sticky
** Process Explorer Bugs **

    Question

  • -Process Explorer v10.11 Bugs-


    This version is very stable but I still see some "bugs" inside .

    1)System Idle Process security issue This quasi process has "Session -1" in properties->security tab, I don't think that such session exists.

    2)Run As strange handling After I selected some process to start I must select from which user account it must be started. However if I press "Cancel" in this dialog, PE told me "Unable to execute process: Access Denied". Well I guess it must simple do nothing in this case.

    3)IsDebuggerPresent function statically linked, so Process Explorer can't start on Windows 95. Whole operation system is not supported.

    4)Save As non existing process strange handling
    When I select some process from list and press "Save As", save dialog is opening. In this moment selected process is ending and removing from Process Explorer list. However when I press "Ok" in Save Dialog PE saves text file on disk. Inside the log I see name of dead process with PID of Process Explorer and all objects displayed here is also Process Explorer objects.

    Opera.exe     3836��� ;       Opera Internet Browser     Off   &n bsp;�C:\Program Files\Opera\Opera.exe     MAINFRAME 64\EP_X0FF     Running
    procexp.exe     3424��&nb sp;��13.04     Sysinterna ls Process Explorer     On   &n bsp;�C:\Program Files\WIN2000\procexp.exe      MAINFRAME64\EP_X0FF�� ;   Running

    Process: calc.exe Pid: 3424

    Type     Name   &nbs p;�Share Flags
    Desktop     \Default��&nb sp;��
    Directory     \KnownDlls�� ;   
    Directory     \Windows��& nbsp;��
    Directory     \BaseNamedObjects&nbs p;    
    Event     \BaseNamedObjects\CLR_Per fMon_DoneEnumEvent     
    Event     \BaseNamedObjects\CLR_Per fMon_StartEnumEvent     
    Event     \BaseNamedObjects\crypt32 LogoffEvent     
    Event     \BaseNamedObjects\Microso ft Smart Card Resource Manager Started     
    Event     \BaseNamedObjects\userenv : User Profile setup event     


    5)Find Handle or DLL restriction
    Process Explorer can't find DLL located in SYSTEM context.

    6)Empty Window Title cannot be found by PE. If Windows has empty title - "Window" element is not active in context menu of Process Explorer. But I see no reasons why Process Explorer can't operate with empty titled visible top level windows.

    Hope this bugs will be fixed in next release.

    Kind Regards.

    EDIT: Changed topic title
    Wednesday, June 14, 2006 11:49 PM

All replies

  • One More.

     When I try to get to my PC by using Remote Desktop and there is the Process Explorer running all I get is a blank screen with no menus, icons etc

    Friday, June 16, 2006 12:56 AM
  • And there is also the one that I've described in the PE�s UI glitch on process opening/closing thread (but I guess only for some users), and maybe also this one: Specific Process Explorer crashes ...


    cheers, Ivan

    Sunday, June 18, 2006 8:06 AM
  • Just one thing.

    7)Process Explorer settings

    Can Process Explorer check settings version in Registry and if they are old - remove them? This can avoid many bugs with oldest settings.
    Sunday, June 18, 2006 2:24 PM
  • I'll repost this here.

    Proc property windows keep migrating left

    My taskbar's on the left, and after opening and closing a few process properties windows, they've migrated so far left I can only move them with an alt+space.  Not that it actually gets to that point, because I drag the window towards the center after opening a window, each time.

    I recorded the window's x, y after each closing/opening/closing etc on csrss.exe and they are as follows:
    600, 215
    348, 215
    96, 215
    -156, 215
    -408, 215

    So they're jumping left 252 pixels, which unsurprisingly is the same width as my taskbar.  Other dialogs are not affected by this.

    This doesn't happen if my taskbar's on the bottom.  I'm using 10.11.

    ===

    Verified by http://www.sysinternals.com/Forum/forum_posts.asp?TID=5972&a mp;KW=deadfones
    Monday, June 19, 2006 2:13 PM
  • Further discovering of Process Explorer v10.11 Save As bugs shown following:

    8)PE Save As+Process Terminate bug

    if PE is paused and selected process is terminated with PE this feature also fails, like in first post.

    It is not displaying objects, but the same
    Process: Procexp Pid: PidOfTheDeadProcess

    Will post here if I find something else.
    Tuesday, June 20, 2006 3:40 PM
  • The lower view panel when resized and dropped falls above the current mouse position. This bug has been present in version 9.25, reported and not fixed.
    Using Find Handle / DLL, column sorting "Type" doesn't group all Handles and DLL correctly one or two overlap each other.
    Corrupted exe version info crashes Process Explorer running on Windows 9x.

