,jobs,services , .net process because it has higher precedence than services..

Newly process will be in green color for one sec and when it exit it will remain in red color for one second.

We can change the color by selecting configure highlight..

Default Columns:

Each Column in the process represents some static or Dynamic attribute of the process and Dynamic attributes are updated at each automatic refresh interval.

Pls find the default setup.

Process – column shows the name of the exe , along with its icon

PID – process ID

CPU – % of CPU

Private bytes – no of bytes allocated and committed by the process for its own use and that are not shareable with other process. Memory leaks are often exhibited by a continual rise in this value.

Working set – Amount of physical memory assigned to the process by memory manager.

Description and company name : Extracted from the version info resources of the exe image file. Tool will populate only if it identify the path to the file and read from it which also need admin rights.

Process tree- Tool shows all the process in tree format which also includes ascending and descending mode.It shows the process parent\child relationships.Whenever a process creates another process,Windows puts the Process ID ( PID) of the creating process ( the parent ) into the internal data structure of the new process ( the child).

View inside tool – First three process inside the tree is system idle process , system , interrupts…

System ideal process and interrupts are not real OS process

System Ideal process – called IDLE by some utilities and it has one thread per CPU , which is used to account the CPU ideal time when windows are not running any code. Since its not the real process the PID will be 0.

System process – it host only kernel mode system threads which only run in kernel mode , this threads execute operating system code from ntoskrnl.exe and device driver code.

Interrupts – pseudo ( virtual) process represents kernel- mode time spent servicing the interrupts and deferred calls.

Additional Information:

Startup and logon process – from the time windows starts until the first user logs on , there is a well-defined sequence of process.  context

Startup sequence changed between widows XP and vista.

1. System process starts SMSS.exe ( Session manager )
2. Which starts Csrss.exe ( windows )sub system and winlogon.exe
3. Winlogon starts the service.exe ( Service control manager process ),Lsass.exe ( Local security authority subsystem) and two process not in pic logonUI.exe (which displays the logon screen on non-domain-joined systems and userinit.exe (which windows started after the user logged on )
4. exe lanches explore.exe (user shell application) and then exited.
5. Most user application are direct or indirect descendants of explrer.exe

System process starts an instance smss.exe , which remains running until system shutdown ,  that smss.exe launches two new instance one in session 0 and one in session 1.

Reference :