Windows: Internals – Visibility into processes

Any Windows Administrator worth their salt will eventually have a requirement to use Microsoft’s Debugging Tools for Windows (unless their employers don’t mind them squashing & redeploying machines in the event of a BSOD/ASR).

A quick search on your favourite search engine or the Microsoft site for Debugging Tools for Windows will provide you with a link to the debugging tools download page where you can select current or previous versions depending on the platform you’re troubleshooting.

I have often needed to examine certain processes while performing analysis of resource issues.  I’ll cover quite a few utilities that I use for this in the future, but this post will be dedicated to the Task List Viewer utility: TList.exe.

TList is a CLI utility (I much prefer working in the CLI rather than the GUI) that can be used to gather information about processes running on a computer.

The following TList option displays a process tree that shows processes as the children of the process that created them.

c:\>tlist /t
System Process (0)
System (4)  
  smss.exe (404)    
    csrss.exe (452)    
    winlogon.exe (476) NetDDE Agent      
      services.exe (520)        
        svchost.exe (700)        
        svchost.exe (724)        
        svchost.exe (864)        
        svchost.exe (888)        
        spoolsv.exe (996)        
        scardsvr.exe (1040)        
        alg.exe (1172)        
        tievxx.exe (1200) ATI video bios poller        
        InoRpc.exe (1248)        
        InoRT.exe (1264)        
        InoTask.exe (1308)        
        mdm.exe (1392)        
        dllhost.exe (2780)      
  lsass.exe (532)      
  rundll32.exe (500)
explorer.exe (328) Program Manager  
  WLANMON.exe (1728) TI Wireless LAN Monitor  
  ISATRAY.EXE (1712) IsaTray
  cmmon32.exe (456)  
  WINWORD.EXE (844) Tlist.doc - Microsoft Word
  explore.exe (2096) Platform SDK - CreateThread
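
As an added example (not part of the original post or of the Debugging Tools), the following Python parses `tlist /t` output into explicit parent PIDs so that a process's ancestry can be checked in a script during triage. The function names are hypothetical, and the sample is an excerpt of the listing above.

```python
import re

# Excerpt of the `tlist /t` listing shown above (indentation marks parentage).
SAMPLE = """\
System Process (0)
System (4)
  smss.exe (404)
    csrss.exe (452)
    winlogon.exe (476) NetDDE Agent
      services.exe (520)
        svchost.exe (700)
        spoolsv.exe (996)
explorer.exe (328) Program Manager
  WINWORD.EXE (844) Tlist.doc - Microsoft Word
"""

# indent, image name (may contain spaces), PID in parentheses, optional window title
LINE_RE = re.compile(r"^(\s*)(.+?) \((\d+)\)\s*(.*)$")

def parse_tlist_tree(text):
    """Return {pid: {"name", "title", "ppid"}}; ppid is None for top-level entries."""
    procs, stack = {}, []          # stack holds (indent_width, pid) of open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue               # skip the prompt line and blank lines
        indent, name, pid, title = len(m.group(1)), m.group(2), int(m.group(3)), m.group(4)
        while stack and stack[-1][0] >= indent:
            stack.pop()            # close siblings and deeper branches
        procs[pid] = {"name": name, "title": title,
                      "ppid": stack[-1][1] if stack else None}
        stack.append((indent, pid))
    return procs

def ancestry(procs, pid):
    """Names from the top-level ancestor down to the given PID."""
    chain = []
    while pid is not None:
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain[::-1]

if __name__ == "__main__":
    tree = parse_tlist_tree(SAMPLE)
    for pid in (996, 844):
        print(pid, " > ".join(ancestry(tree, pid)))
```

The parser compares indent widths rather than assuming a fixed step, so it tolerates listings whose indentation is uneven.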

TList can search for processes by name, PID or even patterns if you’re not sure of the process name.  It can also provide a wealth of information about processes such as which DLL or which module was loaded by which processes.

A full listing of TList command line switches can be found here.

NB: It should be noted that processes are not programs.  In Windows Internals 4th edition Mark Russinovich & David Solomon (men who know!) state that a process is a container for a set of resources, specifically:

  • Private virtual address space,
  • An executable program,
  • A list of open handles to system resources,
  • An access token and
  • A process ID.