    Richard S.
    Tuesday, June 20, 2006 7:57 PM
  • 9)"Debug" feature not working under Win98
    Well, I guess this should attach debugger to selected process. I tried many times - no luck, perhaps I doing something wrong, what debugger should be attached under Windows 98? DrWatson? Could someone explain me?

    10)Pause not "pause" bug
    This bug succesfully reproduced under Windows 98 and Windows XP SP2, I guess it's working everywhere.

    Steps to reproduce:
    1) Press "Space" to pause display refreshing
    2) Ctrl+F to find handle or DLL, you can also use menu.
    3) You can type anything and press search or simple press cancel - that works identically.
    4) List will be refreshed for a second then again paused.
    I think if I press "Pause" then PE should pause display refresh for all time, even if I search for something.

    11)Shutdown works like "LogOff" under Windows 98
    Yep, exactly this. Pressing logoff - doing logoff, pressing shutdown - ...doing logoff, or I miss something?

    I will continue my discovery.
    Tuesday, June 20, 2006 7:59 PM
  • The lower view panel when resized and dropped falls above the current mouse position. This bug has been present in version 9.25, reported and not fixed.
    Using Find Handle / DLL, column sorting "Type" doesn't group all Handles and DLL correctly one or two overlap each other.
    Corrupted exe version info crashes Process Explorer running on Windows 9x.

    Richard S.


    I've download Process Explorer 10.2 and this problem still exists. In fact I believe it's not sorting correctly because clicking on the "Type" column is actually sorting the "Handles or DLL" column instead.

    Support for Windows95 is still broken thanks to IsDebuggerPresent dependency (unless you apply a dirty hack).

    Richard S.
    Tuesday, July 11, 2006 9:55 AM
  • -Process Explorer v10.2 Bugs-


    1)System Idle Process security issue This quasi process has "Session -1" in properties->security tab, I don't think that such session exists.


    --fixed, n/a

    2)Run As strange handling After I selected some process to start I must select from which user account it must be started. However if I press "Cancel" in this dialog, PE told me "Unable to execute process: Access Denied". Well I guess it must simple do nothing in this case.


    --not fixed

    3)IsDebuggerPresent function statically linked, so Process Explorer can't start on Windows 95. Whole operation system is not supported.


    --not fixed

    4)Save As non existing process strange handling
    When I select some process from list and press "Save As", save dialog is opening. In this moment selected process is ending and removing from Process Explorer list. However when I press "Ok" in Save Dialog PE saves text file on disk. Inside the log I see name of dead process with PID of Process Explorer and all objects displayed here is also Process Explorer objects.


    --fixed, as I can see right now

    5)Find Handle or DLL restriction
    Process Explorer can't find DLL located in SYSTEM context.


    --not fixed

    6)Empty Window Title cannot be found by PE. If Windows has empty title - "Window" element is not active in context menu of Process Explorer. But I see no reasons why Process Explorer can't operate with empty titled visible top level windows.


    --not fixed

    8)PE Save As+Process Terminate bug

    if PE is paused and selected process is terminated with PE this feature also fails, like in first post.

    It is not displaying objects, but the same
    Process: Procexp Pid: PidOfTheDeadProcess


    --fixed as I see right now

    10)Pause not "pause" bug
    This bug succesfully reproduced under Windows 98 and Windows XP SP2, I guess it's working everywhere.

    Steps to reproduce:
    1) Press "Space" to pause display refreshing
    2) Ctrl+F to find handle or DLL, you can also use menu.
    3) You can type anything and press search or simple press cancel - that works identically.
    4) List will be refreshed for a second then again paused.
    I think if I press "Pause" then PE should pause display refresh for all time, even if I search for something.


    --not fixed


    11)Shutdown works like "LogOff" under Windows 98
    Yep, exactly this. Pressing logoff - doing logoff, pressing shutdown - ...doing logoff


    --not fixed still shutdown=logoff

    New Discovered Bugs in Process Explorer v10.2


    1)[System Process] bug

    1) Ctrl+F, type ntdll.dll
    2) In list of dll you can see ntdll.dll that used by [System Process] with Process Explorer pid.
    Tuesday, July 11, 2006 11:40 AM
  • Wink hey ep,
    NOT to get on your jock, or, more importantly take anything away from messrs russinovich and cogswell, for whom i'm sure we ALL have the utmost respect for... i have to say nice work!

    having said that, you gotta ig the 9x issues. why ya goin there?! and you know that. sheesh, it's only those two. skipping the 90's they've still got min THREE soon to be 4 platforms to support. Clap

    cos when all is said and done, imho, it's all about advancing the state of the art, no?

