Ms process explorer 11/23/2023

I've already mentioned that Mark Russinovich's wonderful Process Explorer program makes it trivial to find which instance of DLLHOST.EXE has a particular DLL loaded and to determine whether you have relocated DLLs in a process. However, there's so much more to Process Explorer, such as being an outstanding debugging tool, and I want to take a moment to discuss some of its excellent features.

By default, Process Explorer updates periodically, just like Task Manager. Although this updating is great for general monitoring, it can make you miss some details when debugging. It's best to set Process Explorer to manual updating by selecting the View menu, and then setting Update Speed to Paused.

Probably the best way to show you the power of Process Explorer is to run through a little demonstration. You might want to follow along so that you can see the tool in action. The first step is to start Process Explorer followed by NOTEPAD.EXE because I'll use it for the demonstration. Set Process Explorer to manual updating by selecting the View menu, and then setting Update Speed to Paused.

The first trick you can perform with Process Explorer is determining which DLLs are coming into your address space because of a particular operation. In Process Explorer, press F5 to refresh the display, select the instance of NOTEPAD.EXE you started up a moment ago, and then press Ctrl+D to change the view to show the DLLs for Notepad. Activate Notepad and select Open from Notepad's File menu. Leave the Open dialog box open in Notepad and switch back to Process Explorer. Press F5 to refresh Process Explorer's display and you'll see a bunch of lines appear in green in NOTEPAD.EXE's DLL view, as shown in Figure 14-2. The green indicates which DLLs came into the address space since the last refresh. Of course, you can also see which DLLs leave the address space by switching back to Notepad and closing the Open dialog box, returning to Process Explorer, and refreshing the display with F5. All DLLs that have left the address space are shown in red. This ability to quickly see what's coming into and out of your processes is very helpful in determining what's causing module loads and unloads. An added benefit is that the color highlighting showing what's been loaded and unloaded also applies to the EXE listing in the upper half of the Process Explorer display.

Figure 14-2: DLL view for Process Explorer showing new DLLs added to the Notepad process

Process Explorer's second trick lets you peek at all sorts of excellent information about a process simply by double-clicking it. The dialog box that pops up shows you four or five tabs depending on the process. The first tab, Image, shows you information such as the path and current directory for the process, and offers a button to let you kill the process. The second tab, Performance, shows you the important performance data related to the CPU, memory, I/O, and GDI handles. The third tab, Security, shows you security information such as the groups for the process and the access it has been granted. If the process is a Microsoft Win32 service or host, the Services tab shows you the names of the particular services running in that process. The final tab, Environment, lists the environment variables active for that process. Using the Security and Environment tabs, I've tracked down some very interesting problems related to security programming because Process Explorer is about the only tool that makes this information easy to see.

The final trick with Process Explorer lets you see which handles are currently open for any process! I've utilized this feature to track down many different handle problems in the past. In Process Explorer, press Ctrl+H to change the bottom half of the display to handle viewing. The first column displayed is the handle value, and the second column is the type of handle (see the explanation in Chapter 8 in the discussion of !handle).
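The DLL-view demonstration above (green for DLLs loaded since the last refresh, red for DLLs unloaded) can be approximated from a script, which is handy when you want to record what an operation pulls into a process rather than eyeball it. This PowerShell is an added example, not code from the book or from Sysinternals; it assumes the classic notepad.exe is what starts and that PowerShell runs with the same bitness as Notepad so Get-Process can read its module list.

```powershell
# Added example, not from the book: approximate Process Explorer's green/red DLL
# highlighting by diffing a process's loaded-module list between two snapshots.
# Assumes the classic notepad.exe and a PowerShell session of the same bitness.

function Get-ModuleSnapshot {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Full paths of every module currently mapped into the process.
    (Get-Process -Id $ProcessId).Modules.FileName | Sort-Object -Unique
}

function Compare-ModuleSnapshot {
    param([string[]]$Before, [string[]]$After)
    # Loaded   = present now but not before (what Process Explorer shows in green).
    # Unloaded = present before but gone now (what Process Explorer shows in red).
    [pscustomobject]@{
        Loaded   = @($After  | Where-Object { $Before -notcontains $_ })
        Unloaded = @($Before | Where-Object { $After  -notcontains $_ })
    }
}

# Mirror the chapter's walkthrough: start Notepad, snapshot, open File > Open,
# snapshot again, then close the dialog and snapshot a third time.
$notepad = Start-Process -FilePath notepad.exe -PassThru
Start-Sleep -Seconds 2                      # let the process finish initializing

$before = Get-ModuleSnapshot -ProcessId $notepad.Id
Read-Host 'In Notepad choose File > Open, leave the dialog up, then press Enter' | Out-Null
$after  = Get-ModuleSnapshot -ProcessId $notepad.Id
$diff   = Compare-ModuleSnapshot -Before $before -After $after
Write-Host 'DLLs loaded by the Open dialog (green in Process Explorer):'
$diff.Loaded

Read-Host 'Close the Open dialog, then press Enter' | Out-Null
$later  = Get-ModuleSnapshot -ProcessId $notepad.Id
$diff2  = Compare-ModuleSnapshot -Before $after -After $later
# On current Windows versions many of these DLLs stay resident, so this list may
# be short or empty even though Process Explorer showed them in green earlier.
Write-Host 'DLLs unloaded after closing the dialog (red in Process Explorer):'
$diff2.Unloaded
```

The same two functions work against any process ID, so the snapshot-and-diff can be wrapped around whatever operation you suspect of triggering module loads or unloads.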