
Process, memory and TCP monitoring tools for Windows

These are utilities included in the Sysinternals tool set from Microsoft.

They show far more information than the built-in Task Manager.

You can see the relationship between parent and child processes,

which is a great help when hunting for viruses and malware.

Download: procexp.zip procmon.zip tcpview.zip vmmap.zip

 

 

Process Explorer

 

Copyright © 1996-2012 Mark Russinovich

 

Sysinternals - www.sysinternals.com

 

Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command-line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded.

 

The Process Explorer display consists of two sub-windows. The top always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window, which you can close, depends on the mode that Process Explorer is in: if it is in handle mode you will see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you will see the DLLs and memory-mapped files that the process has loaded.

 

Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

 

You can obtain equivalent command-line tools, Handle and ListDLLs, at the Sysinternals Web site.

 

Process Explorer does not require administrative privileges to run and works on clients running Windows XP and higher (Including IA64) and servers running Windows Server 2003 and higher (Including IA64).
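As an added example (not the page's or Sysinternals' own code), the following PowerShell builds the parent/child process tree that the intro and the description above refer to, from Win32_Process data alone. It also applies a creation-time check, because Windows keeps a process's parent PID after the parent exits and that PID may later be reused by an unrelated process. Assumes Windows PowerShell 5.1 or later on Windows.

```powershell
# Added example, not part of the page: a Process Explorer-style process tree from CIM data.
# Assumption: run on Windows with PowerShell 5.1+ (Get-CimInstance is built in).

function Get-ProcessTree {
    # Win32_Process carries ProcessId, ParentProcessId, Name, CommandLine and CreationDate.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # Windows never clears ParentProcessId when the parent exits, so that PID may since have
    # been reused. Accept the link only if the parent was created before the child; otherwise
    # treat the process as a root (Process Explorer shows such orphans at the top level too).
    function Test-RealParent($proc) {
        $parent = $byPid[[int]$proc.ParentProcessId]
        if ($null -eq $parent -or $parent.ProcessId -eq $proc.ProcessId) { return $false }
        if ($null -eq $parent.CreationDate -or $null -eq $proc.CreationDate) { return $true }
        return $parent.CreationDate -le $proc.CreationDate
    }

    function Write-Branch($proc, [int]$depth) {
        $cmd = if ($proc.CommandLine) { $proc.CommandLine } else { '(command line not available)' }
        '{0}{1} [PID {2}]  {3}' -f ('  ' * $depth), $proc.Name, $proc.ProcessId, $cmd
        $procs | Where-Object {
            [int]$_.ParentProcessId -eq [int]$proc.ProcessId -and (Test-RealParent $_)
        } | ForEach-Object { Write-Branch $_ ($depth + 1) }
    }

    $roots = $procs | Where-Object { -not (Test-RealParent $_) } | Sort-Object ProcessId
    foreach ($r in $roots) { Write-Branch $r 0 }
}

# A child with an unexpected parent (for example a document viewer spawning a shell)
# stands out in this indented view just as it does in Process Explorer's tree.
Get-ProcessTree
```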

 

 

 

 

Process Monitor

 

Copyright © 1996-2010 Mark Russinovich and Bryce Cogswell

 

Sysinternals - www.sysinternals.com

 

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

 

Process Monitor runs on Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 and Windows Vista.

 

 

TCPView
Copyright 1997-2010 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com

 

 

 

Introduction

 

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the owning process name, remote address and state of TCP connections. TCPView provides a conveniently presented subset of the Netstat program that ships with Windows NT/2000/XP.

 

TCPView requires Windows XP or higher.

 

Using TCPView

 

When you start TCPView it will enumerate all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. You can use a toolbar button or menu item to toggle the display of resolved names. If you run with administrative rights, TCPView will also show the amount of TCP and UDP traffic flowing through an endpoint.

 

By default, TCPView updates every second, but you can use the View|Update Speed menu item to change the rate. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green.

 

You can close established TCP/IP connections (those labeled with a state of ESTABLISHED) by selecting File|Close Connections, or by right-clicking on a connection and choosing Close Connections from the resulting context menu.

 

If you want to see who owns the domain registered for a remote address, select the item containing the name and choose Whois from the context menu or the File menu.

 

You can save TCPView's output window to a file using the Save menu item.
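As an added example (not TCPView's code), this PowerShell reproduces the listing described above, every TCP and UDP endpoint with its owning process, and then diffs two snapshots taken a second apart so that new, changed and removed endpoints are reported the way TCPView highlights them in green, yellow and red. Assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-NetUDPEndpoint are available.

```powershell
# Added example, not part of the page: a TCPView-style endpoint list plus snapshot diff.
# Assumption: Windows 8 / Server 2012 or later (NetTCPIP module) and PowerShell 5.1+.

function Get-EndpointSnapshot {
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }   # PID -> process name
    $rows = @()
    foreach ($c in Get-NetTCPConnection) {
        $rows += [pscustomobject]@{
            Proto = 'TCP'; PID = $c.OwningProcess; Process = $names[[int]$c.OwningProcess]
            Local = "$($c.LocalAddress):$($c.LocalPort)"
            Remote = "$($c.RemoteAddress):$($c.RemotePort)"; State = [string]$c.State
        }
    }
    foreach ($u in Get-NetUDPEndpoint) {
        $rows += [pscustomobject]@{
            Proto = 'UDP'; PID = $u.OwningProcess; Process = $names[[int]$u.OwningProcess]
            Local = "$($u.LocalAddress):$($u.LocalPort)"; Remote = '*:*'; State = ''
        }
    }
    return $rows
}

# One TCPView row is identified by protocol, owner and both addresses; state is compared separately.
function Get-EndpointKey($e) { '{0} {1}({2}) {3} -> {4}' -f $e.Proto, $e.Process, $e.PID, $e.Local, $e.Remote }

# Report differences the way TCPView colours them: green = new, yellow = state changed, red = gone.
function Compare-EndpointSnapshot($before, $after) {
    $old = @{}; foreach ($e in $before) { $old[(Get-EndpointKey $e)] = $e }
    $new = @{}; foreach ($e in $after)  { $new[(Get-EndpointKey $e)] = $e }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) { Write-Host "NEW      $k" -ForegroundColor Green }
        elseif ($old[$k].State -ne $new[$k].State) {
            Write-Host "CHANGED  $k  $($old[$k].State) -> $($new[$k].State)" -ForegroundColor Yellow
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) { Write-Host "GONE     $k" -ForegroundColor Red }
    }
}

$first = Get-EndpointSnapshot
$first | Sort-Object Proto, Process | Format-Table Proto, Process, PID, Local, Remote, State -AutoSize
Start-Sleep -Seconds 1                     # TCPView's default update interval
Compare-EndpointSnapshot $first (Get-EndpointSnapshot)
```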

 

 

VMMap

 

Copyright © 2009-2010 Mark Russinovich and Bryce Cogswell

 

Sysinternals - www.sysinternals.com
Portions based on code by Jeffrey Richter

 

 

 

VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering, refresh and snapshot comparison capabilities allow you to identify the sources of process memory usage and the memory cost of application features.

 

 

 

Before reporting a bug, please make sure that you can reproduce the bug on the latest version of VMMap posted at Sysinternals. To report a bug, email markruss@microsoft.com.

 

 

 

VMMap works on Windows XP and higher, including x64 64-bit versions of Windows.

 

 

 

 
