Friday, May 11, 2007

removing unnecessary startup programs in 2003/XP

Or better yet: "How to find and destroy rogue processes"

One thing that makes me angry is when unnecessary processes take up too much memory or kernel space. This especially infuriates me when the lack of memory or kernel space ends up bringing my web server down! So this morning, I had this situation happen on my recently reimaged XP notebook, a Dell Latitude 600C. This is a work laptop and as such, is locked down by my security department. I always like when security locks things down, so then I can find ways around the lockdown! :)

In this case, IIS crashed because there were too many programs using kernel memory. How do I know this? Well, after the crash, I inspected the event logs. In the system event log, I found the following error:
"Symantec antivirus auto protect could not scan file c:\windows\system32\xxx.dll for viruses due to low kernel stack"

A quick search on Google provided a few URLs that gave me hints as to what was going on:
http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2002071208532048?Open&docid=2002071208532048&nsf=ent-security.nsf&view=docid
http://techrepublic.com.com/5208-11192-0.html?forumID=52&threadID=162216

As usual, I decided to take the low road and resolve my problem in the quickest way possible. The resolution was to disable the myriad of useless programs that execute when my system starts up. These include:
ctfmon.exe: http://support.microsoft.com/kb/282599
igfxtray.exe: http://www.liutilities.com/products/wintaskspro/processlibrary/igfxtray/
hkcmd.exe: http://www.neuber.com/taskmanager/process/hkcmd.exe.html
pctspk.exe: http://www.neuber.com/taskmanager/process/pctspk.exe.html

Also, I chose to disable a few unnecessary media and PDF programs that started on bootup:
iTunesHelper/qttask/Acrobat Assistant

So how did I find out what was running and how do I disable them from starting up? I used Mark Russinovich's great Process Explorer program:
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

Microsoft has bought him out and rightly so, because this guy REALLY knows the Windows OS inside and out. He's made his expertise available through a number of very useful programs available here:
http://www.microsoft.com/technet/sysinternals/default.mspx

My first task was to identify the programs that were hogging up memory unnecessarily. I downloaded and installed Proc Explorer from the link above and ran it. Running the program gives you a screen like this:



If you roll down to the bottom of the Process Explorer display, you'll see a bunch of processes hanging off of the "explorer.exe" process. Under that main branch, you'll see a ton of running processes, some of which you may recognize if you've ever looked at the running processes using Task Manager. I looked at this list of running processes and decided which ones I could safely disable. A number of them were just helper apps, like the above-mentioned media player related utilities. I also noted other helper apps that I didn't need:
trackpad (SynTPLpr.exe/SynTPEnh.exe/point32.exe)
fax (faxctrl.exe)
graphics card (igfxtray.exe)
keyboard (hkcmd.exe)
modem (pctspk.exe)

I just hate all that crap getting loaded and wasting memory.

One great thing about Process Explorer is that you can kill rogue processes right then and there within the program. Just identify the process that you'd like to kill in the list, right-click and select Kill or Kill Process Tree if the rogue process has spawned a number of child processes:


To round out the discussion on Process Explorer, PE includes an information-rich task manager system information window you can access via the menu or just by pressing CTRL-I. It has more information than the graphical Task Manager that Microsoft gives you and shows you real-time updates of top processes while the graphs scroll by:


So how did I actually disable these programs from executing on start up? For that, msconfig is your nearest and dearest friend, especially if your XP Taskbar has been locked down by Security! MSconfig is a program provided by Microsoft that allows you to disable startup programs and generally wreak havoc on your system, so be damn careful when you use it. To start MSconfig, click Start -> Run -> type in "msconfig" and press enter. You should see a screen like this:



Click the Startup tab. You'll see a bunch of startup items listed, the command that started them and the registry location of where they are set to run. MSconfig makes it easy for you to disable these programs by simply unchecking the programs you don't want to run on Startup. Here is the list after I was done deselecting the unnecessary programs on my machine:



After you deselect these memory hogs, go ahead and click OK. You'll then get a message to reboot now or later. If you are overzealous and have clicked too many startup items off, your PC may not come up correctly. So be careful to not go too crazy and remove everything from automatically starting up. Of course, an ounce of prevention is worth a pound of cure. And if you do screw something up, you'll probably learn something in the process of fixing it. So there is a reason that things happen the way they do.

Go ahead and reboot. Hopefully, when the system restarts, you'll have a bit more free memory and probably a faster machine if you've killed processes that were hogging your CPU. Good luck!

PS - If you want to do things the good old-fashioned way (i.e., edit the registry!), edit this key in regedit:
My Computer -> HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

PPS - Of course, you'll need to click Start -> Run -> "regedit" and hit enter to get into regedit first!

PPPS - Here's the great Mark Russinovich on a bug hunt using Process Explorer. Learn from the master!
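
The Run key from the PS above can also be audited from a script. This PowerShell is an added example, not part of the original post: it lists the autostart values under the Run key named above and under its per-user HKCU counterpart (which the post does not mention), and removes a value only after copying it to a backup key. The backup key path and the value name in the sample call are hypothetical; PowerShell 3.0 or later and an elevated prompt for HKLM changes are assumed.

```powershell
# Added example: list Run-key autostart entries and disable one reversibly.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',  # key named in the post
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # per-user counterpart
)

function Get-RunEntry {
    # Emit one object per value so the list can be sorted, filtered or exported.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

function Disable-RunEntry {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Name,
        # Hypothetical backup location chosen for this example.
        [string] $BackupKey = 'HKCU:\Software\RunKeyBackup'
    )
    $command = (Get-Item -Path $Key).GetValue($Name)
    if ($null -eq $command) { throw "No value '$Name' under $Key" }
    if (-not (Test-Path -Path $BackupKey)) {
        New-Item -Path $BackupKey -Force | Out-Null
    }
    # Copy the command line aside first so the entry can be restored later.
    New-ItemProperty -Path $BackupKey -Name $Name -Value $command `
        -PropertyType String -Force | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
}

# Review everything that starts at logon before changing anything.
Get-RunEntry | Sort-Object Key, Name | Format-Table -AutoSize -Wrap

# Example call (value name is hypothetical; use a Name from the listing above).
# Disable-RunEntry -Key $RunKeys[0] -Name 'ExampleHelper'
```

The same listing doubles as a quick check for entries you did not install yourself, since anything under these keys runs at every logon.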
