In general, this is the executable name that was invoked to start the process, usually including the file extension. There is no way to specify an image name that contains a space. When ImageName is specified, Process must be zero. For information about processes in kernel mode, see Changing Contexts. In the final entry in the preceding example, the process address is 0xE0.
The process ID (PID) is the hexadecimal number after the word Cid. In the final entry in the preceding example, the PID is 0x44, or decimal 68. The hexadecimal number after the word Peb is the address of the process environment block (PEB).
The parent process PID is shown in the same hexadecimal form. In the final entry in the preceding example, the parent process PID is 0x26, or decimal 38. The owner of the process is given as the name of the module that owns it. In the final entry in the preceding example, the owner is spoolss. In the first entry, the owner is the operating system itself.
The hexadecimal number after the word ObjectTable is likewise an address. In the final entry in the preceding example, the address of the process object is 0xc. To display full details on one process, set Flags to 7. The process itself can be specified by setting Process equal to the process address, setting Process equal to the process ID, or setting ImageName equal to the executable image name. Here is an example: Note that the address of the process object can be used as input to other extensions, such as !
ElapsedTime lists the amount of time that has elapsed since the process was created, displayed in units of Hours:Minutes:Seconds. UserTime lists the amount of time the process has been running in user mode. If the value for UserTime is exceptionally high, it might identify a process that is depleting system resources.
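The field descriptions above (Cid, Peb, the parent PID, ObjectTable, the owning image, and the elapsed, user and kernel time lines) can be decoded programmatically when a debugger log is triaged offline. The parser below is an added example, not code from the original page or from Microsoft; it assumes the usual WinDbg !process layout, in which the parent PID follows the keyword ParentCid and the owner follows Image:, and it runs over a constructed sample whose addresses and times are made up.

```python
import re
# Constructed sample in the layout of WinDbg "!process 0 7" output; addresses
# and times are made up for this example and are not taken from the page.
SAMPLE_OUTPUT = """\
PROCESS 80a02a60  Cid: 0008    Peb: 00000000  ParentCid: 0000
    ObjectTable: 80a01cc8  HandleCount: 120.
    Image: System
    ElapsedTime                       01:02:03.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:15.250
PROCESS 809258e0  Cid: 0044    Peb: 7ffdf000  ParentCid: 0026
    ObjectTable: 80925b58  HandleCount: 36.
    Image: spoolss.exe
    ElapsedTime                       00:10:00.000
    UserTime                          00:09:30.500
    KernelTime                        00:00:02.000
"""
# Keywords !process follows with a hex number, and keywords it follows with
# a time printed as Hours:Minutes:Seconds(.fraction).
HEX_FIELDS = {"PROCESS": "address", "Cid": "pid", "Peb": "peb",
              "ParentCid": "parent_pid", "ObjectTable": "object_table"}
TIME_FIELDS = {"ElapsedTime": "elapsed", "UserTime": "user_time",
               "KernelTime": "kernel_time"}

def _hms_to_seconds(text):
    hours, minutes, seconds = text.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)

def _field(block, keyword, pattern):
    # \b keeps "Cid:" from matching inside "ParentCid:".
    match = re.search(rf"\b{keyword}:?\s+({pattern})", block)
    if match is None:
        raise ValueError(f"{keyword} not found in process block")
    return match.group(1)

def parse_process_output(text):
    """Split !process output into one dict per process and decode each field."""
    entries = []
    # Every entry starts with a line beginning "PROCESS "; keep it in its block.
    for block in re.split(r"(?m)^(?=PROCESS )", text):
        if not block.strip():
            continue
        entry = {"image": _field(block, "Image", r"\S+")}
        for keyword, key in HEX_FIELDS.items():
            entry[key] = int(_field(block, keyword, r"[0-9a-fA-F]+"), 16)
        for keyword, key in TIME_FIELDS.items():
            entry[key] = _hms_to_seconds(_field(block, keyword, r"[\d:.]+"))
        entries.append(entry)
    return entries

def high_user_time(entries, ratio=0.5):
    """Images whose user-mode time is a large share of their lifetime, the
    condition the text flags as a possible resource-depleting process."""
    return [e["image"] for e in entries
            if e["elapsed"] > 0 and e["user_time"] / e["elapsed"] > ratio]
```

The decoded PIDs are plain integers, so the hexadecimal Cid values (0x44 and 0x26 in the sample) come out as 68 and 38, matching the decimal conversions given in the text.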
Its units are the same as those of ElapsedTime. KernelTime lists the amount of time the process has been running in kernel mode. Process Monitor combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.
Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. Process Explorer shows you information about which handles and DLLs processes have opened or loaded. The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
The help file describes Process Explorer operation and usage.