Ever wondered what lies under the hood of the humble Task Manager? Wonder no more…
The Task Manager in Windows is one of the most useful and easily accessible tools. It is virtually a window into the innards of your computer. You can: open new programs, kill running tasks, monitor CPU utilisation, get networking statistics etc. You can also use the task manager as a security diagnostic tool—to find malicious programs that might be running. Yet most people don’t exploit all the capabilities of the Task Manager. That’s about to change…
Open It
Everybody knows how to do this: the (in)famous [Ctrl] [Alt] [Delete] key combination. Click on the Task Manager tab and out pops the Task Manager (referred to from here on as TM). You could also open the TM with [Ctrl] [Shift] [Esc]. Right-clicking on the Windows taskbar and choosing Task Manager from the menu also does the job.
Under The Hood
You will see a window with four tabs: Applications, Processes, Performance and Networking. Each of these tabs is used to get real time information about the state of your system.
Applications
This tab lists all the tasks that are currently running, and also their status. This is the first place to head to if your system is slowing down or has hung: Properly executing tasks have the status listed as running, while tasks that have frozen will show as “Not Responding”. To end an application, select it and click on the End Task button. You have two other buttons: Switch To and New Task. Switch To brings the selected application’s window to the foreground.
Right-clicking any task brings up a menu which pretty much does what the buttons do.
Processes
The Processes tab lists all the currently running processes. This is actually the most useful part of the TM. What is a process, you ask? Processes are running instances of applications. Consider the anti-virus program running in the background. A typical anti-virus program does several things simultaneously—checking for updates, scanning for threats, etc. So although you only see one anti-virus, it is running many simultaneous processes. You can set the priority for each process by right-clicking a process and selecting the Set Priority option. Selecting another menu option End Process Tree ends that particular process and any other process which it has spawned.
In the Processes tab you would typically see cryptic names like ctfmon.exe, svchost.exe, mdm.exe or winlogon.exe. They are the names of all the processes—good or bad. Some of these are critical to the system, and so cannot be tampered with. Since the process names are unfamiliar, this is where the Go To Process option (right-click a task in the Applications tab) comes in handy: clicking on it takes you straight to the corresponding process name.
Here is a brief description of some common system processes. A point to be noted: many Trojan horses, worms or viruses use the same or similar names as these processes, but the real ones always run from the System32 folder.
Svchost.exe: This is a system process. It stands for Service Host, a generic name for processes that run different system services like the audio service, cryptographic services, DHCP, the system clock, etc. There could be multiple copies of svchost.exe running at the same time. To see which services each svchost.exe is running, go to Start > Run, type cmd and then type Tasklist /SVC.
Spoolsv.exe: It is a system process which handles printing tasks. It is essential if you need to print.
Lsass.exe: Stands for Local Security Authority Service. It is an essential system process that deals in local security and login policies. Terminating this process will make your system unstable.
Alg.exe: The Application Layer Gateway service is needed if you are using a third-party firewall or Internet Connection Sharing. Shut it down and you will lose your connection to the Net.
Csrss.exe: It executes the Client/Server Runtime Server Subsystem. All the graphical commands in Windows are executed by csrss.exe. Terminating this process will make the system unstable.
Explorer.exe: Windows Explorer is what runs all the eye candy. It runs the Windows graphical shell, which includes the Start Menu, Taskbar, Desktop, etc. If you shut down explorer.exe you won’t be able to use the GUI.
Smss.exe: Stands for Session Manager Subsystem. It handles user sessions on the system and should not be shut down.
Services.exe: It is a system process which manages the start-up and shut-down of services.
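The two checks above (does a system process really run from System32, and which services is each svchost.exe hosting?) can be done in one go from a PowerShell prompt. The script below is an added example and not from the original article; it assumes Windows with PowerShell 3.0 or later (for Get-CimInstance) and, for complete results, an elevated prompt, since the image path of protected processes such as csrss.exe is not readable otherwise. Note that explorer.exe legitimately lives in %SystemRoot% itself rather than in System32, so it gets its own expected folder.

```powershell
# Added example: list the system processes described in the article, show where each
# one is running from, flag any copy not in its expected folder, and for svchost.exe
# show the services it hosts (the same information as "tasklist /svc").
# Assumes PowerShell 3.0+ and, for full results, an elevated (Administrator) prompt.

$systemNames = 'svchost.exe', 'spoolsv.exe', 'lsass.exe', 'alg.exe',
               'csrss.exe', 'explorer.exe', 'smss.exe', 'services.exe'
$system32    = Join-Path $env:SystemRoot 'System32'
# explorer.exe is the one exception: the real one lives in %SystemRoot%, not System32
$expectedDir = @{ 'explorer.exe' = $env:SystemRoot }

$report = foreach ($p in Get-CimInstance Win32_Process) {
    $name = $p.Name.ToLower()
    if ($systemNames -notcontains $name) { continue }

    $dir  = if ($expectedDir.ContainsKey($name)) { $expectedDir[$name] } else { $system32 }
    $path = $p.ExecutablePath
    $status = if (-not $path) {
        'path not readable (run elevated)'
    } elseif ((Split-Path $path -Parent) -ieq $dir) {
        'OK'
    } else {
        'SUSPECT: not running from ' + $dir
    }

    # For svchost.exe, look up the services whose process ID matches this instance
    $services = ''
    if ($name -eq 'svchost.exe') {
        $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
                     ForEach-Object { $_.Name }) -join ','
    }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Name     = $p.Name
        Path     = $path
        Services = $services
        Status   = $status
    }
}

# Suspect and unreadable entries sort to the top so they are the first thing you see
$report | Sort-Object Status -Descending | Format-Table -AutoSize -Wrap
```

Any row marked SUSPECT deserves a closer look (file properties, digital signature, what started it) before you end it; a row marked "path not readable" is usually just a protected process seen from a non-elevated prompt and goes away when you rerun the script as Administrator.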
Performance
The third tab is a graphical depiction of CPU usage and Page File usage plotted against time. It’s pretty much self-explanatory: the only thing to remember is that if both graphs sit continuously at half their total height, your system needs some troubleshooting. There are statistics showing the number of handles (a unique value for resources like files and registry keys used by programs), threads and processes. The Commit Charge group shows the total memory allocated to programs, Physical Memory gives the details of the RAM, and Kernel Memory is the memory used by the operating system kernel and the various drivers.
Networking
The Networking tab is the fourth tab in the TM. It shows a visual representation of the network connection. If you suspect the presence of malicious software, shut down all apps and check the Networking tab. Too many spikes in the graph might indicate that programs are connecting to the Internet without your permission.
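The graph tells you that something is talking to the network, but not what. The script below, an added example that is not part of the original article, goes one step further than the tab itself: it maps every established TCP connection to the owning process, its image path and the remote address, so an unexpected spike can be traced back to a program. It assumes Windows with netstat.exe and PowerShell 2.0 or later; the process path is only readable for other users' or protected processes from an elevated prompt.

```powershell
# Added example: parse "netstat -ano" (TCP rows in the ESTABLISHED state carry the owning
# PID in the last column), resolve each PID to a process name and image path, then summarise
# connections per process with the remote addresses involved.
# Assumes netstat.exe on PATH and PowerShell 2.0+; run elevated to see every process path.

$pattern = '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$'

$connections = netstat -ano | ForEach-Object {
    if ($_ -match $pattern) {
        $ownerPid = [int]$Matches[3]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID     = $ownerPid
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
            # Path is $null for protected processes unless the prompt is elevated
            Path    = if ($proc) { $proc.Path } else { '' }
            Local   = $Matches[1]
            Remote  = $Matches[2]
        }
    }
}

# One line per process: connection count, name, path and the distinct remote endpoints
$connections |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Path';    e = { ($_.Group | ForEach-Object { $_.Path } | Select-Object -First 1) } },
        @{ n = 'Remotes'; e = { ($_.Group | ForEach-Object { $_.Remote } | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

Run it once with every application closed, as the article suggests, and the only processes left in the list should be ones you can account for; a process you do not recognise, or a familiar name running from an unfamiliar path, is the one to investigate further.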
It Boils Down To…
The TM is an easy and useful utility, though there are tools like Process Explorer which extend its functionality. So the moment you find your system acting up, don’t panic. Press those three keys and become a certified geek.