resmon: monitor resources in windows r 511/1 quickly find

Quickly Find what is Slowing Down the Performance ofYour Windows System Using Resmon

If your system is running sluggishly, you have two options: either tune yourcomponents to make them run faster, or locate whatever is dragging downperformance. Fortunately, Windows has a tool that can help you with the latter.The Resource Monitor, known as Resmon for short, provides detailed informationon the execution of the software on your system, allowing you to find out whatis slowing down Windows. It has other uses too: if applications crash or you aredenied access to a file, you can use the Resource Monitor to find the cause of theerror. In this article, I’ll show you how to use the Resource Monitor to successfullyfind and fix errors and bottlenecks on your system.

27

Using the information given in this article you will be able to:

� Get a clear view of your system’s load and all the running processes,

� Optimise the performance of your system with perfect processmanagement,

� Find and close suspect processes such as viruses or Trojans.

The Windows Advisor March 2018

• Quickly Access the Resource Monitor............................• Set up the Resource Monitor to Find the Problems on Your PC.......................................................................• Use the Resource Monitor to Close Applications that Aren’t Responding...................................................• Use the Resource Monitor to Troubleshoot Your PC....• How to Filter Data in the Resource Monitor.................• How to Solve Problems with Unresponsive Applications.....................................................................• Learn More about Processes Running on Windows.....

R 511/2

R 511/3

R 511/8R 511/8

R 511/12

R 511/13R 511/15

R 511/1Resmon: Monitor Resources in Windows

R 511.qxp_March 2018 30/01/2018 14:06 Page 27

Resmon: Monitor Resources in WindowsR 511/2


Quickly Access the Resource Monitor The Resource Monitor allows you to keep an eye on theperformance of your running applications and processes.There are two ways you can access the Resource Monitorin Windows:

When it first opens, you will notice that the ResourceMonitor provides more detailed information than the TaskManager. In addition to system information relating to theCPU and network performance, which is shown by the TaskManager, the Resource Monitor provides details about yourRAM and hard drives. This information is shown in both textand graphical form.

The Resource Monitor shows resources being used by all theprograms on your PC in different categories: the CPU, harddrive, network and RAM. Clicking on a column heading suchas Image, PID, Threads or CPU will sort the runningprocesses by the category you have clicked on, in eitherascending or descending order.

If your PC is running slowly, sort the running programs bythese categories to find the problem program. For example,clicking on the CPU column will show you the programs thatare using your CPU the most.

Two ways toopen the tool

Find moreinformation inthe ResourceMonitor

Detailedsummaries

By pressing + , typing resmon into the Openfield and clicking on OK.

By opening the Task Manager using + + and clicking on Task Manager or Launch Task

Manager. Click on the Performance tab and finallyclick on Open Resource Monitor or Resource Monitorat the bottom of the window.

R

Ctrl Alt

�

�

Del

R 511.qxp_March 2018 30/01/2018 14:06 8

R 511/3

The Windows Advisor March 2018 29

Set up the Resource Monitor to Find the Problems on Your PC Launch the Resource Monitor and configure the settings asshown below:

The Resource Monitor updates the status of runningprograms at one second intervals, so that you can keep aneye on how different processes use your PC over time.

Resmon: Monitor Resources in Windows

Default view

Customise thedisplay

The Resource Monitor gives you an overview of all runningprocesses grouped into the following categories: CPU, harddrive, network and RAM

If you would like to change which columns are displayed inthe Resource Monitor, right-click on a column such as.Image and choose Select Columns from the pop-up menu.

You can then add or remove columns to monitor differentperformance options. In the table on page R511/5 you willfind a short explanation of the available values, as well aswhat they monitor on your system. Select or unselectcolumns for a personalised view of the running processes.

In the Image columnyou will see a list ofthe processes,services and runningprograms

Open the categoryviews by clicking onthe correspondingbar

R 511.qxp_March 2018 30/01/2018 14:06 Page 29


Themeasurementsshown dependon the category

CPU

Disk


Choose which columns you want to havedisplayed in the Resource Monitor

The default columns and what they show

The Resource Monitor shows the performance parameters ofall running processes, grouped by resource category.Depending on the category, you will find different values areshown in the columns:

The CPU category shows the current CPU load as wellas the load of each of the currently running programs.The percentage of the CPU that is currently being usedis shown in green and the peak CPU usage is plotted inblue on the graph.

The Disk category displays a detailed overview of yourhard drive performance, including all opened programsand their drive consumption. The total input/outputperformance is shown in green, and the peak percentageusage is shown in blue.

