Mr. Roboto

Peek in on Your Processes

Get to know the ins and outs of your system's processes with ProcPeek.

• By Jeffery Hicks
• 08/01/2007

As a Windows administrator, every now and then you need to pull back the curtain and check out the action, especially when something isn't working right. More often than not, this means getting your hands dirty with processes.

In Windows, the Task Manager has always been used to examine system processes. Windows XP introduced a command-line version called Tasklist.exe. This added some much needed functionality, such as support for checking memory and CPU utilization and checking processes on remote systems.

Even though I prefer the command line, many of you still like to use a graphical tool, so I'm happy to oblige. I've written my own process management tool called Process Peeker, affectionately known as ProcPeek. This tool is an HTML application (HTA) that uses Windows Management Instrumentation (WMI) to gather information about processes. It also lets you kill a process if needed.

Because I'm using WMI, ProcPeek can connect to remote systems. It can also use alternate credentials. The utility is available for free download at www.jdhitsolutions.com/scripts. Extract the contents of the zip file to a folder of your choice.

ProcPeek requires Windows XP or later and administrative credentials. On Windows Vista, you'll need to manually create an application shortcut so you can run ProcPeek as an administrator. When you create the shortcut, use MSHTA.EXE c:\path\procpeek.hta as the property. To run the utility in Vista, right-click the shortcut and select "Run As Administrator." For all other versions of Windows, simply double-click on the HTA.

You can only manage processes that you have permission to manage, so be sure to check the alternate credentials box and enter credentials for the specified remote machine. You can't use alternate credentials for the local machine. The username should be in the format domain\username.

Take a Look
When you first launch ProcPeek, it will default to localhost. Then you can enter another computer name. Click the "Get Processes" button and in a moment you should see a list showing information on all processes. Hover your mouse pointer over a process, and it will display the process name with detailed information. To kill a process, click on the process ID and follow the prompts.

To prevent someone from accidentally stopping system processes, you can configure a list of critical and restricted processes. If a user tries to stop a process on this list, they'll get a second warning and confirmation dialog box. The user can still terminate the restricted process, but at least they'll be sufficiently warned of the consequences. When anyone kills a process using ProcPeek, it writes an entry into the computer's application log, so there will be an audit trail.

To add your own restricted processes, use the "ShowConfig" button. Edit the list of restricted process names as needed and it'll be written to the registry under HKCU\Software\MrRoboto\ProcPeek. The list will load the next time you run ProcPeek. The "Quit" button will write the current configuration to the registry. If you close the HTA any other way, any changes you've made won't be saved or re-used.

You can also configure the tool to enable tracing. This will launch Internet Explorer and write trace debug messages to the window. Click the "Reload" button to restart the tool and begin tracing.

There are several other graphical process management tools as well, some more complicated and detailed than others. I encourage you to explore and add these types of tools to your toolbox. Start with the SysInternals Process Explorer from Microsoft (www.sysinternals.com), which you can also download for free.

What I like most about the ProcPeek tool is its small footprint -- plus, everything you really need is available through one easy-to-use interface. Sometimes a simple utility like this is all you need.