Regardless of how well you maintain your PC, some problems will crop up again and again. The hard drive may start thrashing even though you're not running any applications, for instance. You may find your PC suddenly slows to a crawl for no apparent reason, or maybe it's become unreliable, locking up or crashing and you don't know why.

A good first place to look is Task Manager, which delivers a quick overview of the processes running on your PC and what they're doing. But we think there's an even better option. Process Hacker is a free, open-source tool that's packed with features to help you monitor your PC, uncover problems, detect malware and more. We think it deserves a place in every PC user's troubleshooting toolkit: read on to find out why.

Basic monitoring

Launch Process Hacker and you'll immediately see a long list of everything running on your system. (Well, almost everything: click 'Hacker | Show Details For All Processes' to get the security rights for full access.)

The program can display up to 40 details for each process, too, although we'd recommend you're a little more selective. Right-click a column header, click 'Select Columns' and pick at least one of the following: Name, PID (Process ID), Pvt Memory, Working Set, CPU, I/O Total, Username, Description, Handles, Start Time (Relative), CPU History and I/O History. Click 'OK' when you're done.

Viewing these columns alone can be enough to diagnose many PC problems. I/O History, for instance, features a tiny graph that shows how each process is reading from and writing to your system's devices. If there's a lot of hard drive or network activity then these graphs should immediately identify the culprit. Checking the CPU History does a similar job for processor use, showing you what's been making heavy demands on your CPU over the past few minutes.

The Pvt Memory (Private Memory) column is generally the best measure of how much RAM a particular program is using.
Click its header to sort the list into ascending or descending order. This is a quick way to identify what's gobbling up most of your valuable RAM.

The Handles column is a measure of how many Windows objects a process has open (windows, files, Registry keys and so on). If this value keeps increasing for a particular process then it may have a resource leak, where it's grabbing new handles but not closing the old ones. If this carries on then your PC will start behaving oddly and eventually crash. The precise point of failure will vary greatly depending on your Windows version and how it's configured, but we'd pay extra attention to anything using more than 20,000 handles and be highly suspicious of a total that has passed 100,000.

Clicking the Network tab reveals all the internet connections that your processes have open right now. If your internet connection seems slow then look for connections with a state marked 'Established': these are the ones that are open. If you're worried about malware then look for 'Listening' connections: these are programs that are waiting to hear from someone else. Don't jump to conclusions, though; lots of programs have listening TCP/IP connections for perfectly legitimate reasons.

Detective work

The main Process Hacker interface might have told you that a particular program is making heavy use of the hard drive or network, for example, but if you don't recognise its name, you'll want to know more. What is this program, and what is it doing? There are several techniques you can apply to find out more.

An obvious starting point is to search for the program's name using Google. There's no need to do this manually; just right-click the process and select 'Search Online', and a browser window will open with search results.

If the web tells you nothing useful, right-click the process name, select 'Properties' and click the General tab.
The 'Image File Name' box will give you the folder name where the process is located, which might give you a clue as to its purpose. Be aware, however, that malware authors may replace an existing executable or save their creation in the Windows folder to try to avoid suspicion.

Clicking the Handles tab (still within the Properties box) will display all the files, Registry keys and other Windows objects that the process has open, which is often a useful clue as to what it's doing.

The Threads tab can be even more informative. It'll show you all the threads that the process has open (a thread being a Windows object that runs executable code), and the Start address will often tell you the functions it's using. Even if the process 'iTunesHelper.exe' on our test PC had an anonymous name, for instance, the fact that its Threads tab showed QuickTime and 'iTunesMobileDevice.dll' would give you a good idea about where it belonged.

In addition, going to 'Process | Inspect Image File | Imports' displays a list of Windows functions that the program may be using. This can be very technical, but not always. Do this with iTunesHelper.exe, say, and you'll see it references 'WININET.DLL', along with functions such as 'InternetOpenA', 'InternetConnectA' and 'InternetReadFile'. Even if you've never done any Windows programming, it's obvious that these functions relate to internet communications, so it's clear that the program may try to go online to send or receive information.

Be careful how you interpret this information, though. A program may reference WININET.DLL functions but never use them, or list internet functions but never go online. Another may not reference them, but make an internet connection in a different way. Thus the Imports list only gives you a rough idea about the program's purpose.

Could your mystery program be malware that's found a way through your antivirus defences? To find out, we start with some of the Process Hacker tests we've applied already.
Either click the Network tab to see if the process is making a connection online, or right-click the process, select 'Properties | Handles' and check to see which files and Registry keys it's watching.

Next, try right-clicking the process, selecting 'Properties' and clicking the Memory tab. This will not only show you the various blocks of RAM owned by the process, but also let you search them. Choose 'String Scan' in the Search box and Process Hacker will browse through each memory block and report any ASCII strings that it finds. If a program has, say, been secretly collecting credit card numbers or reading important files, you may see the results show up here. You may also see interesting blocks of data that are part of the program's code: Registry keys it browses, filenames it's looking for, URLs it may try to reach or even prompts to be displayed later. This catch-all nature makes memory searches handy for exploring legitimate programs, too. Unfortunately, malware developers can use tricks to conceal information from memory scans.

If all else fails, use your antivirus software to scan the file. Right-click the mystery process, select 'Miscellaneous | Upload to VirusTotal' and the program will immediately send the file to www.virustotal.com, where it'll be scanned by around 40 antivirus tools. A browser window will open to let you know the result.

Some malware will attempt to avoid detection entirely by hiding its processes, but Process Hacker can be useful here, too. Click 'Tools | Hidden Processes' and then 'Scan', and the program will apply a simple but effective technique to find some hidden processes. If it doesn't find anything, choose the 'Brute Force' option and click 'Scan' again. This isn't particularly advanced technology and is no substitute for a specialist rootkit detection tool, but it's quick and worth a try if you suspect possible infection.
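The String Scan described above is worth understanding in a little more depth, because its caveat (that malware can hide information from memory scans) follows directly from how the scan works: it can only report runs of printable characters that are sitting in memory as plain text. The following Python script is an added example written for this page, not code from the article or from Process Hacker. It assumes a memory block has already been read out as bytes (a constructed sample is embedded, and the URL, Registry key and path in it are made up), reports the printable ASCII and UTF-16LE runs it contains, and triages them into URLs, Registry keys and file paths. The XOR-obfuscated string in the sample never shows up, which is exactly the limitation the article warns about.

```python
import re
from collections import defaultdict

# Constructed sample memory block (not from the article): binary filler, an
# ASCII URL, a Registry key, a string too short to report, a UTF-16LE file
# path, and an XOR-obfuscated string that a plain string scan will not recover.
XOR_KEY = 0xAA
SAMPLE_BLOCK = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"http://update.example.invalid/check\x00"
    + b"\x7f\x80\xff\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00\x00"
    + "C:\\Users\\Public\\notes.txt".encode("utf-16-le") + b"\x00\x00"
    + bytes(c ^ XOR_KEY for c in b"hidden-control-string")
)


def scan_strings(block: bytes, min_len: int = 4) -> list[tuple[int, str, str]]:
    """Extract printable runs of at least min_len characters from a memory
    block, as (offset, encoding, text) sorted by offset. Both plain ASCII and
    UTF-16LE (the 'wide' strings Windows programs use) are reported."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(block)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(block)]
    return sorted(found)


def classify(text: str) -> str:
    """Rough triage of a recovered string into the kinds the article mentions."""
    t = text.lower()
    if t.startswith(("http://", "https://")):
        return "url"
    if t.startswith(("hklm\\", "hkcu\\", "software\\", "system\\")):
        return "registry"
    if re.match(r"^[a-z]:\\", t):
        return "path"
    return "other"


def summarize(block: bytes, min_len: int = 4) -> dict[str, list[str]]:
    """Group every recovered string by category."""
    groups: dict[str, list[str]] = defaultdict(list)
    for _, _, text in scan_strings(block, min_len):
        groups[classify(text)].append(text)
    return dict(groups)


if __name__ == "__main__":
    for offset, enc, text in scan_strings(SAMPLE_BLOCK):
        print(f"{offset:6d} {enc:8s} {classify(text):8s} {text}")
    # The XOR-obfuscated string is never listed: only printable runs are seen.
```

Process Hacker's own scan also lets you choose a minimum length; raising it cuts down the noise from short accidental runs of printable bytes, at the cost of missing genuinely short strings. Run the script as-is to see the three recovered strings and note that nothing from the obfuscated tail appears.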
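The Handles column advice in the 'Basic monitoring' section is easy to turn into an automated check, which matters because a leak only shows itself over time and a single glance at the column can miss it. The script below is an added example for this page, not code from the article or from Process Hacker. It assumes handle counts have been sampled at regular intervals and logged as simple key=value lines (a constructed sample is embedded; the PIDs and process names in it are made up), and it flags both the article's absolute thresholds of 20,000 and 100,000 and a strictly rising count, which is the leak pattern the article describes.

```python
# Constructed samples (not real data): one line per process per polling
# interval, in the shape a small monitoring script might log. 't' is the
# sample index and 'handles' the value of Process Hacker's Handles column.
SAMPLE_LOG = """\
t=0 pid=1234 name=explorer.exe handles=1200
t=0 pid=4321 name=leaky.exe handles=1000
t=0 pid=777 name=bigapp.exe handles=25000
t=0 pid=999 name=runaway.exe handles=95000
t=1 pid=1234 name=explorer.exe handles=1210
t=1 pid=4321 name=leaky.exe handles=1400
t=1 pid=777 name=bigapp.exe handles=25010
t=1 pid=999 name=runaway.exe handles=99000
t=2 pid=1234 name=explorer.exe handles=1205
t=2 pid=4321 name=leaky.exe handles=1800
t=2 pid=777 name=bigapp.exe handles=24990
t=2 pid=999 name=runaway.exe handles=103000
t=3 pid=1234 name=explorer.exe handles=1198
t=3 pid=4321 name=leaky.exe handles=2200
t=3 pid=777 name=bigapp.exe handles=25005
t=3 pid=999 name=runaway.exe handles=107000
"""

WATCH_THRESHOLD = 20_000     # the article's "pay extra attention" level
SUSPECT_THRESHOLD = 100_000  # the article's "highly suspicious" level


def parse_samples(text):
    """Turn 'key=value' log lines into (t, pid, name, handles) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        rows.append((int(fields["t"]), int(fields["pid"]),
                     fields["name"], int(fields["handles"])))
    return rows


def assess(rows, min_samples=4, min_growth=50):
    """Per PID, flag the absolute thresholds and a strictly rising handle
    count whose average step is at least min_growth. Returns {pid: [flags]}.
    A count that wobbles up and down is normal churn, not a leak."""
    series = {}
    for t, pid, _name, handles in rows:
        series.setdefault(pid, []).append((t, handles))
    verdicts = {}
    for pid, points in series.items():
        counts = [h for _, h in sorted(points)]
        flags = []
        latest = counts[-1]
        if latest > SUSPECT_THRESHOLD:
            flags.append("over-100k")
        elif latest > WATCH_THRESHOLD:
            flags.append("over-20k")
        if len(counts) >= min_samples:
            steps = [b - a for a, b in zip(counts, counts[1:])]
            if all(s > 0 for s in steps) and sum(steps) / len(steps) >= min_growth:
                flags.append("monotonic-growth")
        verdicts[pid] = flags
    return verdicts


def flagged(rows):
    """Only the PIDs that earned at least one flag, in PID order."""
    return sorted(pid for pid, flags in assess(rows).items() if flags)


if __name__ == "__main__":
    names = {pid: name for _, pid, name, _ in parse_samples(SAMPLE_LOG)}
    for pid, flags in assess(parse_samples(SAMPLE_LOG)).items():
        print(f"{pid:>6} {names[pid]:<14} {', '.join(flags) or 'ok'}")
```

In the sample, explorer.exe drifts up and down and is left alone, leaky.exe climbs by 400 handles every interval and is flagged as a probable leak, bigapp.exe sits steadily above 20,000 and only earns the watch flag, and runaway.exe is both past 100,000 and still growing. The minimum step of 50 handles per interval is a constructed tuning knob, not a figure from the article; set it to whatever your polling interval makes sensible.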
Take action

So far, we've focused on Process Hacker's monitoring tools, which tell you about the processes running on your PC. However, it also has some useful ways to interact with those processes that can help you manage your PC.

If a particular process is consuming an unusually large amount of RAM, for instance, right-click it and select 'Reduce Working Set', and Process Hacker will ask Windows to trim this down to something more manageable. This isn't a magic bullet, and if the process is actively using that RAM then the Working Set figure will start to grow again and quickly be back where it was, but it's worth a try.

Sometimes processes do much more than hog memory, grabbing all your CPU time and interfering with other applications. In this case, we'd try right-clicking the process, selecting 'Affinity' and ensuring only one box is checked. This restricts the process to one CPU core, leaving the others available for everything else. You could also try right-clicking the process, selecting 'Priority' and reducing its priority a little: below Normal is best, but Idle will do if all else fails. The program will continue to run, but Windows will allocate it less CPU time overall, so it shouldn't interfere with other applications.

If a program is out of control or is unresponsive, then you may want to close it down. Right-click the process name and select 'Terminate Process' to close the process alone, or select 'Terminate Process Tree' to close it and any other processes it's launched. But be careful! Closing a system process could lock up your PC, and selecting 'Terminate Process Tree' for Explorer.exe will also close all the processes it's launched, including all your Windows start-up programs.

Occasionally, a program will lock up so completely that the regular Terminate option won't work. You'll probably have come across similar situations before, when even the Task Manager 'End Process' option won't kill a particular program.
Luckily, Process Hacker has an extra function that just might do the job. Right-click the process, select 'Terminator | Run' and Process Hacker will apply up to 16 ingenious methods to close it down and clean up afterwards.

It's a powerful feature-set, and if Process Hacker works for you then there's an easy way to ensure it's always quickly available. Click 'Hacker | Options | Advanced', check 'Replace Task Manager with Process Hacker' and click 'OK'. Pressing [Ctrl]+[Shift]+[Esc] will now launch Process Hacker, making it easy to monitor everything running on your PC.