    Tuesday, July 11, 2006 4:55 PM
  • Removing support for w98/me (w95 is not supported due IDP bug) will slightly decrease filesize. But many peoples still using these ugly operation systems.

    Removing support (or moving it to separate binary) for ia64 (such popular platform) will decrease filesize ~55%.

    BTW, Debug attach feature still not working under w98.
    Tuesday, July 11, 2006 6:42 PM
  • Removing support for w98/me (w95 is not supported due IDP bug) will slightly decrease filesize. But many peoples still using these ugly operation systems.

    Removing support (or moving it to separate binary) for ia64 (such popular platform) will decrease filesize ~55%.

    BTW, Debug attach feature still not working under w98.

    hi ep,
    ya! of course removing support fot the 9x platform would decrease filesize. i understand what you're saying. that's a dev speaking and you're a dev thru and thru. but that's really not my point. my point is this: ms is giving up on the 9x platform real soon here. in fact i think *you* announced 09/06 timeframe if i'm not mistaken? i could go look it up but i really can't be bothered w/that. and you know this!

    bottomline? anyone on the 9x platform *has* to move forward. come on! you know this. it's 06 for crissakes! it's unfair to hold sysinternals accountable for those platforms. it's just not right. Wink dude? there are bigger fish to fry, no?
    BTW, Debug attach feature still not working under w98.

    ya? however, it works pretty well with .net and xp|2x? Clap
    Tuesday, July 11, 2006 7:45 PM
  • Personally I'm not using w9x as PC OS last eight years. Yes, it is time to upgrade to something better, no questions here. But most of bugs is not related to w9x. IDP is just most obvious of them. And I don't understand why continue saying: supports w95 if it is not true.

    Or why having Debug feature if it is not working on w9x?
    Or why not fix shutdown under w9x?

    I think it is not so hard to do.
    Tuesday, July 11, 2006 8:20 PM
  • More info about [System Process] bug.

    It has been present in prev.versions.

    Tuesday, July 11, 2006 8:47 PM
  • It crashes multiple times. Annoying 15K image file limit, which the screen caption is 18K

    Anyway, the message says "The instruction at "0x775618de" reference memory at "0x03f80000". The memory could not be "read".

    Now that MS owns the code, please have someone fix it, soon.

    Friday, August 25, 2006 11:05 AM
  • More info about [System Process] bug.

    It has been present in prev.versions.



    hey,yeah cool bug,can reproduce it right now.

    so it is ToolHelp???!
    Sunday, August 27, 2006 5:42 PM


  • Hmmmm, maybe I'll just mention a bug (that was "there" also in previous 10.xx versions) when you invoke the "Process Properties" window, sometimes the tooltip in the CPU Usage, Private Bytes, I/O Bytes History graphs is not displayed, i.e. you need to invoke it the second time to see it ...


    Ivan

    Monday, August 28, 2006 8:22 AM
  • PE 10.2.

    If I select all columns in Select Columns dialog (put ticks in every checkbox) PE crashes. If I select all columns except some two (it doesn't matter which two) PE works fine.

    It's only guess: Looks like PE stores selected columns in some fixed-size array and the size of array is not enough (2 slots less than maximum possible number of columns).

    Thursday, September 14, 2006 3:26 AM
  • Bug report by Earthplanet, partially confirmed by IMNdi:

    PE 10.2: Hogs memory, crashes computer

    Although I cannot confirm Earthplanet's report, I thought it should be linked to in this thread about (suspected/confirmed/reproducible) P.E. bugs.

    Karl
    Saturday, September 16, 2006 4:32 AM
  • Bug report by Ivan, may be related to Earthplanet's and IMNdi's findings or not:

    Specific Process Explorer crashes (Suspected SafeXP and P.E. incompatibility)

    Hypothesis:
    A series of quickly starting and terminating processes may make P.E. crash.

    Karl
    Saturday, September 16, 2006 11:42 PM
  • I got PE to crash today. It brought down the whole system. Here's the screen shot before I rebooted:

    PE tried to grab all available virtual memory. I couldn't kill it so rebooting was the only option. This followed Executive Software Diskeeper running (a disk defragmentation service), so that may have triggered it. Diskeeper is a trustworthy application, so I doubt it's doing anything suspect.

