continued from pt.1
In the previous posting, I covered the installation of Process Explorer and setting things up so that it runs automatically at startup time with its icon permanently displayed in the system tray (a.k.a. notification area). In and of itself, the system tray icon is a gateway to useful information, even without the main Process Explorer window.
The default Process Explorer icon is a dynamic graph of recent cpu usage. It looks like a mountain range sliding to the left and I have come to think of it as the heartbeat of the computer.
The huge difference between Process Explorer and Task Manger is evident even in their system tray icons (shown below).
For one, Task Manager only indicates current cpu usage while Process Explorer provides a recent history. The tooltip (the yellow pop-up balloon produced by hovering the mouse pointer over the icon) from Task Manager shows the current cpu usage as a number. The Process Explorer tooltip also shows the process currently using the largest percentage of cpu cycles.
We see this in the screen shot above - the cpu was 47% busy overall, with Notepad++ accounting for 36% of the overall cpu usage. Everything else running in the system made up the remaining 11%.
The screen shot also shows that Process Explorer displays cpu usage in red and green, whereas Task Manager uses a single color. Red represents kernel mode cpu usage, green is the sum of both kernel mode and user mode. I haven't found the distinction particularly useful.
Right clicking on the Process Explore icon and selecting "System Information" opens up a window somewhat analagous to the Performance tab in Task Manager (full size image).
http://i49.tinypic.com/3038ora.jpgThe CPU Usage History graph at the top offers the same trick as the system tray icon: hover the mouse over it and it displays not only the cpu usage, but also the program using the most cpu cycles at that point in time. In the screen shot below we see that at 2:39:16PM Firefox was using the most cpu cycles.* Anyone investigating why a Windows machine is running slowly would be well served to start here.
On a Windows 7 machine withe Process Explorer version 12, this cpu history graph went back about 35 minutes. On an XP machine with version 11, it went back 28 minutes. Others have reported that this history went back 12 minutes (
http://www.watchingthenet.com/how-to-identify-processes-that-cause-high-cpu-utilization-spikes-in-windows.html) or 5 minutes (
http://www.brightrev.com/how-to/windows/53-five-uses-for-sysinternals-process-explorer.html). Perhaps it has something to do with refresh interval.
I find the cpu history icon meets my needs, but Process Explorer can display additional system tray icons that offer a running history of I/O activity and memory usage. To experiment with the additional icons, click on the current tray icon to open the main user interface, click on Options on the menu bar, then Tray icons.
TWEAKING THE USER INTERFACE
Out of the box, the main Process Explorer window leaves something to be desired. Here are my suggested changes.
Most likely you will just see one window, which is the configuration that makes sense for new users and those not familiar with the internal workings of the operating system. Process Explorer has an optional lower pane that offers additional information on the currently selected process. This lower pane used to be on by default, but now it seems to be off on new installations. There is an icon on the toolbar that toggles the lower pane display on/off. Another icon controls whether the lower pane displays Handles or DLLs.
I suggest starting off without the lower pane. The only time I've needed it was for researching where the portable edition of Firefox was picking up plugins.
Processes are identified with both a name and a number. The name is useful, the number rarely is. But Process Explorer insists on displaying the number (PID column) so the first thing I do is move the column to the far right to get it out of sight. Re-arranging the sequence of columns is easy, just click and drag on the column name.
Clicking on a column title sorts the display by that column. Click again, and it re-sorts in the reverse sequence. Clicking on the CPU column (it defaults to the last ordering used for that column, ascending or descending) can put the processes currently hogging the CPU at the top of the display. I often do this to see which processes are having the most impact on the system.
But what if a process was consuming mass quantities of CPU cycles but is now doing nothing? The CPU History column (shown below) is invaluable for spotting processes that have been recently feeding at the CPU trough.
To enable it, click on View in the menu bar, then Select Columns, go to the Process Performance tab and turn on checkbox for CPU History.
The green spikes in the CPU History show periods where the process was doing a lot of computing. Like all columns, the CPU History can be made any width you prefer.
