Many will be familiar with the graphical tool Task Manager, which I have discussed elsewhere, and which provides various kinds of information about the applications and processes that are running on a system. There are also several command-line tools that provide similar but even more detailed information. In this article I will discuss the features of the tool called Tasklist (the system file istasklist.exe). This tool is part of the regular installation of the Professional version of XP but does not come with the Home edition. However, those with the Home version of XP can download Tasklist here. Tasklist can be applied to see how much memory and CPU time running processes are using, what DLL files they rely on, and other information. Thus it can be a very useful troubleshooting tool.
Basic Tasklist command
If all you want to know is what tasks are running, enter TASKLIST into the command line. The output can be redirected to a file if you wish. The default format is a table with several columns of information. An example of a partial console output is shown in the figure below. There are five columns of information. The following list gives the meanings of the various column headings:
- Image Name
- The name of the process or the executable file running the process.
- PID
- The process ID. The system assigns a number to each process so it can keep track of it. It is possible to have several processes running with identical names but the PID will be unique. Note that the PID may not be the same each time you open a particular program. You may need the PID to run certain other diagnostic tools and Tasklist is one way to obtain this information.
- Session Name
- Unless you are on a network, this will read "Console" indicating that the process was started locally. Home PC users can usually ignore this column.
- Session#
- Each session is assigned a number. Home PC users can usually ignore this column also.
- Mem Usage
- This gives the very useful information about how much memory (in KB) that a process was using at the time Tasklist was run.
- Additional columns will be displayed in the so-called "verbose" mode that is obtained with the switch /v. These columns are:
- Status
- Gives the current status of the process as "Running", "Not Responding", or "Unknown". Useful for finding hung processes. Unknown status may refer to a normal process but Not Responding indicates a process that should be stopped.
- User Name
- User account under which the process is running, Windows itself will be running many processes and the various system accounts SYSTEM, LOCAL SERVICE , or NETWORK SERVICE. will appear, coupled with the local domain name NT AUTHORITY.
- CPU Time
- The total amount of CPU cycle time used by the process since its start. This can be a big number if you never turn off the computer.
- Window Title
- Windows display name of the process if it exists. Can sometimes help identify what program is involved.
More advanced options for Tasklist
There are many more options and these are provided by switches. The full syntax is:TASKLIST [/S system [/U username [/P [password]]]] [/M [module] | /SVC | /V] [/FI filter][/FO format] [/NH]Upper case has been used for clarity but the command is not case-sensitive. Table I describes the various parameters.
| Parameter | Description |
|---|---|
| /S system | Specifies the remote system to connect to. Not needed for local computer |
| /U username | Specifies the user context. Not needed for local computer |
| /P [password] | Specifies the password for the given user context (if necessary). |
| /M [module] | Lists all tasks that have DLL modules loaded in them that match the given pattern name. If the module name is not specified, displays all modules loaded by each task. |
| /SVC | Displays services in each process. |
| /V | Specifies that the verbose information is to be displayed. |
| /FI filter | Displays a set of tasks that match a given criteria specified by the filter. |
| /FO format | Specifies the output format. Valid values: "TABLE", "LIST", "CSV". |
| /NH | Specifies that the "Column Header" should not be displayed in the output. Valid only for "TABLE" and "CSV" formats. |
These additional parameters enable Tasklist to provide very detailed information about the system. Some examples will be shown in the next sections.
Find which Services use a process
It can be very useful to know the relationship between a process and the services that are running on a system (for a discussion ofservices see this page.) To obtain a table relating Image Name, PID, and Services use the commandtasklist /svc >list.txtHere I have shown the redirect to a file to illustrate creating a text record. One application of this command is for diagnosing problems with a service by monitoring the memory usage and other properties of the processes associated with the service.Find which DLL files are used by a process
Processes can be using many different DLL files by calling on various procedures from their libraries. It is not uncommon for a problem to arise because a DLL is corrupted or is the wrong version. To find which DLLs are used by each process use the commandtasklist /mThis will return a table relating Image Name, PID, and Modules. "Modules" here indicates DLLs. The table may have quite a few entries and the list can be limited to a specific DLL by using its name in the command. For example, to see only the processes that use oleaut32.dll, entertasklist /m oleaut32.dllFiltering Tasklist output
The output can be narrowed down to specific parameters by using filters and the switch /FI. There are a number of comparison operators and these are given in Table II. Not all operators can be used with every parameter and allowed values are shown for the most useful parameters in Table III.
| Operator | Description |
|---|---|
| eq | Equals |
| ne | Does not equal |
| gt | Greater than. Only used with numeric values |
| lt | Less than. Only used with numeric values |
| ge | Greater than or equal to. Only used with numeric values |
| le | Less than or equal to. Only used with numeric values |
| Parameter | Valid operators | Valid values |
|---|---|---|
| ImageName | eq, ne | Any valid string |
| PID | eq, ne, gt, lt, ge, le | Any valid positive integer |
| MemUsage | eq, ne, gt, lt, ge, le | Any valid positive integer in kilobytes |
| Status | eq, ne | Running, Not Responding, Unknown |
| Username | eq, ne | Any valid user name (includes SYSTEM, LOCAL SERVICE , NETWORK SERVICE) |
| WindowTitle | eq, ne | Any valid string |
An example of using a filter is a command to find processes that are not responding. The command would betasklist /fi "status eq not responding"Another example is to find processes using a lot of memory, say more than 40 MB. The command istasklist /fi "memusage gt 40000"
A final example shows how to clarify the multiple entries for the process "svchost.exe" that occur. (Each has a different PID.) Service Host (svchost.exe) is a basic piece of the Windows XP OS that is involved with many low-level system services. These are placed in several service groups, all running under the generic service name "svchost.exe" .(See the discussion here.) To see which services are associated with each instance of svchost.exe, use the commandtasklist /svc /fi "imagename eq svchost.exe"
More infornation on Tasklist is at this Microsoft site.