�

�

Choose whichitems to havedisplayed

R 511.qxp_March 2018 30/01/2018 14:06 Page 30

The following table describes the main parameters which youcan choose to monitor in the Resource Monitor.


Network

Memory

Parametersto monitor


The Network category shows all the network activityon your system. You will see a list of the applicationsthat are sending or receiving data on your network.Under TCP Connections you will find a list of all thecurrent network connections, the local ports they areusing, the remote addresses and latency times. Theentire network traffic (in KB/s) is displayed in green,and the percentage of network activity is shown in blue.

In the Memory category, you can see a listing of all thecurrently open programs and the amount of memorythey are consuming. Additionally, the total number ofmemory read errors is plotted in green, and thepercentage of memory in use is shown in blue.

�

�

Category Column Description

Image orProcess

PID

Description

Threads

CPU

Average CPUload

Shows the internal name of the application,service or process which is consuming theCPU resources.

ID that the process is assigned by Windows.

The public name of the application, serviceor process.

The number of currently active threads forthe application instance.

The number of currently active CPU cyclesfor the application instance.

The average CPU load caused by theapplication over the last 60 seconds. Theinformation is given as a percentage of thetotal CPU capacity.

CPU

R 511.qxp_March 2018 30/01/2018 14:06 Page 31




Image or Process

PID

File

Read (B/sec)

Write (B/sec)

I/O Priority

Response Time

Image or Process

PID

Address



Information about the file that theapplication instance is accessing (readingfrom and/or writing to).

Information about the average speed (inbytes/second) which the application’s datahas been read from the open file within thelast minute.

Information about the average speed (inbytes/second) which the application’s datahas been written to the open file within thelast minute.

Information relating to the priority ofinput/output tasks performed by theapplication.

Response time in milliseconds for the driveactivity of the application.



Shows the network IP address which thelocal computer is using in order toexchange information. It can be displayedin the form of a computer name, an IPaddress or a fully qualified domain name.

Disk

Network

R 511.qxp_March 2018 30/01/2018 14:06 Page 32




Send (B/sec)

Receive (B/sec)

Total (B/sec)

Image or Process

PID

Hard Faults/sec

Commit (KB)

Working Set (KB)

Shareable (KB)

Private (KB)

Shows the amount of data (in bytes/second)that the application has sent from your PCto the remote computer it is connected to inthe last minute.

Shows the amount of data (in bytes/second)that the application has received from theremote computer to your PC in the last minute.

Shows the total network bandwidth used (inbytes/second) that the application has usedto send and receive data.



Average number of major errors caused bythe application in the last minute.

Shows the amount of virtual memoryreserved by the operating system (Windows10 only).

Shows information concerning the amountof application data (in KB) that is currentlyin the RAM.

Displays the memory used by anapplication (in KB) that is available forother applications to use.

Displays the memory used by anapplication (in KB) that is reserved for usesolely by the application.

Memory(RAM)

R 511.qxp_March 2018 30/01/2018 14:06 Page 33



Close frozen applications using the Resource Monitor

Use the Resource Monitor to CloseApplications that Aren’t RespondingYou may use the Task Manager to close applications that areno longer reacting, but the Resource Monitor also does this.This is handy if you need to quickly close an application thatis unresponsive.

In the Overview tab, right-click on the application that isno longer responding, and select End Process from the pop-up menu.

Use the Resource Monitor to Troubleshoot Your PCThe Resource Monitor is extremely useful if you want tocheck the performance of your PC and investigate itsavailable resources.

Closeunresponsiveprograms

Investigate PCproblems

Right-click on thefrozen applicationto kill it

All runningapplications areshown in here

R 511.qxp_March 2018 30/01/2018 14:06 Page 34



How to find your current resource consumption

Finding the current consumption of your PC’s resources isone of the core features of the Resource Monitor. You canuse the column sorting options in order to quickly find outwhich resources are being used by which processes.

The following table shows examples which you can use toanalyse your resource consumption in practice:

Check yourresource usage

Here are 3 key tasks that the Resource Monitor allows youto effectively perform:

� Find out the current resource consumption on yourwhole PC.

� Filter data relating to running applications to findproblem programs.

� Solve problems with applications that no longer respond.

��

��Yes No Test

Evaluation Execution

This test shows you the application, service or processthat is currently using your processor the most. In theResource Monitor, go to the CPU tab and click on theCPU header to sort the list by processor consumption.The first entry shown in the list is the one that is usingyour processor the most. If the application is no longerresponding, or causing your PC to hang, you can end itby right-clicking on it and choosing End Process.

