1
Task Manager: Processes vs Applications Tabs
Processes tab: List of processes
“Running” means waiting for window messages
Applications tab: List of top level visible windows
Right-click on a window and select “Go to process”
A meaningless term at the OS level
Not a list of processes
Not a list of “tasks” (another meaningless term)
It’s a list of top level visible windows in your session that meet certain criteria
What does the status column mean?
Running:
Windows don’t run—threads do
Running displayed only when owning thread is waiting for a window message (i.e. not running!)
Not Responding: not waiting for window messages
To map a window to a process, right-click on a window and select “Go to process”
3
Process Explorer (Sysinternals)
“Super Task Manager”
Shows full image path, command line, environment variables, parent process, security access token, open handles, loaded DLLs & mapped files
4
Process Explorer’s Process List
1. Run Process Explorer & maximize window
2. Run Task Manager – click on Processes tab
3. Arrange windows so you can see both
4. Notice process tree vs flat list in Task Manager
   - If parent has exited, process is left justified
5. Sort on first column (“Process”) and note tree view disappears
6. Click on View->Show Process Tree (or CTRL+T) to bring it back
7. Notice description and company name columns
8. Hover mouse over image to see full path of image
9. Right click on a process and choose “Google”
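The tree layout from steps 4 to 6, including the left-justified case, as an added Python example (not from the original slides and not Process Explorer's code). The snapshot is constructed sample data; the creation-time comparison is an assumption of this example for coping with reused PIDs, since only the parent's PID is recorded for a process.

```python
from collections import defaultdict

# Constructed snapshot: (pid, parent pid, creation time, image name).
SNAPSHOT = [
    (4,    0,    100, "System"),
    (500,  4,    110, "smss.exe"),
    (900,  700,  130, "explorer.exe"),  # its parent (old PID 700) has exited
    (1200, 900,  200, "cmd.exe"),
    (1300, 1200, 210, "notepad.exe"),
    (700,  900,  400, "calc.exe"),      # PID 700 reused by a later process
]

def build_tree(snapshot):
    """Return (roots, children); roots are the left-justified processes."""
    by_pid = {pid: (ppid, created) for pid, ppid, created, _ in snapshot}
    children = defaultdict(list)
    roots = []
    for pid, ppid, created, _ in snapshot:
        parent = by_pid.get(ppid)
        # Trust the recorded parent PID only if that process still exists
        # and was created before the child; otherwise the PID was reused.
        if parent is not None and ppid != pid and parent[1] <= created:
            children[ppid].append(pid)
        else:
            roots.append(pid)
    return sorted(roots), {k: sorted(v) for k, v in children.items()}

def render(snapshot):
    """Return the indented tree as a list of text lines."""
    names = {pid: name for pid, _, _, name in snapshot}
    roots, children = build_tree(snapshot)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names[pid]} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines

if __name__ == "__main__":
    print("\n".join(render(SNAPSHOT)))
```

Without the creation-time check, explorer.exe and calc.exe would name each other as parent and neither would be reachable from a root.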
5
Process Performance
• Click on Performance Tab of process properties
Note: all these numbers can be configured as columns
6
Thread Details
Process Explorer “Threads” tab shows which thread(s) are running
Start address represents where the thread began running (not where it is now)
Click Module to get details on module containing thread start address
7
Thread Start Functions
Process Explorer can map the addresses within a module to the names of functions
This can help identify which component within a process is responsible for CPU usage
Requires access to:
Symbol file for that module
Proper version of Dbghelp.dll
By default, Process Explorer looks for:
Dbghelp.dll: in the default Windows Debugging Tools install directory
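How an address-to-name mapping of this kind works, as an added Python example that is not from the original slides and not Process Explorer's own code. The module list and symbol table are constructed sample data standing in for a process's loaded modules and a symbol file; a module with no entry in the table stands for a missing symbol file.

```python
from bisect import bisect_right

# Constructed sample data: (base address, size, module name).
MODULES = [
    (0x00400000, 0x00020000, "app.exe"),
    (0x77000000, 0x00180000, "ntdll.dll"),
    (0x76000000, 0x000F0000, "kernel32.dll"),
]
# Constructed symbol tables: module -> sorted list of (RVA, function name).
SYMBOLS = {
    "app.exe": [(0x1000, "WinMainCRTStartup"), (0x2400, "WorkerThread"),
                (0x3100, "LogFlushThread")],
}

def find_module(address, modules=MODULES):
    """Return (base, name) of the module containing address, else None."""
    ordered = sorted(modules)
    i = bisect_right([base for base, _, _ in ordered], address) - 1
    if i >= 0:
        base, size, name = ordered[i]
        if address < base + size:
            return base, name
    return None

def describe_start_address(address, modules=MODULES, symbols=SYMBOLS):
    """Format a thread start address as module!function+offset."""
    hit = find_module(address, modules)
    if hit is None:
        return f"0x{address:08x} (not inside any loaded module)"
    base, name = hit
    rva = address - base                     # offset relative to module base
    table = symbols.get(name)
    if not table:
        return f"{name}+0x{rva:x}"           # no symbols: module offset only
    i = bisect_right([r for r, _ in table], rva) - 1
    if i < 0:
        return f"{name}+0x{rva:x}"           # below the first known symbol
    sym_rva, func = table[i]                 # nearest symbol at or before rva
    offset = rva - sym_rva
    return f"{name}!{func}" + (f"+0x{offset:x}" if offset else "")

if __name__ == "__main__":
    for addr in (0x00402400, 0x00402410, 0x77012345, 0x10000000):
        print(describe_start_address(addr))
```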
normal process priority class, normal thread priorities
Usually only visible in PerfMon if target app owns foreground window (hence longer quantum)
These are showing +2 boost (from 8 to 10) for foreground apps after wait completion
19
Priority Boosts on GUI Threads
Threads that own windows receive an additional boost of 2 when they wake up because of windowing activity, such as the arrival of window messages.
The windowing system (Win32k.sys) applies this boost when it calls KeSetEvent to set an event used to wake up a GUI thread.
The reason for this boost is similar to the previous one—to favor interactive applications.
20
CPU Starvation Resolution
CpuStres with two compute-bound threads (“maximum” activity level)
One is at lower priority than the other