Process explorer help please

Gerard Verhoef

Windows Task Manager shows that the system process takes up 80+ % of
the CPU-time. I read on several internet sites that a program called
"process explorer" is able to analyze the processes and threads the cpu
is working on. So I ran this utility.
I have a seemingly stupid question:
The process tree starts with the system Idle process as a root. One of
the branches starts with the system process. In the CPU column it says
that system is taking up say 70.32 CPU (I interpret that as 70.32%).
The system branch splits up in sub branches. Some of the processes
mentioned there also have a number in the CPU column. I would expect
that those numbers would add up to the system CPU number, but it
doesn't. Not even close.
How do I interpret the numbers in the CPU column? How can I see which
process of the system process is taking all the cpu time?

Thanks for any help

Gerard Verhoef
 
Gerard Verhoef

Newbie said:
Gerard,

Is this the application you are talking about? If so, take a look on the
developers site

http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
That indeed is the utility I am talking about. I read the site you
mentioned, but somehow I seem to miss the obvious. Also the Help tells
me that the numbers in the mentioned CPU column show the fractional CPU
usage a process takes. But adding the branches doesn't make any sense to
me. And why would the system idle process be the root process of the
tree. I feel kinda stupid. Nothing is mentioned about that in help files
or whatever.

Thanks for your efforts though!

Gerard
 
Dennis McCunney

Gerard said:
That indeed is the utility I am talking about. I read the site you
mentioned, but somehow I seem to miss the obvious.

Yes. See below.
Also the Help tells
me that the numbers in the mentioned CPU column show the fractional CPU
usage a process takes. But adding the branches doesn't make any sense to
me. And why would the system idle process be the root process of the
tree. I feel kinda stupid. Nothing is mentioned about that in help files
or whatever.

*All* CPU time is owned by *something*. The System Idle Process is what
runs when nothing *else* is running. It's the idle loop Windows sits in
while waiting for something to do, which is why it shows as system root.
If you aren't doing anything else, Process Explorer may show it taking
95% - 98% of the CPU. That just means you aren't doing anything. :)

Process Explorer is far more useful used to look at other things you run
to see what they are doing. And if you haven't discovered it yet, note
that you can sort any column by clicking on the column header, so you
can sort the CPU column by the processes that are taking up the most cycles.
Thanks for your efforts though!
Gerard
______
Dennis
 
Gerard Verhoef

Dennis said:
Yes. See below.


*All* CPU time is owned by *something*. The System Idle Process is what
runs when nothing *else* is running. It's the idle loop Windows sits in
while waiting for something to do, which is why it shows as system root.
If you aren't doing anything else, Process Explorer may show it taking
95% - 98% of the CPU. That just means you aren't doing anything. :)

Process Explorer is far more useful used to look at other things you run
to see what they are doing. And if you haven't discovered it yet, note
that you can sort any column by clicking on the column header, so you
can sort the CPU column by the processes that are taking up the most cycles.

______
Dennis


Excuse me for my ignorance, perhaps I wasn't clear enough. It isn't the
system Idle process I'm worried about. It is the system process.

I copied part of the process tree that process explorer provided.
Behind all processes there is a PID and a CPU-number

something like this:


- system idle
o interrupts
o DPCs
o System
smss.exe
csrss.exe
winlogon.exe
Services.exe
• Svchost.exe
o FxSrv2.exe
o NmIndexStoreSvr.exe
This tells me that everything that branches out of the system process
is a child process of system.

Sometimes the system process has a high CPU number (98 or something), but
none of the children processes are taking up much CPU time. Not
individually, nor as a whole.

I'd like to find out which child of system is causing the cpu hog.

Thanks!

Gerard
 
Dennis McCunney

Gerard said:
Dennis McCunney wrote:

Excuse me for my ignorance, perhaps I wasn't clear enough. It isn't the
system Idle process I'm worried about. It is the system process.

Which version of Process Explorer are you running? I'm at 10.2. You
may be seeing something different than what I do.
I copied part of the process tree that process explorer provided.
Behind all processes there is a PID and a CPU-number

something like this:
- system idle
o interrupts
o DPCs
o System
smss.exe
csrss.exe
winlogon.exe
Services.exe
• Svchost.exe
o FxSrv2.exe
o NmIndexStoreSvr.exe
This tells me that everything that branches out of the system process
is a child process of system.
Correct.

Sometimes the system process has a high CPU number (98 or something), but
none of the children processes are taking up much CPU time. Not
individually, nor as a whole.

I'd like to find out which child of system is causing the cpu hog.

See my commentary above. The system process and the system idle process
are the *same* thing! The top level *is* the idle loop, which is what
Windows is in when nothing else is going on. If you see a high CPU
percentage there, the system is spending most of its time in the idle
loop. If a child process was taking up cycles, Process Explorer would
display it.
Thanks!
Gerard
______
Dennis
 
Gerard Verhoef

Dennis said:
Which version of Process Explorer are you running? I'm at 10.2. You
may be seeing something different than what I do.



See my commentary above. The system process and the system idle process
are the *same* thing! The top level *is* the idle loop, which is what
Windows is in when nothing else is going on. If you see a high CPU
percentage there, the system is spending most of its time in the idle
loop. If a child process was taking up cycles, Process Explorer would
display it.

______
Dennis

I'm using the latest version (10.21) of process explorer.
I really don't understand in what way system idle and system are the
same process. They have different PIDs and when the computer is busy,
system Idle has practically no CPU time. If system Idle is taking up
much cpu time, then the rest of the processes are low. For me that
implies that system idle and system are different and system isn't a
true part of system idle as well.

But then again: I guess I'm still missing something in understanding how
it all works.

To get my head cleared up: should the cpu time of sub processes add up
to the cpu time of the parent process? Should process explorer show
these numbers in that way?

Well.. thanks again.

Gerard
 
Daave

Gerard said:
I'm using the latest version (10.21) of process explorer.
I really don't understand in what way system idle and system are the
same process. They have different PIDs and when the computer is
busy, system Idle has practically no CPU time. If system Idle is
taking up
much cpu time, then the rest of the processes are low. For me that
implies that system idle and system are different and system isn't a
true part of system idle as well.

But then again: I guess I'm still missing something in understanding
how
it all works.

Why don't you take a snapshot and post it to ImageShack?

Tomorrow I'll look at Process Explorer on my XP PC, but when I run it on
my 98 machine, there are no "children processes" under Idle. (And I
don't understand why it would be any other way.)
 
Gerard Verhoef

Daave said:
Why don't you take a snapshot and post it to ImageShack?

Tomorrow I'll look at Process Explorer on my XP PC, but when I run it on
my 98 machine, there are no "children processes" under Idle. (And I
don't understand why it would be any other way.)


Learnt something: I wasn't aware of ImageShack. That really is convenient.

I posted it at
http://img63.imageshack.us/img63/1326/processexplorergvno9.jpg

As you see: System Idle seems to be the root process;
System process has now (only) 1.09 CPU
csrss.exe seems to be a child of system, but uses more cpu than system
itself.
In general: cpu values of child processes seem to have no relation with
cpu values of the parent process
So I cannot check why system process is taking up so much of the cpu
time (often, but apparently not now)


I think I am starting to grab my misconception. The cpu values are not
supposed to add up to the cpu value of the parent. They are taken
separately. I can understand that, but I started using process explorer
because I read on the net that it could help you to find out which of
the many child processes of "system" is responsible for my cpu hog.
That, as it seems now, I cannot find out, because it isn't a child
process, but the parent process itself (system) that every now and then
hogs my system.
There is no way looking inside the system process. At least not using
the process explorer.


Thanks for taking the time helping me

Gerard
 
Daave

Daave said:
Tomorrow I'll look at Process Explorer on my XP PC, but when I run it
on
my 98 machine, there are no "children processes" under Idle. (And I
don't understand why it would be any other way.)

Sure enough, instead of "Idle," it's called "System Idle Process" and it
indeed has three entities underneath:

Interrupts, DPCs, and System.

I stand corrected. :)
 
Daave

Gerard Verhoef said:
Sometimes the system process has a high CPU number (98 or
something),but none of the children processes are taking up much CPU
time. Not individually, nor as a whole.

If you right-click on System and select Properties, do you notice
anything of interest in the CPU Usage History?

I did look at the image you posted, by the way. As it was a snapshot in
time, I didn't notice anything hogging CPU memory. My understanding of
why all the CPU percentages don't add up to 100% exactly is that the CPU
is in constant flux.

What I would do is take a look at the CPU Usage History following a time
you notice a problem.

And what particular problems have you been noticing? How long has it
been occurring, and do you recall doing anything in particular prior to
these problems?
 
Gerard Verhoef

Daave said:
If you right-click on System and select Properties, do you notice
anything of interest in the CPU Usage History?

I did look at the image you posted, by the way. As it was a snapshot in
time, I didn't notice anything hogging CPU memory. My understanding of
why all the CPU percentages don't add up to 100% exactly is that the CPU
is in constant flux.

What I would do is take a look at the CPU Usage History following a time
you notice a problem.

And what particular problems have you been noticing? How long has it
been occurring, and do you recall doing anything in particular prior to
these problems?


I checked the event viewer and sometimes it tells me something like
Hot-key polling is timed out. But that is not synchronous with the system
cpu hog.

I'm gonna run explorer and find a moment where system does hog the cpu.
I might tell more.

I did consider your explanation of the "not adding up"-problem. Even
tried different update speeds, but the figures were never even close.
That in itself must be enough for the MS boys to decide not to show
these figures, since they set you on the wrong foot for finding a solution.

I guess the interpretation I posted a couple of hours ago is closer to
reality.

If you consider a parent process as a loop of (say sequential )
programming statements, then some statements are probably simple
statements and some are calls to a child process.

So there are three possible cpu values:
1. the cpu value of the parent process as a whole, including the cpu
values of the child processes.
2. The cpu values of each of the different child processes
3. The cpu value of the parent process, without the time being taken by
the child processes (that is the addition of the cpu values of the
simple statements).

I guess process explorer is giving us the values 2 and 3, not the value
1 (which I thought at first).
In reality it is probably much trickier, since different levels of
programming all will have their own meaning of process or call, but
somehow it will make sense.

I'll let you know how I proceed.
BTW: I posted another screen dump, now with 72% cpu time for system
time. All children add up to near nothing.

Thanks again.

Gerard
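
Added example, not part of any post in this thread: a short Python sketch of the distinction worked out in the post above, where each row's CPU figure is that process's own usage over the sampling interval and is not a total over its children. The PIDs, CPU times and parent links below are constructed sample data; only the process names come from the thread.

```python
# Constructed samples: (pid, parent_pid, name, cumulative CPU seconds).
# Process names come from the thread; PIDs, times and parent links are made up.
SNAPSHOT_T0 = [
    (0, 0, "System Idle Process", 1000.00),
    (4, 0, "System", 50.00),
    (376, 4, "smss.exe", 0.10),
    (440, 376, "csrss.exe", 3.00),
    (464, 376, "winlogon.exe", 1.00),
    (508, 464, "services.exe", 2.00),
    (700, 508, "svchost.exe", 5.00),
]
SNAPSHOT_T1 = [
    (0, 0, "System Idle Process", 1000.50),
    (4, 0, "System", 51.44),
    (376, 4, "smss.exe", 0.10),
    (440, 376, "csrss.exe", 3.04),
    (464, 376, "winlogon.exe", 1.00),
    (508, 464, "services.exe", 2.01),
    (700, 508, "svchost.exe", 5.01),
]
INTERVAL_S = 2.0  # seconds between the two samples


def self_cpu_percent(before, after, interval_s, n_cpus=1):
    """CPU % each process used itself during the interval (one value per row)."""
    # Key on (pid, name) so a reused PID is not matched to an older process.
    start = {(pid, name): cpu for pid, _, name, cpu in before}
    usage = {}
    for pid, _, name, cpu in after:
        # A process absent from the first sample started mid-interval,
        # so all of its accumulated time falls inside the interval.
        delta = cpu - start.get((pid, name), 0.0)
        usage[pid] = round(100.0 * delta / (interval_s * n_cpus), 2)
    return usage


def subtree_cpu_percent(after, usage):
    """CPU % of each process plus all of its descendants (a derived figure)."""
    children = {}
    for pid, ppid, _, _ in after:
        if pid != ppid:  # the idle process (PID 0) lists itself as parent
            children.setdefault(ppid, []).append(pid)

    def total(pid, seen):
        if pid in seen:  # guard against parent loops caused by PID reuse
            return 0.0
        seen = seen | {pid}
        return usage.get(pid, 0.0) + sum(total(c, seen) for c in children.get(pid, ()))

    return {pid: round(total(pid, frozenset()), 2) for pid in usage}


def descendants_cpu_percent(pid, usage, totals):
    """CPU % used by the descendants of pid only, excluding pid itself."""
    return round(totals[pid] - usage[pid], 2)


if __name__ == "__main__":
    usage = self_cpu_percent(SNAPSHOT_T0, SNAPSHOT_T1, INTERVAL_S)
    totals = subtree_cpu_percent(SNAPSHOT_T1, usage)
    for pid, _, name, _ in SNAPSHOT_T1:
        print(f"{pid:>5} {name:<20} self={usage[pid]:6.2f} subtree={totals[pid]:6.2f}")
```

In this sample System shows 72% on its own row while everything beneath it adds up to 3%, which is the pattern described in the thread: the time is spent inside the System process itself, not in any child.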
 
Gerard Verhoef

Gerard said:
Windows Task Manager shows that the system process takes up 80+ % of
the CPU-time. I read on several internet sites that a program called
"process explorer" is able to analyze the processes and threads the cpu
is working on. So I ran this utility.
I have a seemingly stupid question:
The process tree starts with the system Idle process as a root. One of
the branches starts with the system process. In the CPU column it says
that system is taking up say 70.32 CPU (I interpret that as 70.32%).
The system branch splits up in sub branches. Some of the processes
mentioned there also have a number in the CPU column. I would expect
that those numbers would add up to the system CPU number, but it
doesn't. Not even close.
How do I interpret the numbers in the CPU column? How can I see which
process of the system process is taking all the cpu time?

Thanks for any help

Gerard Verhoef

Just to let you know:

I solved the CPU-hog problem, AND I kinda understand better than before
how the process explorer works.
For the latter, see my last posts in this thread.

After all I didn't use process explorer to solve the problem, but simply
turned off apps and services I had running. I didn't try that in the
first place because turning off the system process isn't really an
option of course. And the system process was the villain (at least
according to both process explorer and task manager). Wrong!

System explorer might have been hogging CPU time, but turning off the
COMODO firewall brought the system process back into control as well. So
I guess that it's the combination of several things and turning off
comodo was sufficient to get it right. Keep my fingers crossed of
course, you never know.

Thanks for responding to my post

Gerard.
 
Daave

System explorer might have been hogging CPU time, but turning off the
COMODO firewall brought the system process back into control as well.
So I guess that it's the combination of several things and turning off
comodo was sufficient to get it right. Keep my fingers crossed of
course, you never know.

Glad you figured out your bottleneck. Is it possible you were running
both Comodo and the Windows firewall simultaneously? If so, I can see
why this would cause a conflict!

Do you plan on reconfiguring Comodo? I hear it's a good firewall.

Whatever you do, make sure your firewall (whichever one you use) is
working!
Thanks for responding to my post

You're welcome.
 
jameshanley39

Just to let you know:

I solved the CPU-hog problem, AND I kinda understand better than before
how the process explorer works.
For the latter, see my last posts in this thread.

After all I didn't use process explorer to solve the problem, but simply
turned off apps and services I had running. I didn't try that in the
first place because turning off the system process isn't really an
option of course. And the system process was the villain (at least
according to both process explorer and task manager). Wrong!

System explorer might have been hogging CPU time, but turning off the
COMODO firewall brought the system process back into control as well. So
I guess that it's the combination of several things and turning off
comodo was sufficient to get it right. Keep my fingers crossed of
course, you never know.

Thanks for responding to my post

Gerard.-

Unfortunately
a) the expertise isn't here
b) at least one person here (telling you to use a firewall) seemed to
not even have the brains to realise from your writing and attitude
etc. that you're a techie (this is a common problem in this newsgroup)

You may be interested in the following forum, for future reference.
There is a forum specifically for "process explorer" and other
utilities made by the sysinternals team.
http://forum.sysinternals.com/default.asp?C=2
 
Gerard Verhoef

Daave said:
Glad you figured out your bottleneck. Is it possible you were running
both Comodo and the Windows firewall simultaneously? If so, I can see
why this would cause a conflict!

Do you plan on reconfiguring Comodo? I hear it's a good firewall.

Whatever you do, make sure your firewall (whichever one you use) is
working!


You're welcome.


Ghee... you're fast!

I heard good experiences of comodo too. That's why I gave it a try after
using mcafee for a long time.

I had the windows firewall turned off. I know that two firewalls can
interact in a bad way.

I might have suspected comodo earlier, since somehow it kept forgetting
the allowed applications. I had similar problems long time ago with Zone
Alarm and another firewall I tried.
It is quite complicated software these firewalls. They act at a low
system level so it isn't that strange that the system process went nuts.
Afterwards I don't understand why I hadn't it tackled two weeks ago. I
had a "tunnelview" into process explorer.

So now I decided to simply use the windows sp2 firewall. Simple, but not
unsafe, so I have heard. Later I might go for zone alarm again. Haven't
used that one for a long time.

Gerard
 
Gerard Verhoef

Unfortunately
a) the expertise isn't here
b) at least one person here (telling you to use a firewall) seemed to
not even have the brains to realise from your writing and attitude
etc. that you're a techie (this is a common problem in this newsgroup)

You may be interested in the following forum, for future reference.
There is a forum specifically for "process explorer" and other
utilities made by the sysinternals team.
http://forum.sysinternals.com/default.asp?C=2
Thanks for the link. I'll look into it.
I wasn't sure where to find the right expertise. Since process explorer
is distributed by Microsoft I thought this Ng was as good a place as any
to start.

I am grateful for the guys who took the effort to help me. It's
advice I can follow or not as I please. And to be honest: the replies
were very helpful because they made me realize that the process explorer
provides other feedback than I expected in the first place. Finally: I
solved the problem and learnt something in between. What more can a guy
want (apart from babes and booze of course)

Gonna check into the other sysinternal utils.

Thanks

Gerard
 
Jack Doyle

The SysInternals guys make some great utilities. Two of my favorites
are RegMon (http://urlx.org/microsoft.com/afbdd) and FileMon
(http://urlx.org/microsoft.com/d7f78). Both are great.

I have used them in environments that I have managed where the users are
standard users and may not have any administrative privileges on their
workstation.

You'll run into many applications that won't function if the user is not
an admin. FileMon and RegMon make it very easy to determine which
files/folders and registry keys the users need access to in order for
the application to work. You make those ACL changes and then you are
typically able to run the application as a standard user.

Great tools.
 
Rock

Gerard Verhoef said:
Ghee... you're fast!

I heard good experiences of comodo too. That's why I gave it a try after
using mcafee for a long time.

I had the windows firewall turned off. I know that two firewalls can
interact in a bad way.

I might have suspected comodo earlier, since somehow it kept forgetting
the allowed applications. I had similar problems long time ago with Zone
Alarm and another firewall I tried.
It is quite complicated software these firewalls. They act at a low system
level so it isn't that strange that the system process went nuts.
Afterwards I don't understand why I hadn't it tackled two weeks ago. I had
a "tunnelview" into process explorer.

So now I decided to simply use the windows sp2 firewall. Simple, but not
unsafe, so I have heard. Later I might go for zone alarm again. Haven't
used that one for a long time.

The latest release of Zone alarm is quite bloated. If you go with ZA use an
earlier version.

Sunbelt Software's Kerio Personal Firewall is another option. They have
free and paid versions.

If you are behind a router with NAT and practice safe hex, the XP firewall
should do fine. The reality is that software firewalls, particularly with
respect to monitoring outbound traffic, are more noise than substance.
 
