PID & Process Name
We can use a tool from the Sysinternals PsTools suite called pslist.exe to obtain the CPU time of each process and the time elapsed since it started.
c:\Tools>PsList.exe
pslist v1.29 - Sysinternals PsList
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals
Process information for BALA-PC:
Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
Idle 0 0 1 0 0 0:44:19.103 0:00:00.000
System 4 8 92 380 0 0:01:06.645 0:52:29.643
smss 384 11 4 28 248 0:00:00.250 0:52:29.633
csrss 452 13 11 487 1528 0:00:01.772 0:52:25.607
wininit 496 13 3 97 1064 0:00:00.530 0:52:23.394
csrss 504 13 9 242 2472 0:00:25.857 0:52:23.374
winlogon 532 13 3 133 1976 0:00:01.141 0:52:22.532
services 568 9 5 225 1880 0:00:03.485 0:52:21.471
lsass 580 9 10 569 2916 0:00:02.824 0:52:21.321
We can also use PrcView from the following link to get similar information.
http://www.teamcti.com/pview/prcview.htm
c:\Tools>pv
taskeng.exe 2556
Dwm.exe 728
Explorer.EXE 2840
MSASCui.exe 2956
VBoxTray.exe 2960
sidebar.exe 2792
wuauclt.exe 2872
cmd.exe 3660
wsqmcons.exe 3312
PrcView.exe 3652
pv.exe 3960
c:\Tools>PrcView.exe
Memory Usage
We can see the memory usage of the system by using the tasklist command.
c:\Tools>tasklist
pstat can also give similar information in more detail.
http://support.microsoft.com/kb/927229
Linking Running Processes with Executables
This is easily accomplished with PrcView using the -e switch. We can also do the same with the CurrProcess tool.
http://www.nirsoft.net/utils/cprocess.html
Linking Processes on the Computer with Users
We can use a simple command such as tasklist -V or pulist to accomplish this.
c:\Tools>tasklist -V > c:\Tools\out.txt
We can alternatively use pulist from http://207.46.19.190/downloads/details.aspx?FamilyID=9b9da78d-f7d1-4b8a-8a31-3bb725c7a069&displaylang=en
c:\Tools>pulist.exe
Process PID User
Idle 0
System 4
smss.exe 384
csrss.exe 452
wininit.exe 496
csrss.exe 504
winlogon.exe 532
services.exe 568
lsass.exe 580
SearchIndexer.exe 208
eeyeevnt.exe 2296
taskeng.exe 2556 Bala-PC\Bala
dwm.exe 728 Bala-PC\Bala
explorer.exe 2840 Bala-PC\Bala
MSASCui.exe 2956 Bala-PC\Bala
VBoxTray.exe 2960 Bala-PC\Bala
sidebar.exe 2792 Bala-PC\Bala
wuauclt.exe 2872 Bala-PC\Bala
cmd.exe 3660 Bala-PC\Bala
cmd.exe 2596
wsqmcons.exe 3312 Bala-PC\Bala
PrcView.exe 3652 Bala-PC\Bala
WmiPrvSE.exe 2604
pulist.exe 3136 Bala-PC\Bala
c:\Tools>
Child Processes
If we need to see all the child processes spawned by another process, we can use pslist with the -t switch.
Command-Line Switches to an Executable
If we want to see the command-line switches provided to an executable, we can use tools such as PrcView with the -l switch or the cmdline tool developed by diamondcs.com.au.
Dependencies Loaded by Running Processes
We can make use of a tool called listdlls.exe from Microsoft to accomplish the same.
http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx
The pv command can also pull out the same details with the -m switch.
c:\Tools>pv -m cmd.exe
Module information for 'cmd.exe'(3660)
MODULE BASE SIZE PATH
cmd.exe 4a750000 327680 C:\Windows\System32\cmd.exe
ntdll.dll 76f80000 1212416 C:\Windows\system32\ntdll.dll
kernel32.dll 76cd0000 897024 C:\Windows\system32\kernel32.dll
ADVAPI32.dll 76b60000 811008 C:\Windows\system32\ADVAPI32.dll
RPCRT4.dll 76220000 794624 C:\Windows\system32\RPCRT4.dll
msvcrt.dll 76760000 696320 C:\Windows\system32\msvcrt.dll
apphelp.dll 75430000 180224 C:\Windows\system32\apphelp.dll
USER32.dll 76c30000 643072 C:\Windows\system32\USER32.dll
GDI32.dll 770e0000 307200 C:\Windows\system32\GDI32.dll
IMM32.DLL 770b0000 122880 C:\Windows\system32\IMM32.DLL
MSCTF.dll 76810000 819200 C:\Windows\system32\MSCTF.dll
LPK.DLL 76440000 36864 C:\Windows\system32\LPK.DLL
USP10.dll 76540000 512000 C:\Windows\system32\USP10.dll
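The facts gathered above with pslist, pulist, PrcView -l, pslist -t and pv -m can be collected from one place with built-in PowerShell cmdlets, which is handy on a host where third-party tools cannot be copied in. This is an added example, not part of the original post or any of the tools it describes; it assumes Windows PowerShell 5.1 or later and an elevated prompt (without elevation the owner of system processes cannot be read, which is why pulist shows no user for those rows).

```powershell
# Added example (not from the original post): pslist/pulist/PrcView-style process
# view with Win32_Process. Assumes Windows PowerShell 5.1+, run elevated.

function Format-Span([TimeSpan]$ts) {
    # pslist-style h:mm:ss.fff; hours do not wrap at 24
    '{0}:{1:D2}:{2:D2}.{3:D3}' -f [int][math]::Floor($ts.TotalHours), $ts.Minutes, $ts.Seconds, $ts.Milliseconds
}

function Get-LiveProcessView {
    param([string]$Name = '*')   # e.g. 'cmd.exe'; default lists every process
    $now = Get-Date
    Get-CimInstance -ClassName Win32_Process | Where-Object { $_.Name -like $Name } | ForEach-Object {
        $owner = ''
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }   # empty when access is denied
        # KernelModeTime/UserModeTime are 100 ns ticks; elapsed comes from CreationDate
        $cpu = [TimeSpan]::FromTicks([int64]$_.KernelModeTime + [int64]$_.UserModeTime)
        $elapsed = if ($_.CreationDate) { $now - $_.CreationDate } else { [TimeSpan]::Zero }
        [pscustomobject]@{
            Name = $_.Name; PID = $_.ProcessId; PPID = $_.ParentProcessId; Owner = $owner
            CPUTime = (Format-Span $cpu); Elapsed = (Format-Span $elapsed)
            Path = $_.ExecutablePath; CommandLine = $_.CommandLine   # tasklist -V / PrcView -l
        }
    }
}

function Show-ProcessTree {
    # pslist -t equivalent: indent each process under its parent; orphans (parent exited)
    # and the self-parented Idle process are printed as roots
    param([object[]]$Procs, [int]$Parent = -1, [int]$Depth = 0)
    $pids = $Procs.PID
    $children = if ($Parent -lt 0) { $Procs | Where-Object { $_.PPID -eq $_.PID -or $_.PPID -notin $pids } }
                else { $Procs | Where-Object { $_.PPID -eq $Parent -and $_.PID -ne $Parent } }
    foreach ($p in $children | Sort-Object PID) {
        '{0}{1} ({2}) {3}' -f ('  ' * $Depth), $p.Name, $p.PID, $p.Owner
        Show-ProcessTree -Procs $Procs -Parent $p.PID -Depth ($Depth + 1)
    }
}

function Get-LoadedModules([int]$ProcessId) {
    # pv -m / listdlls equivalent: module name, base address, size and path
    (Get-Process -Id $ProcessId).Modules | Select-Object ModuleName,
        @{n = 'Base'; e = { '{0:x8}' -f $_.BaseAddress.ToInt64() } },
        @{n = 'Size'; e = { $_.ModuleMemorySize } }, FileName
}

$view = Get-LiveProcessView
$view | Sort-Object PID | Format-Table Name, PID, PPID, Owner, CPUTime, Elapsed -AutoSize
Show-ProcessTree -Procs $view
Get-LoadedModules -ProcessId $PID | Format-Table -AutoSize   # $PID is this PowerShell session
```

A PID whose parent has already exited shows up as a tree root, and a reused PID can make an unrelated process appear as a parent, so compare CreationDate before trusting a parent/child link.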