Processes, which include both user applications and Windows NT services, can become bottlenecks. While investigating processor, disk, or memory use, chart use by process, and then start and stop the processes to see how your system responds.
Performance Monitor and Task Manager both show counts of running processes, including user programs and Windows NT services:
Many of the tools on the Windows NT Resource Kit 4.0 CD also monitor processes in detail, including Process Viewer (PViewer.exe) and Process Monitor (PMon.exe). For more information, see Chapter 11, "Performance Monitoring Tools," and Rktools.hlp.
Note
The Services Control Panel also displays Windows NT services and lets you start and stop them. The Services Control Panel shows all Windows NT services, regardless of the process in which they run. However, it lists services by service name whereas Performance Monitor and Task Manager display the names of executable files.
For a list of the default services and a description of each, see Windows NT Help in the Services Control Panel. Click Start, click Help, and type Default Services.
In Task Manager, select the Processes tab. It displays a table of active processes. From the View menu, click Select Columns to add additional measures of the processor time, memory use, process priority, handle and thread counts, and the process ID.
In Performance Monitor, select the Process object from the Add To dialog box. All active applications and services appear in the Instances box.
The following table lists processes commonly running on Windows NT 4.0 Servers and Workstations without a network connection. It shows them as they appear in Performance Monitor and in Task Manager.
Note
Process Explode (Pview.exe), Process Viewer (Pviewer.exe), and Process Monitor (Pmon.exe) all display important counts of system processes. Although the information from these tools is instantaneous and cannot be logged or collected, the tools require almost no setup, so they are very valuable for a quick look.
Process name | Function | |
_Total | The sum of active processes, including idle. (Performance Monitor only.) | |
csrss | Client Server Runtime Subsystem, provides text window support, shutdown, and hard-error handling to the Windows NT environment subsystems. Note: Client Server Runtime Subsystem changed substantially with Windows NT 4.0. For more information, see "What's Changed for Windows NT 4.0" in Chapter 5, "Windows NT 4.0 Workstation Architecture." | |
Explorer | Windows NT Explorer, a segment of the user interface which lets users open documents and applications from a hierarchical display. | |
Idle (System Idle Process) | A process that runs to occupy the processors when they are not executing other threads. Idle has one thread per processor. For more information, see "The Idle Process" in Chapter 13, "Detecting Processor Bottlenecks." | |
Llssrv | License Logging Service, the service that logs the licensing data for License Manager in Windows NT Server and the Licensing option in Control Panel on both Windows NT Server and Workstation. | |
Lsass | Local Security Administration Subsystem, the process running the Local Security Authority component of the Windows NT Security Subsystem. This process handles aspects of security administration on the local computer, including access and permissions. The Net Logon service shares this process. | |
Nddeagnt | Network DDE Agent, handles requests for network DDE services. | |
Ntvdm | NT Virtual DOS Machine, which simulates a 16-bit environment for MS-DOS and 16-bit Windows applications. | |
Perfmon | Performance Monitor executable. | |
RpcSs | Remote Procedure Call (RPC subsystem) which includes the RPC service and RPC locator. | |
Services | This process is shared by the Windows NT Services Control Manager, which starts all services, and a group of Windows NT 32-bit services, including Alerter, Clipbook Server, Computer Browser, Event Viewer, Messenger, Server and Workstation, and Plug and Play. | |
Smss | Session Manager Subsystem | |
spoolss | Spooler Subsystem controls despooling of printer data from disk to printer. | |
System | Contains system threads that handle lazy writing by the file system cache, virtual memory modified page writing, working set trimming, and similar system functions. | |
taskmgr | Task Manager executable. | |
winlogon | Logon process executable. It manages logon and logoff of users and remote Performance Monitor data requests. | |
No matter what tool you choose, the processes that appear depend upon whether the computer is a server or workstation, and upon the services installed on the computer, including network services. User applications, including the executables for Performance Monitor and Task Manager, appear only when they are running.
Also, a process instance might not be visible for every active service. Performance Monitor and Task Manager display an instance for each executable process running on the system. Many services share a process to conserve system resources, so these appear together as one instance.
For example, many Windows NT 32-bit services, including Alerter, Clipbook Server, and Event Viewer, share the Services.exe process with the Windows NT Services Control Manager, a general process that starts all system services. Net Logon shares the Lsass.exe process with other security services.
It's difficult to monitor these services separately, although you can experiment in associating a service with threads in the process. The SC utility, in the Computer Configuration subdirectory on the Resource Kit CD, displays useful service configuration information, including the name of the process in which the service runs. For more information on SC, see Rktools.hlp.