Diagnostics using the Windows Task Manager

The Windows Task Manager displays information about the current state of the Windows processes.  Using the information in the task list, we’ll look for clues about the health of your computer (or lack thereof) and gather information for further diagnosis.

The Windows Task Manager displays all of the Windows startup programs and processes. Make sure you’ve checked the “show all processes” checkbox to display the system processes.

To start the Task Manager:

  • Press Ctrl-Alt-Delete to open it directly
  • Right-click on the Task Bar and select Task Manager from the menu

At the top are five tabs; select Performance.

Task Manager - Performance Tab

The first elements we want to examine are the CPU Usage (and history) and the Physical Memory.

CPU Usage

This represents how busy your CPU is.  If your computer were a car, CPU Usage is the RPMs – how much work is the CPU doing.  CPU Usage represents the total “load” on the computer from all the processes running.
Normal CPU usage for a healthy Windows XP system is between 0-3% after booting and completely loading drivers, processes and applications.

If your CPU Usage is high, obviously there’s something running that is using an inordinate amount of CPU clock cycles.

Later, we’ll use the Processes tab to uncover more information about the CPU Usage. Make note of the CPU Usage number (as best you can) as we’ll use that information when examining the running processes.

Physical Memory

Here we want to make sure we don’t have “Ram Cram” – processes, services and programs using more memory than is installed.

“Total” is just that – how much memory (RAM) is installed in the computer.

“Available” is the amount of free RAM available for use AFTER loading all startup processes, services and programs.

System Cache shows the current physical memory used to map pages of open files.

If available RAM gets below about 256k, the system will begin using the Windows pagefile as RAM (well, it uses the pagefile all the time but that’s another article).

When the computer has to use the pagefile as RAM, you have “Ram Cram” and everything runs slow because the page file is a hidden hard disk file that is used like RAM.  Because it is a file on the hard drive, it is much slower than RAM and system performance reflects that.

SOLUTION – add more RAM or reduce startup processes, services and programs.  But we’re still diagnosing and this is one small step along the way.

Now click on the Processes tab.

Task Manager - Processes

In this tab, each column is sortable by clicking on the column label.  First sort the processes by CPU, bringing the running processes to the top.

In a healthy system, the System Idle Process should be at 99%.  This means that the system is idling 99% of the time awaiting instructions.

If there are several (or many) processes near the top, make note of them.  You should recognize some of them but others you may not.  Do a registry search on the process name to try and learn what it is.

The process list shows the normal Windows processes running (partial list):

  • services.exe
  • spoolsv.exe
  • svchost.exe
  • system
  • smss.exe
  • lsass.exe
  • taskmgr.exe
  • winlogon.exe
  • csrss.exe
  • explorer.exe
  • alg.exe

For now, we want to identify what’s causing the problem.  Aside from noting the processes that are eating your CPU cycles, we really want to determine if the Task Manager is reporting ALL processes that are running.

Malware can run processes that are hidden – they don’t show in the Task Manager.  By doing some quick mental math on the CPU numbers of the running processes and comparing that to the CPU Usage in the Performance tab, we can sometimes spot a mismatch in the numbers.  This is a quick-n-dirty test for hidden processes.

Hidden processes are malware!
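The mental math described above, written out as an added example (not part of the original article). It takes several readings noted by hand from the two tabs and reports whether CPU Usage is consistently higher than the CPU column of the visible processes; the sample readings are constructed, and the 5-point `slack` is an assumed allowance for whole-number display and for the two tabs being read moments apart.

```python
# Added example: CPU accounting check on readings noted from Task Manager.
IDLE = "System Idle Process"


def accounting_gap(rows, cpu_usage):
    """CPU Usage (Performance tab) minus the CPU total of visible non-idle rows."""
    visible_busy = sum(pct for name, pct in rows if name != IDLE)
    return cpu_usage - visible_busy


def review(readings, slack=5):
    """Classify a series of (rows, cpu_usage) readings.

    rows is a list of (image_name, cpu_percent) pairs from the Processes tab.
    slack is an assumed noise allowance in percentage points.
    Only a gap that appears in every reading is reported as persistent.
    """
    gaps = [accounting_gap(rows, usage) for rows, usage in readings]
    over = [g for g in gaps if g > slack]
    if gaps and len(over) == len(gaps):
        verdict = "persistent gap: investigate further"
    elif over:
        verdict = "intermittent gap: take more readings"
    else:
        verdict = "numbers agree"
    return gaps, verdict


# Constructed readings: visible processes account for the CPU Usage figure.
HEALTHY = [
    ([(IDLE, 97), ("explorer.exe", 1), ("taskmgr.exe", 2), ("svchost.exe", 0)], 3),
    ([(IDLE, 98), ("taskmgr.exe", 2), ("svchost.exe", 1)], 2),
    ([(IDLE, 99), ("taskmgr.exe", 1)], 1),
]

# Constructed readings: CPU Usage is high but no visible process explains it.
SUSPECT = [
    ([(IDLE, 55), ("explorer.exe", 1), ("taskmgr.exe", 2), ("svchost.exe", 1)], 45),
    ([(IDLE, 52), ("taskmgr.exe", 2), ("svchost.exe", 2)], 48),
    ([(IDLE, 58), ("taskmgr.exe", 1), ("explorer.exe", 1)], 42),
]

if __name__ == "__main__":
    for label, readings in (("healthy", HEALTHY), ("suspect", SUSPECT)):
        gaps, verdict = review(readings)
        print(label, gaps, verdict)
```

Small or negative gaps are sampling noise, which is why the check looks at several readings rather than one.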

Next, sort by Image Name just to have a quick look at what’s there.  You won’t know everything that’s here.  But as you become familiar with the normal Windows processes and programs you have running at startup, start identifying the other processes:

  • Printers
  • AV programs
  • iPod/iTunes
  • Video apps
  • Network devices
  • Touchpad
  • Keyboard/mouse

Search the registry to find out what each one is.

There was a time when we could spot malware running here.  In fact, I’ve seen some “classic” infections where the malware process(es) is displayed.  If you can see it, right-click on it and “End Process Tree” to stop it.  If you can’t stop it or it comes right back, you may have found a piece of the problem.

Some processes are designed to be persistent. They will restart. Don’t panic yet.  Research the process to determine what kind of process it is and who it belongs to.

Remember, we’re still diagnosing the system here.  If you’re just doing a performance tuneup, then you’ll use the Task Manager to assess your effectiveness at reducing the load on the CPU.

For diagnostics though, we’re using the Windows Task Manager as a discovery tool.  Look for clues that you can use elsewhere.

Any process here that’s running at 100% after the computer has fully booted is likely a process that has been infected.

Often, during startup, there are updates being applied (Windows Updates, antivirus program, etc.) that will run the CPU hard for the first few minutes.  If your CPU is still running hard after 10 minutes, investigate further.