Have you ever opened Windows Task Manager, clicked the Processes tab and seen svchost.exe sitting at 100% CPU? Unfortunately, Task Manager alone doesn't tell you which program or service behind that svchost.exe is actually consuming the processing power (newer versions group them under "Service Host" entries, but still show far less than the tools below).
That is because svchost.exe is a generic service host: a single svchost.exe instance can load several Windows services implemented as DLLs (Windows Update, DCOM Server Process Launcher, Remote Procedure Call, Remote Registry, DNS Client and many more), so the process name alone tells you nothing about which service is busy. You may also need to know which DLLs a process has loaded and which handles it holds open, or you may simply want to find out what launches at logon so that you can disable Windows startup programs.
If you work in IT, there will come a time when you need more information about a Windows process than Task Manager offers. There are two really useful Sysinternals tools for exploring Windows processes in depth, and I'll give you a quick overview of both.
Process Explorer is a great free tool that lets you pinpoint the Windows service or program behind a particular process. For example, to see which services are running inside each svchost.exe instance, just hover the mouse over the process name, or open the process's Properties and look at the Services tab.
You can also use Process Explorer to find out which process has a particular file or directory open (Find > Find Handle or DLL, Ctrl+F) and then end that process. This is great when you are trying to delete or move files but they are locked by an active Windows process. Process Explorer also lets you close the individual handle, but closing a handle out from under a running process can crash it or corrupt whatever it was writing, so prefer ending the process cleanly where you can.
You can also see which DLLs a process has loaded and which handles (files, registry keys, events, sockets) it currently holds open, using the lower pane (View > Show Lower Pane, switched between DLLs and Handles). This is very useful for identifying DLL version problems, checking whether loaded modules are signed, or tracking down handle leaks.
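The two checks above, scripted, as an added example that is not part of the original article or of the Sysinternals tools: it maps every svchost.exe instance to the services it hosts, ranks them by CPU time, flags instances that do not look like the genuine service host, and lists the loaded modules of any flagged PID with a signature check (the lower-pane DLL view). It assumes an elevated PowerShell session; unelevated, ExecutablePath and owner come back empty for system processes and the path check misfires.

```powershell
# Added example (not from the original article or from Sysinternals). Run elevated.

function Get-SvchostReport {
    # Running services keyed by the PID that hosts them (ProcessId 0 = stopped).
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object ProcessId -AsHashTable -AsString

    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $hosted = $svcByPid["$($p.ProcessId)"]

        # A genuine service host runs from System32, is started by services.exe and
        # hosts at least one registered service. Anything else deserves a closer look;
        # malware commonly borrows the svchost.exe name from some other directory.
        $odd = @()
        if ($p.ExecutablePath -ne $expectedPath) { $odd += "path=$($p.ExecutablePath)" }
        if ($parent.Name -ne 'services.exe')     { $odd += "parent=$($parent.Name)" }
        if (-not $hosted)                        { $odd += 'no hosted services' }

        [pscustomobject]@{
            PID          = $p.ProcessId
            # Win32_Process reports CPU times in 100-nanosecond units.
            CPUSeconds   = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
            User         = "$($owner.Domain)\$($owner.User)"
            ServiceGroup = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }
            Services     = ($hosted.Name -join ', ')
            Suspicious   = ($odd -join '; ')
        }
    }
}

function Get-SuspectModules {
    # Equivalent of the Process Explorer lower-pane DLL view, plus an Authenticode check.
    param([Parameter(Mandatory)][int]$ProcessId)
    Get-Process -Id $ProcessId -Module -ErrorAction SilentlyContinue |
        Select-Object ModuleName, FileName,
            @{ n = 'FileVersion'; e = { $_.FileVersionInfo.FileVersion } },
            @{ n = 'Signature';   e = { (Get-AuthenticodeSignature -FilePath $_.FileName).Status } }
}

# Usage: busiest service host first, then drill into anything flagged.
$report = Get-SvchostReport | Sort-Object CPUSeconds -Descending
$report | Format-Table -AutoSize -Wrap
$report | Where-Object Suspicious | ForEach-Object {
    Write-Host "`n== PID $($_.PID): $($_.Suspicious) =="
    Get-SuspectModules -ProcessId $_.PID | Format-Table -AutoSize
}
```

On Windows 10 version 1703 and later with more than about 3.5 GB of RAM, most services get their own svchost.exe instance, so many rows will list a single service; the ServiceGroup column (the `-k` argument) still tells you which service group it belongs to. For a quick one-liner without the checks, `tasklist /svc` prints the same PID-to-service mapping.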
So Process Explorer is great for examining cryptic processes like svchost.exe, but for real-time file system, registry and process/thread activity you want Process Monitor. I really like Process Monitor because it combines RegMon and FileMon, two excellent older Sysinternals monitoring tools, into one.
It is a great tool for troubleshooting your system as well as for tracking down annoying malware. Since Process Monitor shows exactly which files and registry keys a process touches in real time, it is ideal for recording every file and registry entry a new program adds when it installs, or every persistence location a suspicious process writes to.
It also captures more detail about each process than Task Manager does, such as image path, user, session ID, parent PID and command line.
When you first open Process Monitor it can be pretty daunting, because it captures thousands of events per second, essentially everything every process on the system is doing. However, you can use its filters to narrow the capture down to exactly what you are looking for.
In the Filter dialog you can filter by process name, event class, PID, session, user, version, time of day, and more. Within moments of launching Process Monitor, it had captured 800,000 events on my machine! However, by adding filters to home in on one process I brought that down to fewer than 500.
It also has many other advanced features, such as image load monitoring (DLLs and kernel-mode device drivers), non-destructive filtering (filtered-out events stay in the log and can be shown again), thread stack capture for every event, robust logging to a backing file, boot-time logging, and more.
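Filtering scripted rather than clicked, as an added example that is not part of the original article or of the Sysinternals tools: it runs Process Monitor unattended for a fixed window, exports the trace to CSV, then applies the kind of filter the Filter dialog would (operation, result, path) to pull out successful writes to common persistence locations such as Run keys, service ImagePath values and Startup folders. It assumes Procmon.exe was unpacked to C:\Tools (adjust $ProcmonPath) and that the session is elevated, since Process Monitor loads a kernel driver.

```powershell
# Added example (not from the original article or from Sysinternals). Run elevated.

$ProcmonPath = 'C:\Tools\Procmon.exe'   # assumption: wherever the Sysinternals suite lives
$Seconds     = 60
$Work        = Join-Path $env:TEMP 'procmon-trace'
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$pml = Join-Path $Work 'trace.pml'
$csv = Join-Path $Work 'trace.csv'

# 1. Capture. /AcceptEula skips the licence dialog, /Quiet suppresses filter prompts,
#    /Minimized keeps the window out of the way, /BackingFile logs to disk instead of RAM.
Start-Process -FilePath $ProcmonPath -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Start-Sleep -Seconds $Seconds
# /Terminate stops every running Process Monitor instance and flushes the backing file.
Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait
Wait-Process -Name Procmon, Procmon64 -ErrorAction SilentlyContinue

# 2. Export. /OpenLog with /SaveAs converts the PML; the extension selects CSV.
Start-Process -FilePath $ProcmonPath -ArgumentList "/AcceptEula /OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# 3. Filter. Paths are written the way Process Monitor prints them (HKLM\..., HKCU\...).
$persistencePaths = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    '\Start Menu\Programs\Startup\'
)
$persistenceRegex = (
    @($persistencePaths | ForEach-Object { [regex]::Escape($_) }) +
    # Service registrations: only the values that control what gets executed.
    'HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\(ImagePath|Start|Parameters\\ServiceDll)$'
) -join '|'

function Find-PersistenceWrites {
    param([Parameter(Mandatory)][string]$CsvPath)
    Import-Csv -Path $CsvPath | Where-Object {
        $_.Result -eq 'SUCCESS' -and
        $_.Path -match $persistenceRegex -and
        (
            ($_.Operation -in @('RegSetValue', 'RegCreateKey', 'WriteFile')) -or
            # CreateFile fires for reads too; keep only calls that created or truncated a file.
            ($_.Operation -eq 'CreateFile' -and $_.Detail -match 'OpenResult: (Created|Overwritten)')
        )
    } | Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Detail
}

Find-PersistenceWrites -CsvPath $csv | Format-Table -AutoSize -Wrap
```

The CSV columns used here (Time of Day, Process Name, PID, Operation, Path, Result, Detail) are Process Monitor's default export columns; if you have added or removed columns in the GUI the export follows your layout. If you would rather keep the filter inside the tool, build it once in the Filter dialog, save it with File > Export Configuration, and pass that .pmc file with /LoadConfig on the capture command line.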