Mark Russinovich and Bryce Cogswell have released a new version of a real-time process monitor for Windows (tentatively called ‘Process Monitor‘) that combines the features of Regmon and Filemon. There is a whole set of new features too, of course.Process Monitor keeps track of file system, registry, and pocess/thread activity in real-time, allowing you to dive deep into the internals of Windows and gain an insight into what is going on. It runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista. As the authors describe:
It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.
It can also give you a list of files currently in use, which may prove to be very useful in case you want to delete a file that Windows says is in use. A similar tool called Sloth is available for the Mac.
Tracing for windows would be very useful and I havent’ yet found a tool that will allow me to do it.
By tracing I mean the level of detail that tracing on Linux/BSD/Solaris allows. This includes:
* what calls what (incl external libraries and systen calls)
* how long did it spend in that call
* what state is it in (sleep, wait_io, etc)
Showing a list of files open or seeing the memory consumption is not enough.
I believe Microsoft doesn’t want to open up too much access but surely something more useful than “list open files, show registry access” is warranted in the 21st century!
Dtrace for windows would be brilliant, and possibly embarassing too. I see that Apple have tried to cripple to save blushes: http://blogs.sun.com/ahl/date/20080118
There were MS tools available which did most of those points – though the tools were only included with Visual Studio AFAIK
I can’t imagine many people (other than developers) would want such a verbose breakdown though
Edited 2008-05-27 13:49 UTC
Tracing for windows would be very useful and I havent’ yet found a tool that will allow me to do it.
By tracing I mean the level of detail that tracing on Linux/BSD/Solaris allows. This includes:
* what calls what (incl external libraries and systen calls)
* how long did it spend in that call
* what state is it in (sleep, wait_io, etc)
You want Windbg, not process monitor.
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
I’ve been using this tool (during the limited time I spend in Windows) for some months now, and I highly recommend to any power user. It’s great – you can even replace the classic Task Manager, so when you do the three finger salute (ctrl+alt+del), up comes this much more useful and informative tool.
It may not have all the features of the CLI tools available to pretty much any *Nix, but it’s definetly a step up.
You’re thinking of Process Explorer, to be found at
http://www.microsoft.com/technet/sysinternals/Security/ProcessExplo…
The post is about Process Monitor. Similar names, different tools with different purposes.
Oh wow, you’re right – I have been completely fooled. Same look, same source, same group of people, no less.
Though I will withdraw my recommendation for ‘Process Monitor’, as I have never used it, I will now extend my recommendation for ‘Process Explorer’.
They do serve somewhat similar purposes, though, and have a similar look and are by the same people, so I wouldn’t really say that they are ‘different tools with different purposes’. An honest mistake?
In my opinion there is no point in having a good process monitor for an operating system that doesn’t manage processes properly, which is the one thing OS’s should do correctly.
Great, a process is hogging the CPU, I want to kill it. How do you start up your process monitor. In Windows every time that happens I hit ctrl-shift-esc to bring up the task manager and it doesn’t show up until the process is done hogging the CPU. That, or it takes 2 minutes for it to come up, then you kill the process 20 times over the next 2 minutes before it actually stops. I’m pretty sure these are fundamental problems in Windows itself and using a different process monitor won’t help. I’ve used process explorer and its nice to find which process has a file handle preventing you from deleting or renaming a directory but its no better at killing processes.
With Linux if anything other than X freezes or is hogging your CPU you can still fire up a terminal and run xkill without waiting much time at all. If X freezes you can ctrl-alt-f1 and kill the process manually and most times you don’t even need to restart X.
So, what I’m saying is that there are fundamental process handling problems with Windows XP that didn’t get fixed in Vista….but ooohh is it shiny!
Both Process Explorer and Task Manager run at the “real time” process priority (ie: it gets scheduled before almost everything else), so it usually takes a few milliseconds to come up even in a heavy load environment, not several minutes.
As for terminating the process, you can use command like tools from sysinternals (see: pskill) or tasklist and taskkill which are built in to XP and newer.
No, they do not run using the Realtime priority class. By default they both run at High priority.
CPU load, yes. I/O load, no. If a runaway process eats up all your disk bandwidth, it can take minutes for the OS to read in the text pages from an executable, be it even the smallish taskmgr.exe.
n my opinion there is no point in having a good process monitor for an operating system that doesn’t manage processes properly, which is the one thing OS’s should do correctly.
Process monitor is not a program you start when you have a hung process. Its a tool you use when you need to investigate what a process may be doing in realtime [not exactly realtime but a trail of what the process has done].
If you have a hung process, its a little late to start process monitor. You might start process monitor and then try to recreate the issue to investigate a possible root cause, but starting process monitor in response to a hanging process will generally yield few results.
Edited 2008-05-27 18:40 UTC
if you try and close things from the applications tab in windows task manager it can take multiple tries. this is because it’s trying to close the program not kill it.
closing from the processes tab is a one time kill.
applications is the junkie with a flick knife and processes is the sniper. i don’t know many people who use the task manager for any more than restarting explorer so this may be a bit of overkill.
not sure why their process monitor app exists separately from their process explorer app
Surprisingly, it does exists:
http://www.k23productions.com/products/process_controller/
🙂