
Process Monitor is a powerful tool and it can be used to track down exactly what program on your machine is responsible for internet activity.

My wife and I share a laptop, using Windows XP and connected to a satellite. The ISP limits our bandwidth. Recently, we received a message that we were using too much: about 150 MB during one recent hour. We do not run any videos, such as YouTube. We just browse (eBay) and email (Mozilla Thunderbird). I have checked all the places that I can think of. If I turn off the automatic updates, for example, it still recurs. When I am logged in, the problem goes away, so it is some program which my wife is inadvertently running in the background, I suppose. Looking at Processes with Task Manager does not help much. It jumps around too much. I ran a scan with Norton and found nothing. I took it in to the computer geek store here, and they ran a more extensive scan, but found nothing. Is there any program which could monitor Internet activity and let me know what's running?

Yes, there is.

It's a free tool, called Process Monitor, that I suspect will be perfect for this problem. While it's a little geeky, this extremely powerful tool can be used to diagnose many issues.

I'll walk you through how to set it up for this scenario.

Download Process Monitor

Download and install Process Monitor.

Process Monitor Download Page

Process Monitor, or simply "procmon", downloads as a zip file. Save that to a folder of your choosing and then extract the .exe program from the zipped archive.

Procmon Zip Contents

Place procmon.exe and procmon.chm (the help file) in a convenient folder.

Run Process Monitor

When you first run procmon.exe, you'll need to agree to some license terms. This should only happen once. When you run Process Monitor under Windows 7 and possibly Vista, you'll likely get the User Account Control dialog:

Procmon needing administrative access

The kind of monitoring procmon performs requires that it have full administrative access.

Procmon works by first collecting or recording events, which are basically notifications of things happening on your machine, and then providing several ways to view, filter and analyze what those collected events mean.

As soon as you start procmon, it starts collecting events:

Procmon collecting data

The numbers in the status bar at the bottom will continue to increase as procmon counts the number of events being collected.

When you've collected enough, type CTRL+E or click on the magnifying glass in the procmon toolbar to stop data collection.

What's enough?

That's difficult to say as it depends on the nature of the problem that you're attempting to diagnose. In general, I start it when I know or suspect that a problem is happening, like your unknown internet usage, and let procmon collect until the problem has indeed happened and occurred long enough to have generated meaningful data.

Depending on the problem you're experiencing, it might take some experimentation.

Analyze Procmon Results

Procmon includes some summary analysis tools that make what we do next fairly easy.

On the Tools menu, click on Network Summary...

Procmon Network Summary

Procmon generates a summary of all the network-related events that it's captured. Initially, these are sorted by decreasing number of events, but the columns are all clickable. In the example above, the next to the last column is labeled Receiv..., which is truncated from Received Bytes. I'll click on that to see which event has been downloading the most data:

Process Monitor received bytes summary list

Here, we can see that during this capture, my machine was downloading a lot of data from mirrors.easynews.com, on the http port. The problem is that this doesn't really tell us which program is doing the downloading.

Double-click on the line of interest and the Process Monitor main window will update to show only the events related to that line. (You may need to close the Network Summary window to be able to see procmon's main window.)

Process Monitor showing events relating to the network summary line we double-clicked on

Sure enough, it was Firefox running on this machine. In order to show something interesting, I started a download of an Ubuntu Linux ISO file prior to running procmon. That file was being hosted by one of Ubuntu's mirror sites.
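The same per-process ranking can also be done offline from a saved capture. As an added example, not code from this article or from the Sysinternals tool, the Python script below reads a Procmon CSV export (File > Save, CSV format), keeps only TCP Receive and UDP Receive events, and sums the Length reported in each event's Detail column by process and remote host. It assumes Procmon's default export columns (Process Name, Operation, Path, Detail); the sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a Procmon CSV export (File > Save, CSV format) using the
# default columns. Host names, ports, PIDs and lengths are made up for illustration.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","firefox.exe","1844","TCP Receive","laptop:49712 -> mirrors.easynews.com:http","SUCCESS","Length: 1460, seqnum: 0, connid: 0"
"10:01:02.1234570 AM","firefox.exe","1844","TCP Receive","laptop:49712 -> mirrors.easynews.com:http","SUCCESS","Length: 1460, seqnum: 0, connid: 0"
"10:01:02.1300000 AM","thunderbird.exe","2210","TCP Receive","laptop:49801 -> imap.example.net:imaps","SUCCESS","Length: 512, seqnum: 0, connid: 0"
"10:01:02.1400000 AM","firefox.exe","1844","TCP Send","laptop:49712 -> mirrors.easynews.com:http","SUCCESS","Length: 64, seqnum: 0, connid: 0"
"10:01:02.1500000 AM","svchost.exe","1020","UDP Receive","laptop:61000 -> dns.example.net:domain","SUCCESS","Length: 120, seqnum: 0, connid: 0"
"10:01:02.1600000 AM","firefox.exe","1844","RegQueryValue","HKCU\\Software\\Mozilla","SUCCESS","Type: REG_SZ, Length: 40, Data: x"
"""

LENGTH_RE = re.compile(r"Length:\s*(\d+)")

def received_bytes_by_process(csv_text):
    """Return {(process, remote_host): bytes} summed over TCP/UDP Receive events.

    The Operation column is checked first: registry events also carry a
    'Length:' in Detail and must not be counted as network traffic.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in ("TCP Receive", "UDP Receive"):
            continue
        m = LENGTH_RE.search(row["Detail"])
        if not m:
            continue  # empty or unexpected Detail: skip rather than miscount
        # Path is "local:port -> remote:port"; keep only the remote host name.
        remote = row["Path"].split("->")[-1].strip().rsplit(":", 1)[0]
        totals[(row["Process Name"], remote)] += int(m.group(1))
    return dict(totals)

def ranked(csv_text):
    """Procmon's Network Summary sorted by Received Bytes, but per process."""
    return sorted(received_bytes_by_process(csv_text).items(),
                  key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (proc, host), nbytes in ranked(SAMPLE_CSV):
        print(f"{nbytes:>8} bytes  {proc:<16} {host}")
```

Because the totals are keyed by process as well as host, the top line answers directly which program was pulling the data rather than just where it came from.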

More Procmon

We've only scratched the surface here, but as you can see, it's fairly easy to have this powerful program quickly generate a summary analysis of many common operations, not just network access. While you've got procmon out, spend a few moments, particularly with the other items on the Tools menu, to see how it might help you with other issues in the future.

Article C4733 - February 5, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


7 Comments
Kara
February 8, 2011 8:48 AM

I used to have the same problem with my satellite ISP (wildblue). Their site offered an online portal that you could log into and see where you are on the rolling 30 day scale. What it didn't show was a day-to-day graph that might allow you to see that, for example, once a specific date drops out of the 30-day window, it will "free up" more bandwidth for the remaining period.

I also used a free tool called BitMeter (available at Download.com) to monitor traffic. I would imagine with this product and Leo's suggestion, you could quickly get a handle on the bandwidth consumption.

I feel your pain: that cap forced me to move to the highest/priciest package to handle the traffic required for my work-at-home freelance business. Fortunately, DSL eventually came my way and I immediately jumped on it.

Joleca
February 8, 2011 9:33 AM

Same problem with my ISP. When I went over the very first time, they told me they would cut me off for 30 days if it happened again, and after a 3rd time, they'd cut me off for a year!!!

Fortunately I stumbled across a great FREE network monitoring program called Networx (http://www.softperfect.com/products/networx/). It will not only track and total up all usage on multiple computers (I have more than one), but you can even set it to shut down your computer if it exceeds a certain amount of bandwidth (which you set yourself). Very easy to use and I haven't had a problem since I installed it about a year and a half ago. Even though you only have the one laptop and share it, it would still work just as well, and if you ever do get a 2nd computer, you'd be set. If you travel or use your laptop away from home, you can even set it to ignore all traffic outside your home network (which is great when I take my laptop to work).

ad
February 9, 2011 8:33 AM

Have they turned on security on their modem?

john neeting
February 10, 2011 5:53 AM

I won't mention who but... I discovered that my ISP, with whom I had a dedicated account, had been ILLEGALLY proxying my port on the NAT server with 1 other user [to save a few $$$]. I discovered this when certain sites were continually telling me I was ALREADY downloading something, I had exceeded my 24hr download limit, or I was already logged on to the site from the same IP address but port 1080. :) My speed was less than v90 on ADSL2+; after informing my ISP I had a record of what was going on, my speed jumped to 1.5MB overnight. There ARE free tools to catch this little number and don't kid yourself; most people haven't a clue, but when you have 150 users on a 100 port rack, things don't add up.

I'm no lawyer, but my only quibble is that it may not have been "illegal". Annoying and bad business perhaps, but I doubt that any laws were broken.
Leo
10-Feb-2011

robert
May 4, 2011 8:47 AM

On a Win Vista OS, after unzipping, all 3 files never open and I have to use Task Manager to kill "not responding". And what information I find is limited.

robert
May 4, 2011 9:35 PM

I was starting with "open with admin prompt", but it took going into the properties menu and checking "start as Admin". So now it is running, but I am not getting any results when I choose the networking filter or summary, only zeros all across. Maybe the firewall?

Ty Buchanan
December 11, 2011 1:41 AM

All I want to do is make a copy of the registry. Install a program. Make another copy of the registry and compare, to see the changes.

There are two ways that I'd go about doing this:

A) Run a tool like Procmon, which will allow you to filter on all registry writes by a specific application so you can see what that application is doing.

B) Run regedit.exe, select the "Computer" item at the top of the registry tree, and then select File->Export and export the entire registry to a ".reg" file. Do that before and after whatever it is you want to monitor, and then use a file difference tool like WinMerge to scan for differences.
Leo
12-Dec-2011
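For approach B, a plain text diff of two full-registry exports is noisy because regedit wraps long hex values over several lines and reorders nothing by key. As an added example, not code from Leo or from any tool named here, the Python below parses two .reg exports into key/value maps and reports keys added, keys removed, and values that changed. It assumes the exports have already been decoded from UTF-16 to text; the before/after snippets are constructed.

```python
# Constructed before/after snippets in the format regedit's File->Export writes,
# as plain text (the real file is UTF-16; decode it first). Keys are made up.
BEFORE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleApp]
"Version"="1.0"
"Language"="en"

[HKEY_CURRENT_USER\\Software\\ExampleApp\\Old]
@="stale"
"""
AFTER_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleApp]
"Version"="1.1"
"Language"="en"
"Blob"=hex:01,02,\\
  03,04

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ExampleApp"="C:\\\\Program Files\\\\ExampleApp\\\\app.exe"
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}}; joins hex values that
    regedit continues over several lines with a trailing backslash."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):          # a continuation line follows
            pending = line[:-1]
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, _, value = line.partition("=")   # "@" is the key's default value
        keys[current][name.strip('"')] = value
    return keys

def diff_reg(before_text, after_text):
    """Return (added_keys, removed_keys, changed_values) between two exports;
    a changed value is (key, name, old, new) with None when absent."""
    b, a = parse_reg(before_text), parse_reg(after_text)
    changed = []
    for key in sorted(set(a) & set(b)):
        for name in sorted(set(a[key]) | set(b[key])):
            if a[key].get(name) != b[key].get(name):
                changed.append((key, name, b[key].get(name), a[key].get(name)))
    return sorted(set(a) - set(b)), sorted(set(b) - set(a)), changed
```

A new entry under a Run key, as in the constructed sample, is exactly the kind of change worth noticing after an install, since it makes the program start with every logon.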
