Top Ten Tips and Troubleshooting with Process Explorer Tool

Process Explorer, from SysInternals, gives you a complete overview of the processes currently running on your PC, along with details on who invoked each one and how much system resource it is consuming. The tool is essential when you want to identify which program has a particular file or directory open. In this article you will learn 10 best practices and tips that will help you use the tool better.

A process is a container for a set of resources, including one or more threads. A process never consumes a CPU by itself; it is the threads inside the process that consume system resources such as CPU and memory. Every process has at least one thread. Using this tool, you can also determine which thread of a process is consuming CPU.

Some of the benefits this tool gives you are:

  • Displays the parent/child relationships of processes
  • Highlights different processes based on their source and state
  • Customizable columns to suit specific needs when analyzing CPU performance, threads, etc.
  • Tons of options to play around with!

Tip 1: Process Explorer Parameters – Create a Startup shortcut or desktop shortcut to the executable (procexp.exe) and add the parameters /t /e to it.

Process Explorer - Parameters

/t makes the executable start minimized and /e makes it run elevated. Since most of the time you also want to see the system processes, it makes sense to run the tool elevated.

Process Explorer - System Tray

When you invoke this shortcut, Process Explorer runs in the System Tray. Just double-click the tray icon to bring up the window.

Tip 2: Configuring the Options – Go to the Options menu and select Hide When Minimized and Allow Only One Instance. Hide When Minimized lets you simply minimize the program even when you click the X close button. Sometimes you tend to invoke the shortcut more than once, thinking that Process Explorer is not running; selecting Allow Only One Instance prevents multiple entries of procexp from appearing inside the Process Explorer window.

Process Explorer - Hide When Minimized

Tip 3: Configure Symbols – When you open any process and go to the Threads tab, you will see a strange hexadecimal address in the Start Address column. These are not helpful while troubleshooting. You need to convert them into meaningful names, and that is where configuring symbols is useful.

Process Explorer - Hexa Thread Definitions

Go to the Options menu and click the Configure Symbols item.

Process Explorer - Configure Symbols

You will need to install the Windows Debugging Tools so that you can configure the path to the dbghelp.dll file. Also configure the symbols path so that it covers both a local symbol cache and the internet symbol server. For more information read here – http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

Process Explorer - Configure Symbol Paths

Once you do this, the hexadecimal addresses are converted into meaningful names for effective understanding and troubleshooting. You can now see them in the Start Address column.

Process Explorer - Meaningful Thread Definitions

Tip 4: Highlighting Colors – Go to the Options menu and select Configure Highlighting. Using this option you can customize the colors assigned to certain roles of processes. By default, pink is associated with processes hosting one or more Win32 services, yellow with processes that use the .NET Framework, and light blue with processes running under the same user account as Process Explorer.

Configure Highlighting of Processes

Tip 5: Configure Difference Highlighting Duration – Set the duration to 5 or more seconds. This is an important tip that helps you distinguish the differences between events. The color association for a process remains for 5 seconds. For example, every newly started process is highlighted green and every process that exits is highlighted red; the process stays in Process Explorer for at least 5 seconds with that color code, so that you can see it and diagnose it.

Configuring highlighting Duration

Tip 6: Verifying Processes – When you double-click any process, the Properties dialog opens; this gives you the complete information about that particular process: its parent process, who invoked it, at what time, whether it is a 32- or 64-bit image, and so on. Notice that the executable is not verified, even though it comes from Microsoft Corporation. Verifying processes helps you determine whether a process is signed to run on this particular edition of the OS. For example, if your machine's performance is sluggish, you might run the verification and see whether any executable, such as an antivirus, is not suited for your PC.

Analyzing a Process Image

Go to the Options menu and select Verify Image Signatures. This starts the verification. Now right-click any column header and add the Verified Signer column. You will see all the processes along with their verified status.

Verified Processes
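The same check as the Verified Signer column, reproduced from PowerShell as an added example (not part of the original article or of the Sysinternals tool): every running process image is passed through Authenticode verification, and anything that is not Valid is listed for a closer look. It assumes an elevated PowerShell 2.0 or later session on Windows so that the image paths of system processes can be read.

```powershell
# Added example (not from the article): list running processes whose image
# does not carry a valid Authenticode signature, mirroring the
# "Verified Signer" column in Process Explorer.
# Assumes an elevated PowerShell session; images whose path cannot be read
# (protected or 64-bit processes from a 32-bit shell) are reported as
# 'NoAccess' rather than silently skipped.
function Get-ProcessSignatureReport {
    $report = foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.MainModule.FileName } catch { }
        if (-not $path) {
            $status = 'NoAccess'; $signer = ''
        } else {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
        New-Object PSObject -Property @{
            Id     = $p.Id
            Name   = $p.ProcessName
            Path   = $path
            Status = $status
            Signer = $signer
        }
    }
    $report
}

# Unsigned or tampered images are the ones worth a second look. Note that on
# older PowerShell versions a file signed only through a catalog can show as
# NotSigned; treat that as "unverified", not as proof of tampering.
Get-ProcessSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Id, Name, Status, Signer, Path -AutoSize
```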

Tip 7: Process Identification – Sometimes there may be many processes running on your PC (for example, many instances of the same application), and it becomes difficult to identify the associated process entry in Process Explorer. That is exactly where the magnifier comes to your help. Hold the magnifier button down and it will let you point at any other window on your PC. Just drop the magnifier on the window you want to identify and the corresponding process is highlighted in Process Explorer.

Magnifier Process Identifier

Tip 8: DLL/Header View – Select a process and press Ctrl+D to show the DLL view in the lower pane. Ctrl+H shows the headers currently accessed by the process. This is helpful for understanding the components used by a process. You can also search for a DLL or a header using the Search option. For example, if your process has ever failed a delete action, searching for 'delete' gives you more information on what gets called and which file your process tried to delete. You can also hover over any process in Process Explorer to see all the Win32 services running in it.

Ctrl+D for DLL View –

Process Explorer - DLL View

Ctrl+H for Header View –

Process Explorer - Headers View

Tip 9: Performance Graphs – Double-clicking the graph in the toolbar opens the performance graph. Red shows kernel mode and green signifies the transition between kernel and user mode. If you are running a multi-core PC, choose 'Show One Graph per CPU'. This helps you manage tasks and also lets you decide whether to set a process's affinity to a single CPU (right-click a process and choose Set Affinity to pick any of the CPUs).

Set Processor Affinity

System Information - Performance Graph

Tip 10: Configure Columns – In the Process Explorer window, right-click a column header and add new columns. To analyze the performance of an executable or process, add Threads, CPU Usage, Context Switch Delta and CPU Cycles Delta. These help you identify which process has more threads and is consuming high CPU. Based on your analysis, you can choose to terminate it to recover system performance.

Process Performance
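The delta columns above are computed by sampling a counter twice and subtracting. This added example (my own script, not code from the article or from Process Explorer) does the same for CPU time: it samples every process, waits, samples again, and ranks processes by the CPU time they consumed in the interval, alongside their thread count. It assumes PowerShell 2.0 or later; processes that start or exit during the interval are simply absent from the result.

```powershell
# Added example (not from the article): per-process CPU delta over a sampling
# interval, the idea behind Process Explorer's CPU Usage / delta columns.
# Assumes PowerShell 2.0+; protected processes whose CPU time cannot be read
# are skipped.
function Get-CpuDeltaReport {
    param([int]$IntervalSeconds = 5)
    $cores = [Environment]::ProcessorCount

    # First sample: total CPU time (user + kernel) in ms, keyed by process id
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime.TotalMilliseconds } catch { }
    }

    Start-Sleep -Seconds $IntervalSeconds

    # Second sample: delta = CPU ms consumed during the interval. The percentage
    # is normalised by interval length and core count, as Task Manager does.
    $rows = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }
        try { $now = $p.TotalProcessorTime.TotalMilliseconds } catch { continue }
        $deltaMs = $now - $before[$p.Id]
        New-Object PSObject -Property @{
            Id      = $p.Id
            Name    = $p.ProcessName
            Threads = $p.Threads.Count
            CpuMs   = [int]$deltaMs
            CpuPct  = [math]::Round(100 * $deltaMs / ($IntervalSeconds * 1000 * $cores), 1)
        }
    }
    $rows | Sort-Object CpuMs -Descending
}

# Top ten CPU consumers over a 5-second window
Get-CpuDeltaReport -IntervalSeconds 5 |
    Select-Object -First 10 |
    Format-Table Id, Name, Threads, CpuMs, CpuPct -AutoSize
```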

Are you aware of any other worthwhile tip on this tool? If yes, drop it in as a comment here and I shall feature it in this article appropriately!

Also read about the other SysInternals Tools here  –

How to Enable Data Collection (RACTask) for Reliability Monitor Tool

Reliability Monitor is an advanced tool that measures hardware and software problems and other changes to your computer. The Reliability Analysis Component (RAC) aggregates, analyzes and correlates problems at the operating system and application levels. The location of the Reliability Monitor data files is stored in the registry. If the monitor does not show you any data, you will need to enable the data collection task.

To learn more about how you can measure hardware and software problems using Reliability Monitor in Windows 7 – read this article

Reliability Monitor uses data provided by the RACTask scheduled task. Reliability Monitor will start displaying a Stability Index rating and specific event information 24 hours after system installation.

The RACTask scheduled task runs by default after the operating system is installed. If it is disabled, it must be enabled manually from the Task Scheduler snap-in for Microsoft Management Console (MMC).

Step 1: Start the Task Scheduler. You can type taskschd.msc in the search box and then press ENTER, or right-click My Computer, select the Manage option, and choose Task Scheduler.

Computer Management

Step 2: In the navigation pane, expand Task Scheduler Library, expand Microsoft, expand Windows, and click RAC.

Choose RAC in Task Scheduler

Step 3: Right-click RAC, click View, and click Show Hidden Tasks.

Show Hidden Tasks for RAC - Task Scheduler

Step 4: Click RACTask in the results pane. On the Action menu, click Enable.

How to Enable Data Collection for Reliability Monitor Tool
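The four steps above, done from an elevated PowerShell prompt with schtasks.exe instead of the Task Scheduler GUI, as an added example (my own script, not from the article). It assumes the task lives at the folder and name the article gives (\Microsoft\Windows\RAC\RACTask) and that schtasks.exe is available, which it is on Windows 7.

```powershell
# Added example (not from the article): check the state of the RACTask
# scheduled task and enable it if it is disabled, using schtasks.exe.
# Assumes an elevated prompt; the task path follows the article's Step 2-4.
# The task is hidden in the GUI but can still be addressed by its full path.
$taskName = '\Microsoft\Windows\RAC\RACTask'

function Get-RacTaskStatus {
    # /FO CSV /V returns a header line plus one verbose record per task,
    # including the 'Scheduled Task State' column (Enabled / Disabled).
    $csv = schtasks.exe /Query /TN $taskName /FO CSV /V 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Task not found or query failed: $csv" }
    $csv | ConvertFrom-Csv | Select-Object -First 1
}

function Enable-RacTask {
    $state = (Get-RacTaskStatus).'Scheduled Task State'
    if ($state -eq 'Enabled') {
        Write-Host "$taskName is already enabled"
        return
    }
    schtasks.exe /Change /TN $taskName /ENABLE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Enabling $taskName failed (is the prompt elevated?)" }
    Write-Host "$taskName enabled; Reliability Monitor will show data once the task has run"
}

Enable-RacTask
```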


Analyze Hardware and Software problems in Windows 7

Reliability Monitor is an advanced tool that measures hardware and software problems and other changes to your computer. This helps IT professionals better manage the stability of machines in their organization. Reliability Analysis Component (RAC) aggregates, analyzes, and correlates problems at the operating system and application levels. It calculates a stability index that indicates overall system stability over time. RAC also keeps track of any important changes to the system that are likely to affect stability, such as Windows updates, application installations, and driver installations.

The Reliability Monitor is intended for advanced computer users, such as software developers and network administrators.

You can invoke Reliability Monitor by typing perfmon /rel and pressing ENTER at the command prompt.

Invoking Reliability Monitor in Windows 7 using Command Prompt

You can also search for Reliability monitor in the Control Panel.

When you click 'View reliability history', you get the dialog below while the report is being refreshed and generated.

Reliability Monitor in Windows 7 - Report Being Generated

This opens Reliability Monitor. Users can view RAC data through Reliability Monitor, which displays the data collected by RAC in a stability chart and correlates the computer's stability index with important events that are likely to affect stability, such as driver failures and software installations.

Reliability Monitor in Windows 7
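The stability chart and the event list that Reliability Monitor draws come from data that is also exposed through WMI. As an added example (my own script, not from the article), the two functions below pull the stability index history and the failure events of the last few days so they can be reviewed or exported without the GUI. It assumes Windows 7 / Server 2008 R2 or later, where the Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords classes exist, and that RACTask has been collecting data.

```powershell
# Added example (not from the article): read Reliability Monitor's underlying
# data from WMI. Assumes Windows 7 or later and PowerShell 2.0+.
function Get-StabilityIndexHistory {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-WmiObject -Class Win32_ReliabilityStabilityMetrics |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time  = $_.ConvertToDateTime($_.TimeGenerated)
                Index = [math]::Round($_.SystemStabilityIndex, 2)   # 1 (worst) .. 10 (best)
            }
        } |
        Where-Object { $_.Time -ge $since } |
        Sort-Object Time
}

function Get-ReliabilityFailures {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # SourceName identifies the originating log; these three are the crash,
    # hang and error-report sources shown as failures in the chart.
    Get-WmiObject -Class Win32_ReliabilityRecords |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.ConvertToDateTime($_.TimeGenerated)
                Source  = $_.SourceName
                Product = $_.ProductName
                Message = $_.Message
            }
        } |
        Where-Object { $_.Time -ge $since -and
                       $_.Source -match 'Application Error|Application Hang|Windows Error Reporting' } |
        Sort-Object Time -Descending
}

Get-StabilityIndexHistory -Days 7 | Format-Table Time, Index -AutoSize
Get-ReliabilityFailures  -Days 7 | Format-Table Time, Source, Product, Message -Wrap
```

A stability index that drops at the same time as a cluster of failure records points to the same correlation the GUI shows as a red X under a dip in the chart.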

When you double-click any of the events, it gives you detailed information on how that event occurred. For example, I see a WindowsExplorer event whose summary says 'User canceled a hung navigation'. When I double-click it, you can see the detailed information below.

WindowsExplorer Hung Error Information

Another example, for a successful message – let us look at the details of the VirtualBox USB Driver Installation message.

Reliability Monitor in Windows 7 - View Technical Details and Summary

Reliability Monitor in Windows 7 - View Technical Details of Virtual Box Error

If an application event triggers an error, you can check for a solution online and also send the report to Microsoft. If a solution is not found online, it will appear in the Action Center when the information becomes available later.

In Windows 7, Reliability Monitor uses data provided by RACTask (the Reliability Analysis Component scheduled task). Once enabled, the tool starts displaying a Stability Index rating and specific event information 24 hours after system installation. Find the detailed instructions on how to enable this task.