Friday, November 27, 2009

Managing Windows XP Programs from the Command Line: Tasklist

Windows XP Professional comes with a powerful command-line tool called Tasklist that provides many details on the programs and processes that are running.
Many will be familiar with the graphical tool Task Manager, which I have discussed elsewhere, and which provides various kinds of information about the applications and processes that are running on a system. There are also several command-line tools that provide similar but even more detailed information. In this article I will discuss the features of the tool called Tasklist (the system file is tasklist.exe). This tool is part of the regular installation of the Professional version of XP but does not come with the Home edition. However, those with the Home version of XP can download Tasklist here. Tasklist can be applied to see how much memory and CPU time running processes are using, what DLL files they rely on, and other information. Thus it can be a very useful troubleshooting tool.
Basic Tasklist command
If all you want to know is what tasks are running, enter TASKLIST into the command line. The output can be redirected to a file if you wish. The default format is a table with several columns of information. An example of a partial console output is shown in the figure below. There are five columns of information. The following list gives the meanings of the various column headings:
Image Name
The name of the process or the executable file running the process.
PID
The process ID. The system assigns a number to each process so it can keep track of it. It is possible to have several processes running with identical names but the PID will be unique. Note that the PID may not be the same each time you open a particular program. You may need the PID to run certain other diagnostic tools and Tasklist is one way to obtain this information.
Session Name
Unless you are on a network, this will read "Console" indicating that the process was started locally. Home PC users can usually ignore this column.
Session#
Each session is assigned a number. Home PC users can usually ignore this column also.
Mem Usage
This gives the very useful information of how much memory (in KB) a process was using at the time Tasklist was run.
Additional columns will be displayed in the so-called "verbose" mode that is obtained with the switch /v. These columns are:
Status
Gives the current status of the process as "Running", "Not Responding", or "Unknown". Useful for finding hung processes. Unknown status may refer to a normal process but Not Responding indicates a process that should be stopped.
User Name
User account under which the process is running. Windows itself will be running many processes, and the various system accounts SYSTEM, LOCAL SERVICE, or NETWORK SERVICE will appear, coupled with the local domain name NT AUTHORITY.
CPU Time
The total amount of CPU cycle time used by the process since its start. This can be a big number if you never turn off the computer.
Window Title
Windows display name of the process if it exists. Can sometimes help identify what program is involved.
More advanced options for Tasklist
There are many more options and these are provided by switches. The full syntax is:
TASKLIST [/S system [/U username [/P [password]]]] [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
Upper case has been used for clarity but the command is not case-sensitive. Table I describes the various parameters.
Table I. Parameters for TASKLIST
Parameter
Description
/S system
Specifies the remote system to connect to. Not needed for local computer.
/U username
Specifies the user context. Not needed for local computer.
/P [password]
Specifies the password for the given user context (if necessary).
/M [module]
Lists all tasks that have DLL modules loaded in them that match the given pattern name. If the module name is not specified, displays all modules loaded by each task.
/SVC
Displays services in each process.
/V
Specifies that the verbose information is to be displayed.
/FI filter
Displays a set of tasks that match a given criteria specified by the filter.
/FO format
Specifies the output format. Valid values: "TABLE", "LIST", "CSV".
/NH
Specifies that the "Column Header" should not be displayed in the output. Valid only for "TABLE" and "CSV" formats.
These additional parameters enable Tasklist to provide very detailed information about the system. Some examples will be shown in the next sections.
Find which Services use a process
It can be very useful to know the relationship between a process and the services that are running on a system (for a discussion of services see this page). To obtain a table relating Image Name, PID, and Services use the command
tasklist /svc >list.txt
Here I have shown the redirect to a file to illustrate creating a text record. One application of this command is for diagnosing problems with a service by monitoring the memory usage and other properties of the processes associated with the service.
Find which DLL files are used by a process
Processes can be using many different DLL files by calling on various procedures from their libraries. It is not uncommon for a problem to arise because a DLL is corrupted or is the wrong version. To find which DLLs are used by each process use the command
tasklist /m
This will return a table relating Image Name, PID, and Modules. "Modules" here indicates DLLs. The table may have quite a few entries and the list can be limited to a specific DLL by using its name in the command. For example, to see only the processes that use oleaut32.dll, enter
tasklist /m oleaut32.dll
Filtering Tasklist output
The output can be narrowed down to specific parameters by using filters and the switch /FI. There are a number of comparison operators and these are given in Table II. Not all operators can be used with every parameter and allowed values are shown for the most useful parameters in Table III.
Table II. Comparison operators for filters
Operator
Description
eq
Equals
ne
Does not equal
gt
Greater than. Only used with numeric values
lt
Less than. Only used with numeric values
ge
Greater than or equal to. Only used with numeric values
le
Less than or equal to. Only used with numeric values
Table III. Filter operators and allowed values
Parameter | Valid operators | Valid values
ImageName | eq, ne | Any valid string
PID | eq, ne, gt, lt, ge, le | Any valid positive integer
MemUsage | eq, ne, gt, lt, ge, le | Any valid positive integer in kilobytes
Status | eq, ne | Running, Not Responding, Unknown
Username | eq, ne | Any valid user name (includes SYSTEM, LOCAL SERVICE, NETWORK SERVICE)
WindowTitle | eq, ne | Any valid string
An example of using a filter is a command to find processes that are not responding. The command would be
tasklist /fi "status eq not responding"
Another example is to find processes using a lot of memory, say more than 40 MB. The command is
tasklist /fi "memusage gt 40000"
A final example shows how to clarify the multiple entries for the process "svchost.exe" that occur. (Each has a different PID.) Service Host (svchost.exe) is a basic piece of the Windows XP OS that is involved with many low-level system services. These are placed in several service groups, all running under the generic service name "svchost.exe". (See the discussion here.) To see which services are associated with each instance of svchost.exe, use the command
tasklist /svc /fi "imagename eq svchost.exe"
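The filters above can also be applied offline to a saved listing, for example one produced with tasklist /v /fo csv >list.csv on the machine being examined. The following Python script is an added example, not part of the original article; the sample data is constructed and the function names are hypothetical. It parses the CSV format (where Mem Usage is text such as "21,456 K"), repeats the two filter examples, and lists which account each svchost.exe instance runs under.

```python
import csv
import io

# Constructed sample of `tasklist /v /fo csv` output (not captured from a real system).
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\SYSTEM","0:00:09","N/A"
"svchost.exe","1024","Console","0","21,456 K","Running","NT AUTHORITY\SYSTEM","0:00:12","N/A"
"svchost.exe","1108","Console","0","4,812 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:01","N/A"
"firefox.exe","3120","Console","0","84,312 K","Running","DESK\alice","0:03:41","Mozilla Firefox"
"notepad.exe","2288","Console","0","3,104 K","Not Responding","DESK\alice","0:00:01","Untitled - Notepad"
'''

def parse_tasklist_csv(text):
    """Parse CSV-format Tasklist output into dicts with numeric PID and memory."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # "Mem Usage" looks like "21,456 K": keep only the digits so the unit
        # and any locale-specific thousands separator are dropped.
        digits = "".join(c for c in row["Mem Usage"] if c.isdigit())
        row["mem_kb"] = int(digits) if digits else 0
        row["pid"] = int(row["PID"])
        rows.append(row)
    return rows

def mem_greater_than(rows, kb):
    """Offline equivalent of: tasklist /fi "memusage gt <kb>"."""
    return [r for r in rows if r["mem_kb"] > kb]

def with_status(rows, status):
    """Offline equivalent of: tasklist /fi "status eq <status>" (case-insensitive)."""
    return [r for r in rows if r["Status"].lower() == status.lower()]

def pids_by_user(rows, image):
    """Map each account to the PIDs of one image name, e.g. every svchost.exe."""
    out = {}
    for r in rows:
        if r["Image Name"].lower() == image.lower():
            out.setdefault(r["User Name"], []).append(r["pid"])
    return out

if __name__ == "__main__":
    procs = parse_tasklist_csv(SAMPLE)
    for r in mem_greater_than(procs, 40000):
        print("high memory:", r["Image Name"], r["pid"], r["mem_kb"], "KB")
    for r in with_status(procs, "not responding"):
        print("hung:", r["Image Name"], r["pid"])
    print(pids_by_user(procs, "svchost.exe"))
```

The User Name and Status columns are only present when the listing was taken with /v, so a file saved without that switch will not work with the last two functions.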
More information on Tasklist is at this Microsoft site.