You'll also notice in the screen shot above that Firefox was using 38.58% of the CPU. Chances are you won't need this level of detail. If you can live with integers, click on View in the menu bar and turn off the option to "Show Fractional CPU". Displaying an extra couple digits may not seem like a big deal, but I always try to cram as much data as possible into the main display so that I don't have to scroll horizontally.
Often, I've found it useful to run Process Explorer with the display maximized and just stare at it. This can provide an overall feel for the activity on the system. But the default refresh interval of one second can be too fast, by the time I spot something of interest, it's gone. To change the refresh interval, click on View, then Update Speed.
Process Explorer displays much more information than Task Manager, and back when I started using it, the most important field, to me, was the Image Path. This is name of the currently running program in the process, plus the full path to the executable. To add it to the display, click on View, then Select Columns, go to the Process Image tab (probably the default) and turn on the checkbox for Image Path. You'll be glad to you did.
If the field Private Bytes is displayed you can probably remove it or drag it over to the far right, out of view. The help file says that it can pinpoint applications with a memory leak problem. This should be rare. To remove it from the display, click on View, then Select Columns and go to the Process Memory tab.
In contrast, the Working Set column should prove useful, it shows how much RAM the process is currently using. Unfortunately this information is only available for the whole process, not individual threads and it's reported in kilobytes rather than megabytes.
Processes are colored based on certain attributes. This makes for a cool looking display but too many colors can be distracting and some of the attributes are unlikely to be important. The coloring can be adjusted with Options -> Configure Highlighting. I turn off the brown for jobs and the yellow for .NET. You may also want to turn off the purple for packed images.
Two colors that I often find helpful are green for newly started processes and red for those that are terminating. New processes are colored green only briefly, then they revert to their mature color. Likewise, terminating processes are colored red only briefly, before they disappear. The ability to see processes come and go is a big reason to slow down the refresh interval.
Often Process Explorer is used to investigate why a computer is running slowly. The full picture of the performance impact of a process on the system is provided by not only its cpu and ram usage, but also by its I/O profile. Process Explorer offers fifteen I/O related counters on the Process Performance tab of the Select Columns window. The two counters that I suggest enabling by default are I/O Reads and I/O Writes.
You may have seen another I/O counter called I/O Other. It's offered by both Task Manager and Process Explorer. If you are wondering what this means, join the club. I did performance monitoring for years and never ran across "other" I/Os. Cache hits that avoided I/Os, yes, but no others.
Microsoft has a writeup on their website called What do the Task Manager memory columns mean (
http://windows.microsoft.com/en-us/windows-vista/What-do-the-Task-Manager-memory-columns-mean)? which offers this definition: "The number of input/output operations generated by the process that are neither a read nor a write, including file, network, and device I/Os. An example of this type of operation is a control function." Whoever wrote that didn't know what it meant either.
An I/O related field that can come in handy is Page Fault Delta (PF Delta is the column name). A page fault occurs when a chunk of referenced virtual storage is on the hard drive rather than in memory. Page faults are perfectly normal but an excessive number distracts the hard drive from reading and writing files and databases. Sorting the display by PF Delta shows the processes currently experiencing the most faults and may offer up some surprises.
After finding a process of interest, the real exploring comes when you double-click on it. This opens a new window with eight tabs that really shows what Process Explorer is capable of. For example, if you think the process is malicious, check the TCP/IP tab to see if it's communicating with another computer over the Internet.
To learn more about Process Explorer, see the included documentation available from the menu bar with Help -> Help.
Process Explorer runs just fine under Windows XP as a limited user and under Windows 7 as a standard user. It is part of the Sysinternals (
http://technet.microsoft.com/en-us/sysinternals/default.aspx) suite of software. You may well find other programs in the collection of value too. Personally, I'm a big fan of Autoruns (
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) and PageDefrag (
http://technet.microsoft.com/en-us/sysinternals/bb897426.aspx).
Windows users owe it to themselves to spend some time getting familiar with Process Explorer.
source:computerworld end