    Edit: diskeeper alone doesn't seem to trigger the PE resource problem. It seems to be a combination of the matrix ss and diskeeper (or some other app) that accelerates the PE memory consumption.

    Wednesday, September 20, 2006 8:36 AM
  • I thought I'd try to clarify the memory behavior that PE is exhibiting.

    I've noticed that the longer my system is up, the more memory PE uses. This is not a traditional memory leak because it persists after PE is shutdown and restarted. Within a minute of being restarted, PE is back to the same or higher Working Set and Virtual Size that it had the previous time. Why is this? Eventually it expands its Virtual Size to the limit of what's available and the system crashes. The only way to reduce the amount of memory PE uses is to reboot the whole system.

    Here's the dialog that PE shows when it's close to running out of resources:

    This happened after the matrix_ss had run over night. PE wasn't running during that time. I started it and immediately got this message. I've learned from experience that PE must be terminated using the Windows Task Manager at this point to avoid locking up the system. Pressing OK results in PE taking even more memory and finally locking up the OS.

    Apparently, some applications cause the number of handles to rise and PE can't "handle" it, so to speak.  These handles seem to persist even after the applications have been stopped. If the PE lower pane display is disabled, there should be no need to load handle information, correct? Then it could run regardless of how many handles exist. This would also speed up the initial loading. Please consider this suggestion.

    Update: even logging out of Windows and back in again doesn't clear the handle problem. PE still reports insufficient system resources to get handle information. Surely this is a PE bug which can be fixed. At the very least, provide a Cancel button on that dialog so PE can be cleanly terminated. The only option now is to use the Task Manager, which is a nuisance.

    Friday, September 22, 2006 7:35 AM

  • I recently noticed for the first time (since Process Explorer rarely has focus for so long on my PC) that when Process Explorer currently has a focus, and when the screen is refreshed, or should I say when the data displayed are updated (I've set mine to 5 seconds), the mouse movement starts to being "delayed" or as I call this behaviour, the mouse starts "moving in steps". This lasts only for a second or so, when the screen is updated


    P.S. -- Just as an interesting side-note; something similar was occuring when I was trying to play a Start Trek - Knights of the Old Republic game from LucasArts few months back. The solution to the problem was to lower the priority of game's main process (i.e. "swkotor.exe") to anything below "NORMAL" priority (for instance to "BELOWNORMAL"); for more details please head over to the thread titled "HELP: I can't normally play most of the games anymore", that I opened on Ars Technica forum back then.


    kind regards, Ivan
    Thursday, September 28, 2006 8:47 AM

  • And additionally, I've noticed that if "Handle lower pane" is open (this doesn't apply to "DLLs view"), Process Explorer starts consuming approx. 20 % of CPU non-stop, while I don't remember this behaviour in previous PE versions ...


    Ivan
    Saturday, October 14, 2006 10:42 AM
  • Another one...
    This happened to me a long time ago, with some version checked something like "group and show as Kilo/Mega" or similar option. Or maybe i'm wrong. Take look @ screenshot, and tell, how to get rid of those micro-numbers...
    PE working normally, just counts some numbers strangely. Look into Physical Memory in sysinfo, or Private bytes column... Already (and not once) deleted HKCU\Software\Sysinternals\ProcessExplorer branch, no more registry keys known to me. Maybe this behavior may come from regional settings?
    Saturday, October 14, 2006 8:50 PM
  • This may have been reported on page 1, but I'm not sure.  In ver 10.2, if you look at a process properties page and view the threads tab, you'll see a new thread executing a function inside NT.dll called RtlConvertUiListToApiList in an infinite loop.

    Monday, October 16, 2006 6:15 AM
  • procexp.exe 10.21
    windows2003 without sp1

    If try open properties->thread for proccess which protected from OpenThread like Kaspersky antivirus KAV6.0.303
    May be see words "Scanning threads..." in window after this Proccess Explorer hang or see what in main window proccess list is copied twice (show doubled info) see image:

    Thursday, November 9, 2006 9:33 AM
  • If try open properties->thread for proccess which protected from OpenThread like Kaspersky antivirus KAV6.0.303
    May be see words "Scanning threads..." in window after this Proccess Explorer hang or see what in main window proccess list is copied twice (show doubled info) see image:


    Probably KAV hook returns something abnormal. For KAV it is normal LOL.
    Friday, November 17, 2006 8:07 PM
  • Good morning, EP_X0FF.

