Introduction


Processes are a fundamental component of the Windows operating system. Everything you do on a system, whether deleting a file, starting a service, or typing text in Notepad, has a process behind it. Because processes are so central, administrators need to understand how to manage, monitor, and troubleshoot them.

Processes consume system resources, chiefly CPU time and memory, in order to run, but not all processes are created equal. Some use far more than others, and you will regularly run into a process that is using more than it should and starving other processes of the chance to do work. Processes also open files, load DLLs, and open Registry keys and values. Each such open object is represented in the process by a handle, and depending on the sharing mode requested when the object was opened, no other process may be able to modify or delete it while the handle stays open. That is why you can find yourself unable to rename a file that some process has locked.

Appendix E lists the processes that run by default in Windows. Several of them start whenever a Windows server boots, and any application you have installed to run at system startup adds one or more processes of its own, all without you doing a thing. This is why you need to be able to create, query, suspend, and terminate processes on demand; otherwise it is very easy to lose control over how your system performs.

In this chapter, I review how to identify process-related issues and cover the process-related tasks you should be familiar with. You may never need some of them, but it is important to know what is possible so that when you do run into a situation where, for example, you need to suspend a process, you know how to do it.

Using a Graphical User Interface

When it comes to the GUI, there are only two tools you need to know to manage processes. Task Manager (taskmgr.exe) is a native Windows tool that lets you view and kill running applications and processes and shows per-process performance data such as CPU and memory utilization. Task Manager was updated in Windows Server 2003 with a Networking tab and a Users tab. The Networking tab shows the system's current network activity (although not broken down by process). The Users tab shows which users are currently logged on and lets you disconnect or log them off.

Press Ctrl-Shift-Esc to launch Task Manager directly, without going through the Windows Security dialog that Ctrl-Alt-Del displays.


The other tool is Process Explorer (procexp.exe) from Sysinternals. It is similar to Task Manager but provides far more process management functionality: it shows the process tree, lets you view all the handles and DLLs associated with a process, and lets you search for a specific process, handle, or DLL. Its properties dialog also shows the image path, command line, and parent of a process, which is the quickest way to spot a process that is masquerading under the name of a system binary. Neither tool lets you manage processes on a remote server. To do that, you need one of the many available command-line tools.

Using a Command-Line Interface

There are several process-related command-line tools, many of them from Sysinternals. Windows 2000 did not ship any good process management utilities natively, but there were a few in the Resource Kit. In Windows XP and Windows Server 2003, Microsoft added the tasklist and taskkill utilities, which are installed with Windows and are very powerful. For advanced process query and manipulation tools, look no further than Sysinternals. Table 6-1 lists the command-line tools used in this chapter, where each can be found, and the recipes in which it is used.

Table 6-1. Command-line tools used in this chapter

Tool        Windows Server 2003     Windows 2000               Recipes
----------  ----------------------  -------------------------  ----------------------------
handle      Sysinternals            Sysinternals               6.11
listdlls    Sysinternals            Sysinternals               6.9
netstat     %SystemRoot%\system32   %SystemRoot%\system32      6.12
netstatp    Sysinternals            Sysinternals               6.12
portqry     MS KB 310099            MS KB 310099               6.12
pslist      Sysinternals            Sysinternals               6.4, 6.5, 6.8
pskill      Sysinternals            Sysinternals               6.3, 6.14
pssuspend   Sysinternals            Sysinternals               6.2
taskkill    %SystemRoot%\system32   N/A                        6.3, 6.14
tasklist    %SystemRoot%\system32   N/A                        6.4, 6.5, 6.6, 6.7, 6.13
tlist       N/A                     Resource Kit Supplement 1  6.5, 6.6
top         N/A                     Resource Kit Supplement 1  6.4
wmic        %SystemRoot%\system32   N/A                        6.1, 6.4, 6.7
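As an added example that is not from the book: the following PowerShell wraps two of the in-box tools from Table 6-1, netstat and tasklist, to answer a question that comes up constantly in troubleshooting and incident response, namely which process (and which account) owns a given listening TCP port. PowerShell is not part of Windows Server 2003 and is not covered by this chapter; the script assumes Windows PowerShell 5.1 or later, and the function name Get-ListeningPortOwner is my own.

```powershell
# Added example, not from the Windows Server Cookbook. Joins the output of
# netstat (-o shows the owning PID) with tasklist (/v adds the user name) so
# that a listening TCP port can be tied back to a process and its account.
# Assumes Windows PowerShell 5.1 or later; the function name is my own.
function Get-ListeningPortOwner {
    [CmdletBinding()]
    param(
        # Report only this local port; omit (0) to list every TCP listener.
        [int]$Port
    )

    # tasklist /v /fo csv prints a header row ("Image Name","PID","Session Name",
    # "Session#","Mem Usage","Status","User Name","CPU Time","Window Title")
    # followed by one CSV row per process. Index the rows by PID so that each
    # netstat line can be resolved with a single lookup.
    $byPid = @{}
    tasklist.exe /v /fo csv | ConvertFrom-Csv | ForEach-Object {
        $byPid[[int]$_.PID] = $_
    }

    # netstat -a (all sockets) -n (numeric addresses) -o (owning PID). A TCP
    # listener line looks like:
    #   TCP    0.0.0.0:135      0.0.0.0:0      LISTENING      880
    # IPv6 listeners appear as [::]:135; the greedy \S+ still captures them.
    netstat.exe -ano | ForEach-Object {
        if ($_ -notmatch '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') { return }

        $localAddr = $Matches[1]
        $localPort = [int]$Matches[2]
        $ownerPid  = [int]$Matches[3]
        if ($Port -and $localPort -ne $Port) { return }

        # $null if the process exited between the tasklist and netstat snapshots.
        $task  = $byPid[$ownerPid]
        $image = if ($task) { $task.'Image Name' } else { '<no longer running>' }
        $user  = if ($task) { $task.'User Name' }  else { $null }

        [pscustomobject]@{
            Address = $localAddr
            Port    = $localPort
            PID     = $ownerPid
            Image   = $image
            User    = $user
        }
    }
}

# Usage: every TCP listener on the box, then the owner of one specific port.
Get-ListeningPortOwner | Sort-Object Port | Format-Table -AutoSize
Get-ListeningPortOwner -Port 135

# Once the PID is known, taskkill (Recipe 6.3) terminates it; /F forces the kill:
#   taskkill /PID <pid> /F
```

Two practical caveats. tasklist reports "N/A" in the User Name column for processes the caller is not allowed to open, so run this from an elevated prompt when you need the account of a service or another user's process. The CSV header names are localized, so on a non-English system adjust the 'Image Name' and 'User Name' property names to match the headers tasklist actually prints.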


Using VBScript

The Win32_Process WMI class represents individual processes and is the only class I use extensively in this chapter. With it, you can create, terminate, and set the priority of a process. Additionally, you can get very detailed information about each process using the properties of Win32_Process objects. For your convenience, I've included the complete list of methods and properties available with Win32_Process in Table 6-2 and Table 6-3.

Table 6-2. Win32_Process methods

Name            Description
--------------  ----------------------------------------------------------------------------------
AttachDebugger  Launches the debugger registered on the system for the process.
Create          Creates a new process, running it in the security context of the caller.
GetOwner        Returns the user name and domain of the account the process is running under.
GetOwnerSid     Returns the security identifier (SID) of the account the process is running under.
SetPriority     Changes the execution priority of the process.
Terminate       Kills the process and all of its threads.


Table 6-3. Win32_Process properties

Name                        Description
--------------------------  -------------------------------------------------------------------------------------------
Caption                     Name of the process executable (e.g., notepad.exe).
CommandLine                 Command line used to start the process.
CreationDate                Date and time the process was started.
CSName                      Name of the computer running the process.
Description                 Name of the process executable (e.g., notepad.exe); same value as Caption and Name.
ExecutablePath              Full path to the process executable.
Handle                      Process ID (PID) of the process as a string; this is the key property of the class.
HandleCount                 Total number of handles currently open by the process.
KernelModeTime              Time (in 100-nanosecond units) the process has spent in kernel mode.
MaximumWorkingSetSize       Maximum working set size of the process (in kilobytes).
MinimumWorkingSetSize       Minimum working set size of the process (in kilobytes).
Name                        Name of the process executable (e.g., notepad.exe).
OtherOperationCount         Number of I/O operations performed by the process that were neither reads nor writes.
OtherTransferCount          Amount of data transferred (in bytes) in I/O operations that were neither reads nor writes.
PageFaults                  Total number of page faults the process has generated.
PageFileUsage               Amount of page file space (in kilobytes) the process is using.
ParentProcessId             Process ID (PID) of the parent process.
PeakPageFileUsage           Peak amount of page file space (in kilobytes) the process has used.
PeakVirtualSize             Peak virtual address space (in bytes) the process has used.
PeakWorkingSetSize          Peak working set size of the process (in kilobytes).
Priority                    Current base priority of the process, from 0 (lowest) to 31 (highest).
PrivatePageCount            Number of memory pages allocated that are accessible only to this process.
ProcessId                   Process ID (PID) of the process.
QuotaNonPagedPoolUsage      Nonpaged pool quota currently used by the process.
QuotaPagedPoolUsage         Paged pool quota currently used by the process.
QuotaPeakNonPagedPoolUsage  Peak nonpaged pool quota used by the process.
QuotaPeakPagedPoolUsage     Peak paged pool quota used by the process.
ReadOperationCount          Number of read operations performed by the process.
ReadTransferCount           Amount of data read (in bytes) by the process.
SessionId                   ID of the session in which the process is running.
TerminationDate             Date and time the process terminated. A handle to the process must be held open for this to be available.
ThreadCount                 Number of active threads in the process.
UserModeTime                Time (in 100-nanosecond units) the process has spent in user mode.
VirtualSize                 Current size (in bytes) of the virtual address space the process is using.
WorkingSetSize              Amount of memory (in bytes) in the working set of the process.
WriteOperationCount         Number of write operations performed by the process.
WriteTransferCount          Amount of data written (in bytes) by the process.


Another process-related WMI class that may interest you is Win32_ProcessStartup. I do not cover it in this book, but you may find it useful when you need control over how a process is created. You can pass an instance of Win32_ProcessStartup as a parameter to the Win32_Process.Create method to specify the window settings (position, size, visibility, title) and the priority class of the new process. Search for Win32_ProcessStartup at http://msdn.microsoft.com/ for details.
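The following is an added example, not code from the book, that exercises the Win32_Process methods and properties from Tables 6-2 and 6-3 together with the Win32_ProcessStartup class described above. The book's recipes use VBScript; this rendering uses PowerShell's CIM cmdlets against the same WMI class, and assumes Windows PowerShell 5.1 or later (the CIM cmdlets need at least PowerShell 3.0, which did not exist on Windows Server 2003). The function names Start-WmiProcess, Get-WmiProcessReport, Set-WmiProcessPriority and Stop-WmiProcess are my own.

```powershell
# Added example, not from the Windows Server Cookbook. Drives Win32_Process
# (Create, GetOwner, GetOwnerSid, SetPriority, Terminate) and Win32_ProcessStartup
# through the CIM cmdlets. Assumes Windows PowerShell 5.1+; function names are mine.

# PriorityClass values shared by Win32_ProcessStartup.PriorityClass and
# Win32_Process.SetPriority (documented on MSDN).
$PriorityClass = @{
    Idle        = 0x40
    BelowNormal = 0x4000
    Normal      = 0x20
    AboveNormal = 0x8000
    High        = 0x80
}
$SW_HIDE = [uint16]0   # Win32_ProcessStartup.ShowWindow: 0 = no visible window

function Start-WmiProcess {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [ValidateSet('Idle','BelowNormal','Normal','AboveNormal','High')]
        [string]$Priority = 'Normal',
        [switch]$Hidden
    )
    # Win32_ProcessStartup is passed by value: build a client-side instance and
    # hand it to Create as the ProcessStartupInformation argument.
    $props = @{ PriorityClass = [uint32]$PriorityClass[$Priority] }
    if ($Hidden) { $props.ShowWindow = $SW_HIDE }
    $startup = New-CimInstance -ClassName Win32_ProcessStartup -ClientOnly -Property $props

    $result = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{
        CommandLine               = $CommandLine
        ProcessStartupInformation = $startup
    }
    # ReturnValue: 0 success, 2 access denied, 3 insufficient privilege,
    # 8 unknown failure, 9 path not found, 21 invalid parameter.
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Process.Create failed with return code $($result.ReturnValue)"
    }
    [int]$result.ProcessId
}

function Get-WmiProcessReport {
    param([Parameter(Mandatory)][int]$ProcessId)
    $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) { throw "No process with PID $ProcessId" }
    # GetOwner and GetOwnerSid are instance methods, so they take the object itself.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $sid   = Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid
    [pscustomobject]@{
        PID            = $p.ProcessId
        ParentPID      = $p.ParentProcessId
        Name           = $p.Name
        ExecutablePath = $p.ExecutablePath
        CommandLine    = $p.CommandLine
        Owner          = "$($owner.Domain)\$($owner.User)"
        OwnerSid       = $sid.Sid
        SessionId      = $p.SessionId
        Priority       = $p.Priority            # 0-31 base priority, not the class
        Threads        = $p.ThreadCount
        Handles        = $p.HandleCount
        WorkingSetMB   = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Started        = $p.CreationDate        # a DateTime under the CIM cmdlets
    }
}

function Set-WmiProcessPriority {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)]
        [ValidateSet('Idle','BelowNormal','Normal','AboveNormal','High')]
        [string]$Priority
    )
    $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    (Invoke-CimMethod -InputObject $p -MethodName SetPriority -Arguments @{
        Priority = [int32]$PriorityClass[$Priority] }).ReturnValue   # 0 = success
}

function Stop-WmiProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    # Terminate is abrupt: no WM_CLOSE, and the target gets no chance to flush state.
    (Invoke-CimMethod -InputObject $p -MethodName Terminate -Arguments @{ Reason = [uint32]1 }).ReturnValue
}

# Walk-through: start a hidden, idle-priority Notepad, inspect it, raise its
# priority class back to Normal, then terminate it.
$newPid = Start-WmiProcess -CommandLine 'notepad.exe' -Priority Idle -Hidden
Get-WmiProcessReport -ProcessId $newPid | Format-List
Set-WmiProcessPriority -ProcessId $newPid -Priority Normal
Stop-WmiProcess -ProcessId $newPid
```

Two points worth keeping in mind when you use Create for real work. The new process runs with the caller's token, and when the call is made against a remote machine (the -ComputerName or -CimSession parameters of these cmdlets, or wmic /node:...) it starts with no interactive window and with WmiPrvSE.exe as its parent; that is exactly why remote process creation over WMI is a favourite lateral-movement technique and why a child of WmiPrvSE.exe is worth alerting on. Also, CommandLine and ExecutablePath are read from the live process, so when you are investigating a suspect process treat them as informational rather than authoritative.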



Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen