Helping people with computers... one answer at a time.
Process Monitor is a powerful tool and it can be used to track down exactly what program on your machine is responsible for internet activity.
My wife and I share a laptop, using Windows XP and connected to a satellite. The ISP limits our bandwidth. Recently, we received a message that we were using too much: about 150 MB during one recent hour. We do not run any videos, such as YouTube. We just browse (eBay) and email (Mozilla Thunderbird). I have checked all the places that I can think. If I turn off the automatic updates, for example, it still recurs. When I am logged in, the problem goes away, so it is some program which my wife is inadvertently running in the background, I suppose. Looking at Processes with Task Manager does not help much. It jumps around too much. I ran a scan with Norton and found nothing. I took it in to the computer geek store here, and they ran a more extensive scan, but found nothing. Is there any program which could monitor Internet activity and let me know what's running?
Yes, there is.
It's a free tool, called Process Monitor, that I suspect will be perfect for this problem. While it's a little geeky, this extremely powerful tool can be used to diagnose many issues.
I'll walk you through how to set it up for this scenario.
Download and install Process Monitor.
Process Monitor, or simply "procmon", downloads as a zip file. Save that to a folder of your choosing and then extract the .exe program from the zipped archive.
Place procmon.exe and procmon.chm (the help file) in a convenient folder.
When you first run procmon.exe, you'll need to agree to some license terms. This should only happen once. When you run Process Monitor under Windows 7 and possibly Vista, you'll likely get the User Account Control dialog:
What procmon needs to monitor requires that it have full administrative access.
Procmon works by first collecting or recording events, which are basically notifications of things happening on your machine, and then providing several ways to view, filter and analyze what those collected events mean.
As soon as you start procmon, it starts collecting events:
The numbers in the status bar at the bottom will continue to increase as procmon counts the number of events being collected.
When you've collected enough, type CTRL+E or click on the magnifying glass in the procmon toolbar to stop data collection.
That's difficult to say as it depends on the nature of the problem that you're attempting to diagnose. In general, I start it when I know or suspect that a problem is happening, like your unknown internet usage, and let procmon collect until the problem has indeed happened and occurred long enough to have generated meaningful data.
Depending on the problem you're experiencing, it might take some experimentation.
Procmon includes some summary analysis tools that make what we do next fairly easy.
On the Tools menu, click on Network Summary...
Procmon generates a summary of all the network-related events that it's captured. Initially, these are sorted by decreasing number of events, but the columns are all clickable. In the example above, the next to the last column is labeled Receiv..., which is truncated from Received Bytes. I'll click on that to see which event has been downloading the most data:
Here, we can see that during this capture, my machine was downloading a lot of data from mirrors.easynews.com, on the http port. The problem is that doesn't really tell us what program is doing the downloading.
Double-click on the line of interest and the Process Monitor main window will update to show only events related to that line. (You can close the Network Summary window if you need to, to be able to see procmon's main window.)
Sure enough, it was Firefox running on this machine. In order to show something interesting, I started a download of an Ubuntu Linux ISO file prior to running procmon. That file was being hosted by one of Ubuntu's mirror sites.
We've only scratched the surface here, but as you can see, it's fairly easy for such a powerful program to quickly generate a summary analysis of many common operations, not just network access. While you've got procmon out, spend a few moments, particularly with the other items on the Tools menu, to see how it might help you face other issues in the future.