Monitoring Windows NT Processes, Services, and Security

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By William R. Stanek

from Chapter 3, Windows NT Administrator's Pocket Consultant.

As an administrator, it's your job to keep an eye on the network systems. Over time, the status of system resources and usage can change dramatically. Services may stop running. File systems may run out of space. Applications may throw exceptions, which in turn can cause system problems. Unauthorized users may try to break into the system. The techniques discussed in this chapter will help you find and resolve these and other system problems.

Managing Applications, Processes, and Performance

Anytime you start an application or enter a command on the command line, Microsoft Windows NT 4.0 starts one or more processes to handle the related program. Generally, processes that are started by the user in this manner are called interactive processes. That is, the processes are started interactively via the keyboard or mouse. If the application or program is active and selected, the related interactive process has control over the keyboard and mouse until you switch control by selecting a different program or by terminating the program. When a process has control, it is said to be running in the foreground.

Processes can also run in the background. For processes started by users, this means that programs that aren't currently active can continue to operate, only they generally aren't given the same priority as the current active process. Background processes can also be configured to run independently of the user logon session; such processes are usually started by the operating system. An example of this type of background process is a batch file started with the At command. The At command submits the job to the Schedule service, which runs the file at the specified time under the service's own account (LocalSystem by default) regardless of whether a user is logged on to the system. Because anything submitted this way executes in that account's security context, the ability to schedule At jobs should remain limited to administrators.
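The property the paragraph describes, a job that fires with no user logged on, survives in the Task Scheduler that replaced the NT Schedule service. The following PowerShell function is an added example, not code from the book: it assumes Windows 8 / Server 2012 or later (where the ScheduledTasks module exists), and the function and parameter names are my own. It lists every enabled task whose logon type lets it run without an interactive session, together with what it executes, which is the audit you want because each of those commands runs under the task's principal (usually SYSTEM) with nobody watching.

```powershell
# Added example, not code from the book. Requires the ScheduledTasks module
# (Windows 8 / Server 2012 and later); function and parameter names are my own.

function Get-UnattendedTask {
    [CmdletBinding()]
    param(
        # Skip Microsoft's own tasks under \Microsoft\ to focus on what was added locally
        [switch]$ExcludeMicrosoft
    )

    # Logon types that do not need an interactive session to fire:
    #   ServiceAccount - SYSTEM, LOCAL SERVICE, NETWORK SERVICE
    #   Password       - runs with a stored credential; the user need not be logged on
    #   S4U            - runs as the user without a stored password; no logon needed
    $unattended = 'ServiceAccount', 'Password', 'S4U'

    Get-ScheduledTask | Where-Object {
        $_.State -ne 'Disabled' -and
        $_.Principal.LogonType -in $unattended -and
        -not ($ExcludeMicrosoft -and $_.TaskPath -like '\Microsoft\*')
    } | ForEach-Object {
        $task = $_
        # One row per action so every executable shows up on its own line
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                RunAs     = $task.Principal.UserId
                LogonType = [string]$task.Principal.LogonType
                Elevated  = ([string]$task.Principal.RunLevel -eq 'Highest')
                # COM-handler actions have no Execute/Arguments and show as empty
                Command   = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            }
        }
    }
}

# Everything listed here runs code with no user present, so each Command path
# should live somewhere that only administrators can write to.
Get-UnattendedTask -ExcludeMicrosoft | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt; a standard user only sees tasks it created itself. The interesting rows are those whose Command points at a user-writable directory, since whoever can replace that file gets code execution as the RunAs account the next time the task fires.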

Task Manager

The key tool you'll use to manage system processes and applications is Task Manager. You can access Task Manager using any of the following techniques:

  • Press Ctrl+Shift+Esc

  • Press Ctrl+Alt+Del, and then select the Task Manager button

  • Enter taskmgr into the Run utility or a command prompt

  • Right-click on the taskbar and select Task Manager from the pop-up menu

Techniques you'll use to work with the Task Manager are covered in the sections that follow.

Administering Applications

Task Manager's Applications tab is shown in Figure 3-1. This tab shows the status of the programs that are currently running on the system. You can use the buttons on the bottom of this tab as follows:

  • Stop an application by selecting the application and then clicking End Task.

  • Switch to an application and make it active by selecting the application and then clicking Switch To.


    Figure 3-1: The Applications tab of the Windows NT Task Manager reveals the status of programs currently running on the system.

  • Start a new program by selecting New Task and then entering the command that runs the application. New Task functions like the Start menu's Run utility.

Tip Application status tells you if the application is running normally or if the application has gone off into the ozone. A status of Not Responding is an indicator that an application may be frozen and you may want to end its related task. However, some applications may not respond to the operating system during certain process-intensive tasks. Because of this, you should be certain the application is really frozen before you end its related task.

Right-Clicking on a Listing

Right-clicking on an application's listing displays a pop-up menu that allows you to

  • Switch to the application and make it active

  • Bring the application to the front of the display

  • Minimize and maximize the application

  • Tile or end the application

  • Go to the related process in the Processes tab

Note: Go To Process is very helpful when you are trying to find the primary process for a particular application. Selecting this option highlights the related process in the Processes tab.

Administering Processes

Task Manager's Processes tab is shown in Figure 3-2. This tab provides detailed information on running processes. As you examine processes, note that although applications have a main process, a single application may start multiple processes. Generally, these processes are dependent on the main application process and are normally stopped when you terminate the main application process or use End Task. Because of this, you will usually want to terminate the main application process or the application itself rather than its dependent processes.

The fields of the Processes tab provide lots of information about running processes. You can use this information to determine which processes are hogging system resources such as CPU time and memory. Additional uses for the tab include

  • Stopping a process by selecting it and then choosing End Process

  • Setting a process's priority by right-clicking on it and then choosing Set Priority from the pop-up menu


    Figure 3-2: The Processes tab provides detailed information on running processes.

Note: If you examine processes running in Task Manager, you'll note a process called System Idle Process. You can't set the priority of this process. Unlike other processes, whose CPU column shows the processor time they consume, System Idle Process accounts for the processor time that no other thread is using. Thus, a 99 in the CPU column for this process means the processor is 99% idle.

Priority determines how the scheduler shares processor time among processes: when several processes are ready to run, threads of the higher-priority process run first. Most processes have a normal priority by default. To increase priority, set the priority to high. To decrease priority, set the priority to low. The highest priority class is realtime, and it should be used with care. A realtime process that stays busy can starve everything else on the system, including the operating system's own threads, and assigning it requires the Increase Scheduling Priority user right, which is held by administrators.
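The Processes tab, the Applications tab's Not Responding status and the Set Priority action, as a script. This is an added example and not code from the book: it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt so that the owner lookup and priority changes succeed for processes belonging to other users, and the function names are my own. It goes a little beyond the tab by adding each process's parent and owner, which is what you check first when a process name looks unfamiliar.

```powershell
# Added example, not code from the book. Windows PowerShell 5.1 / PowerShell 7
# on Windows, elevated. Function and parameter names are my own.

function Get-ProcessReport {
    [CmdletBinding()]
    param(
        # Number of processes to show, highest CPU time first
        [int]$Top = 15
    )

    # Win32_Process supplies parent PID, owner and command line; Get-Process
    # supplies the live counters that Task Manager's columns are built from.
    $info = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        $info[[int]$p.ProcessId] = [pscustomobject]@{
            ParentId    = [int]$p.ParentProcessId
            Owner       = if ($o -and $o.User) { '{0}\{1}' -f $o.Domain, $o.User } else { '-' }
            CommandLine = $p.CommandLine
        }
    }

    Get-Process | ForEach-Object {
        $proc = $_
        $x = $info[$proc.Id]
        $parentName = '-'
        if ($x -and $info.ContainsKey($x.ParentId)) {
            $pp = Get-Process -Id $x.ParentId -ErrorAction SilentlyContinue
            if ($pp) { $parentName = $pp.ProcessName }
        }
        # Reading PriorityClass throws "access denied" on protected processes
        $prio = 'n/a'
        try { $prio = $proc.PriorityClass } catch { }
        [pscustomobject]@{
            PID          = $proc.Id
            Name         = $proc.ProcessName
            Parent       = $parentName
            Owner        = if ($x) { $x.Owner } else { '-' }
            Priority     = $prio
            CPUSeconds   = [math]::Round([double]$proc.CPU, 1)
            WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            Handles      = $proc.HandleCount
            Threads      = $proc.Threads.Count
            # Responding only means something for a process that owns a window;
            # the .NET property reports $true for console and service processes.
            Responding   = if ($proc.MainWindowHandle -ne 0) { $proc.Responding } else { 'n/a' }
        }
    } | Sort-Object CPUSeconds -Descending | Select-Object -First $Top
}

# Equivalent of the Applications tab's Not Responding status: windowed
# processes whose message loop is not answering. Treat it as a hint, not proof;
# an application busy with heavy work looks exactly the same.
function Get-HungApplication {
    Get-Process | Where-Object { $_.MainWindowHandle -ne 0 -and -not $_.Responding } |
        Select-Object Id, ProcessName, MainWindowTitle
}

# Equivalent of right-click > Set Priority. RealTime is refused unless -Force,
# because a runaway real-time process can starve the rest of the system.
function Set-ProcessPriority {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][System.Diagnostics.ProcessPriorityClass]$Priority,
        [switch]$Force
    )
    if ($Priority -eq 'RealTime' -and -not $Force) {
        throw 'Refusing to set RealTime priority without -Force.'
    }
    $proc = Get-Process -Id $Id -ErrorAction Stop
    $proc.PriorityClass = $Priority   # needs the Increase Scheduling Priority right for RealTime
    $proc.Refresh()
    $proc.PriorityClass
}

Get-ProcessReport -Top 10 | Format-Table -AutoSize
Get-HungApplication
```

CPUSeconds is cumulative processor time since the process started, not the instantaneous percentage Task Manager shows; take two reports a few seconds apart and diff the column if you want a rate. Parent and Owner are the columns to read when a name looks wrong: a cmd.exe whose parent is a service process, or a system-named binary owned by an ordinary user, deserves a look at CommandLine before you decide whether to End Process.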

Viewing System Performance

Task Manager's Performance tab provides an overview of CPU and memory usage. As shown in Figure 3-3, the tab displays graphs as well as statistics. This information provides a quick check on system resource usage. For more detailed information, use Performance Monitor.

Graphs on the Performance Tab

The graphs on the Performance tab provide the following information:

  • CPU Usage The percentage of processor resources being used

  • CPU Usage History A history graph on CPU usage plotted over time

  • Mem Usage The amount of memory currently being used on the system

  • Memory Usage History A history graph on memory usage plotted over time


    Figure 3-3: The Performance tab provides a quick check on system resource usage.

Tip To view a close-up of the CPU graphs, double-click within the Performance tab. Double-clicking again returns you to normal viewing mode.

Customizing and Updating the Graph Display

To customize or update the graph display, use the following options on the View menu:

  • Update Speed Allows you to change the speed of graph updating as well as to pause the graph.

  • CPU History On multiprocessor systems, allows you to specify how CPU graphs are displayed.

  • Show Kernel Times Allows you to display the amount of CPU time used by the operating system kernel.

Beneath the graphs you'll find several lists of statistics. These statistics provide the following information:

  • Commit Charge Provides information on committed virtual memory, that is, memory the system has promised to processes and must be able to back with RAM or the paging file. Total lists the amount currently committed by all processes and the operating system. Limit lists the maximum that can be committed, roughly physical RAM plus the size of the paging file; when Total approaches Limit, allocations begin to fail and the system needs more RAM or a larger paging file. Peak lists the highest Total reached since bootup.

  • Kernel Memory Provides information on the memory used by the operating system kernel and device drivers. Critical portions of kernel memory must stay resident in RAM and cannot be paged out to the paging file; this portion is listed as Nonpaged. The rest of kernel memory can be paged out and is listed as Paged. The total amount of memory used by the kernel is listed under Total. A Nonpaged value that climbs steadily while the workload stays the same is the classic sign of a driver leaking pool memory.

  • Physical Memory Provides information on the total RAM on the system. Total shows the amount of physical RAM. Available shows the RAM not currently being used and available for use. File Cache shows the amount of memory used for file caching.

  • Totals Provides counts of objects in use across the whole system rather than CPU usage. Handles shows the number of open handles, which refer to files, registry keys, events, threads and other kernel objects, not only I/O. Threads shows the number of threads. Processes shows the number of processes. A handle count that grows without bound on a single process indicates a handle leak in that program.

Note: For detailed information on paged memory usage, refer to the Memory tab of Windows NT Diagnostics. This utility is discussed in the "Diagnosing System Problems" section of this chapter.
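The statistics above are read from the same performance counters that Performance Monitor exposes, so they can be collected from a script. The following function is an added example and not code from the book: it assumes Windows PowerShell 5.1 or PowerShell 7 on an English-language Windows installation (counter names are localized, so the paths below fail elsewhere), and the function name and the 90% commit-warning threshold are my own choices. Peak commit charge is not exposed as a counter and is therefore omitted.

```powershell
# Added example, not code from the book. Windows PowerShell 5.1 / PowerShell 7
# on English-language Windows; function name and warning threshold are my own.

function Get-PerformanceSnapshot {
    [CmdletBinding()]
    param(
        # Commit charge above this fraction of the commit limit is flagged
        [double]$CommitWarnRatio = 0.9
    )

    # Each counter maps onto one statistic on the Performance tab
    $paths = @(
        '\Processor(_Total)\% Processor Time'    # CPU Usage graph
        '\Processor(_Total)\% Privileged Time'   # the "Show Kernel Times" portion
        '\Memory\Committed Bytes'                # Commit Charge: Total
        '\Memory\Commit Limit'                   # Commit Charge: Limit
        '\Memory\Pool Paged Bytes'               # Kernel Memory: Paged
        '\Memory\Pool Nonpaged Bytes'            # Kernel Memory: Nonpaged
        '\Memory\Available Bytes'                # Physical Memory: Available
        '\Memory\Cache Bytes'                    # Physical Memory: File Cache (nearest counter)
        '\Process(_Total)\Handle Count'          # Totals: Handles
        '\System\Threads'                        # Totals: Threads
        '\System\Processes'                      # Totals: Processes
    )

    # Take two samples a second apart and keep the second, so that the rate
    # counters (% Processor Time) reflect a real interval.
    $sample = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 2 -ErrorAction Stop |
        Select-Object -Last 1

    # Sample paths come back lower-cased with a \\machine prefix, so match on the tail
    function Val([string]$suffix) {
        ($sample.CounterSamples | Where-Object { $_.Path -like "*$suffix" } |
            Select-Object -First 1).CookedValue
    }

    $totalRam  = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    $committed = Val '\Memory\Committed Bytes'
    $limit     = Val '\Memory\Commit Limit'

    [pscustomobject]@{
        CpuPercent          = [math]::Round((Val '\Processor(_Total)\% Processor Time'), 1)
        KernelPercent       = [math]::Round((Val '\Processor(_Total)\% Privileged Time'), 1)
        CommitTotalMB       = [math]::Round($committed / 1MB)
        CommitLimitMB       = [math]::Round($limit / 1MB)
        CommitRatio         = [math]::Round($committed / $limit, 2)
        CommitWarning       = (($committed / $limit) -gt $CommitWarnRatio)
        KernelPagedMB       = [math]::Round((Val '\Memory\Pool Paged Bytes') / 1MB)
        KernelNonpagedMB    = [math]::Round((Val '\Memory\Pool Nonpaged Bytes') / 1MB)
        PhysicalTotalMB     = [math]::Round($totalRam / 1MB)
        PhysicalAvailableMB = [math]::Round((Val '\Memory\Available Bytes') / 1MB)
        FileCacheMB         = [math]::Round((Val '\Memory\Cache Bytes') / 1MB)
        Handles             = [int](Val '\Process(_Total)\Handle Count')
        Threads             = [int](Val '\System\Threads')
        Processes           = [int](Val '\System\Processes')
    }
}

Get-PerformanceSnapshot | Format-List
```

Collect one snapshot per minute into a CSV with Export-Csv -Append and the Note above about paged memory becomes easy to act on: KernelNonpagedMB or Handles rising monotonically across hours points at a leaking driver or process, and CommitWarning flipping to True is the moment to grow the paging file or add RAM before allocations start failing.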

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