    Confirmed:

    KAV6 will block other processes from accessing their avp.exe process. Norton calls this tamper protection. Same thing with KAV.

    But I assume you know the details better than I do.

    Karl
    Friday, November 17, 2006 8:38 PM
  • There is possibly a bug in Process Explorer 10.21's "Runas..." and "Runas Limited User..." dialogs. On Scandinavian language Windows installations for some reason the "Browse" button appears in English, not in the system language, and consequentially does not work at all. The Run dialog displays the "Browse" button in the correct language, and the button works as intended.
    Monday, February 19, 2007 6:28 AM
  • Hello, Buggy Buddha.

    On Scandinavian language Windows installations for some reason the "Browse" button appears in English, not in the system language, and consequentially does not work at all.

    The language of the Browse Button does not necessarily mean it does or does not work:

    P.E. v10.20 on WinXP Sp1 GER:
    Run => Browse (in German)
    RunAs => Browse (in Englsih)
    Both work. (Tested)

    P.E. v10.21 on WinXP Sp1 GER:
    Run => Browse (in German)
    RunAs => Browse (in Englsih)
    Both work. (Tested)

    Karl
    Monday, February 19, 2007 7:33 AM
  • I understand. In this case (Swedish / Finnish / Norwegian Windows localizations), however, the button really does not work. Then again, maybe it's something about those localizations or the settings of the systems themselves that causes it. I'm not entirely sure it's a bug, but it might be.
    Monday, February 19, 2007 7:29 PM
  • Moved normal usage issue reports to two new threads:

    + Double Process Tree Bug in P.E. by mutronics

    + Problem: P.E. "Replace TaskMgr" on XP64 by bleeding_me

    + PE Download File Lacks PROCEXP.EXE? by lseddins

    This thread was meant to collect a list of (confirmed) bugs only.
    If anybody not feeling like creating a new thread for his/her usage issue report simply posts the issue here, this thread will be a useless muddle soon.

    Kind regards,
    Karl

    Wednesday, February 28, 2007 6:13 AM
  • .NET counters have not correct values for COM applications (see image):

    Wednesday, March 14, 2007 4:35 PM
  • Moved normal usage issue reports to two new threads:

    + Double Process Tree Bug in P.E. by mutronics

    Actually, looks as if I failed to see that mutronics report confirms this bug report posted by Zeroes:
    ** Process Explorer Bugs **.

    Karl

    Thursday, March 15, 2007 6:52 AM
  • .NET counters�have not correct values�for COM applications (see image):

    Hm, seems as if I fail to see what is wrong in your screenshot. Could you please elaborate a bit?
    Thanks.

    Karl
    Thursday, March 15, 2007 6:53 AM
  • .NET counters have not correct values for COM applications (see image):

    Hm, seems as if I fail to see what is wrong in your screenshot. Could you please elaborate a bit?
    Thanks.

    Karl
     .NET counters (Gen0 Collection, Gen1 Collection, Gen2 Collection) is last three columns on screenshot. As you know, dllhost is surrogate process for COM applications, which loads component's library (in this case (pids 4120, 848, 7556), written on .net language). Dllhosts on screenshot is not the same, in fact, absolutely different COM applications executing different tasks. But Process Explorer show equal values of .NET counters, although, context of this processes is different.

    Friday, March 16, 2007 5:01 PM
  • Hi, .rip.

    Thanks for explaining. Hope it will help the programme authors.

    Ciao,
    Karl
    Friday, March 16, 2007 8:38 PM
  • Unfortunately, that's a limitation of the .NET performance counters, which identifies processes by name and not by PID.
    Friday, March 16, 2007 11:31 PM
  • hmm... it was strange to see code in CORPerfMonExt.dll, written by developers from Microsoft(c) (pseudocode):

    GetModuleBaseName(hProcess, hModule, lpBuffer, 15)

    Why developers can't wrote just the same as perfproc.dll, using swprintf(lpBuffer, "%s_%d", ModuleBaseName, PID) ? it is impossible to understand.

     

    Tuesday, March 20, 2007 11:12 PM
  • Unfortunately, that's a limitation of the .NET performance counters, which identifies processes by name and not by PID.
    ...identifies processes by first 15 chars of name, isn't it?
    Tuesday, March 20, 2007 11:25 PM
  • Latest Process Explorer contains buffer overrun bug.
    If ProcessParameters->ImageFileName > 1040 PE will die with ACCESS_VIOLATION message at the program start.
     
