Using Process Explorer
- Posted by wadehatler on 08.27.2012
Part 4 of Make your Computer Fit to Use (Introduction - Contents)
Note: This is one of the more technically advanced posts in this series, so if you find it rough going, move onto the next post which will be easier to understand.
About 10 o'clock last night, I sat down to write my next post and ran into a problem that I thought I could turn into an opportunity to show another useful tool. The kids were in bed and I was writing the next post while my wife Amalia went to the airport to pick up her brother, who's visiting from Spain. Fernando is a world-renowned urologist with a large practice in Madrid. He travels all over the world to operate and teach how to use a green-light laser system for the treatment of BPH (enlarged but non-cancerous Prostates).
My machine was humming along as normal. The only thing I really had going on was a download of Windows 7, along with the usual half-dozen other windows I usually have opened (Microsoft Word to write this post, 4NT, Visual SlickEdit, Visual Studio, and a couple of Firefox windows). After a dinner break, I found that my machine had slowed to a crawl. I could make an educated guess about what the problem was, but I thought it might be better to get some snapshots of how to use some of the tools I've included to find out definitively. Besides that, my educated guesses aren't always right :(
Process Explorer to the Rescue
Process Explorer is one of the most useful utilities in your toolbox. I've been using it for years, and I still find new ways for it to be useful all the time.
Before moving forward, you'll need to have at least version 1.3 of Wade's Toolbox. You can see the version by simply opening the folder from your start menu. It will always show you the current version.
So back to my computer -- it was running super-slow, which usually means there's a rogue process doing something I may or may not actually need. If your box is running slow, it's usually because it's:
- Doing something that requires a lot of disk or processor activity
- Struggling to read or write data across some kind of network connection (including the Internet sometimes)
- Waiting for something that's just not working, like a CD-ROM or floppy drive
- Just trying to do more things than it has the hardware to support
All of these problems leave footprints, and Process Explorer is the tool to find most of them. A Process is like a sandbox that the machine gives the program to do some type of work. What a user thinks of as a Program is one type of process, but there are many others. For example, a Word Processor, Explorer Window and Browser are all processes. There are also a lot of hidden processes running all the time, and most users are completely unaware of them. For example, in the next post, I'll talk about Services, which are processes that provide support for the operating system. There are services to communicate with your printer and keyboard, services to manage your network connections, virus and malware scanners, etc. A typical computer usually has between 60 and 100 processes running at any given time. It may not look like your computer is doing a whole lot, but it is.
Windows keeps track of a fair amount of information about each process for as long as it runs, and discards it when the process exits. Process Explorer gathers the information, shows it to you in an easy-to-read fashion, and tracks some of the information over time to help you find processes that are killing your performance, even if they're not doing so right at the moment. Of course, Process Explorer can't tell you much about a process that has already terminated, but it will tell you everything you ever wanted to know about all of the processes that are running right now.
Start Process Explorer with
- Programs | Wade's Toolbox | SysInternals | Process Explorer.
If you followed the last blog post you saw some of the things you can get from this tool, and now we'll dive deeper.
Performance View
Process Explorer can display a ton of information about all the processes that are currently running, but most of the time you don't really want to see all of the detailed columns. Process Explorer lets you define Column Sets, which are collections of columns that you might want to use for a particular purpose. When you first start Process Explorer after installing the toolbox, you get a general-purpose view that I use for day-to-day tasks. When you're performance tuning, you need a completely different set of columns.
In the View menu, you'll see a selection for Load Column Set and Save Column Set. These allow you to build up a sophisticated collection of display columns, and then get back to that collection at any time. For this particular example, I want you to select the Performance View. This set of columns shows nearly everything you need to determine how any particular process is affecting performance, and it makes it easy to sort the display to find different things, such as which processes are using the most processor time or generating the most disk activity. This view includes:
- Amount of processor time this process is consuming
- Amount of I/O this process is doing
- Amount of resources the system is consuming (memory, etc.)
With this information, you can usually figure out what process is killing your system - not always, but usually. You can click on any column to sort by that column, and click again to toggle between ascending and descending order. A small triangle at the right edge of the column header tells you if you're sorting by that column, and if so in which direction.
Note that these views aren't cast in stone. The only reason you have these views at all is because I saved them and installed them with the toolbox. You can add as many views as you want, change any of my views to suit your purposes, or delete my views altogether. I only install them once, and all I did was save you a couple of steps. (Note: If you already had Process Explorer, I may not have installed these views).
When I selected the Performance View, I got a display that looks something like this (you'll probably have to scroll to see all of the columns, but you don't need to do that quite yet):
CPU History
The Performance View starts out sorted by CPU History descending, which means the entries at the top are the currently running processes that have used the most processor time since they started. A process that was killing your machine right up until 10 seconds ago and then terminated won't show up here at all. You can tell this column is sorted descending because the small arrow is pointing down.
Tip: I use a little rule to remember what the triangle means. The top of the triangle is wider than the bottom, so that means the data at the top will be larger than the data at the bottom. I find this a lot easier to remember than trying to remember what ascending and descending mean, and which direction of the triangle means which. When you click from one column to the next, the first sort is descending which is usually what you want.
The CPU History column is a small line graph called a sparkline that shows you how much processing time each process has used in the last few minutes. You can see two processes that seem to be consuming most of the processor's time recently.
- Scan32.exe seems to be the top dog right now, so this could be the culprit.
- System Idle Process comes next. This is usually near the top of the list. It's an indication of how much processor power the system is not using. If it's high, your machine isn't very busy, and if it's very low, it means the machine is working very hard. Most of the time, you can disregard it as long as it's somewhere near the top of the list. If it's not near the top of the list, your machine is really working.
The next few bars below those only show a few blips, and then all you see are blank graphs. This means that these few processes are consuming the lion's share of the processing power, and the rest are insignificant, at least as far as this measure is concerned.
The discovery of Scan32.exe at the top of the list makes it a leading candidate based on the graph. The next column, Cycles Delta, gives the total number of processor cycles that this process has consumed since the last display update. I usually keep the update speed at 5 seconds, which means that Process Explorer rebuilds this whole graph based on a new snapshot of what's happening every 5 seconds. In this case, that column indicates how many cycles this process used during the last 5 seconds. As you can see, it's significant. When you're running Process Explorer, you can sit and watch this column over time and you will see the numbers go up and down. You don't usually have to do that since there's a nice graph available, but it is interesting to watch nonetheless. Now we have two bits of information that say Scan32.exe is probably using a lot of processing time. This doesn't automatically mean that it's our culprit, but it makes it more and more likely.
The next two columns, Cycles and CPU Time, show the total number of processor cycles and the amount of processor time that this process has consumed since it started. You have to scroll way to the right to see it, but the start time for this process is in a column clear out at the edge. If you scroll over, you will see that this process started at 8:00 PM. It has consumed 51 minutes of CPU time since it started, so you can bet it's a significant consumer of resources. This is almost enough to implicate it as the culprit, but let's go ahead and look at a few other factors, because not all performance vampires will be this cut-and-dried.
I/O History
The next sparkline over is I/O History. This shows a graph of how much I/O this process did over the same time span as the CPU History. I/O is a measure of how much data is being read or written from disk, printers, networks, etc. In this case, you can see that this process is doing a fair amount of I/O, but not enough to make it really stand out all that much. The reason that you look at both columns is that a lot of processes are slow because they're doing a lot of processor work, and others are slow because they're beating your hard disk to death, even if the processor isn't working all that hard. In this particular case, the CPU is doing a lot of work, while the I/O is doing a small to medium amount of work. Some programs are the opposite, with lots of disk use and very little CPU. Depending on what you're trying to do, this might affect you quite a bit, so you can't just look at processor time and quit looking.
As with the previous graph, the next set of columns gives you additional information. In this case, the next column, I/O Delta Total Bytes, tells you the total number of bytes this process has read or written in the last 5 seconds. As you can see, it's moved over a megabyte in the last 5 seconds, which could be a little or a lot depending on how fast your hard disk and computer are. As usual, you can click on the column to sort by it, and that will tell you which process is using the most I/O over the last few seconds.
The next three or four columns will give you a lot of details about what particular type of I/O this process is doing, but most of the time you don't really care about that. A developer might care about it when you're trying to do performance tuning, but if you're just trying to figure out why your computer is going slow it's not as useful as you might think.
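If you want the same "delta over the last 5 seconds" numbers without the Process Explorer window, the following PowerShell approximates the Cycles Delta, I/O Delta Total Bytes, CPU Time and start time columns described above. This is an added example, not code from the post or from Sysinternals; it assumes a Windows host where the Process(*) performance counters are available, and the process name 'scan32' in the comments is only the post's example.

```powershell
# Added example: approximate Process Explorer's per-interval CPU and I/O columns
# by sampling the Process(*) performance counters twice, 5 seconds apart (the
# refresh interval used in the post), and listing the busiest processes first.
function Get-BusyProcesses {
    param(
        [int]$IntervalSeconds = 5,   # Process Explorer's update speed from the post
        [int]$Top = 10
    )

    # Rate counters are computed between consecutive samples, so take two
    # samples and keep the second one.
    $paths   = @('\Process(*)\% Processor Time', '\Process(*)\IO Data Bytes/sec')
    $samples = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples 2
    $latest  = $samples[-1].CounterSamples

    $cpu = @{}
    $io  = @{}
    foreach ($s in $latest) {
        # Path looks like \\host\process(scan32)\% processor time; -like is case-insensitive
        if ($s.Path -like '*% Processor Time') { $cpu[$s.InstanceName] = $s.CookedValue }
        else                                   { $io[$s.InstanceName]  = $s.CookedValue }
    }

    $rows = foreach ($name in $cpu.Keys) {
        if ($name -eq '_Total') { continue }    # machine-wide total, not a process
        [pscustomobject]@{
            Name         = $name                 # 'Idle' here is the System Idle Process
            # % Processor Time is summed over all cores; divide by the core count to
            # get the whole-machine percentage Process Explorer displays.
            CpuPercent   = [math]::Round($cpu[$name] / [int]$env:NUMBER_OF_PROCESSORS, 1)
            # bytes/sec * interval = bytes moved during the window (the I/O Delta idea)
            IoDeltaBytes = [long]($io[$name] * $IntervalSeconds)
        }
    }
    # Default sort is descending, like the Performance View's CPU sort
    $rows | Sort-Object CpuPercent -Descending | Select-Object -First $Top
}

# The CPU Time and start-time columns for one process (e.g. -Name 'scan32').
function Get-ProcessCpuSummary {
    param([Parameter(Mandatory)][string]$Name)
    Get-Process -Name $Name -ErrorAction Stop |
        Select-Object Name, Id, StartTime, TotalProcessorTime
}

Get-BusyProcesses | Format-Table -AutoSize
```

Run it a few times in a row and you will see the numbers move, exactly as the post describes watching the Cycles Delta column.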
Virtual Size
The Virtual Size column tells you how much memory your computer has allocated and committed. You don't usually need to pay a lot of attention to this because you will have found the problem before you get to it. However, you should at least be aware of what it means.
Windows computers use a Virtual Memory system to allow each program or process to think it has more memory than it actually does. When I write software, I can assume that I have nearly unlimited memory. When my program runs out of physical memory, Windows automatically writes the least recently used block of memory to disk and then reads it back automatically when it's needed. For example, suppose that you start up Outlook and do a bunch of work. Then you start up Word and do a bunch more work. If you have a machine with limited physical memory (RAM), it's quite likely that parts of the memory that Outlook uses will be written out to disk. When you switch back to Outlook, it might take a while because it will have to read that information back from disk, and that takes time. That's why, if you start a bunch of programs at once, switching back and forth between two of them is fast, but when you go to one you haven't used in a while it's slow to restore.
This is a classic case where we trade off a little bit of performance for a lot of capability. Most Windows computers wouldn't run at all without Virtual Memory, because we expect a lot more of them than they are capable of providing with physical memory alone. The Virtual Size column gives you an indication of how much memory your program is trying to use. Sometimes, you end up with performance problems because a background process is simply too big to fit in available memory, and it has to spend a lot of time moving information back and forth from the disk just to do its job. For example, if you managed to start a recent version of Microsoft Word on a Windows 95 machine with just a few megabytes of RAM (unlikely, but stick with me), it would be so slow it would be unusable. It's a very large program, so it would spend all of its time spooling memory back and forth to disk for the most basic operations. In the same way, a program that allocates a lot of Virtual Memory can have a big impact on the rest of your system, so Virtual Size gives you an idea of how much a particular program is using.
Note that using a lot of Virtual Memory is not automatically a problem. For example, if I started an application that uses a tremendous amount of memory, and then minimized it and forgot it, most of its memory would eventually be spooled out to disk. As long as most of the memory is out on disk, there's a good chance it won't affect the programs that I'm actually using. It might take a while to get back to it when I want to use it, but it won't necessarily affect other programs all that much. On the other hand, if it had a timer that read a bunch of information back in every 30 seconds to do some kind of processing, it could have a tremendous impact.
You need to be aware of how this column works, but don't obsess about it because most of the time that's not where you find your problem.
So What's Scan32.exe Anyway
By now, you've probably guessed what was going on with my machine, but let me finish the story anyway.
Now that we know the name of the program that's probably causing the slowdown, Right-Clicking on that line and selecting Properties will give us the same information display we used in the last post. This gives us a bunch of information about that particular process.
In this case, the key information in the Image Tab shows that this is my virus scanner going about its daily business. For some reason, I had it in my head that the daily scan ran about 3:00 AM, but when I went and checked the configuration, I found that it actually starts automatically at 8:00 PM. This exactly corresponds with the start time of my process, so clearly what happened is this scanner started at 8:00 PM and was still running when I sat down to do my work.
Rant: This particular example was something that should've been obvious to me without investigation, because McAfee has been such a pain in the neck to me. When you first install the virus scanner, they have the incredibly boneheaded default of doing a full scan at 4:00 PM. That means everybody in our company has their machine go into thrash-and-crash mode right at the end of the workday. They first have to become aware of what's causing the problem, and then they have to happen to know how to do battle with the McAfee configuration system to figure out how to change it to a different time or disable it. Quite a few people in our company have been putting up with this for years because they don't know that they can change it.
In the realm of default settings for a virus scanner, this could arguably be the most boneheaded default I've ever seen. However, most software has some kind of boneheaded default, so there is likely to be something in your system that's just as egregious. It's up to you to find and fix them.
So What Do I Do
Once I figured out the problem, there was a question of what to do about it. In this particular case, I needed to make both a tactical decision about how to make this scanner quit annoying me so I could write my blog post in peace, and a strategic decision about how to avoid the problem in the future. For the immediate problem at hand, there are a few things you can do with Process Explorer that will generally make the problem go away for the moment.
Terminate Process
You can Terminate the Process, which would just make the problem go away. Most people will warn you that you shouldn't terminate a process unless you know exactly what you're doing, and that's generally true but not something to obsess about. For example, you should never terminate a defragmenting utility when it's running, because it might be in the middle of doing something critical. A virus scanner like this is probably just reading files and not writing very much, so you could terminate it without any real penalty. It's not guaranteed, but I'm generally less concerned about it than best practices might indicate.
Note: Many people developed the habit of not terminating processes back in the Windows 95/98 days when it was an exceedingly bad idea. Modern Windows operating systems are a lot more robust than they used to be, and I very rarely run into any real problems from terminating a program as long as I'm sure it doesn't have any data I want saved.
In this case, I decided to terminate this process, but it turned out that McAfee did some tricks that made it essentially impossible for me to terminate it without killing the whole computer. I'm sure that they had a perfectly good reason for doing this, but I found it really annoying anyway.
Priority
You can Right-Click on the process and change its Priority so that it consumes fewer resources. I think an automatically started virus scanner should run with Low Priority by default, and this is another bad decision from the McAfee team in my opinion. I'm sure they thought it was terribly important for their virus scanner to finish its job as quickly as it can, but since I'm not on pins and needles waiting for a daily proactive scan, I'd rather do my real work than sit around waiting for a virus scan. The daily scan should be a background process with as little impact on the user as possible. McAfee made a bad choice, but you can change it. Right-Click on the row in Process Explorer, select Set Priority and change it to Idle. It will still have some effect on your machine, but not nearly as severe.
Suspend
In the same Right-Click menu, you'll also find a Suspend command. This tells the processor not to give this process any more time at all. The process will sit in a suspended state until you restart it. This is a good way to stop something when you want to resume later without losing your place. I can suspend this virus scan while I do my work and then restart it when I'm done. That way it knows it's in the middle of the scan and doesn't have to restart as it would if I terminated it. That's what I did in this case.
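The same two tactical fixes, lowering a process to Idle priority and suspending it until you are ready to let it continue, can be scripted from PowerShell. This is an added example, not code from the post or from Process Explorer; it assumes a Windows host, a process name you supply ('scan32' in the comments is only the post's example), and that you have rights to open the process, which a self-protecting scanner like the one in the post may refuse.

```powershell
# Added example: Process Explorer's "Set Priority -> Idle" and "Suspend/Resume"
# actions done from PowerShell, so a background scan can be paused or demoted
# while you work and restored afterwards.

# Demote every process with this name to Idle priority. Returns the previous
# priority classes keyed by PID so they can be put back later.
function Set-ProcessIdle {
    param([Parameter(Mandatory)][string]$Name)
    $previous = @{}
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        $previous[$p.Id] = $p.PriorityClass
        $p.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::Idle
    }
    return $previous
}

# Restore the priorities recorded by Set-ProcessIdle.
function Restore-ProcessPriority {
    param([Parameter(Mandatory)][hashtable]$Previous)
    foreach ($id in $Previous.Keys) {
        $p = Get-Process -Id $id -ErrorAction SilentlyContinue
        if ($p) { $p.PriorityClass = $Previous[$id] }
    }
}

# Whole-process suspend/resume comes from ntdll.dll; both return an NTSTATUS,
# where 0 means success.
Add-Type -Namespace Native -Name Proc -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
'@

function Invoke-ProcessSuspendResume {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Suspend', 'Resume')][string]$Action
    )
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        try {
            # .Handle opens the process; a protected process throws here
            $status = if ($Action -eq 'Suspend') { [Native.Proc]::NtSuspendProcess($p.Handle) }
                      else                        { [Native.Proc]::NtResumeProcess($p.Handle) }
            if ($status -ne 0) {
                Write-Warning ("{0} of PID {1} failed, NTSTATUS 0x{2:X8}" -f $Action, $p.Id, $status)
            }
        } catch {
            Write-Warning "Could not open PID $($p.Id): $($_.Exception.Message)"
        }
    }
}

# Usage mirroring the post: pause the scan, do your work, then let it continue.
# Invoke-ProcessSuspendResume -Name 'scan32' -Action Suspend
# ... write the blog post ...
# Invoke-ProcessSuspendResume -Name 'scan32' -Action Resume
```

A suspended process keeps its place in the scan, as the post notes, so resuming it later costs nothing; a demoted one keeps running but yields the processor to your foreground work.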
Of course, that was just a tactical fix. It fixed my problem for the day, but it wouldn't fix it for tomorrow. In this case, I went to the McAfee scheduler and changed it to run at a better time.
More Information
As usual, the best way to find more information about some aspect of Process Explorer is to search for it using a search engine. The best tactic is usually to start with a query that has Process Explorer in quotes, and then the topic you're looking for in quotes. For example, search for "Process Explorer" "Context Switches" in Google, and you'll find out way more than you really want to know about Context Switches. If that doesn't produce the information you need, then remove the quotes to expand the search out a bit. Sometimes, it's easier to manage the search using a Clustering Search Engine like Clusty, as it will sort the results into groups, and sometimes that's easier than slogging through results by Page Rank in Google. It's worth a shot anyway.
Replacing Task Manager
Most reasonably advanced users have seen Windows Task Manager, which is the built-in tool that does some subset of what you've seen with Process Explorer. Task Manager can actually do quite a few more things than most people know about, but once you have Process Explorer there's really no reason to use it anymore. Almost everybody knows that you can get to Task Manager by right-clicking on the task bar, but most people don't know that you can also get it by pressing Ctrl-Shift-Esc, which is a lot handier. If you use a computer a lot, you should keep the shortcut in mind because you'll find that you want to be able to look at what's going on with your machine frequently.
You can also make Task Manager disappear entirely. Start Process Explorer, and execute Options | Replace Task Manager. Once you've done that, Process Explorer will completely take over from Task Manager, and you'll never see Task Manager again unless you explicitly re-enable it.
There's a lot more that you can do with Process Explorer, and if you're a developer you really owe it to yourself to spend some time learning how to use it. For the moment, I think I've given you enough to be able to use it to figure out why your computer might not be running as it should, so now's a good time to take a look at your machine and see what it's doing.