
Defensive Computing

February 10, 2008 5:59 PM PST

Process Explorer, Part 2

by Michael Horowitz

This is a continuation of my previous posting (Using Process Explorer to tame svchost.exe - Advanced topics) which introduced the excellent Process Explorer program, a souped up version of Task Manager. According to the author, "Process Explorer works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, and 64-bit versions of Windows for x64 and IA64 processors, and Windows Vista." And, it's free.

When a computer is running slow, people sometimes guess at the underlying problem. An experienced Process Explorer user doesn't have to guess.

Below is the main Process Explorer window. There's a lot going on here.

Process Explorer - The Main Window


As computers go, the one in the picture is pretty boring; it's a Windows XP virtual machine with next to nothing installed. Chances are, a similar display on your computer will reveal two or three times as many processes.

The Process Explorer window is extremely configurable; the next posting will cover installing and configuring the program. The screen shot shows eight data fields, the ones I find the most useful. I also like to include I/O counts but left them out here for space reasons. This is one application that really benefits from a wide screen display.

The columns in the middle are what first attracted me to Process Explorer - the description of the process, the name of the company that created the process and, most importantly, the executable file running in the process. Just knowing the directory that a program is running out of has been useful in and of itself. The CPU History column is also vital, with spikes of green showing processes consuming large amounts of the processor over the last few minutes.

Properties of a Process

To get information on a running process in Process Explorer, double click on the process name. This opens a properties window (see below) with nine tabs.

Earlier I noted the difficulty in pinpointing a performance problem to a Windows service* running inside an instance of the svchost.exe process. This is because Process Explorer breaks down processes by thread rather than by service. Even when a process hosts a single service, there can be multiple threads. But all is not lost.

Go to the Threads tab, expand the CPU column and click on the column heading to sort the list of threads by their current CPU usage.

Properties of a Process - Threads Tab


To see more information about a thread, highlight it and click on the Module button just below the list of threads. This displays the properties of the file underlying the thread (see below). The properties window opens in the General tab; go to the Version tab. This isn't foolproof, but you may get lucky, as in the example below, where the file/module is obviously the DNS Caching Resolver Service.

Version Property of a Module/File


Another useful tab is Services, which, as you can see below, provides information on the services, if any, running inside the target process.

Properties of a Process - Services Tab

Setting Priorities

Sometimes a necessary program on your computer can get in the way. If, for example, you're facing a deadline and the computer is running a full hard disk scan, it may become so slow as to interfere with your work. Such was the problem Peter Butler faced. While your knee-jerk reaction may be to cancel the interfering software, on a corporate computer this can be problematic. Process Explorer offers a couple of less intrusive options - it can slow down or freeze a program in its tracks.

Slowing down a running program/process is something Task Manager can also do. In both Task Manager (from the Processes tab) and Process Explorer, right click on the name of the process and select "Set priority" from the pop-up menu (see below). The default priority is "Normal"; changing it to "Below Normal" lowers the priority one notch. Changing it to "Low" (in Task Manager) or "Idle" (in Process Explorer) lowers it two notches, and should let you get your work done with a minimum of interference.

Changing Priority

Freezing a process is something Task Manager cannot do. In Process Explorer, click on "Suspend" after right clicking on the process name. By default, Process Explorer displays suspended processes as dark gray. If a suspended process was running a visible application, the application window can't be minimized, resized or even re-painted when another window covers it up. To resume the application, right click on the process name again and select "Resume".

There is one caveat, however: some processes do not allow their priority to be changed. I don't know a way around that.
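The priority change described above can also be scripted. The following PowerShell function is an added example, not part of the original posting; it assumes PowerShell 3.0 or later, the function name `Set-ProcessPriority` is hypothetical, and the PID in the usage line is a placeholder. It reports the caveat case (a process that refuses the change) instead of failing.

```powershell
# Added example: lower a process's priority by PID and report the outcome.
function Set-ProcessPriority {
    param(
        [Parameter(Mandatory)] [int] $Id,
        # Task Manager's "Low" and Process Explorer's "Idle" are both 'Idle' here.
        [ValidateSet('Idle', 'BelowNormal', 'Normal')]
        [string] $Priority = 'BelowNormal'
    )

    $name   = $null
    $before = $null
    try {
        $proc   = Get-Process -Id $Id -ErrorAction Stop
        $name   = $proc.ProcessName
        $before = $proc.PriorityClass

        # The actual change: assign a new priority class to the running process.
        $proc.PriorityClass = [System.Diagnostics.ProcessPriorityClass]$Priority
        $proc.Refresh()   # re-read the process so 'After' shows the real value

        [pscustomobject]@{
            Id = $Id; Name = $name; Before = $before
            After = $proc.PriorityClass; Changed = $true; Error = $null
        }
    }
    catch {
        # Some processes refuse the change (typically "Access is denied"),
        # and a PID that no longer exists also ends up here.
        [pscustomobject]@{
            Id = $Id; Name = $name; Before = $before
            After = $before; Changed = $false; Error = $_.Exception.Message
        }
    }
}

# Placeholder PID; substitute the PID shown in Process Explorer or Task Manager.
Set-ProcessPriority -Id 1234 -Priority BelowNormal
```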

Next Up...

Next time, installing and configuring Process Explorer.


*A service is a special type of Windows program. Most services are part of Windows; the previous posting discussed the Automatic Updates service and the Task Scheduler service. Applications can also install their own services. In Windows XP, services are managed from the Administrative Tools applet in the Control Panel.

Note: This posting is based on Process Explorer version 11.04, which was current at the time this posting was written. The screen shots were taken on a machine running Windows XP.

See a summary of all my Defensive Computing postings.

February 9, 2008 10:28 PM PST

Using Process Explorer to tame svchost.exe - Advanced topics

by Michael Horowitz

On February 5th, Peter Butler of CNET wrote a blog posting about using the free Process Explorer program to prevent an instance of the svchost.exe process from hogging the CPU on his CNET-provided* computer. This is a follow-up, a more advanced look at Process Explorer.

To people unfamiliar with Process Explorer, I usually call it Task Manager on steroids. But comparing Process Explorer to Task Manager is like comparing humans to amoebas. It's that far up the evolutionary scale.

Let me say up front that I am prejudiced. I think Process Explorer is an excellent program. I'd go so far as to say that it might be my favorite Windows software of all time. It's free, portable and comes from a trusted source. Although technically the program is from Microsoft, the author, Mark Russinovich, developed Process Explorer while working at Sysinternals, a software company with an outstanding reputation. Microsoft eventually bought Sysinternals. Highly recommended (this coming from the curmudgeon behind computergripes.com).


Dissecting an Svchost.exe Process

Svchost.exe is a most annoying process as it "hosts" multiple underlying components of Windows called services. Thus, narrowing down a performance problem to a particular svchost process is far from the end of the detective work.

As Peter pointed out in his posting, Process Explorer can dissect an svchost process, something that Task Manager cannot. You can see an example of this below, which shows the yellow pop-up window that Process Explorer displays when the mouse is hovered over an svchost.exe process. In Windows XP there are multiple instances of the svchost process and each hosts a different group of services. The example below is a worst case scenario: there are 18 different services sharing a single process. Must get crowded in there.

Process Explorer showing the services in an svchost process


Peter is not correct, however, when he says, referring to this list of services, that we "... can then use that list to determine which, if any, of the Windows services is killing their productivity." Process Explorer** does not break down CPU usage, or anything else for that matter, by service. The closest it comes is displaying information about the individual threads in the process (see below). The problem is that there isn't a one-to-one correspondence between a thread and a service. A service is a logical thing and a thread is a physical thing.

Process Explorer showing the threads in an svchost process
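The same breakdown, services grouped by the svchost.exe instance that hosts them, can be produced from a script. This PowerShell function is an added example, not part of the original posting; it assumes a Windows version with PowerShell 3.0 or later, and the function name `Get-SvchostServices` is hypothetical. Note that CPU time is reported per process, which is exactly the limitation discussed above.

```powershell
# Added example: list the services hosted by each svchost.exe instance.
function Get-SvchostServices {
    # Win32_Service.ProcessId is the PID of the process hosting a running service.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 }

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc   = $_
        $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.Id })

        # CPU is null when the caller lacks rights to query the process.
        $cpu = $null
        if ($null -ne $proc.CPU) { $cpu = [math]::Round($proc.CPU, 1) }

        [pscustomobject]@{
            ProcessId    = $proc.Id
            ServiceCount = $hosted.Count
            # CPU time exists per process (and per thread), never per service.
            CpuSeconds   = $cpu
            Threads      = $proc.Threads.Count
            Services     = ($hosted.Name | Sort-Object) -join ', '
        }
    } | Sort-Object -Property CpuSeconds -Descending
}

# Busiest svchost.exe instance first, with the services sharing it.
Get-SvchostServices | Format-Table -AutoSize -Wrap
```

An instance that shows a high `CpuSeconds` and a single hosted service points straight at that service; one with many services still needs the thread-level detective work described in this posting.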

Task Scheduler and Automatic Updates

Somehow Peter tracked down the excessive CPU usage on his computer to two services, Task Scheduler and Automatic Updates. He says "Both of these services are critical to the health of my PC ...". This is not true.

The Automatic Updates service is Windows Update, that is, it's the part of Windows that applies bug fixes. Even when you use the GUI in Windows XP to turn off Automatic Updates, the underlying Automatic Updates service remains running at all times. Think of it like a car with the engine running, but in Park rather than Drive. Microsoft has abused the running engine to silently install updates, even on a computer where the owner told them not to. (See my Windows is Spyware posting from September 13, 2007).

Thus, I previously argued (Defending yourself against Microsoft) that the Automatic Updates service is best turned off (disabled) all the time. That's what I've done personally for quite a while with no regrets. Once a month I turn it on, run Windows Update manually and then off it goes.

The Task Scheduler does nothing more than run programs on a schedule. In and of itself, it is not critical to the health of a Windows machine. Peter was referring to anti-malware software that is scheduled using the Task Scheduler on his machine. This is not always the case. Much anti-malware software is capable of scheduling its own activities without assistance from the Windows scheduler.

Next up...

Next, more about using Process Explorer: Process Explorer Part 2.


*From the posting it sounds like Peter Butler is a CNET employee. Members of the CNET Blog Network, such as myself, are paid by CNET but we are not employees of CNET. I don't know Peter Butler.
**This discussion is based on version 11.04 of Process Explorer, which was the latest as of this writing.

See a summary of all my Defensive Computing postings.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