    Since PEB values can be easy faked by malware I think that this is awesome bug and it need to be fixed.
    Tuesday, April 10, 2007 12:55 PM
  • I just checked with Mark and this will be fixed in the next release. Unfortunately, I don't have a timeframe for you (but I can't imagine it's too far out).
    Wednesday, April 11, 2007 7:30 AM
  • Process Explorer 10.21

    If you run it on a 32-bit Windows, then Help -> About says:
    Process Explorer v10.21

    If you run it on Windows XP Pro. x64 (with SP2), then Help -> About says:
    Process Explorer v

    Not dealing with integers correctly?

    -- rpr. /Robert Premuz/
    Thursday, April 12, 2007 10:36 PM
  • PE 10.2, xp 64 bit.
     
    Using Run allows me to enter a command which exceeds the length available in the Run dialog box.  Using Runas or Run Limited, the dialog box will not allow you to scroll past the end of the text field.  Run works for running <path to mmc> <path to compmgmt> /s, (copied from command line of the limited user version) where Runas or Run limited fail.
     
    Great prog though :)
    Friday, April 20, 2007 1:30 AM
  • Moved normal usage issue reports to two new threads:
     
    + Memory leak in 10.21 on Vista? by deadfones
     
    + SystemInfo: MB displayed but KB indicated? by JoeCool (confirmation report of ABLomas' original report in this topic).
    Sunday, June 17, 2007 10:28 PM
  • Hi,

    Couple of annoying problems in an essential app:
    - TCP/IP tab of process properties never shows any connections (on Vista)

    - If you set update speed to 5 seconds, then exit & reload its back to 2 seconds (all versions)

    Hopefully Mark isn't too busy at MS now to put out a new version... Getting mark to continue workon on the sysinternals utilities should be a priority, these utilities are a big reason for them buying his company in the first place!

    Cheers
    Thursday, July 5, 2007 10:05 AM
  • Hi, Johnno.
     
    I am able to confirm the behavior you report regarding the TCP/IP tab of process properties not showing connections on Vista.
     
    However, I am unable to reproduce the behavior you report regarding the update speed.  I set the speed to 5 seconds, exited PE, restarted PE, and the update speed was still set to 5 seconds.  Vista Ultimate 32-bit, PE 10.21.  The registry setting controlling the update speed [HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer\RefreshRate] always had the expected value.
     
    If you are having problems with the update speed setting, one thing that is regularly suggested and frequently resolves UI / display-related issues is to exit PE, and rename / remove [HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer].
    Thursday, July 5, 2007 12:12 PM
  • Cheers Molotov, I'll try that.

    As you can imagine, not seeing TCP/IP connections is a much bigger issue for me :)

    I wanted to see what process was triggering our firewall, and discovered the TCP/IP tab wasn't working.  Interestingly I downloaded some app that had a similar function (forget what it was sorry) and it didn't work either so looks like the API or the security in vista has changed something there...
    Thursday, July 5, 2007 12:37 PM
  • Yes, not having the TCP/IP tab function as expected is rather undesirable.  A lot of stuff changed with Vista, including a rebuilt TCP/IP stack.  TCPView also has some issues under Vista, it seems.  I've not used it, but NirSoft's CurrPorts has reportedly had a recent upgrade for Vista...
    Thursday, July 5, 2007 7:36 PM
  • BUGBUG1:
    i encountered a bsod due to procexp. at the time i was doing heavy io and cpu processing. it crashed when showing the thread stack of an .net process. i remember the thread start symbol to be something like "com+ entry point".

    Windows NT  Version 6.0 Build: 6000
    Product (0x1): Windows Vista (TM) Ultimate
    Edition: ULTIMATE
    BuildString: 6000.16386.amd64fre.vista_rtm.061101-2205
    Flavor: Multiprocessor Free
    Architecture: X64
    LCID: 1033

    minidump uploaded to rapidshare:

    http://rapidshare.com/files/42152185/procexp_bsod.rar.html

     
    BUGBUG2:
    the pid-column cannot be hidden.
     
    BUGBUG3:
    when loading the threads-page process explorer disappears if it is busy with downloading the symbols while the property page is closed by the user.
     
    BUGBUG4:
    when suspending explorer.exe (for example to pause a file transfer) procexp refreshes very slowly (about every 5 secs)
    Tuesday, July 10, 2007 2:46 AM
  • Hi, noname47.
     
    Thanks for taking the time to post.
     
    My take on the bugs you reported...
     
    BUGBUG1:
    Unable to comment.
     
