Windows XP Task Manager - standard processes. Managing processes from the command line

Process management from command line

There are plenty of ways to manage processes in Windows, and the command line is far from the first of them. However, there are situations when every tool other than the command line is unavailable, for example when malware blocks Task Manager and similar programs from starting. And in any case, for general development it is useful to know how to control your computer from the command line.

To manage processes from the command line there are two utilities, tasklist and taskkill. The first shows the list of processes on a local or remote computer, the second lets you terminate them. Let's try them.

If you just type the command tasklist on the command line, it will list the processes on the local computer.

By default the information is displayed as a table, but the /fo switch lets you set the output to list or CSV format, and the /v switch shows more detailed information about the processes. For example, the command tasklist /v /fo list outputs a detailed description of all processes as a list.


The list will be quite long, so let's narrow the request. For this we use the /fi switch, which applies filters to the output. For example, the command tasklist /fi "username eq user" /fi "memusage le 40000" displays the processes of the user named user that consume no more than 40 MB of memory (the memusage filter takes its value in KB).


Having found the processes that need terminating, we use the taskkill command. Processes can be terminated by name, by process identifier (PID), or by conditions set with filters. For example, let's launch several instances of Notepad (notepad.exe) and try terminating them in different ways.


The /f switch terminates the process forcibly, and /t also terminates all of its child processes.

Full help on the tasklist and taskkill commands can be obtained by running them with the /? switch.

Now let's bring in the heavy artillery: PowerShell. You can run it without leaving the command line. To get a list of processes, use the Get-Process cmdlet.


To avoid displaying the entire list of processes, we can use the Where-Object cmdlet, which sets a filter on the displayed information. For example, let's display the processes that load the processor and sort them by increasing load with the command (the filter script block goes in braces, not parentheses):

Get-Process | where { $_.cpu -gt 0 } | sort cpu


Using PowerShell we can get any information about any process. Let's take the cmd process as an example and display the list of its properties with the command:

Get-Process -Name cmd | Get-Member -Membertype property


We select the properties we are interested in (in the example: the process name and ID, the path to the file, the loaded modules and the start time) and display them as a list with the command:

Get-Process -Name cmd | Format-List name, id, path, modules, starttime


This way we can see when and by whom the process was started, how many resources it consumes, where its executable file is located, and much more.

PowerShell has the Stop-Process cmdlet for terminating a process. It terminates the specified process by name or ID. However, we will do it differently and pass the result of Get-Process down the pipeline:

Get-Process | where { $_.name -match "notepad" } | Stop-Process
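The pipeline above terminates every match immediately. The following script is an added example, not code from the original article; it uses the same Get-Process, Where-Object and Stop-Process cmdlets but reviews the matches first and previews the action with -WhatIf before stopping anything. It assumes an elevated PowerShell session on the local computer, and the name pattern 'notepad' is a constructed sample.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on the local computer; the process name pattern is a constructed sample.

$pattern = 'notepad'

function Get-MatchingProcess {
    param([string]$NamePattern)
    # Same filter as the article's pipeline, but keep the columns needed to review
    # each match: PID, name, executable path and CPU seconds consumed so far.
    Get-Process |
        Where-Object { $_.ProcessName -match $NamePattern } |
        Select-Object Id, ProcessName, Path, CPU
}

$targets = @(Get-MatchingProcess -NamePattern $pattern)
if ($targets.Count -eq 0) {
    Write-Host "No running process matches '$pattern'."
    return
}

# Review what would be terminated before touching anything: -WhatIf makes
# Stop-Process report the action instead of performing it.
$targets | Format-Table -AutoSize
$targets | ForEach-Object { Stop-Process -Id $_.Id -WhatIf }

# Terminate with a confirmation prompt per process; -PassThru returns the
# stopped process objects so that the action can be recorded.
$stopped = $targets | ForEach-Object { Stop-Process -Id $_.Id -Confirm -PassThru }
foreach ($p in $stopped) {
    Write-Host ("Stopped PID {0} ({1})" -f $p.Id, $p.ProcessName)
}
```

Filtering on ProcessName with -match is a regular-expression match, so a short pattern such as 'cmd' also matches names that merely contain those letters; the review step exists precisely to catch that before anything is stopped.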


Get-Process cannot show processes on a remote computer; for that we use the Get-WmiObject cmdlet. For example, let's look at the processes on a remote PC with the command:

Get-WmiObject win32_process -computername PC | ft name, processid, description


To become more familiar with PowerShell, use the built-in help: type Get-Help "cmdlet name".

Finally, to complete the review, let's look at one more tool for managing processes from the command line: the Pslist and Pskill utilities included in the PSTools package from Sysinternals.

These utilities require no special installation; just copy them to disk. To start, go to the folder containing the utilities and enter the required command on the command line.


Terminating a process with pskill is extremely simple: enter the command and the process name (or ID), and that's it.


Help on Pslist and Pskill can be viewed by running the command with the /? switch.

One more thing: all manipulations with processes must be performed with administrator rights, so the command line must be launched with elevated privileges.

Processes in Windows - where to look, description of standard ones

Continuing the "For Beginners" section, today we will talk about processes in Windows: what they are, what they affect and how they can be controlled. In an operating system, a "process" is an instance of a computer program that is currently running. The program itself is just a set of rules and code, while the process is the actual execution of it.

Tasks of the same program can be executed in several processes, and naturally each active process requires a certain amount of system resources; the more of them run at the same time, the slower the computer becomes.

Many novice users take little interest in which hidden processes are running on their machine, but it makes sense to ask whether any background programs and services are running that are not needed and that waste CPU time and memory. Before disabling unnecessary processes to free up resources, however, you need to learn to understand them, so as not to accidentally touch, for example, system processes, many of which are started when the computer boots and are critical to the functioning of the operating system and other applications.

It should also be mentioned that most viruses disguise themselves as one of these processes to complicate detection. For these reasons it is important to be able to recognize and identify them.

To see the entire list of active processes you need to open the Task Manager. There are three common ways to do this:

- the key combination Ctrl + Alt + Del;
- the key combination Ctrl + Shift + Esc;
- right-click on the taskbar and choose the "Task Manager" item.

While in the Manager window, select the Processes tab.


In the window that opens there are several columns that give us the first necessary information about which processes are loaded and how many resources they consume.

1. Image name - the process name
2. User - the account the process was started from
3. CPU - processor load as a percentage
4. Memory - the amount of RAM allocated
5. Description - a short description of which program or service initiates this process.

At the very bottom of the window the total number of active processes and the total processor and RAM load as percentages are shown.

To disable an unnecessary process, select it and click the "End process" button. However, a simple "End Process" only stops it until the next Windows reboot. So if you want to get rid of it permanently, you need to disable its launch in the application that starts it, disable the service that activates it, remove it from startup, or remove the unnecessary application altogether.

If the standard columns are not enough for you to obtain information about the process, you can add additional ones. To do this, in the main menu of the Task Manager, click “View” and in the menu that opens, select “Select/Add Columns”.

Check the boxes next to “Process ID (PID)” and “Path to image”. Click OK.

Now in the "Image Path" column you can see the location of the file that starts the running process.

And the information in the "Process ID (PID)" column is useful if you need to know, for example, which service is running a "Svchost.exe" process.

Looking ahead a little, here is why we chose it as an example. It is an important system process needed to start and control various services. The confusion many users have with this process arises because several instances of it can run simultaneously, each serving different services. To understand which service belongs to a particular "Svchost.exe" process, we need its numeric identifier, the PID. Note the number shown in this column and go to the "Services" tab of the Task Manager.
In that window, left-click the "Process ID" column heading. The list is sorted, and you can easily find the process by its PID and read its description in the corresponding column.
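The same PID-to-service mapping can be produced from the command line. The script below is an added example, not part of the original article; it reads the Win32_Service class through Get-CimInstance (available in PowerShell 3.0 and later; the article's Get-WmiObject exposes the same class) and lists, for every svchost.exe instance, the services it hosts. It assumes an elevated session so that all process and service data is readable.

```powershell
# Added example, not from the original article. Maps each svchost.exe PID to the
# services it hosts via Win32_Service. Assumes an elevated PowerShell session.

function Get-SvchostServiceMap {
    # All services that are currently running, with the PID of their host process.
    $services = Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'"
    $hosts    = @(Get-Process -Name svchost -ErrorAction SilentlyContinue)

    foreach ($h in ($hosts | Sort-Object Id)) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $h.Id })
        [PSCustomObject]@{
            PID      = $h.Id
            Count    = $hosted.Count
            Services = ($hosted.Name -join ', ')
        }
    }
}

# One row per svchost.exe instance, like the "Services" tab sorted by "Process ID",
# but with every hosted service listed together.
Get-SvchostServiceMap | Format-Table -AutoSize -Wrap

# Consistency check: a running service whose registered command line points at
# svchost.exe should be hosted by a process that is actually named svchost.
# Any row printed here deserves a closer look with the tools discussed in the article.
$nameByPid = @{}
Get-Process | ForEach-Object { $nameByPid[$_.Id] = $_.ProcessName }
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    Where-Object { $_.PathName -match 'svchost\.exe' -and $nameByPid[[int]$_.ProcessId] -ne 'svchost' } |
    Format-Table Name, ProcessId, PathName -AutoSize
```

Win32_Service reports ProcessId as an unsigned integer while Get-Process uses a signed one, which is why the lookup casts it before indexing the hashtable.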


Of course, there is very little information in this window, but it lets you roughly understand which service launched "Svchost.exe". We have already mentioned this process in the article ""

Another way to see where the file that starts a process is located is to right-click on one of the processes and select "Open file location".

Over time you will learn to recognize any process easily. To make this task a little easier, below is a list of the most typical software and system processes, most of which are started by default along with the operating system.

alg.exe - a system process; a service that is one of the Windows OS components required for Internet access and for the operation of the Firewall. If you terminate this process, the Internet connection will be interrupted until the next Windows restart.

ati2evxx.exe - one of the components of the drivers for AMD/ATI video cards. Handles hotkeys. Because of its high CPU usage, it is recommended to disable this process and its associated service.

BTTray.exe - a component of the Bluetooth drivers from Widcomm. Essential for their operation.

csrss.exe - a Windows system process that ensures the operation of the client/server runtime. Cannot be disabled. Most susceptible to virus infection.

ctfmon.exe - a system process responsible for the language bar, the indicator that displays the current keyboard layout, and for support of alternative input methods. Disabling this process is naturally not recommended.

dwm.exe - a Windows system process. Built into the system starting from Windows Vista and 7. Responsible for the graphic effects of the desktop, windows and menus, as well as the normal functioning of the Aero interface.

explorer.exe - a critical system process, Windows Explorer, responsible for displaying the desktop and menus and allowing user navigation. You should not turn it off.

issch.exe - a process that checks for updates in the background for the standard Windows installer and other programs.

jusched.exe - the scheduler process for automatic checking of Java component updates. Automatic start of this process can be disabled by turning off automatic update checking in the Java settings (Start - Control Panel - Java).

lsass.exe - a necessary system process responsible for the operation of the local security authentication server, security policy and user authorization. Interacts with the winlogon service. Cannot be terminated.

lsm.exe - a system process that controls remote connections to the local system. No need to turn it off.

rthdcpl.exe - the process that runs the Realtek HD Audio control panel. The icon for this program is located in the tray, next to the clock. Terminating this process may cause audio problems on the system.

rundll32.exe - a necessary Windows system process launched as a command line utility. Allows you to run functions and commands from DLL files.

services.exe - an important system process responsible for managing all system services.

smss.exe - a necessary system process responsible for starting a user session, as well as for launching the Winlogon and Csrss.exe processes. This process cannot be terminated.

spoolsv.exe - a system process. Responsible for printing functions (printer, fax, etc.).

svchost.exe - one of the main system processes, responsible for the operation of a number of services. Several copies of it can run simultaneously, because each hosts different services.

wininit.exe - a necessary Windows system process. Runs in the background to support some of your most important system services and programs, and is also responsible for the timely launch of startup items.

winlogon.exe - a critical system process. Responsible for logging users in and out of the system. Cannot be terminated.

wmiprvse.exe - a system process, one of the components of Windows Management Instrumentation. Disabling is not recommended.

wudfhost.exe - provides certain functionality to support various drivers in Windows. Appears, for example, when a phone is connected via USB.
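Since, as noted above, malware often borrows the names of these system processes, a name alone says little. The script below is an added example, not code from the original article; for the system process names in the list it checks two things a genuine copy is expected to satisfy, that the executable lives under the Windows directory and that it carries a valid Authenticode signature. Both criteria, and the function name Test-SystemProcessImage, are this example's own assumptions. It assumes an elevated session: without administrator rights the path of protected processes (csrss, smss, lsass, ...) is not readable, and the -IncludeUserName switch (PowerShell 4.0 and later) also requires elevation.

```powershell
# Added example, not from the original article. Checks that processes bearing the
# names of standard Windows system processes run from the Windows directory and
# are validly signed. The two criteria are this example's own assumptions.
# Assumes an elevated PowerShell 4.0+ session (needed for -IncludeUserName and
# for reading the image path of protected processes).

$systemNames = 'csrss','smss','wininit','winlogon','lsass','lsm','services',
               'svchost','spoolsv','dwm','explorer','rundll32','wmiprvse','ctfmon'

function Test-SystemProcessImage {
    param([string[]]$Names)
    $windowsDir = $env:SystemRoot
    $procs = Get-Process -IncludeUserName | Where-Object { $Names -contains $_.ProcessName }

    foreach ($p in $procs) {
        $notes  = @()
        $path   = $p.Path
        $status = 'n/a'
        if (-not $path) {
            $notes += 'path not readable (run elevated)'
        } else {
            if (-not $path.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)) {
                $notes += 'image outside the Windows directory'
            }
            # On Windows 8 and later this also recognises catalog-signed system files;
            # on older versions such files can report NotSigned although they are genuine.
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
            if ($status -ne 'Valid') { $notes += "signature status $status" }
        }
        [PSCustomObject]@{
            PID       = $p.Id
            Name      = $p.ProcessName
            Owner     = $p.UserName
            Path      = $path
            Signature = $status
            Note      = ($notes -join '; ')
        }
    }
}

# Rows with a non-empty Note come first so that anything unusual is seen immediately.
Test-SystemProcessImage -Names $systemNames |
    Sort-Object @{ Expression = { $_.Note -ne '' }; Descending = $true }, Name |
    Format-Table -AutoSize
```

A row with an empty Note is not proof of a clean system, only that the image sits where it should and is signed; a row with a note is a reason to open the file location (as described above) and look further.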

System utilities, text and other editors, browsers and RSS aggregators, ransomware and email clients: all of these, and many other types of programs, have one function in common that does not depend on the application's purpose, namely printing. For programs that deal in any way with content that can be put on analog media, the print function is considered almost mandatory.

But there are exceptions. Take, for example, the standard . Although the process information it displays could easily be printed, you will not find the usual "Print" command in it. But what if you suddenly need to print the list of current processes? Don't copy them one by one into a text file!

In fact, outputting a list of processes, services and other system information to a file (for printing) is very simple. The easiest way is to use special software, for example the Procexp utility, well known to every system administrator, or the comprehensive AnVir Task Manager application.

But you can do without any third-party software. All we need is knowledge of two or three commands executed in the command line or its advanced equivalent, PowerShell.

In the console, to output the list of current processes to a file, use the tasklist command with its output redirected to a path. The file is created automatically when the command runs; an existing file is overwritten. It looks like this:

tasklist > D:\processes.txt

In this case you get a list of the current processes showing the session name and process name, the identifier, and the amount of memory used by each process. If you have encoding problems (garbled characters in the text file), change the code page by running the chcp command with the value 1251 first:

chcp 1251
tasklist > D:\processes.txt

The tasklist command has many parameters and filters that let you refine the output. For detailed help, run tasklist /? at the command line.

Another way to get the list of running processes into a file is to use PowerShell. The principle is roughly the same, but the commands are different. By the way, commands in PowerShell are called cmdlets. The set of cmdlets for writing the process list to a file looks like this:

get-process | out-file D:\process.txt

In this example get-process gets the list of processes and out-file writes it to the specified path. As you can see, the output from PowerShell is much more informative. If you use the out-printer cmdlet instead of out-file, you can send the data directly to a printer.
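A process list saved to a file is most useful when there is an earlier one to compare it with. The script below is an added example, not code from the original article: it writes a process inventory to a CSV file with an explicit encoding (so the chcp step is not needed) and then compares two such snapshots to list the processes that appeared or disappeared between them. The snapshot directory under $env:TEMP and the function names Save-ProcessSnapshot and Compare-ProcessSnapshot are this example's own choices.

```powershell
# Added example, not from the original article. Saves a process inventory as CSV
# with an explicit encoding and compares two snapshots. The snapshot directory
# and function names are this example's own assumptions.

$snapshotDir = Join-Path $env:TEMP 'proc-snapshots'
New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null

function Save-ProcessSnapshot {
    param([string]$Directory)
    # Millisecond precision so that two snapshots taken in quick succession get distinct names.
    $file = Join-Path $Directory ("processes-{0:yyyyMMdd-HHmmss-fff}.csv" -f (Get-Date))
    Get-Process |
        Select-Object Id, ProcessName, Path,
            @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } } |
        Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    return $file
}

function Compare-ProcessSnapshot {
    param([string]$Before, [string]$After)
    $old = Import-Csv -Path $Before
    $new = Import-Csv -Path $After
    # Comparing on name and path means a process with a familiar name started from an
    # unexpected location is reported as "new" instead of hiding behind the existing name.
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property ProcessName, Path |
        Select-Object @{ Name = 'Change'; Expression = { if ($_.SideIndicator -eq '=>') { 'new' } else { 'gone' } } },
                      ProcessName, Path
}

$before = Save-ProcessSnapshot -Directory $snapshotDir
# ... time passes, programs start and stop ...
$after  = Save-ProcessSnapshot -Directory $snapshotDir
Compare-ProcessSnapshot -Before $before -After $after | Format-Table -AutoSize

# The plain-text report the article produces with tasklist or out-file, written as
# UTF-8 instead of relying on the console code page.
Get-Process | Format-Table -AutoSize |
    Out-File -FilePath (Join-Path $snapshotDir 'processes.txt') -Encoding UTF8
```

A snapshot taken on a freshly set-up machine and kept aside serves as a baseline; comparing a later snapshot against it is a quick way to spot processes that were not there before.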

You can perform many other useful operations with PowerShell. This universal tool will certainly be useful not only to programmers and system administrators, for whom knowledge of PowerShell syntax is mandatory, but also to experienced users who want to make their work on the computer faster and more productive.

The basis of every system administrator's work is monitoring the operating system and ensuring the normal operation of all processes, at least as far as can be expected. Attentive monitoring of the event logs helps identify and track problems in applications, security and critical services. Having discovered or suspected a problem, the administrator must get to the bottom of its cause and fix it. Pinpointing the exact cause of the problem prevents it from recurring.

Application, process and performance management

Whenever the operating system or a user runs a service, application or command, Microsoft Windows starts one or more processes to control the associated program. Several command line utilities make monitoring and managing programs easier. They include:

  • Pmon - shows performance statistics, including memory and CPU usage, and a list of all processes running on the local system. Lets you obtain detailed "snapshots" of the resources in use and the running processes. Pmon comes with the Windows Resource Kit;
  • Tasklist - lists all running processes by name and process ID, and reports information about the user session and the memory occupied;
  • Taskkill (Task Kill) - stops the execution of a process specified by name or identifier. Using filters, you can stop processes depending on their state, session number, CPU time, memory footprint, user name and other parameters.

Examples of process management via the command line

Analyzing running processes on the command line

With the Tasklist command line utility you can examine the processes running on a local or remote system. Tasklist allows you to:

  • obtain the process identifier, its state and other important information about processes in the system;
  • see dependencies between running processes and services configured in the system;
  • view the list of DLLs used by processes running on the system;
  • use filters to include or exclude processes shown by Tasklist.

Example: tasklist - the command displays the list of processes running in the operating system.

Monitoring processes and system resource usage

Process Resource Monitor (Pmon) shows a "snapshot" of the system resources in use and the running processes. Once launched (by entering pmon at the command line), it collects information about resource usage and running processes on the local system and displays the results in a console window. The statistics are refreshed automatically every five seconds. Pmon keeps running until you press Q to exit; pressing any other key refreshes the information.

Stopping processes on the command line

To stop processes on a local or remote system, use the Taskkill command line utility. A process can be stopped by its ID using the /PID parameter or by its image name using /IM.

Example: taskkill /IM notepad.exe - stops the notepad program.

System and user processes

Typically, a process started by the operating system is called a system process, and a process started by a user is called a user process. Most user processes run interactively, that is, the user starts the process directly with the keyboard or mouse. While a program is active, its interactive process controls the keyboard and mouse until you transfer control by ending that program or selecting another. The process that has control of the keyboard and mouse is called the active process.

Processes can also run in the background, independently of logged-in user sessions. Background processes have no control over the keyboard, mouse or other input devices and are usually started by the operating system. But with Task Scheduler, users can also run processes in the background, and these can run whether or not the user is logged in.

Introduction

Have you ever wanted to know which program has a particular file or directory open? Now you can find out. Process Explorer displays information about the handles a process has open and the DLLs it has loaded.

The Process Explorer work area consists of two panes. The upper pane lists the active processes, including the names of the accounts that own them. What the lower pane shows depends on the selected mode. In handle mode the lower pane lists all open handles of the process selected in the upper pane; in DLL mode it lists all dynamic libraries and memory-mapped files loaded by that process. In addition, Process Explorer has powerful search capabilities that let you quickly find out which process has a specific handle open or a specific DLL loaded.

Thanks to its unique capabilities, Process Explorer is useful for resolving DLL version problems and handle leaks, and for understanding how Windows and applications work.


Installation

Run the Process Explorer program (procexp.exe).

The help file describes the available operations and how to use the program. If you have questions or problems, visit the Sysinternals Process Explorer forum.

Additional materials

The following is a list of other handle and DLL tracking programs available on the Sysinternals Web site:

  • a program for viewing information about open handles, run from the command line;
  • a program for viewing information about loaded DLLs, run from the command line;
  • a program for displaying the list of processes on a local or remote system, run from the command line;
  • a program for shutting down processes on a local or remote system, run from the command line.

Microsoft Knowledge Base articles about Process Explorer

The following Microsoft Knowledge Base articles mention using Process Explorer to diagnose or resolve various errors:
  • 319034: FIX: Stream handle leak in PrintReport method of Data Reports
  • 242131: How to display a list of processes that have open files
  • 216368: PRB: Access violation during application installation if file is busy
  • 166112: PRB: A conflict occurs with the EOF property when using the #import directive on ActiveX data objects
  • 301357: PRB: DLLs are not unloaded after calling CoFreeUnusedLibraries
  • 247957: SAMPLE: Using DUPS.exe to resolve DLL compatibility issues
  • 313735: XCON: Memory leak in MTA process with large number of open handles
  • 276525: The computer stops responding when monitoring open handles
