If you’re like most IT pros, chances are that you occasionally turn to Task Manager when troubleshooting a problem in Windows 2000 or Windows XP. When you launch Task Manager, it normally opens to the Applications tab, which lists the running applications, or tasks, and their status. However, when you switch to the Processes tab, you’ll see that there are many more processes running than there are applications.
Some of the processes are easy to identify—especially if they represent an application. For example, it’s easy to tell that the notepad.exe process corresponds to Notepad.
However, other processes, such as Lsass.exe or svchost.exe, are much more difficult to identify, with some corresponding to portions of the operating system while others correspond to applications or utilities that run in the background.
Wouldn’t it be nice if you could point to a process on Task Manager’s Processes tab and simply click a button to reveal the identity of the process? Unfortunately, that’s not the way Task Manager was designed. If you want to identify a process, you’re left to a manual operation that involves either tracking down the process’s actual executable file and investigating its properties dialog box or using the Services tool.
Having found that the former manual operation usually produces good results, I decided that it was high time that I sat down and developed a script with VBScript and Windows Script Host that would automate the gathering of information from the properties dialog box. Furthermore, I really wanted to experiment with using data from Windows XP’s new WMIC (Windows Management Instrumentation Command-line) tool in scripts. WMIC can provide you with a lot of details on running processes, such as each process’s executable name and path, but it doesn’t identify them.
In this Daily Drill Down, I’ll show you several sources that you can use to go about identifying the processes that Task Manager displays on the Processes tab. I’ll then introduce you to my Process Explorer script and show you how you can use it to identify processes. Along the way, I’ll provide you with information about some of the standard processes you’re likely to encounter as well as tips on how to determine which processes can be safely stopped to solve problems or free up system resources.
Download the Windows XP Processes Explorer script
The Windows XP Processes Explorer script (ProcessExplorer.zip) is available as a download accompanying this article.
Using Task Manager’s Go To Process command
Before we get started with some of the more elaborate means of identifying processes, let’s start at the beginning and look at a feature built into Task Manager that can, on a basic level, help you identify processes associated with running applications. When you’re looking at the Applications tab, you can right-click on any application, or task, to bring up a context menu that contains a command titled Go To Process, as shown in Figure A. When you select this command, Task Manager immediately switches to the Processes tab and highlights the main process that corresponds to that application.
|Using the Go To Process command will help you to identify processes associated with running applications.|
Once you’ve linked a process to an application, you can return to the application and shut it down as you normally would. You can then check the Processes tab to make sure that the process associated with that application has shut down as well.
Keeping track of multiples
As you’re using the Go To Process method of tracking down processes, keep in mind that some applications spawn multiple processes. For example, if you’re running Windows XP and launch the Help and Support Center, when you right-click on the corresponding task on the Applications tab and select the Go To Process command, Task Manager highlights the Helpctr.exe process. However, launching the Help and Support Center also launches another process called Helpsvc.exe. And, if you use the Help and Support Center’s Search feature, another process called HelpHost.exe is launched.
Another thing to keep in mind is that more than one task on the Applications tab can be linked to a single process. For example, if you’re using Outlook as your e-mail client and have several messages open, you’ll see a task for each message as well as for the main program; if you use the Go To Process command on any of these tasks, they’ll all point back to a single process—Outlook.exe.
Using the process file’s properties
While Task Manager provides you with a method for identifying processes associated with applications, there’s no built-in method for identifying processes associated with the operating system, or with utilities that run in the background or from the notification area of the taskbar. To identify these files, you’re left to a manual procedure.
To perform the manual procedure, you begin by launching the Search tool and searching for the executable filename of the process you’re interested in identifying. Once Search locates the file, you’ll right-click on the file and select the Properties command. When you see the Properties dialog box, select the Version tab. There you’ll find all sorts of information that can help you to identify the process.
For example, Figure B shows the Properties dialog box for the Smss.exe process. Right off the bat, you can tell that this is an operating system file (according to the Description field near the top of the tab), which identifies Smss.exe as the Windows NT Session Manager. In the Other Version Information section, you can select the various Item Names to find out more about the file. As you can see, in this case, the Product Name item specifically identifies this file as being part of the operating system.
|Using the version tab of a file’s Properties dialog box, you can learn a lot about a file that is listed as a process.|
If you still require more detailed information, using the information supplied on the Version tab of the properties dialog box, you can launch a more knowledgeable search on the Internet, newsgroups, or on the Microsoft Knowledge Base.
Using the Services tool
As you study the list of items on the Processes tab, you’ll definitely see several Svchost.exe processes. Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). You’ll also see a process titled Services.exe, which hosts several essential Windows operating system services.
You can therefore learn more about the specific services running inside the Svchost.exe or Services.exe processes by using the Services tool. To do so, open Control Panel, open Administrative Tools, and double-click Services. In the Services tool, click the Status column header to sort the list so that started services appear at the top. Then double-click one of those services and check the Path To Executable text box. If it lists Svchost.exe or Services.exe, you’ve identified a specific service that is associated with one of those running processes. Note that the box does not tell you which of several Svchost.exe instances hosts the service; the next section shows how to find that.
You can then read the Description panel to learn what the service does and decide whether you can safely stop or pause it, or even change its startup type. Before you do, check the service’s Dependencies tab: stopping a service also stops every service that depends on it. Stopping a service reduces the memory usage of the Svchost.exe process that hosts it and frees up some system resources.
For example, if you’re running Windows XP and double-click the Themes service, you’ll see that it runs under the Svchost.exe process, as shown in Figure C.
|Many services run under the Svchost.exe process.|
Pinpointing process hosted services
If you want to identify exactly which Svchost.exe process a specific service is running under, open a Command Prompt and use one of the following commands.
In Windows XP:
Tasklist /FI "IMAGENAME eq svchost.exe" /svc
In Windows 2000:
When you see the results, take note of the PID (Process Identifier) number of the Svchost.exe process that is hosting the service you’re interested in. Then, return to Task Manager, select the Processes tab, pull down the View menu, choose the Select Columns command, select the PID check box, and click OK. You can then match up the PID numbers and pinpoint exactly which Svchost.exe process is hosting the service.
In addition to those services that run under a host process, you’ll find some services that run as their own process, so the Path To Executable box names the process directly. For example, on Windows XP, IPSEC Services shows Lsass.exe as its executable, which tells you that the Lsass.exe process is hosting it. Therefore, it’s definitely worth your while traipsing through the Services tool when trying to identify processes.
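The join described in the last two sections (Tasklist /svc output matched against Task Manager’s PID column) can be done in one pass from the Win32_Service and Win32_Process WMI classes. The following is an added example, not code from the original article or from its Process Explorer script; it assumes PowerShell 2.0 or later (installable on Windows XP SP3) and an administrative prompt so that every process’s image path is readable. It lists each running service under the PID and image of the process that hosts it, so you can see at a glance which services share a given Svchost.exe, Services.exe, or Lsass.exe instance, and it marks any service registered to run in Svchost.exe whose live host image is not the expected system32 copy, which is the case worth investigating before you trust the process.

```powershell
# Added example, not the article's script: list running services grouped by the
# PID and image path of their host process (the tasklist /svc + PID-column join).

# Index running processes by PID once. ExecutablePath is empty for System,
# System Idle Process, and any process you are not allowed to inspect.
$procByPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procByPid[[int]$_.ProcessId] = $_ }

# Running services only: a stopped service has ProcessId 0 and hosts nothing.
$running = Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Running' }

# The only copy of svchost.exe that should ever host a service.
$expectedHost = Join-Path $env:SystemRoot 'system32\svchost.exe'

$running |
    Group-Object ProcessId |
    Sort-Object { [int]$_.Name } |
    ForEach-Object {
        $hostPid = [int]$_.Name
        $proc    = $procByPid[$hostPid]
        $image   = if ($proc -and $proc.ExecutablePath) { $proc.ExecutablePath } else { '<image path not available>' }
        "PID $hostPid  $image"
        foreach ($svc in $_.Group) {
            # PathName is the 'Path to executable' box in the Services tool,
            # e.g. C:\WINDOWS\system32\svchost.exe -k netsvcs
            $note = ''
            # A service registered to run in svchost.exe whose live host is some
            # other image deserves a second look before the process is trusted.
            if ($svc.PathName -match 'svchost\.exe' -and $proc -and $proc.ExecutablePath -and
                $proc.ExecutablePath -ne $expectedHost) {
                $note = '  (!) host image differs from registered path'
            }
            '    {0,-24} {1,-44} {2}{3}' -f $svc.Name, $svc.DisplayName, $svc.PathName, $note
        }
    }
```

Run it from an elevated PowerShell prompt and compare the PIDs it prints with the PID column in Task Manager; the grouping is exactly what Tasklist /svc shows, with the registered path and the live host image side by side.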
Using the Process Explorer script
As I mentioned, I wrote the Process Explorer script in VBScript and Windows Script Host to automate the operation of gathering details about a process by investigating the properties associated with the process’s executable file. I also wanted to experiment with WMIC (pronounced “WeeMek”), which is only available in Windows XP and the Windows Server 2003 family.
WMIC is designed to bring the systems management power of WMI (Windows Management Instrumentation), previously reachable only from scripting environments such as Windows Script Host, to the command line. The coolest thing about WMIC is that it uses aliases to mask the complexity of WMI’s class names and its syntax. Furthermore, I discovered that WMIC could very quickly and easily provide me with the kind of details on processes that I needed for the script, namely executable name and path, with a single command line consisting of the command:
process get Caption, ExecutablePath
I experimented with straight WMI and was eventually able to get similar information, but it wasn’t consistent. Anyway, to make a long story short, since the Process Explorer script relies on WMIC, it will only run on Windows XP—it won’t run on Windows 2000.
If you’ve never used WMIC before, you should initiate it before you run the script for the first time. To do so, log on as a local administrator, open a command prompt, type WMIC and press [Enter]. You’ll then see a message indicating that the WMIC environment is being initiated. When you see the WMIC command prompt, you can type the command process get Caption, ExecutablePath to see the raw data used by the Process Explorer, or you can type quit to exit the WMIC window and begin using the Process Explorer script.
That said, let’s take a look at how the script works. To begin, just download the script package ProcessExplorer.zip. Once you do, you must create a folder in the root directory called ProcessExplorer and then unzip the following six files into the new folder:
ProcessExplorer.vbs
1.cnt
3.cnt
Process.ico
Progress.htm
Progress.gif
(If you don’t place the files in a folder called ProcessExplorer off the root directory, the script will fail to run correctly.)
Of course, ProcessExplorer.vbs is the main file and the one that you’ll use to launch the utility. You can create a shortcut to this file on your desktop if you want. The 1.cnt, 3.cnt, and Process.ico files are support files that are used to create the user interface for the Process Explorer, which by the way is implemented as an HTA (HTML Application). The Progress.htm and Progress.gif files are used to create a progress indicator.
Before launching the script, make sure that Windows associates .vbs files with the Windows-based version of the Windows Script Host (WSH), Wscript.exe. Windows provides two versions of WSH: a Windows-based host (Wscript.exe) that displays output in dialog boxes and exposes script settings through a Properties dialog, and a command-prompt host (Cscript.exe) that takes command-line switches for the same settings. Check out Microsoft Knowledge Base article 232211 for more information about WSH.
You must also make sure that the Hide Protected Operating System Files folder option is unchecked. If this advanced folder setting is checked, the script will not work. To configure this setting, open Windows Explorer, click Tools | Folder Options, and select the View tab. Under Advanced settings, make sure the check box for Hide Protected Operating System Files is unchecked.
When you launch the script, it first displays the animated progress indicator while in the background the script goes to work. To begin, the script accesses WMIC and obtains a list of processes that it then saves to a text file. It then sorts alphabetically and parses the contents of the text file. The script then locates each file on the hard disk and gathers the identification information that you find on the Version tab in the properties dialog box.
Once all the background work is done, the script shuts down the progress indicator and then displays its user interface, as shown in Figure D.
|The Process Explorer’s main user interface simply contains a drop-down list of all the currently running processes.|
At this point, all you have to do is click the Choose A Process drop-down list and select a process. When you do, you’ll immediately see the Process Details dialog box, as shown in Figure E.
|The Process Details dialog box provides you with the description properties associated with the processes’ executable files.|
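The work the script does in the background (enumerate processes through WMI, find each executable, read its Version-tab fields) is shown below as an added example in PowerShell; it is not the article’s Process Explorer script, and it assumes PowerShell 2.0 or later on an administrative prompt. It also covers the Version-tab procedure from earlier in this article, and adds one check a practitioner wants: an Authenticode signature status for each executable, because the description, product name, and company on the Version tab are plain strings that any binary can carry and prove nothing about where the file came from. One caveat: on Windows XP, Vista, and 7 most operating system binaries are signed through a catalog rather than an embedded signature, and Get-AuthenticodeSignature reports those as NotSigned, so the marker below is deliberately limited to unsigned images outside %SystemRoot% and %ProgramFiles%; the function name Get-ProcessIdentity and the triage heuristic are this example’s own.

```powershell
# Added example, not the article's Process Explorer script: gather the Version-tab
# details of every running process's executable plus its Authenticode status.

function Get-ProcessIdentity {
    # Win32_Process is the class behind WMIC's "process get Caption, ExecutablePath"
    Get-WmiObject Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath      # empty for System, Idle and protected processes
        $desc = ''; $product = ''; $company = ''; $sig = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            # Same fields shown on the Version tab of the file's Properties dialog
            $info    = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
            $desc    = $info.FileDescription
            $product = $info.ProductName
            $company = $info.CompanyName
            # Valid, NotSigned, HashMismatch, UnknownError, ...
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        New-Object PSObject -Property @{
            PID         = [int]$_.ProcessId
            Caption     = $_.Caption
            Path        = $path
            Description = $desc
            Product     = $product
            Company     = $company
            Signature   = [string]$sig
        }
    }
}

# Triage heuristic (this example's own): an image outside the system directories
# that is not validly signed gets a marker. Look it up before calling it safe;
# catalog-signed OS files inside %SystemRoot% read NotSigned on older Windows.
$systemDirs = @("$env:SystemRoot\*", "$env:ProgramFiles\*")
Get-ProcessIdentity | Sort-Object Caption | ForEach-Object {
    $flag = ''
    if ($_.Path) {
        $inSystemDir = $false
        foreach ($d in $systemDirs) { if ($_.Path -like $d) { $inSystemDir = $true } }
        if (-not $inSystemDir -and $_.Signature -ne 'Valid') { $flag = '(!)' }
    }
    '{0,5} {1,-20} {2,-36} {3,-14} {4,-12} {5}' -f $_.PID, $_.Caption, $_.Description, $_.Company, $_.Signature, $flag
}
```

The output is the same sorted list of processes the script presents in its drop-down, with the Version-tab description and company beside each entry, and it is a better starting point than the description alone when you then search the Knowledge Base or the Internet for an unfamiliar process.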
If you compare the list of processes displayed by the Process Explorer with those displayed on Task Manager’s Processes tab, you’ll notice some extra processes in both lists. In Process Explorer, you’ll find four extra processes that are created by the actual running of the script itself.
In Task Manager, you’ll find two extra processes that are also created by the actual running of the script:
Using WinTasks 4 Professional
If you really want an industrial-strength task/process management utility, I suggest that you head on over to the LIUtilities Web site and check out WinTasks 4 Professional. This excellent utility garnered an Editor’s Choice award from the CNET Reviews team. Not only does WinTasks 4 Professional make it easy to identify processes, but it also helps you to remove unnecessary processes, eliminate problem processes, change process priority, create customized environments containing certain processes, and even has a small scripting language that you can use to manage processes. Best of all, you can purchase it online for under $50.