    BUGBUG2:
    This is by design, if I recall.  I can't find the particular post / message where Mark or Bryce detail it (Unhappy), but I think it has something to do with the Process name column being tri-sort / tree view.
     
    BUGBUG3:
    The first time I reproduced this, I got a DEP violation and was able to "debug" it.  The dump indicates a DEP violation, likely as a result of heap corruption.  Of course, it appears to be related to symbol resolution / interaction with the symbol engine.
     
    Stack text from my repro (with DEP enabled):
    STACK_TEXT:  
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    03c4bce8 03c4bd14 02aeeb34 000005c4 00000003 <Unloaded_symsrv.dll>+0xecbf
    03c4bd14 75153471 00000003 0294001c 0294001c 0x3c4bd14
    03c4bd14 75153471 00000003 0294001c 0294001c cabinet!FDIGetFile+0x121
    03c4bd30 75153618 00000000 000004fc 0469019c cabinet!FDIGetFile+0x121
    03c4bd4c 02aee625 0293f860 02ae2c4e 03c4bd88 cabinet!FDICopy+0x172
    03c4c0d8 7c91056d 00000000 00261288 00261288 <Unloaded_symsrv.dll>+0xe625
    03c4c318 02af2a37 0003bc5a 0003b63c 0003b008 ntdll!RtlFreeHeap+0x647
    03c4c334 02ae521a 032c4d50 00000001 00000000 <Unloaded_symsrv.dll>+0x12a37
    03c4c478 7c910945 7c91094e 00000000 00000000 <Unloaded_symsrv.dll>+0x521a
    03c4c978 02ae6087 03c4cbc8 03c4da98 03c4c990 ntdll!RtlAcquirePebLock+0x28
    03c4cba8 0302dfee 03c4cbc8 03c4da98 03c4dcbc <Unloaded_symsrv.dll>+0x6087
    03c4cfe8 03018e7d 00e70688 03c4d240 03c4da98 dbghelp_3000000!symsrvGetFile+0x12e
    03c4dcd0 03019ee7 00f5ac40 00f5b4d0 00f5b4c0 dbghelp_3000000!diaLocatePdb+0x33d
    03c4df4c 030415fe 00f5ac40 00000000 00000004 dbghelp_3000000!diaGetPdb+0x207
    03c4e170 0303fa35 00f5ac40 9217f261 000004fc dbghelp_3000000!GetDebugData+0x2be
    03c4e618 0303fcf4 00000420 05140ef8 03c4e72e dbghelp_3000000!modload+0x305
    03c4ea98 03037fdd 00000420 00f1f6e0 00000000 dbghelp_3000000!LoadModule+0xb4
    03c4eb04 0303815a 00000420 000004fc 0469019c dbghelp_3000000!SymLoadModuleEx+0x7d
    03c4eb30 00420664 00000420 000004fc 0469019c dbghelp_3000000!SymLoadModule64+0x2a
    03c4eb50 02208368 7e42f383 03c4ff74 041a1fb8 procexp+0x20664
    00000000 00000000 00000000 00000000 00000000 0x2208368
     
    I then excluded procexp.exe from DEP, and was able to repro what you described - Process Explorer disappeared.  So, I ran it under a debugger.  Each time I cancelled the Properties dialog with the Threads tab active, before symbol resolution was done, Process Explorer generally encountered either an access violation (first-chance), or a STATUS_BREAKPOINT (0x80000003) for which the debugger reports various messages like:
    HEAP[procexp.exe]: HEAP: Free Heap block 21e1798 modified at 21e19e0 after it was freed
     
    Eventually, procexp.exe got into such a messed up state that I encountered an infinite number of first-chance access violations and I had to kill the debugging session.
     
    Then, I ran procexp.exe and attached a debugger to it (so that the Win32 Special Debug Heap wasn't used).  Similar, but no heap corruption message or breakpoints.
     
    Given the <Unloaded_symsrv.dll> entries in the stack, and that it seems PE / DbgHelp loads / unloads symsrv.dll each time the Threads tab is displayed, it seems that perhaps somehow symsrv.dll is prematurely unloaded when one cancels the Properties dialog before symbol resolution is complete.  Chaos ensues.
     
    BUGBUG4:
    Unable to reproduce.
    Tuesday, July 10, 2007 3:57 AM
  • Moved issue report into its own topic:
     
    This is similar to Ivan's report, eariler in this topic.
    Monday, July 16, 2007 12:33 PM
  • Using PE 10.21 on Windows NT Terminal Server Edition (NT4) with SP6. System has 4GB of RAM and dual Xeon CPUs.