Services can also consume valuable processor resourceson your system. In the CPU tab, click on the Servicesheading to open that section. In the listing underProcesses, tick the services that you want to monitor.These will then be shown in the Services section at thebottom of the window.

Find the processwith the highestCPU load

Check servicesthat spend themost time usingyour CPU

R 511.qxp_March 2018 30/01/2018 14:06 Page 35



If you tick a particular process under Processes, allof the corresponding services will be listed in theServices window


Click on the CPU heading in order to sort the runningservices by their processor load. The services using mostof your CPU will be moved to the top of the list.

If you want to know which program has access to acertain file, proceed as follows:

In the CPU tab, click on the Associated Handles headerto open it.

In the search field to the right of Associated Handles,type in the name of the file that you wish to look for.

The applications using the file you searched for areshown in the list of results. This allows you to quicklyfind which application is blocking access to a file, for example.

Find out whichprocess iscurrently using a file

R 511.qxp_March 2018 30/01/2018 14:06 Page 36



The Resource Monitor has uncovered several programsusing the es.dll file in this example


Explorer can provide some details on how your drivesare being used, but it is very difficult to see how thedrives are being used.

For a more detailed analysis, click on the Disk headingthen click on the Storage section heading to open it. Inthe Available Space column, you will see the amount ofunused space (in MB) on each of the storage devicesconnected to your PC.

Click on the Network tab and then click on the TCPConnections header in order to open that section. Selectthe process whose network connection you wish tomonitor in the Processes with Network Activity section.If you see many entries shown in the list, I recommendyou click on the Image heading to sort the connectionsby process and make the display easier to read.

Check in the Remote Address and Remote Port headingsto find the network address and port of the remotemachines that the process is connected to.

Check theavailable spaceon all yourdrives

Check theavailable spaceon all storagedevices

R 511.qxp_March 2018 30/01/2018 14:06 Page 37



How to Filter Data in the Resource MonitorThe Resource Monitor shows all the running processes thatare currently active on your system. The vast amount of datashown makes it difficult to work out what is really going on.

Thankfully you can filter the listed processes and haveunnecessary information hidden from view. Proceed asfollows to filter the data for one or more processes:

Pinpoint thedata you areinterested in

1.

2.

In the Resource Monitor, tick the processes that youwish to monitor in the Image column. The selectedprocesses will be moved to the top of the column.

Take a look at your filtered data in the sectionsbelow the top section to find information about thefiltered applications.

:

How to filter out unnecessary data in the Resource Monitor

...are shown here in detail

The processes thatare selected here ...

R 511.qxp_March 2018 30/01/2018 14:06 Page 38



How to Solve Problems with UnresponsiveApplicationsThe Resource Monitor can also help when you quickly needto find the cause of problems that lead applications to nolonger respond.

If there is an application that isn’t reacting, you will receivea message from Windows that offers to immediately closeor restart the application. This usually happens when thesystem is waiting for a process that hasn’t completed,perhaps because there are not enough system resourcesavailable.

Using the Resource Monitor, you can monitor the queue ofrunning processes and close any that are blocking theexecution of other programs.

Processes that are not responding are displayed in red in theCPU section of the Overview tab, and in the Processessection in the CPU tab. Right-clicking on a red process willallow you to kill it using the End Process menu option.

When you do this, the opened process will be immediatelyclosed and any data that hadn’t been saved by the programwill be lost. Closing a process that Windows depends on canlead to an unstable system and general data loss.

Additional filterpossibilities

Deactivate the filters

What to dowhen anapplicationfreezes up

Take note of thered display

You can also combine filters if you wish, for example, byselecting applications on the CPU, Memory, Disk andNetwork tabs.

Simply select the desired process and in the table that opensbelow you will see the results of the filter. In the table’sheading you will also see an orange-coloured informationbar that tells you the data is being filtered. Remove the ticksnext to the process names in order to remove the filter.

!

R 511.qxp_March 2018 30/01/2018 14:06 Page 39



Analyse theWait Chain

... click on Endprocess

In this example, svchost is waiting on another instance ofitself. You can terminate it using the End process button

1.

2.

3.

Select a tab in the Resource Monitor and click onthe name of the process you would like to analysein the Image column using the right mouse button.

Select Analyse Wait Chain in the pop-up menu. Ifthe process isn’t executing properly you will seedetails of the other processes that this process iswaiting for.

