Helping people with computers... one answer at a time.
Process Monitor, a free tool from Microsoft, can be used to find out exactly what's happening on your machine, including which programs are starting.
My computer dings every 10 seconds... nice for Christmas maybe but not so much this time of year. It's making the "close program" tone. How do I figure out what program is starting and closing?
•
I've actually covered this in the past in an older article that uses Windows own process auditing feature.
However, the easy way to turn that on and off isn't available for users of Windows Home editions.
The good news is that there's an alternative available to everyone using a significantly more powerful tool.
•
Process Monitor
Process Monitor (not to be confused with Process Explorer, a completely different utility) is a utility that monitors a lot more than just processes. It actually records numerous system events as they happen, and then allows you to filter and browse the resulting collected data.
With that power, of course, comes a little bit of complexity. The good news is that what we need to look at to answer this question is very simple to configure.
So, download Process Monitor - it's a free download from Microsoft - and place it somewhere on your computer so that you can run it at will.
Monitoring Processes
Run Process Monitor and after accepting the license agreement (first run only) you should see something similar to this:
What you're seeing is the Process Monitor main window, and in front of that, the Filter dialog.
Process Monitor works by collecting events ... lots of events. (Note that these aren't necessarily the same events as Windows Event Viewer shows - Process Monitor shows much, much more.)
As a result, in order to make analyzing what's happening somewhat comprehensible, or even possible, the approach is to define filters on which events should be shown. That then allows you to see and analyze a manageable amount of data.
Process Monitor comes pre-loaded with a set of filters that prevent it from showing its own events as well as assorted system events that typically aren't useful.
Fortunately, we have just one event we care about - "Process Start". This is the event that indicates that Windows is starting a new program. We just want to see what programs are created as they are created, so we'll add that to the filter.
Select "Operation", "is", "Process Start" and "Include" from each of the four drop-down selection boxes, and press Add to add this to the filter. This will tell Process Monitor to only include "Process Start" events. (You could also use "Process Exit" event if you like, or even both.)
As soon as you press OK Process Monitor will begin collecting events. Even though nothing may be happening on its display, you can tell by the status line near the bottom:
You should see the number of events increasing. (The "Backed by" status tells you where Process Monitor is storing the data for those events that it's recording.)
Let Process Monitor run for a while, so that whatever you're attempting to capture happens. To create an example of what you might see, I'll run the Windows Command Prompt, and then run Excel:
As you can see running the Windows Command Prompt actually started two processes: cmd.exe and conhost.exe, and shortly after that when I started Excel, EXCEL.EXE shows.
Click on Process Monitor and press CTRL+E to suspend data collection once you have enough.
You can right-click on the event in the list, and click on "Properties" to get more information about the processes you find. Here's the Process tab in properties for the Excel start:
Here you can see where Excel.exe resides, the fact that it's a 32 bit application (I'm running 64 bit Windows 7), and more.
Occasionally, the most important item here is the command line. In this case, the command line shows only Excel itself, but occasionally there will be parameters included following the program name that provide additional information to the program being run.
More Monitoring Options
CTRL+E, as I mentioned stops, but also re-starts event collection.
CTRL+X clears the collected events so you can start new.
CTRL+L brings up the filter dialog again.
The number of events that can be monitored is truly amazing.
There are a set of event "classes":
and each class has it's own set of events that can be monitored. Here's just the beginning of the dozens of events associated with the "Operation" class of events:
As you can imagine, we've just scratched the surface by looking at what processes are starting on your system over time. Process Monitor can be an invaluable tool to diagnose many "what's happening?" kinds of scenarios.
Article C4451 - September 17, 2010
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
IMO - AUTORUNS from System Internals (same people who brought you Process Monitor)is a much easier tool to use for this.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
21-Sep-2010
Posted by: Steve at September 21, 2010 10:15 AM
I have lost the keyboard symbol on my tower system & cannot get the keyboard to work. How do I get this working again.
Posted by: Brian Oswin at September 22, 2010 2:41 AMCame across a program called WhatsInStartup that gives a very clear description of startup programs. Permits either stopping or deleting among other features.
Posted by: Dave at September 22, 2010 6:09 AMthis is a very good article for someone who has the patience to manage it but isn't Process Monitor also running in the background??? that's another app that will cause delays in operation of your pc...what I'm really interested in finding out is what programs are running, what they do and which ones can I disable if they do not have an active function or requirement for my pc to run properly? Any help?? thanks
Posted by: Don B at September 22, 2010 3:43 PM@Don: Process Monitor does not run in the background. It is a stand-alone app that ceases to run when you close it. Regarding the rest of your question, there's no cut-and-dry rules for this. Get a utility like WhatsInStartup or Autoruns to see what's running. Uninstall stuff you don't need.
For specific questions and questions like Brian's, the best thing to do is find and join an active help forum, who's members will answer your questions. Here's a good start: http://lounge.windowssecrets.com
Posted by: Reid at September 23, 2010 7:11 AM