Services Polling when Process Explorer is Running
Published Jun 26 2019 11:12 PM
First published on TechNet on Apr 06, 2005
If you’ve replaced Task Manager and run Process Explorer at all times in your tray (like you should) and you’ve run Regmon, you have probably noticed Services.exe repeatedly querying the entire HKLM\System\CurrentControlSet\Services branch of the Registry.



The Regmon trace indicates that Services.exe is querying the ObjectName value of each service. The ObjectName value stores the name of the user account in which the service executes. If the account is not specified, the service runs in the local system account.

This polling by the Service Control Manager stops when you exit Process Explorer so there’s clearly a connection. One of Process Explorer’s features is its services-process highlighting. By default, it highlights in a beautiful pink color (I think anyway – I chose it :) ) any processes that host Windows services. It also displays a services tab in the process properties dialog for those processes that shows you which services the process contains along with the descriptions of the services (if descriptions are available). Process Explorer gets this information by using the EnumServiceStatusEx function, which is the only way to obtain a mapping of services to their processes.

Unfortunately, the Service Control Manager for some reason queries the services Registry database (HKLM\System\CurrentControlSet\Services) to retrieve some of the other information returned by the API, rather than relying on its in-memory copy of the database - thus the polling. Attaching to Services.exe with Windbg results in a hang of both Windbg and Services.exe (if you use the symbol server) since Windbg relies on APIs implemented by Services.exe, so the only way to get a stack trace of one of the polling Registry queries is with a kernel debugger. This is a screenshot of the Compuware Numega Softice kernel debugger showing the stack of Services.exe when it’s querying the database in response to Process Explorer’s call to EnumServiceStatusEx.



Originally by Mark Russinovich on 4/6/2005 12:56:00 PM
Migrated from original Sysinternals.com/Blog
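
The service-to-process mapping and the ObjectName account described in the post can be viewed side by side from PowerShell. This is an added example, not code from the original post or from Process Explorer; it uses the Win32_Service CIM class instead of calling EnumServiceStatusEx directly, and the variable names are illustrative.

```powershell
# Added example: map running services to their host processes and logon accounts.
# Win32_Service.ProcessId supplies the service-to-process mapping; the account is
# read from the ObjectName value under each service's registry key.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$rows = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 } |
    ForEach-Object {
        # Read ObjectName from the same branch the Regmon trace shows being queried.
        $key = Join-Path $servicesKey $_.Name
        $objectName = (Get-ItemProperty -LiteralPath $key -Name ObjectName `
                        -ErrorAction SilentlyContinue).ObjectName
        # Per the post: no account specified means the local system account.
        if (-not $objectName) { $objectName = 'LocalSystem' }
        $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            ProcessName = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Service     = $_.Name
            Account     = $objectName
        }
    }

# One row per host process: the services it contains and the account(s) they use.
$rows | Group-Object ProcessId | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{
        ProcessId = [int]$_.Name
        Process   = $_.Group[0].ProcessName
        Accounts  = ($_.Group.Account | Sort-Object -Unique) -join ', '
        Services  = ($_.Group.Service | Sort-Object) -join ', '
    }
} | Format-Table -AutoSize -Wrap
```

A host process that lists several services under a privileged account is the first place to look when reviewing which services could be moved to a less privileged account.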



# re: Services Polling when Process Explorer is Running

Mark, any possibility of getting Regmon to accept an unlimited "exclude" list? I tend to use the right-click->Exclude Process option a lot and, quite frequently, hit the limit of processes I can exclude.

4/6/2005 1:23:00 PM by Thomas Hruska


# re: Services Polling when Process Explorer is Running

The next update to Regmon supports 1024-character filters. I'm looking at unlimited filters in the future.

4/6/2005 1:27:00 PM by Mark Russinovich


# re: Services Polling when Process Explorer is Running

On demand registry access does not qualify as "polling".

You always have to fight with the integrity issue with a cache.

4/6/2005 2:38:00 PM by Junfeng Zhang


# re: Services Polling when Process Explorer is Running

How did you get a screenshot for softice?

Was it running in a VM or what?

4/6/2005 4:16:00 PM by Anonymous


# re: Services Polling when Process Explorer is Running

You should be able to debug services.exe with a user mode debugger, as long as you use a local symbol path. For example, this works for me:

C:\Debuggers>set _NT_SYMBOL_PATH=srv*c:\symbols

C:\Debuggers>cdb -pn services.exe

0:017> bp ntdll!NtOpenKey "k;g"
0:017> g

Normally I have _NT_SYMBOL_PATH pointing to the MS symbol server, with c:\symbols as the local cache. So using srv*c:\symbols as the sympath allows the debugger to find locally cached symbols without hitting the network.

4/6/2005 10:36:00 PM by Pavel Lebedinsky


# re: Services Polling when Process Explorer is Running

As for replacing Task Manager with Process Explorer, I'd happily do if only PE had a Network Activity view, like the Windows XP Task Manager has. Better still, if that view and the existing System Information view were in fact tabs in a tabbed view, à la Task Manager. I find that *much* more user-friendly than the two-windows model of Process Explorer (which is superb in every other aspect, of course).

4/7/2005 2:39:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

I second that...

4/7/2005 11:01:00 PM by Anonymous


# re: Services Polling when Process Explorer is Running

I third that...

4/8/2005 2:27:00 AM by Gimma


# re: Services Polling when Process Explorer is Running

I'd like to see that as well

For that matter, a bulletin board would be much better than a blog.

4/8/2005 9:35:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

I'd like the network activity view too....
I agree that a tab approach is better than a two window approach.

Asher

BTW - I just love this blog!

4/8/2005 10:49:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

How did you get a screenshot for softice?

You need to use a freeware plug-in for NTIce called "IceExt"

get here:
http://stenri.pisem.net/

4/8/2005 12:47:00 PM by Sergey Dindikov


# re: Services Polling when Process Explorer is Running

Mark said: " If you’ve replaced Task Manager and run Process Explorer at all times in your tray (like you should)"

How about adding an option to "start on windows startup"?

4/9/2005 1:18:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

I'm encountering a constant 50% CPU load. Process Explorer shows that it goes to the Hardware Interrupts "process". It amounts to about 115,000-120,000 context switches per second. Obviously, it's a driver or hardware problem. It would be nice to see in future versions of Process Explorer a breakdown of Hardware Interrupts by Interrupt number. It would be very helpful in locating such problems. Thank you.

4/10/2005 4:10:00 AM by Valentinas Kraujalis


# re: Services Polling when Process Explorer is Running

The breakdown of interrupts could possibly be solved a little more elegantly with a properties screen for the pseudo-process where each interrupt is enumerated as a pseudo-thread

4/10/2005 5:36:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

The breakdown of interrupts could possibly be solved a little more elegantly with a properties screen for the pseudo-process where each interrupt is enumerated as a pseudo-thread

4/10/2005 5:37:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

Hello Mark,

Why do you omit such important functionality in "Process Explorer" as showing process memory information in the list of the currently active processes?
It would be very helpful for an admin when he tries to find or sort processes by memory values.

Thanks.
(mailto:sheriff@calories.ru)

4/12/2005 4:29:00 AM by Igor Lebedew


# re: Services Polling when Process Explorer is Running

Igor Lebedew: you can add several different memory metrics as columns.

I haven't added a network view to process explorer because 1) I've found the information to be useless 2) I've gotten almost no requests for it.

As far as why System information is a separate window, I find it easier to look at. Making the main window a tabbed view would require the entire window to be stretched to get a good width on any particular tab, like the system information page where you want wide history graphs.

4/12/2005 4:38:00 AM by Mark Russinovich


# re: Services Polling when Process Explorer is Running

Mark, I find the network information useless too. I hope you don't waste your time on adding it, especially when there are so many other niceties that could be thrown in--like multiple process selection. [G]

4/12/2005 8:47:00 PM by Anonymous


# re: Services Polling when Process Explorer is Running

Well, obviously different people use software differently. 99% of times I fire up the Task Manager it is to see the network activity view, so Process Explorer could never replace the old beast...

4/13/2005 3:34:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

There are so many other tools to view network activity...

4/16/2005 3:48:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

>There are so many other tools to view network activity...

Sure. But if I have to install and fire up another program, then PE is not a good replacement for Task Manager (wonderful as it is as a, yeah, Process Explorer :)

4/18/2005 4:10:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

Hey Mark
Just a comment to regmon.
In what version did you change the result column for illegal access from "ACCDENIED" to "ACCESS DENIED" in regmon? ;)
I was filtering on "ACCDENIED" to catch misbehaving non-WinXP-logo programs' illegal writes to the registry in NonAdmin-mode. When I upgraded from v6.10 to v7.0 all programs suddenly seemed well behaved ;)

BTW - Is it possible that you will implement the result-column filtering feature in filemon as well in the future?

Anyway - Thanks for those programs.

4/24/2005 11:28:00 AM by Henrik Jensen


# re: Services Polling when Process Explorer is Running

Mark, are you going to add anything for the new Dual Cores?
I'd like to see how Landy Wang and Dave Cutler shift winword.exe between CPUs......

5/2/2005 1:30:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

Mark,

I noticed that one of the service registry keys on your system was HKLM\System\CCS\Services\WDICA. Do you use Citrix\Terminal Services on a regular basis? It would be great to see some Terminal Server specific blogs and tools, or better yet, a chapter dedicated to Terminal Services in the next edition of Windows Internals!

5/21/2005 7:44:00 PM by Anonymous


# re: Services Polling when Process Explorer is Running

I too would like to view network activity.

When I copy files using firewire I can get a feel for how much throughput I get (fwiw it is usually closer to 100Mbps than 400Mbps when transferring to/from a notebook).

And it is also comforting to look at it to make sure an idle server isn't pushing lots of data for no obvious reason. (i.e. if a server uses its entire bandwidth, then something could be very very wrong -- Task Manager helps)

--
Rune

5/24/2005 10:29:00 AM by Rune


# re: Services Polling when Process Explorer is Running

I've just tried using procexp as a taskmgr replacement. It's great, but I have one minor issue: Tray icon currently changes color between green, yellow and red according to CPU usage. I'd like to be able to cancel that, since I'm color blind and can't see the red properly (as are 8% of the male population!).

Oh, and I don't care about network utilization...

6/6/2005 8:46:00 AM by Jonathan


# re: Services Polling when Process Explorer is Running

Task Manager's tray icon looks more elegant than Process Viewer's, even if it does soft page fault every time.

10/7/2005 10:23:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

Logically if Mark really believes the world should replace Task Manager with Process Explorer, then the complete set of features of Task Manager should be included.

This includes in particular the 'Networking' tab - although you may not as an individual find this feature useful, this is poor logic for omitting it.

(Never mind the fact that *many* do find it useful which is also fairly compelling.)

6/10/2006 5:19:00 AM by Anonymous


# re: Services Polling when Process Explorer is Running

There are some good suggestions here, and they're useful. I, however, thought I'd just say THANK YOU MARK FOR SUCH AN AWESOME TOOL! You make our lives so much better every day!

-Billy

8/6/2006 11:57:00 PM by Anonymous