List top processes using memory from Windows commandline

This seems to do the trick for listing processes by memory usage. I’m most interested in the top 9 processes (I have to figure out why the regexp isn’t working in findstr for anything over 10 in a range like [1-15]).

tasklist /NH | sort /R /+65 | findstr /N . | findstr  "^[1-9]:"

Here’s an example output.

C:\Users\rjk>tasklist /NH | sort /R /+65 | findstr /N . | findstr  "^[1-9]:"
1:dwm.exe                       1640 Console                    1  4,232,012 K
2:OUTLOOK.EXE                  10600 Console                    1    590,128 K
3:explorer.exe                  3824 Console                    1    342,608 K
4:SearchHost.exe                7016 Console                    1    316,300 K
5:chrome.exe                    4340 Console                    1    279,036 K
6:PhoneExperienceHost.exe      13136 Console                    1    231,060 K
7:MsMpEng.exe                  12364 Services                   0    215,128 K
8:testEmbedNet9401.servUnde     1772 Console                    1    205,808 K
9:msedge.exe                   26452 Console                    1    189,468 K

This goes in line with some other work I’ve done in determining CPU usage using the command line (wmic specifically) from the following articles:

UPHCleanup, Handle, ProcExp vs. NTUSER.DAT

The infamous:

Windows cannot load the user’s profile but has logged you on with the default profile for the system.

This was received on Windows Server 2003 Terminal Server (non-roaming profile) when I logged in this morning.  I *really* grumble when I see these errors.

My first thought was NTUSER.dat and NTUSER.dat.LOG files were locked.
This server has User Profile Hive Cleanup which is supposed to combat this during a user log off and make sure handles are closed to the files in the user’s profile.

First things first, I grabbed Process Explorer from the Sysinternals website. I know that in the application you can search for a file and close its handle (from previous experience) so I got to work.

I fired up ProcExp and searched for NTUSER.dat then sorted by handle.

I double-clicked on NTUSER.DAT and then right-clicked and chose Close Handle.

Ah damn, didn’t work.  (Shocking?  Pfft.)

Next, I decided to grab Sysinternals’ handle command-line tool.

C:\CMDS>handle -u ntuser.dat|find /i rkreider
System             pid: 4      type: File          NT AUTHORITY\SYSTEM       27D4: C:\Documents and Settings\rkreider\ntuser.dat.LOG
System             pid: 4      type: File          NT AUTHORITY\SYSTEM       2B9C: C:\Documents and Settings\rkreider\NTUSER.DAT

I need the PID and handle (hex) from the information above (bolded), then I could try to kill it:

C:\CMDS>handle -c 27D4 -p 4
Handle v3.46
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com
 27D4: File  (---)   C:\Documents and Settings\rkreider\ntuser.dat.LOG
Close handle 27D4 in System (PID 4)? (y/n) y
Handle closed.
C:\CMDS>handle -c 2b9c -p 4
Handle v3.46
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com
 2B9C: File  (---)   C:\Documents and Settings\rkreider\NTUSER.DAT
Close handle 2B9C in System (PID 4)? (y/n) y
Handle closed.

Now, you’d think it would be closed, right, since ‘handle’ told me so. Let’s check!

C:\CMDS>handle -u ntuser.dat|find /i rkreider
System             pid: 4      type: File          NT AUTHORITY\SYSTEM       27D4: C:\Documents and Settings\rkreider\ntuser.dat.LOG
System             pid: 4      type: File          NT AUTHORITY\SYSTEM       2B9C: C:\Documents and Settings\rkreider\NTUSER.DAT

Aaaiiieee! It didn’t work. =(

I decided to make sure UPHClean.exe was running (User Profile Hive Cleanup) with a quick

tasklist | find /i uphclean.exe

It is running, I saw, so I decided to just restart the service.

After I restarted the service, I once again used handle to quickly locate the files using:

handle -u ntuser.dat | find /I rkreider

BINGO!

It was gone. So, what is the root problem here? UPHClean not doing its job? *shrug*

svchost – What's running inside it?

I’m sure when you look at your running processes in Task Manager you see a few svchost.exe processes running. I’m also sure that you’d like to know what is running inside the wrapper. Here are a few methods to help you find this information out.
First, the easiest/quickest, is to use a built-in Windows tool called tasklist. I’m not going into detail about everything tasklist can do, but here’s how to briefly find out what’s in svchost.exe.

tasklist /svc /FI "IMAGENAME eq svchost.exe"


Another method would be to use Sysinternals’ Process Explorer tool. You can view the svchost.exe contents using that tool also.
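
The two tasklist tricks from these posts (ranking processes by memory, and seeing what runs inside svchost.exe) combined in PowerShell, as an added example that is not the author's own code. It assumes PowerShell 3.0 or later for Get-CimInstance; the function name Get-TopMemoryProcess and its -Top parameter are made up for illustration.

```powershell
# Added example: top-N processes by working set, with the Windows services
# hosted in each process listed next to it (useful for svchost.exe rows).
# The ranking is a numeric sort, so -Top can be any count, not just 1-9.
function Get-TopMemoryProcess {
    param(
        [int]$Top = 15   # hypothetical parameter: how many rows to return
    )

    # Build a lookup of hosting process ID -> service names.
    # Stopped services report ProcessId 0 and are skipped.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object {
            $servicesByPid[[int]$_.ProcessId] += @($_.Name)
        }

    # Sort on the raw byte count rather than on formatted text.
    Get-Process |
        Sort-Object -Property WorkingSet64 -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.ProcessName
                PID      = $_.Id
                MemoryKB = [long][math]::Floor($_.WorkingSet64 / 1KB)
                Services = ($servicesByPid[$_.Id] -join ', ')
            }
        }
}

Get-TopMemoryProcess -Top 15 | Format-Table -AutoSize -Wrap
```

A high-memory svchost.exe row then shows directly which services it is hosting, without a second tasklist /svc lookup by PID.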