Although the Task Manager Processes tab shows a list of processes, what the Applications tab displays isn’t as obvious. The Applications tab lists the top-level visible windows on all the desktops in the interactive window station you are connected to. (By default, there is only one interactive desktop—an application can create more by using the Windows
On the Applications tab, you can match a task to the process that owns the thread that owns the task window by right-clicking on the task name and choosing Go To Process, as shown in the previous tlist experiment.
Process Explorer, from Sysinternals, shows more details about processes and threads than any other available tool, which is why you will see it used in a number of experiments throughout the book. The following are some of the unique things that Process Explorer shows or enables:
Process security token (such as lists of groups and privileges and the virtualization state)
Highlighting to show changes in the process and thread list
List of services inside service-hosting processes, including the display name and description
Processes that are part of a job and job details
Processes hosting .NET applications and .NET-specific details (such as the list of AppDomains, loaded assemblies, and CLR performance counters)
Start time for processes and threads
Complete list of memory-mapped files (not just DLLs)
Ability to suspend a process or a thread
Ability to kill an individual thread
Easy identification of which processes were consuming the most CPU time over a period of time (The Performance Monitor can display process CPU utilization for a given set of processes, but it won’t automatically show processes created after the performance monitoring session has started—only a manual trace in binary output format can do that.)
Process Explorer also provides easy access to information in one place, such as:
Process tree (with the ability to collapse parts of the tree)
Open handles in a process (including unnamed handles)
List of DLLs (and memory-mapped files) in a process
Thread activity within a process
User-mode and kernel-mode thread stacks (including the mapping of addresses to names using the Dbghelp.dll that comes with the Debugging Tools for Windows)
More accurate CPU percentage using the thread cycle count (an even better representation of precise CPU activity, as explained in Chapter 5)
Integrity level
Memory manager details such as peak commit charge and kernel memory paged and nonpaged pool limits (other tools show only current size)
An introductory experiment using Process Explorer follows.
EXPERIMENT: Viewing Process Details with Process Explorer
Download the latest version of Process Explorer from Sysinternals and run it. The first time you run it, you will receive a message that symbols are not currently configured. If properly configured, Process Explorer can access symbol information to display the symbolic name of the thread start function and functions on a thread’s call stack (available by double-clicking on a process and clicking on the Threads tab). This is useful for identifying what threads are doing within a process. To access symbols, you must have the Debugging Tools for Windows installed (described later in this chapter). Then click on Options, choose Configure Symbols, and fill in the path to the Dbghelp.dll in the Debugging Tools folder and a valid symbol path. For example, on a 64-bit system this configuration is correct:
In the preceding example, the on-demand symbol server is being used to access symbols and a copy of the symbol files is being stored on the local machine in the c:\symbols folder. For more information on configuring the use of the symbol server, see
When Process Explorer starts, it shows the process tree view by default. It has an optional lower pane that can show open handles or mapped DLLs and memory-mapped files. (These are explored in Chapter 3 in Part 1 and Chapter 10, “Memory Management” in Part 2.) It also shows tooltips for several kinds of hosting processes:
The services inside a service-hosting process (Svchost.exe) if you hover your mouse over the name
The COM object tasks inside a Taskeng.exe process (started by the Task Scheduler)
The target of a Rundll32.exe process (used for things such as Control Panel items)
The COM object being hosted inside a Dllhost.exe process
Internet Explorer tab processes
Console host processes
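The same question the hosting-process tooltips answer (what is actually running inside a generic host such as Svchost.exe, Rundll32.exe, Dllhost.exe, or Taskeng.exe) can be asked from a script, which helps when triaging many machines. The following PowerShell is an added example, not taken from the book or from Process Explorer; it assumes PowerShell 3.0 or later and reads the standard WMI classes Win32_Service and Win32_Process, showing the hosted services for Svchost.exe and the command line for the other hosts.

```powershell
# Added example: list what the generic host processes are hosting.
# Run elevated to see command lines of processes owned by other accounts.

$hostNames = 'svchost.exe', 'rundll32.exe', 'dllhost.exe', 'taskeng.exe'

# Index running services by owning process ID (one Svchost.exe can host many).
$servicesByPid = @{}
Get-CimInstance Win32_Service -Filter "ProcessId <> 0" | ForEach-Object {
    $procId = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
    $servicesByPid[$procId] += $_
}

Get-CimInstance Win32_Process |
    Where-Object { $hostNames -contains $_.Name } |
    Sort-Object Name, ProcessId |
    ForEach-Object {
        $procId = [int]$_.ProcessId
        if ($_.Name -eq 'svchost.exe' -and $servicesByPid.ContainsKey($procId)) {
            # Service name plus display name, as in the Svchost.exe tooltip.
            $hosted = ($servicesByPid[$procId] |
                ForEach-Object { "$($_.Name) ($($_.DisplayName))" }) -join '; '
        } elseif ($_.CommandLine) {
            # For Rundll32.exe, Dllhost.exe and Taskeng.exe the command line
            # names the DLL entry point or the hosted COM identifier.
            $hosted = $_.CommandLine
        } else {
            $hosted = '<command line not accessible>'
        }
        [pscustomobject]@{
            Name      = $_.Name
            PID       = $procId
            ParentPID = $_.ParentProcessId
            Started   = $_.CreationDate
            Hosting   = $hosted
        }
    } | Format-Table -AutoSize -Wrap
```

A Svchost.exe row with no services listed, or a Rundll32.exe row with no DLL argument, is worth a closer look in Process Explorer.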