Introduction
The Task Manager Extension (TaskManagerEx) is a plug-in for Windows' built-in Task Manager. It expands the basic functionality and gives powerful control over running processes. Task Manager Extension can show process modules, the process memory map, used kernel handles, opened files, file properties, and lots of other info! It is very useful in many situations.
Here you can see the Task Manager window with the Task Manager Extension plug-in loaded:
The Task Manager Extension shows more processes, adds lots of useful items to the process context menu, adds a new "Extension" submenu to the main window menu, and so on...
Changes
Changes in version 2.1:
- Added Visual Studio 2005 compile compatibility
- Fixed bug with multiple Task Manager windows
- Reduced splash screen show time from 3 seconds to 1 second
- Added Service list to Process Information dialog
- Added Command Line, Environment information to Process Information dialog
- Fixed Process Information dialog resize bug
- Fixed "Always on top" option bug
- Tip Of The Day is now hidden by default
- Removed multi-byte characters bug (for file and kernel object names)
- Added Uninstall feature (TaskManagerEx.exe command line option).
- WARNING! Couldn't remove the drawing bug (sometimes a dialog with a list view is created with garbage on it)... (it has been happening since the original version 1.0)
Changes in version 2.0:
- View process threads.
- View memory map.
- Edit process security.
- View process basic information.
- View process executable dependencies (depends.exe from MS VC++ 6 must be run at least once before).
- Process executable file properties.
- View module file properties.
- View loaded drivers.
- Edit object security.
- Find object by part of its name.
- Options: Start Task Manager Extension with Windows.
- Russian localization.
- Lots of bugs removed.
- Lots of new small features added.
Features (from original version):
- Show Application icons in Process list (if available).
- Use different color for services.
- Find a used file by any process. (Use * as file name for showing every used file.) (The search is a full text search, so for example you can use the extension only.)
- Find a used module by any process. (The search is a full text search, so for example you can search for "kernel".)
- Show Process ID in Applications tab.
- Use different color for processes if the CPU usage reaches a given limit (25%, 50%, 75%).
- Query list of every file, handle, module, window used by a given process.
- Close a used file (you can unlock an exclusively opened file, so you can delete it).
- Unload a used module (so you can delete it).
- You can kill services too.
- End process swiftly: just press DEL key!
Compatibility
The Task Manager Extension (TaskManagerEx) runs fine on Windows 2000, Windows XP, Windows 2003.
It doesn't work on any Windows 9x, Windows NT, or any Windows x64. I also tested the Task Manager Extension with Windows Vista, but it didn't work. I do not see a simple way to improve Task Manager Extension to work with Vista's Task Manager... :-(
Currently, two languages are supported: English and Russian. But it will work with any other localized Windows. In the Russian version of Windows, the Task Manager Extension shows all menu captions and so on in Russian. It looks very native when the whole user interface uses a common language.
The user is expected to have Administrator rights while using the Task Manager Extension. Without these rights, some functions may not work or may work slowly.
Using Task Manager Extension
Warning
Warning! The Task Manager Extension can be very dangerous for your system! You must be sure what you are doing with the system internals! If you terminate some system thread, unload a library, or close an important handle, you may crash your system. Use the Task Manager Extension at your own risk!
Compiling
A modern Platform SDK is required to compile the Task Manager Extension with Visual Studio 6.0 (VC++ 6.0). You can download the February 2003 Windows Server 2003 PSDK Full Download with Local Install from here.
Visual Studio .NET doesn't need an extra SDK and has been fully supported since this version of Task Manager Extension. You will be prompted to convert the workspace and project files from the 6.0 format.
Only two projects are necessary to compile the Task Manager Extension:
- TaskManagerEx
- TaskManagerExDll
You can compile the ANSI or Unicode version of the Task Manager Extension. Both should work.
Installation
The Task Manager Extension doesn't need a special installation:
- Copy TaskManagerEx.exe and TaskManagerExDll.Dll to any folder on your computer.
- Run TaskManagerEx.exe.
- Run Task Manager by pressing Ctrl+Shift+Esc or by Ctrl+Alt+Del and selecting Task Manager (on Windows XP, Ctrl+Alt+Del loads the Task Manager immediately).
The Task Manager should have extended functionality now!
You can make TaskManagerEx.exe start during logon: select the menu item Extension\Options, check "Run during Windows logon" in the dialog that appears, and press OK.
Uninstall
You can run the TaskManagerEx.exe /clean command. It will unload and unregister the Task Manager Extension completely! TaskManagerEx.exe and TaskManagerExDll.Dll will remain on the disk. This operation is equivalent to the following operations:
- Unregister TaskManagerEx.exe from running during Windows logon.
- Unload TaskManagerEx.exe.
- Restart existing Task Manager to unload TaskManagerExDll.Dll.
Hint! Try TaskManagerEx.exe /? to view all supported command line arguments!
Use Cases
There are lots of cases when the Task Manager Extension is very useful. Some of them are described below.
First of all, I want to say that the Task Manager Extension gives the Task Manager some extra security permissions so it may stop processes that generated "Access denied." before! You can view and terminate even processes that run services.
Detecting process service list, command line and environment
With the Task Manager Extension you can get the command line for any process in the system. Just use the process context menu item "Information...".
You can also detect which services are running in the selected process. It is useful when one of the SVCHOST.EXE processes (or some other service executable) eats 100% of your CPU and you don't know which service is guilty.
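The same service-to-process mapping can be scripted, shown here as an added example that is not part of TaskManagerEx. It assumes a current Windows with PowerShell 5.1 or later and an elevated prompt; `Get-ServiceHostReport` is a hypothetical name.

```powershell
# Added example (not TaskManagerEx code). Get-ServiceHostReport is a hypothetical name.
function Get-ServiceHostReport {
    param(
        # Image name of the service host; restricted so it is safe inside the WQL filter.
        [ValidatePattern('^[\w.\-]+$')]
        [string]$ProcessName = 'svchost.exe'
    )

    # Index running services by the PID of the process that hosts them.
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance Win32_Service -Filter "State = 'Running'") {
        $key = [int]$svc.ProcessId
        if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
        $servicesByPid[$key] += $svc.Name
    }

    Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'" | ForEach-Object {
        $hostPid = [int]$_.ProcessId
        # Accumulated CPU time comes from Get-Process; the process may have exited meanwhile.
        $proc = Get-Process -Id $hostPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID         = $hostPid
            CpuSeconds  = if ($proc -and $null -ne $proc.CPU) { [math]::Round($proc.CPU, 1) } else { $null }
            Services    = $servicesByPid[$hostPid] -join ', '
            CommandLine = $_.CommandLine   # empty when the caller lacks access
        }
    } | Sort-Object CpuSeconds -Descending
}

# Hosts with the most accumulated CPU time are listed first.
Get-ServiceHostReport | Format-Table -AutoSize -Wrap
```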
Deleting blocked files: looking for used file or module
Sometimes deleting a file is impossible. You may want to delete a file that is opened by some application. Maybe you are developing a hook DLL (or COM component) and you can't delete it because your DLL is loaded into some processes. In such cases, you can select the Task Manager main menu item "Extension/Find used file..." or "Extension/Find used module...".
This dialog will help you find all the processes that use a specified file or executable module. You just enter a part of file, folder, or module, and press Enter. The special value "*" matches all files (or modules). Note that loaded modules may not be opened as files and vice versa! So the "Find used file..." dialog will not find the loaded modules. The user-entered string is searched in the whole path of the file.
Antivirus and anti-trojan protection
Sometimes, a firewall may alert you with a question about the network activity of a process. Sometimes you can see some strange process in Task Manager that is unknown to you or eats 90-100% of your CPU. With the Task Manager Extension you can simply check lots of information about suspicious processes.
First of all, you can check file information (it is usually shown through the "Properties" item of the file context menu). The Task Manager Extension gives you the corresponding process context menu item. All Windows built-in modules have the correct VS_VERSION_INFO structure in their resources.
If an executable module is located in the Windows folder and there is no Version tab at all, or the vendor is not Microsoft, then there is a high probability that the selected module is a virus. Viruses usually don't contain the correct Windows version information because their authors don't know what version of Windows you would use.
The second way to get important information about a process is the "Modules..." item of the context menu. It is especially important for RUNDLL32.EXE or RUNDLL.EXE processes. These processes are Microsoft EXE-files (with correct version info) that are written specially to run other DLLs.
In this dialog, you can directly view any module's file properties using the context menu. If the process seems to be an internal Windows process, then all of its modules usually reside in the Windows folder and have version information that correlates with the version of your Windows. There are a few exceptions: Windows hook DLLs may be loaded from anywhere (it may be a DLL from your mouse driver, multimedia keyboard driver, Lingvo loader, etc.). Some DLLs may also be located in correct Microsoft folders like "C:\Program Files\Common Files\Microsoft Shared".
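A scripted form of the version-and-location check described above, as an added example that is not part of TaskManagerEx; it assumes a current Windows with PowerShell 5.1 or later, and `Get-ModuleTriage` is a hypothetical name. It goes one step beyond the article by also reporting the Authenticode signature status, since a version resource is ordinary file data that any author can fill in.

```powershell
# Added example (not TaskManagerEx code). Get-ModuleTriage is a hypothetical name.
function Get-ModuleTriage {
    param([Parameter(Mandatory)][int]$ProcessId)

    $winDir = $env:windir.TrimEnd('\') + '\'
    # Exception named in the article: Microsoft's shared-components folder.
    $shared = (Join-Path $env:CommonProgramFiles 'Microsoft Shared') + '\'
    $cmp    = [StringComparison]::OrdinalIgnoreCase

    # Reading another process's module list needs Administrator rights.
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    foreach ($m in $proc.Modules) {
        $vi         = $m.FileVersionInfo
        $inWindows  = $m.FileName.StartsWith($winDir, $cmp)
        $inShared   = $m.FileName.StartsWith($shared, $cmp)
        $hasVersion = -not [string]::IsNullOrWhiteSpace($vi.FileVersion)
        $msVendor   = $vi.CompanyName -like 'Microsoft*'
        $sig        = Get-AuthenticodeSignature -LiteralPath $m.FileName

        $reasons = @()
        if ($inWindows -and -not $hasVersion) {
            $reasons += 'in Windows folder, no version resource'
        } elseif ($inWindows -and -not $msVendor) {
            $reasons += 'in Windows folder, vendor is not Microsoft'
        }
        # Hook DLLs legitimately load from elsewhere, so this is a prompt to look, not a verdict.
        if (-not ($inWindows -or $inShared)) { $reasons += 'outside Windows folders' }
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

        [pscustomobject]@{
            Module  = $m.ModuleName
            Vendor  = $vi.CompanyName
            Version = $vi.FileVersion
            Signed  = $sig.Status
            Review  = $reasons -join '; '
            Path    = $m.FileName
        }
    }
}

# Example: show only the modules of running rundll32.exe processes that need a closer look.
Get-Process -Name rundll32 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ModuleTriage -ProcessId $_.Id } |
    Where-Object Review | Format-Table -AutoSize -Wrap
```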
These are the basics of anti-virus war on your computer. My experience shows that end-users will always find a new and unexpected way of using my program. :-)
Debugging: library usage
You can see the process module list through the "Modules..." item of the process context menu.
Pay attention to the "Usage" column. It contains the library usage counter. It increments during the LoadLibrary() call and decrements during the FreeLibrary() call. "Fixed" modules are the main executable module and all libraries that are statically linked to it. These libraries do not increment their counters and are never unloaded. You can increment or decrement the usage counter through the module context menu. When the counter goes to zero, the library is unloaded automatically. Be careful!
Debugging: kernel object usage
You can see all your handles using the "Handles..." item of the process context menu.
Here, you can see all the process handles to various kernel objects. Some of them have names and you can see them. You can view and edit object security information. Most of the objects support special operations through their context menu. Every handle, however, can be closed.
If you want to see opened files only, then you'd better choose the "Files..." process context menu item. It is the same, but it filters to show file objects only.
Other Task Manager Extension screenshots
Conclusion
History
Four years ago, I found TaskManagerEx. I got it without any sources and used it for a long time. It was good enough, but I always wanted a bit more from that utility. I wanted Task Manager Extension to have some additional features when I accidentally found Zoltan's article on CodeGuru with sources (CodeGuru: Task Manager Extension). I spoke with Zoltan and wrote a new version of the Task Manager Extension. It was based on its public sources. While developing and refactoring old code, there was always one big question: how could Zoltan write it 5(!) years ago? There was no information about lots of undocumented features. I now have some of this information, but he wrote and debugged his code an eternity ago! It was a really great job, Zoltan!
When I was writing version 2.1, I suddenly found the Windows 2000 sources. I looked at them and found the Task Manager sources. How exciting it was to see all those constants and logic that we reverse engineered with IDA, Spy++, etc... It was nice to verify that the Task Manager Extension uses one of the most correct ways to hack the Windows Task Manager.
Analogs
After writing Task Manager Extension 2.0, I found ProcessExplorer from Sysinternals. ProcessExplorer does more things than the Task Manager Extension, but it works standalone while the Task Manager Extension is built into the system (nice and tight). ProcessExplorer also has another disadvantage: its source is not open. Some time ago, Microsoft bought Sysinternals, so you can find the ProcessExplorer installation here.
Credits
Thanks to Zoltan Csizmadia for writing the original version of TaskManagerEx. TaskManagerEx helped me lots of times in my work, and encouraged me to write an improved one.
Thanks to everybody who contributed anything on CodeGuru and The Code Project.
Thanks to Yura Semashko, Konstantin Karatov, Alexey Grakov, Ivan Kirkorov for verifying my article.
Thanks to nova_, Simon.W, wumpus1 and other users from CodeProject who tested TaskManagerEx 2.0.
Thanks to Mike Russell. He made a donation and told me how Task Manager Extension helped him. This occurrence inspired me to remove old bugs, write a new version, and to compose an article for it.