The default Task Manager and Sysinternals ProcessExplorer are well-known GUI applications for showing process details in Windows 10. I use both.
Windows 10 also comes with the command-line tasklist.exe.
It shows the process list, but I cannot make it show the processes in tree mode.
From here I tried with /SVC with no luck.
I just downloaded Sysinternals PsTools, which comes with pslist.exe and pslist64.exe.
This one seems to be the tool I want, since it can show all processes in tree mode.
It is like a command-line ProcessExplorer.
The only problem is that pslist takes a lot of time to show the results.
As a comparison, tasklist.exe takes less than 3 seconds to show all the processes,
whereas pslist (both exes) takes about 26 seconds, whether or not it shows them as a tree.
Why is pslist so slow?
Are there other alternatives?
Probably because it is gathering much more information. Maybe use the S switch? ... Figure 5 on this page ... https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc162490(v=msdn.10)
– Moab – 2019-01-24T14:05:31.677

I have never seen such delays: on my Win10 Pro system, pslist -t shows 220 processes - it runs in 770ms. I suggest you use other SysInternals utilities, such as ProcExp or ProcMon, to find out what pslist is doing for such a long time.
– AFH – 2019-01-24T14:37:12.460

@Moab Switch -s seems to work like the Unix top command, and does not really help here.
– nephewtom – 2019-01-24T15:09:20.880

@AFH I have run ProcMon, with a filter for pslist64.exe, but I do not know where to start... I can see a Process Start at 16:07:37.2231183, and IRP_MJ_CLOSE at 16:08:08.9720484. There are 10,876 events... I can see tons of RegOpenKey/QueryValue/CloseKey, but also many IRP_MJ_CREATE/CLEANUP/QUERY_SECURITY/CLOSE and FASTIO_ACQUIRE/RELEASE_FOR_SECTION_SYNCHRONIZATION/NETWORK_QUERY_OPEN/QUERY_INFORMATION... The information is overwhelming... BTW, mine shows 317 processes.
– nephewtom – 2019-01-24T15:16:51.517

I exported the ProcMon info to a CSV file, and got a total of 10876 events with the following returned codes: TOTAL:10876, SUCCESS:7410, NAME NOT FOUND:2022, BUFFER OVERFLOW:421, FILE LOCKED WITH ONLY READERS:396, FAST IO DISALLOWED:336, ACCESS DENIED:182, NO MORE ENTRIES:46, REPARSE:38, PATH NOT FOUND:14, INVALID PARAMETER:5, IS DIRECTORY:4, BUFFER TOO SMALL:1, NAME INVALID:1
– nephewtom – 2019-01-24T15:45:28.617

Are there any events with long delays before the next event, in particular network accesses? I log ~16K events, but they all occur within a couple of seconds (pslist runs a bit slower when monitored).
– AFH – 2019-01-24T15:46:08.533

I am getting these types of events: IRP_MJ_:3023, FASTIO_:2356, RegQuery:2034, RegOpen:2056, RegClose:377, RegEnum:940, RegSet:11, RegCreate:2, ProcessProfiling:31, LoadImage:32, ThreadCreate:6, ThreadExit:6. Let's see if I can find any delay...
– nephewtom – 2019-01-24T16:00:11.147

Most of the events are run in the same second, but at the end, the following 4 operations are repeated 96 times, which is what is causing a delay of 31 seconds:

"RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib","SUCCESS","Desired Access: Read"
"RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib","SUCCESS",""
"RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Disable Performance Counters","NAME NOT FOUND","Length: 20"

Should I remove that Registry entry?
– nephewtom – 2019-01-24T16:18:12.783