Peek in on Your Processes
Get to know the ins and outs of your system's processes with ProcPeek.
I've always been the curious type, eager to find out what's happening behind
the scenes and under the hood. Microsoft Windows always piques my curiosity,
as it has a lot of moving parts hidden from view.
As a Windows administrator, every now and then you need to pull back the curtain
and check out the action, especially when something isn't working right. More
often than not, this means getting your hands dirty with processes.
In Windows, the Task Manager has always been used to examine system processes.
Windows XP introduced a command-line version called Tasklist.exe. This added
some much needed functionality, such as support for checking memory and CPU
utilization and checking processes on remote systems.
Even though I prefer the command line, many of you still like to use a graphical
tool, so I'm happy to oblige. I've written my own process management tool called
Process Peeker, affectionately known as ProcPeek. This tool is an HTML application
(HTA) that uses Windows Management Instrumentation (WMI) to gather information
about processes. It also lets you kill a process if needed.
Because I'm using WMI, ProcPeek can connect to remote systems. It can also
use alternate credentials. The utility is available for free download at www.jdhitsolutions.com/scripts.
Extract the contents of the zip file to a folder of your choice.
ProcPeek requires Windows XP or later and administrative credentials. On Windows
Vista, you'll need to manually create an application shortcut so you can run
ProcPeek as an administrator. When you create the shortcut, use MSHTA.EXE c:\path\procpeek.hta
as the shortcut's target. To run the utility in Vista, right-click the shortcut and select
"Run As Administrator." For all other versions of Windows, simply
double-click on the HTA.
You can only manage processes that you have permission to manage, so if your
current account lacks rights on a remote machine, check the alternate credentials
box and enter credentials for that machine. You can't use alternate credentials
for the local machine. The username should be in the format domain\username.
Take a Look
When you first launch ProcPeek, it will default to localhost. Then you can enter
another computer name. Click the "Get Processes" button and in a moment
you should see a list showing information on all processes. Hover your mouse
pointer over a process, and it will display the process name with detailed information.
To kill a process, click on the process ID and follow the prompts.
To prevent someone from accidentally stopping system processes, you can configure
a list of critical and restricted processes. If a user tries to stop a process
on this list, they'll get a second warning and confirmation dialog box. The
user can still terminate the restricted process, but at least they'll be sufficiently
warned of the consequences. When anyone kills a process using ProcPeek, it writes
an entry into the computer's application log, so there will be an audit trail.
To add your own restricted processes, use the "ShowConfig" button.
Edit the list of restricted process names as needed and it'll be written to
the registry under HKCU\Software\MrRoboto\ProcPeek. The list will load the next
time you run ProcPeek. The "Quit" button will write the current configuration
to the registry. If you close the HTA any other way, any changes you've made
won't be saved or re-used.
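To make the mechanics concrete, the following is an added PowerShell example, not code from ProcPeek itself (which is an HTA). It models the two behaviours described above: gathering process information through the Win32_Process WMI class, locally or on a remote system with alternate credentials, and terminating a process by PID with a second confirmation when the name is on the restricted list, followed by an Application-log entry as the audit trail. Only the registry key HKCU\Software\MrRoboto\ProcPeek comes from the article; the value name Restricted, the event source name ProcPeekDemo, the default restricted names, and writing the log entry on the machine where the script runs are assumptions made for this example.

```powershell
# Added example modelled on the ProcPeek behaviour described in the article;
# not ProcPeek's own code. Requires PowerShell 3 or later and an elevated session.
param(
    [string]$ComputerName = 'localhost',
    [System.Management.Automation.PSCredential]$Credential
)

$RegPath     = 'HKCU:\Software\MrRoboto\ProcPeek'  # key named in the article
$RegValue    = 'Restricted'                         # value name: assumption
$EventSource = 'ProcPeekDemo'                       # event source name: assumption

# Load the restricted-process list from the registry; fall back to a default set
# of critical Windows processes (assumed defaults) if the value does not exist yet.
function Get-RestrictedList {
    $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
    if ($item) { return @($item.$RegValue) }
    return @('smss.exe', 'csrss.exe', 'wininit.exe', 'winlogon.exe', 'services.exe', 'lsass.exe')
}

# Query Win32_Process locally or remotely. Alternate credentials are accepted only
# for a remote target, mirroring the WMI restriction the article points out.
function Get-PeekProcess {
    $wmi = @{ Class = 'Win32_Process'; ComputerName = $ComputerName }
    if ($Credential) {
        if ($ComputerName -in 'localhost', '.', $env:COMPUTERNAME) {
            throw 'Alternate credentials cannot be used against the local machine.'
        }
        $wmi.Credential = $Credential
    }
    Get-WmiObject @wmi | ForEach-Object {
        $owner = $_.GetOwner()
        [pscustomobject]@{
            Name      = $_.Name
            Id        = $_.ProcessId
            ParentId  = $_.ParentProcessId
            Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }
            WS_MB     = [math]::Round($_.WorkingSetSize / 1MB, 1)
            # Kernel/user times are reported in 100-nanosecond units
            CPU_s     = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)
            Path      = $_.ExecutablePath
            WmiObject = $_   # keep the WMI object so Terminate() is available later
        }
    }
}

# Stop a process by PID, asking twice when the name is on the restricted list,
# then record who stopped what in the Application log of the machine running
# this script (assumption: ProcPeek's choice of log location is not specified here).
function Stop-PeekProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    $target = Get-PeekProcess | Where-Object Id -eq $ProcessId
    if (-not $target) { throw "PID $ProcessId not found on $ComputerName" }

    $restricted = $target.Name -in (Get-RestrictedList)
    $prompt = "Terminate $($target.Name) (PID $ProcessId) on ${ComputerName}?"
    if ($restricted) { $prompt = "WARNING: $($target.Name) is on the restricted list. $prompt" }
    if ((Read-Host "$prompt [y/N]") -ne 'y') { return }
    if ($restricted -and (Read-Host 'Really terminate a restricted process? [y/N]') -ne 'y') { return }

    $rc = $target.WmiObject.Terminate().ReturnValue   # 0 means success
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $entryType = if ($rc -eq 0) { 'Information' } else { 'Warning' }
    $message = '{0} terminated {1} (PID {2}) on {3}; restricted={4}; returncode={5}' -f `
        "$env:USERDOMAIN\$env:USERNAME", $target.Name, $ProcessId, $ComputerName, $restricted, $rc
    Write-EventLog -LogName Application -Source $EventSource -EventId 1000 `
        -EntryType $entryType -Message $message
}

# Usage: list processes sorted by working set, then stop one by PID.
Get-PeekProcess | Sort-Object WS_MB -Descending |
    Select-Object Name, Id, Owner, WS_MB, CPU_s | Format-Table -AutoSize
# Stop-PeekProcess -ProcessId 1234
```

Run it as .\peek.ps1 -ComputerName server01 -Credential (Get-Credential) to query a remote machine with alternate credentials; the script refuses the credential for localhost just as ProcPeek does. Keeping the kill behind a PID lookup plus a double confirmation, and writing the operator's account name into the event log, gives you the same accountability the article describes without having to trust the person at the keyboard.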
You can also configure the tool to enable tracing. This will launch Internet
Explorer and write trace debug messages to the window. Click the "Reload"
button to restart the tool and begin tracing.
There are several other graphical process management tools as well, some more
complicated and detailed than others. I encourage you to explore and add these
types of tools to your toolbox. Start with the SysInternals Process Explorer
from Microsoft (www.sysinternals.com),
which you can also download for free.
What I like most about the ProcPeek tool is its small footprint -- plus, everything
you really need is available through one easy-to-use interface. Sometimes a
simple utility like this is all you need.
Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MPCMag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org.
Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrator's Guide.
You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http:/gplus.to/JeffHicks)