
Process Monitor is a powerful tool and it can be used to track down exactly what program on your machine is responsible for internet activity.

My wife and I share a laptop, using Windows XP and connected to a satellite. The ISP limits our bandwidth. Recently, we received a message that we were using too much: about 150 MB during one recent hour. We do not run any videos, such as YouTube. We just browse (eBay) and email (Mozilla Thunderbird). I have checked all the places that I can think of. If I turn off the automatic updates, for example, it still recurs. When I am logged in, the problem goes away, so it is some program which my wife is inadvertently running in the background, I suppose. Looking at Processes with Task Manager does not help much. It jumps around too much. I ran a scan with Norton and found nothing. I took it in to the computer geek store here, and they ran a more extensive scan, but found nothing. Is there any program which could monitor Internet activity and let me know what's running?

Yes, there is.

It's a free tool from Microsoft's Sysinternals suite, called Process Monitor, that I suspect will be perfect for this problem. While it's a little geeky, this extremely powerful tool can be used to diagnose many issues.

I'll walk you through how to set it up for this scenario.

Download Process Monitor

Download and install Process Monitor.

Process Monitor Download Page

Process Monitor, or simply "procmon", downloads as a zip file. Save that to a folder of your choosing and then extract the .exe program from the zipped archive.

Procmon Zip Contents

Place procmon.exe and procmon.chm (the help file) in a convenient folder.

Run Process Monitor

When you first run procmon.exe, you'll need to agree to the license terms. This should only happen once. On Windows Vista and Windows 7 (both of which have User Account Control) you'll also get the UAC prompt, because Process Monitor needs to elevate:

Procmon needing administrative access

Procmon loads a kernel driver to capture file, registry, process and network events, which is why it requires full administrative access. Windows XP has no UAC prompt, so there you simply need to run it from an account that is an administrator. Note also that procmon only sees what happens while it is capturing, so in your case it has to be running during the period the usage actually occurs, that is, while your wife's account is the one in use, not yours.

Procmon works by first collecting or recording events, which are notifications of things happening on your machine (file, registry, process and thread, and network activity), and then providing several ways to view, filter and analyze what those collected events mean.

As soon as you start procmon, it starts collecting events:

Procmon collecting data

The numbers in the status bar at the bottom will continue to increase as procmon counts the number of events being collected.

When you've collected enough, type CTRL+E or click on the magnifying glass in the procmon toolbar to stop data collection.

What's enough?

That's difficult to say, as it depends on the nature of the problem that you're attempting to diagnose. In general, I start it when I know or suspect that a problem is happening, like your unknown internet usage, and let procmon collect until the problem has indeed happened and gone on long enough to have generated meaningful data. Two practical caveats: procmon keeps every captured event in memory unless you point it at a backing file (File > Backing Files...), so a capture of several hours on a busy machine gets large; and if you only care about network traffic, set a filter on the Operation column (Filter > Filter...) and turn on Filter > Drop Filtered Events so that file and registry noise isn't stored at all. For an unattended capture, procmon can also be started from a shortcut or command line as procmon.exe /AcceptEula /Quiet /Minimized /BackingFile C:\capture.pml, stopped later with procmon.exe /Terminate, and the saved .pml file opened afterwards with procmon.exe /OpenLog C:\capture.pml.

Depending on the problem you're experiencing, it might take some experimentation.

Analyze Procmon Results

Procmon includes some summary analysis tools that make what we do next fairly easy.

On the Tools menu, click on Network Summary...

Procmon Network Summary

Procmon generates a summary of all the network-related events that it's captured, one line per connection (local endpoint to remote endpoint). Initially, these are sorted by decreasing number of events, but the columns are all clickable. In the example above, the next to the last column is labeled Receiv..., which is truncated from Received Bytes. I'll click on that to see which connection has been downloading the most data:

Process Monitor received bytes summary list

Here, we can see that during this capture, my machine was downloading a lot of data from mirrors.easynews.com, on the http port. The problem is that the summary is per connection: it doesn't tell us which program is doing the downloading.

Double-click on the line of interest and the Process Monitor main window will update to show only the events related to that connection, each tagged with the process name and PID that issued it. (You can close the Network Summary window if you need to, to be able to see procmon's main window.)

Process Monitor showing events relating to the network summary line we double clicked on

Sure enough, it was Firefox running on this machine. In order to show something interesting, I started a download of an Ubuntu Linux ISO file prior to running procmon. That file was being hosted by one of Ubuntu's mirror sites.
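The Network Summary dialog is the interactive way to do this tally. When a capture is too long to click through, or you want to keep a record, the same analysis can be scripted over a CSV export of the capture (File > Save..., with CSV as the format). The script below is an added example, not code from the article or from Sysinternals: it reads procmon's default columns, keeps only TCP and UDP events, pulls the byte count out of the Detail column, and totals sent and received bytes per process, PID and remote endpoint, so the attribution the article gets by double-clicking is already in the result. The embedded CSV is constructed for the example (invented processes, hosts and byte counts), and the assumptions that the Path column reads "local -> remote" and that a saved CSV is UTF-8 with a byte-order mark are noted in comments.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV)
# using procmon's default columns. Processes, hosts and byte counts are
# invented for this example; they are not from the article's capture.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010000 AM","firefox.exe","1844","TCP Connect","laptop:1352 -> mirrors.easynews.com:http","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65535, rcvwinscale: 2, sndwinscale: 0, seqnum: 0, connid: 0"
"10:02:11.0020000 AM","firefox.exe","1844","TCP Send","laptop:1352 -> mirrors.easynews.com:http","SUCCESS","Length: 512, startime: 5, endtime: 5, seqnum: 0, connid: 0"
"10:02:11.0030000 AM","firefox.exe","1844","TCP Receive","laptop:1352 -> mirrors.easynews.com:http","SUCCESS","Length: 1,460, seqnum: 0, connid: 0"
"10:02:11.0040000 AM","firefox.exe","1844","TCP Receive","laptop:1352 -> mirrors.easynews.com:http","SUCCESS","Length: 1,460, seqnum: 0, connid: 0"
"10:02:11.0050000 AM","firefox.exe","1844","WriteFile","C:\\Downloads\\ubuntu.iso","SUCCESS","Offset: 0, Length: 2,920"
"10:02:12.0000000 AM","thunderbird.exe","2216","TCP Send","laptop:1353 -> mail.example.net:imaps","SUCCESS","Length: 200, startime: 6, endtime: 6, seqnum: 0, connid: 0"
"10:02:12.0010000 AM","thunderbird.exe","2216","TCP Receive","laptop:1353 -> mail.example.net:imaps","SUCCESS","Length: 3,000, seqnum: 0, connid: 0"
"10:02:12.0020000 AM","svchost.exe","1024","UDP Receive","laptop:1025 -> 192.168.1.1:domain","SUCCESS","Length: 120, seqnum: 0, connid: 0"
'''

# procmon writes byte counts with thousands separators, e.g. "Length: 1,460"
LENGTH_RE = re.compile(r"\bLength:\s*([\d,]+)")
# Assumption: network Path is "local:port -> remote:port"
ARROW_RE = re.compile(r"^(?P<local>.+?)\s*->\s*(?P<remote>.+)$")

RECEIVE_OPS = {"TCP Receive", "UDP Receive"}
SEND_OPS = {"TCP Send", "UDP Send"}


def parse_length(detail):
    """Byte count from a Detail column, or 0 when there is none (e.g. TCP Connect)."""
    m = LENGTH_RE.search(detail)
    return int(m.group(1).replace(",", "")) if m else 0


def summarize_network(csv_text):
    """Tally events and bytes per (process name, PID, remote endpoint).

    Same numbers as Tools > Network Summary, but keyed by the process that
    issued the traffic, so no double-click is needed to attribute it.
    """
    totals = defaultdict(lambda: {"events": 0, "sent": 0, "received": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        if not (op.startswith("TCP ") or op.startswith("UDP ")):
            continue                      # file, registry and process events
        m = ARROW_RE.match(row["Path"])
        remote = m.group("remote") if m else row["Path"]
        entry = totals[(row["Process Name"], int(row["PID"]), remote)]
        entry["events"] += 1
        if op in RECEIVE_OPS:
            entry["received"] += parse_length(row["Detail"])
        elif op in SEND_OPS:
            entry["sent"] += parse_length(row["Detail"])
    return dict(totals)


def top_receivers(csv_text, n=5):
    """Connections sorted by received bytes: the 'Received Bytes' click, scripted."""
    summary = summarize_network(csv_text)
    return sorted(summary.items(), key=lambda kv: kv[1]["received"], reverse=True)[:n]


def summarize_file(path):
    """Run the tally over a CSV procmon saved to disk (assumed UTF-8 with a BOM)."""
    with open(path, encoding="utf-8-sig", newline="") as f:
        return summarize_network(f.read())


if __name__ == "__main__":
    print(f"{'Process':<16} {'PID':>5} {'Remote':<28} {'Events':>6} {'Sent':>8} {'Received':>9}")
    for (proc, pid, remote), t in top_receivers(SAMPLE_CSV):
        print(f"{proc:<16} {pid:>5} {remote:<28} {t['events']:>6} {t['sent']:>8} {t['received']:>9}")
```

Run it as-is to see the table for the constructed sample, or call summarize_file() on your own export. Because the key includes the PID, two copies of the same program (say, a browser and a helper it spawned) show up as separate lines, which is exactly the distinction you want when the question is "which program".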

More Procmon

We've only scratched the surface here, but as you can see, it's fairly easy for such a powerful program to quickly generate a summary analysis of many common operations, not just network access. While you've got procmon out, spend a few moments with the other items on the Tools menu (Process Tree, File Summary, Registry Summary and the rest) to see how it might help you face other issues in the future.

Article C4733 - February 5, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

7 Comments
ad
February 9, 2011 8:33 AM

Have they turned on security on their modem?

john neeting
February 10, 2011 5:53 AM

I won't mention who, but... I discovered that my ISP, with whom I had a dedicated account, had been ILLEGALLY proxying my port on the NAT server with 1 other user [to save a few $$$]. I discovered this when certain sites were continually telling me I was ALREADY downloading something, I had exceeded my 24hr download limit, or I was already logged on to the site from the same IP address but port 1080. :) My speed was less than v90 on ADSL2+; after informing my ISP I had a record of what was going on, my speed jumped to 1.5MB overnight. There ARE free tools to catch this little number, and don't kid yourself; most people haven't a clue, but when you have 150 users on a 100-port rack, things don't add up.

I'm no lawyer, but my only quibble is that it may not have been "illegal". Annoying and bad business perhaps, but I doubt that any laws were broken.
Leo
10-Feb-2011

robert
May 4, 2011 8:47 AM

On a Win Vista OS, after unzipping, all 3 files never open and I have to use Task Manager to kill them as not responding. And what information I find is limited.

robert
May 4, 2011 9:35 PM

I was starting it with "open with admin prompt", but it took going into the Properties menu and checking "start as Admin". So now it is running, but I am not getting any results when I choose the networking filter or summary: only zeros all across. Maybe the firewall?

Ty Buchanan
December 11, 2011 1:41 AM

All I want to do is make a copy of the registry. Install a program. Make another copy of the registry and compare, to see the changes.

There are two ways that I'd go about doing this:

A) Run a tool like Procmon, which will allow you to filter on all registry writes by a specific application so you can see what that application is doing.

B) Run regedit.exe, select the "Computer" item at the top of the registry tree, and then select File->Export and export the entire registry to a ".reg" file. Do that before and after whatever it is you want to monitor, and then use a file difference tool like WinMerge to scan for differences.
Leo
12-Dec-2011
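Option B in Leo's reply above, exporting the whole registry before and after and diffing the two files, works with WinMerge, but a full export is large and a line-by-line diff shows every shifted line rather than every changed key. The script below is an added example, not Leo's code or anything from the page: it parses two .reg exports into key/value maps (joining the backslash-continued hex lines regedit writes) and reports added keys, removed keys and changed values, with values kept exactly as written in the file. The two embedded exports are constructed for the example (an invented program adding a Run entry and a Settings key); diff_reg_files() is for the real files, which regedit writes as UTF-16 with a byte-order mark.

```python
import re

# Constructed sample .reg exports in the format regedit's File > Export
# writes, "before" and "after" installing a made-up program. Every key,
# value and path here is invented for this example.
REG_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

[HKEY_CURRENT_USER\Software\Example]
@="old default"
"Version"=dword:00000001
'''

REG_AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /background"

[HKEY_CURRENT_USER\Software\Example]
@="old default"
"Version"=dword:00000002
"Blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,\
  17,18,19,1a

[HKEY_CURRENT_USER\Software\Example\Settings]
"AutoStart"=dword:00000001
'''

# A value line is either "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: data as written}}.

    Hex data that regedit wraps with a trailing backslash is joined back
    into one line before parsing; the default value is stored under "@".
    """
    keys, current, carry = {}, None, ""
    for raw in text.splitlines():
        line = carry + raw.lstrip() if carry else raw
        carry = ""
        if line.endswith("\\"):           # data continues on the next line
            carry = line[:-1]
            continue
        if not line.strip() or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue                      # stray line: ignore rather than guess
        name = "@" if m.group("default") else m.group("name")
        keys[current][name] = m.group("data")
    return keys


def diff_reg(before_text, after_text):
    """Key-aware comparison of two exports.

    Returns added keys, removed keys, and changed values as tuples of
    (key, value name, old data or None, new data or None).
    """
    before, after = parse_reg(before_text), parse_reg(after_text)
    changed = []
    for key in sorted(set(before) | set(after)):
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old != new:
                changed.append((key, name, old, new))
    return {
        "added_keys": sorted(set(after) - set(before)),
        "removed_keys": sorted(set(before) - set(after)),
        "changed_values": changed,
    }


def diff_reg_files(before_path, after_path):
    """Compare two files written by regedit (UTF-16 with BOM, which 'utf-16' decodes)."""
    with open(before_path, encoding="utf-16") as b, open(after_path, encoding="utf-16") as a:
        return diff_reg(b.read(), a.read())


if __name__ == "__main__":
    result = diff_reg(REG_BEFORE, REG_AFTER)
    for key in result["added_keys"]:
        print("+ key", key)
    for key in result["removed_keys"]:
        print("- key", key)
    for key, name, old, new in result["changed_values"]:
        print(f"~ [{key}] {name}: {old!r} -> {new!r}")
```

Run as-is it reports the new Settings key, the new Run entry, the changed Version and the added Blob from the constructed samples. The Run key line is the one worth reading first when the question is "what starts automatically now"; that is the same kind of answer procmon's registry events give live, but from two snapshots instead of a capture.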