If your application is not responding, you can endthe process by clicking on it and then clicking theEnd process button.

:

Select theapplication thatisn’t respondingand...

You can analyse a process using the Resource Monitor asfollows:

R 511.qxp_March 2018 30/01/2018 14:06 Page 40



Many system processes are dependent on other processesand services. If a system process entry in the table isn’tdisplayed in red, and the process status shows Running, thenyou should not end the process.

Learn More about Processes Running on Windows Some processes can be easily identified from their processname (taskmgr.exe is the Task Manager, for example, oriexplore.exe is Internet Explorer), but other importantWindows processes are hidden behind cryptic names.

The following table shows you which processes are hiddenbehind which process names and whether they can be safelyterminated using the Resource Monitor:

Check forprocessesdisplayed inred

Programs hidebehind crypticnames

Process Can it be Ended? Description

No

Yes

This is the part of the Win32 subsystem thatis responsible for user mode. Win32.sys,however, is a core part of Windows whichruns on your PC. Csrss stands forClient/Server Run Time Subsystem. It isresponsible for console windows, creatingand deleting process threads and specificparts of the virtual command environment.

This is the user interface with takes care ofdisplaying components such as the taskbar,desktop and so on, and giving you access toyour programs and files. This process is notas important for normal Windows operationas you might think, and can be closed (andre-launched) using the Task Manager if

Csrss.exe

Explorer.exe

R 511.qxp_March 2018 30/01/2018 14:06 Page 41




No

Yes

No

your interface freezes. Doing this usuallydoesn’t have a negative effect on thesystem, and is quicker than re-booting.

This is an individual thread that is run onevery processor code. It fills the processortime when it is not being used for anything else.

Usually, this process seems to takes up themost processor time in the ResourceMonitor, but it actually does nothing.

Internat.exe is loaded at Windows startup.The process loads the different keyboardlayouts that are configured by the user. Thelayouts that are to be loaded for the currentuser are stored in the following register key:

HKEY_CURRENT_USER\KeyboardLayout\Preload

Internat.exe also shows the language icon(e.g. EN) in the taskbar, allowing you toeasily switch keyboard layouts when youneed to enter a symbol not shown on yourkeyboard, for example. This icon disappearswhen the process is ended. The keyboardlayout can also be changed at any timeusing the Control Panel.

This is the local authentication server. Itcreates the process that is responsible for theauthentication of users by the login service.

Idle Process

Lsass.exe

Internat.exe

R 511.qxp_March 2018 30/01/2018 14:06 Page 42



Mstask.exe


No

No

No

No

No

In order to do this, different authenticationpackages can be used, but the default isMsgina.dll. This process became veryfamous due to the Sasser virus, whichexploited gaps in its security.

This is the task scheduler service thatautomatically launches processes at a timeconfigured by you.

This is the Session Manager process that isthe subsystem responsible for opening usersessions. This process is launched by thesystem thread at startup and is responsiblefor initiating various processes, includinglaunching the Winlogon and Win32processes (Csrss.exe), as well as settingdifferent system variables.

This is the print queue service which isresponsible for the management of allprinting and faxing jobs initiated by theend user.

This is a general process that serves as ahost for other processes that are launchedby DLLs. That’s why you will find multipleinstances of this process running in theResource Monitor.

This is the management process for systemservices. The launch and shutdown ofservices, as well as all usual interactionswith services, are all managed by it.

Spoolsv.exe

Smss.exe

Svchost.exe

Services.exe

R 511.qxp_March 2018 30/01/2018 14:06 Page 43



Process Can it be ended? Description

Yes

No

No

This is the process that runs the TaskManager.

This process is responsible for themanagement of the user logon and logoffprocess.

In addition, the Winlogon process isactivated when the user presses [Ctrl] +[Alt] + [Del] at logon, to display thesecure logon window.

Winmgmt.exe is a core component of theclient management subsystem. Theprocess is launched the first time a clientapplication is launched, and is alwaysexecuted by a management service.

Winlogon.exe

Taskmgr.exe

Winmgmt.exe

The Resource Monitor is an extremely useful tool that helpsyou to analyse how the programs and services on your PCare performing. Apart from monitoring resource usage inreal-time, the Resource Monitor can also help you analyseprocesses that are no longer responsive, identify whichapplications are using which files and also manage runningprocesses and services.

Alt DelCtrl

Summary

R 511.qxp_March 2018 30/01/2018 14:06 Page 44

resmon: monitor resources in windows r 511/1 quickly find

Documents