What is the best way to identify unknown processes on Windows?

How do you typically identify processes in Windows' Task Manager when troubleshooting a problematic system?

It's easy enough to get a list of tasks via Task Manager, but how do you determine which ones should stay and which are candidates for removal?


Solution 1:

I typically use a combination of two tools when I'm doing this.

First, Process Explorer, which is basically Task Manager on crack. I really don't know why Microsoft doesn't just replace one with the other. This application will tell you what processes are running, whether they are a sub-process of another, who the owner of the process is, what files are in use by that process, the time at which it started, its path, etc. There is very little that this tool won't tell you at a basic level. It even has built-in Google searching for looking up further info on the internet about a process.

Second is Process Explorer's close cousin, Process Monitor. Process Monitor is similar to Process Explorer, only it shows you much more verbose information about what a process is doing. This tool will show what files and registry keys a process is trying to read/delete/modify, and what is being written to the registry/file system whenever changes are made. Because this one is so much more verbose, I have to warn you to use caution if you are trying to use it on an older/weaker computer, as it may crash the system due to overload. You can, however, apply filters to help limit the amount of output which comes out of it, which is probably the preferred way, since this tool really shows you too much when the view is not filtered to hide whatever is not related to your troubleshooting.
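The fields the answer above lists for Process Explorer (parent process, owner, start time, path) can be pulled in one pass from PowerShell, with two checks Process Explorer also offers in its columns: the Authenticode signature status of the image and its SHA-256 hash, so an unfamiliar name can be looked up by hash rather than by guesswork. This is an added example, not code from the answer or from Sysinternals; the function name, the report path and the "user-writable directory" heuristic are my own choices. Run it from an elevated prompt, otherwise the path and owner of other users' processes come back empty.

```powershell
# Added example: a triage pass over every running process, collecting the
# Process Explorer-style columns plus signature status and SHA-256 hash.
# Assumptions: Windows PowerShell 4+ or PowerShell 7 on Windows, elevated.

function Get-ProcessTriage {
    [CmdletBinding()]
    param(
        # Constructed default location for the CSV report.
        [string]$ReportPath = (Join-Path $env:TEMP 'process-triage.csv')
    )

    # Win32_Process carries ParentProcessId, ExecutablePath and CreationDate,
    # i.e. what Process Explorer's tree, Path and Start Time columns show.
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # Heuristic, not a rule: an image started from a location ordinary users
    # can write to deserves a second look.
    $userWritable = @($env:USERPROFILE, $env:ProgramData, $env:PUBLIC) | Where-Object { $_ }

    $rows = foreach ($p in $procs) {
        # Owner is exposed through the GetOwner() method, not a property.
        $ownerInfo = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        $owner = if ($ownerInfo -and $ownerInfo.User) { '{0}\{1}' -f $ownerInfo.Domain, $ownerInfo.User } else { '(unknown)' }

        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '(exited or none)' }

        # Signature and hash need a readable image path; protected processes
        # and access-denied cases leave ExecutablePath empty.
        $sig = 'n/a'; $hash = 'n/a'
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $s = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
            if ($s) {
                $sig = $s.Status.ToString()
                if ($s.SignerCertificate) { $sig += ' (' + $s.SignerCertificate.Subject + ')' }
            }
            $h = Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { $hash = $h.Hash }
        }

        # Flags are what a human would eyeball first in Process Explorer.
        $flags = @()
        if (-not $p.ExecutablePath) {
            $flags += 'no-path'
        } else {
            foreach ($dir in $userWritable) {
                if ($p.ExecutablePath.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'user-writable-dir'; break
                }
            }
        }
        if ($sig -ne 'n/a' -and $sig -notlike 'Valid*') { $flags += 'unsigned-or-invalid' }

        [pscustomobject]@{
            PID       = $p.ProcessId
            Name      = $p.Name
            ParentPID = $p.ParentProcessId
            Parent    = $parentName
            Owner     = $owner
            Started   = $p.CreationDate
            Path      = $p.ExecutablePath
            Signature = $sig
            SHA256    = $hash
            Flags     = ($flags -join ',')
        }
    }

    $rows | Export-Csv -NoTypeInformation -Path $ReportPath
    $rows
}

# Flagged processes first; the full table goes to the CSV for later lookup.
$triage = Get-ProcessTriage
$triage | Where-Object { $_.Flags } | Sort-Object Path |
    Format-Table PID, Name, Parent, Owner, Path, Flags -AutoSize
```

The SHA256 column is the thing to search for (or submit to a multi-engine scanner) when the name tells you nothing; a process whose image is unsigned and lives under a profile directory is not necessarily malicious, but it is the one to trace with Process Monitor next.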

Solution 2:

  1. Google
  2. HijackThis; take the log to hijackthis.de
  3. Process Monitor
  4. Process Explorer; this has a host of information, including whether it's packed

Solution 3:

Start with anything using a lot of memory or CPU time.

Solution 4:

For any new server, take time to work out what happens during normal use. Only then will you be able to identify what's not right.

Most server-affecting issues are visible on the Performance tab, so start there and then drill down. Alternatively, start at the top of the Application and System event logs. Until you become familiar with them, you may have to Google these to determine if they're extraordinary.

As a general rule, most failing processes will not be in %systemroot%\system32, except dllhost.exe (which hosts IIS objects). It's better to trace the problem than guess it from the process, so map network usage and locked files to processes using Process Explorer. If that's impossible, become familiar with these:

netstat -ano
netstat -e
tasklist
openfiles

These have the advantage of working over telnet/psexec. If you find something has gone mad, try to use the services tab to stop the related service before killing the process. And never close handles, no matter how tempting it is.

Also, don't neglect Performance Monitor. It takes a little more work than other sources, but will allow you to start logging candidates if you missed the spike.
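The answer above recommends mapping network usage to processes and first learning what the server looks like during normal use. This added example (not from the answer) does both in PowerShell: it joins each TCP connection to its owning process and image path, the way `netstat -ano` plus `tasklist` would, flags listeners whose image is outside %systemroot%\system32, and compares the result with a baseline recorded on a known-good day. It assumes Windows 8 / Server 2012 or later for `Get-NetTCPConnection`, and an elevated prompt so every process's path is visible; the function name, the baseline CSV path and the key format are my own choices.

```powershell
# Added example: connections joined to owning processes, with a baseline diff.
# Assumptions: Get-NetTCPConnection available (Windows 8 / 2012+), elevated.

function Get-ConnectionOwners {
    param(
        # Constructed default; the baseline is a CSV of keys from a known-good run.
        [string]$BaselinePath = (Join-Path $env:TEMP 'net-baseline.csv'),
        [switch]$SaveBaseline
    )

    # PID -> process, keyed as [int] so the UInt32 OwningProcess matches.
    $procs = @{}
    foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }
    $sys32 = Join-Path $env:SystemRoot 'system32'

    $baseline = @{}
    if (-not $SaveBaseline -and (Test-Path -LiteralPath $BaselinePath)) {
        foreach ($b in Import-Csv -LiteralPath $BaselinePath) { $baseline[$b.Key] = $true }
    }

    $rows = foreach ($c in Get-NetTCPConnection) {
        $p = $procs[[int]$c.OwningProcess]
        $procName = if ($p) { $p.ProcessName } else { '?' }
        $path = if ($p) { $p.Path } else { $null }   # null for System, or if not elevated

        $flags = @()
        # The answer's rule of thumb: a listener whose image is not under
        # system32 is worth tracing before you trust it.
        if ($c.State -eq 'Listen' -and $path -and
            -not $path.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'listener-outside-system32'
        }
        if (-not $p) { $flags += 'owner-not-visible' }   # exited between calls

        # The key leaves out the PID and, for outbound connections, the
        # ephemeral local port, so the baseline still matches after a reboot.
        $localPort = if ($c.State -eq 'Listen') { $c.LocalPort } else { '*' }
        $key = '{0}|{1}|{2}|{3}|{4}' -f $procName, $c.State, $localPort, $c.RemoteAddress, $c.RemotePort
        if ($baseline.Count -gt 0 -and -not $baseline.ContainsKey($key)) { $flags += 'not-in-baseline' }

        [pscustomobject]@{
            PID     = $c.OwningProcess
            Process = $procName
            Path    = $path
            State   = $c.State
            Local   = '{0}:{1}' -f $c.LocalAddress, $c.LocalPort
            Remote  = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            Flags   = ($flags -join ',')
            Key     = $key
        }
    }

    if ($SaveBaseline) {
        $rows | Select-Object -Property Key -Unique | Export-Csv -NoTypeInformation -Path $BaselinePath
    }
    $rows
}

# Day one, while the server is behaving:  Get-ConnectionOwners -SaveBaseline | Out-Null
# Later, when something has gone mad: show only what differs or looks odd.
$conns = Get-ConnectionOwners
$conns | Where-Object { $_.Flags } | Sort-Object State, Process |
    Format-Table PID, Process, State, Local, Remote, Path, Flags -AutoSize
```

Once a connection is tied to a process, follow the answer's advice: find the service that owns it (`tasklist /svc` or the Services tab) and stop that, rather than killing the process or closing its handles.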