    System Information page has wrong info. Only shows 2GB of RAM, and the Commit graph stays constant and shows incorrect value compared to Commit box below. Windows Task Manager correctly shows 4GB of RAM, and shows same Commit numbers as PE.
    Wednesday, August 22, 2007 11:23 AM
  • procexp.exe 10.21
    Windows XP Pro SP3beta Build.3180

    I Install Windows XPsp1, after install SP3beta Build.3180
    after this Process Explorer show invalid info about memory usage for all
    proccesses.

    Standart TaskMgr show memory info all right!







    ps. I check version 11 of PExplorer. bug present too...
    and 100% reproduce on another OS: WinXPsp2 + all security updates for date: 1.09.2007.
    Sunday, September 2, 2007 12:28 AM
  • Process Explorer v11.0 Bugs

    1) Bug with [System Process]. Discovered at 2nd page of this thread. Still available.

    Steps to reproduce.

    1. Ctrl+F or menu
    2. Type for example ntdll.dll
    3. Press Search
    4. Browse in the search results. You will find mysterious [System Process] with Process Explorer PID.

    2) Buffer overrun as it described here

    http://forum.sysinternals.com/forum_posts.asp?TID=6397&PID=46212#46212

    Steps to reproduce.

    Modern malware sometimes fakes various Process Environment Block values. The most popular here is PROCESS_PARAMETERS substructure.

    procedure ExploitForPE(); 
    var
      bytesIO: DWORD;
      pBuf: PROCESS_BASIC_INFORMATION;
      buf: array[0..10000] of WCHAR;
    begin
      for bytesIO := 0 to 1039 do buf[bytesIO] := '1';
      bytesIO := 0;
      ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation,
     @pBuf, sizeof(PROCESS_BASIC_INFORMATION), @bytesIO);
      RtlInitUnicodeString(@p1.ProcessParameters.ImagePathName, @buf);
    end;


    After process is faking ImagePathName in this style Process Explorer can't normally start until process with faked PEB is working. Process Explorer simple dies with "Send to Microsoft" message. If exploit executes while Process Explorer is running then Process Explorer starts to show various incorrect information for this process.

    Minidump attached http://rku.nm.ru/procexp_minidump.zip (21 Kb)

    3) Driver still not unloading itself after exit. I think it should do this. It is just a matter of time when SecuROM or other "stuff" will add new blocking for Process Explorer. Because its names it object as PROCEXPxxx it will be easy to create full Process Explorer startup ban by simple mask.
    Tuesday, September 4, 2007 6:13 PM
  • Note: Some posts regarding tooltips in PE11 not displaying in Windows 2000 SP4 + Update Rollup 1 were moved into their own topic:
    Tuesday, September 4, 2007 9:19 PM
  • V 11.0

    Running on Vista Business Edition
    2gb RAM

    I have no column sets defined - just the default one exists, if I hit CTRL + 1 twice, it crashes.  Sometimes once - but the majority seems like twice is the lucky number.
    Wednesday, September 5, 2007 12:30 AM
  • Hi simon,
     
    I'm unable to reproduce this on XP SP2.  I'll try on Vista when I get an opportunity.  In the meantime, could you humor me by trying the following?
    1) Exit PE
    2) Rename / remove [HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer]
    3) Restart PE
    4) Try to reproduce the behavior
     
    Thanks very much!
    Wednesday, September 5, 2007 12:55 AM
  • That seemed to clear it up.  I deleted the reg entry and all is well with the world again.
    Thanks for the recommendation.
    Wednesday, September 5, 2007 1:18 AM
  • So I defined a new column set by going to View > Save Column Set...
    I named it "Default"
    Then when I hit CTRL + 1 the application crashes.

    But then I tried Defining a column set (the previous one did not save - I assume it's because it crashed after I defined it, and those settings are probably saved on exit) called "Default", then hit CTRL + Q to exit normally, then re-started and hit CTRL + 1.  Nothing happened except the status bar was cleared and then re-populated.  So I hit CTRL + 1 again, same thing, status bar cleared and then re-populated.  But after hitting it 2 more times the application crashed with an unhandled exception.

    Ah wait, I just tried it again to see if I could get the magical "4 tries" and it crashes.  It's not that, if I hit CTRL + 1 the status bar clears and repopulates, and no matter how many times I do it, it's fine.  It's only when I hit CTRL + 1 while the status bar is cleared and in the process of repopulating does the crash occur.
    Wednesday, September 5, 2007 7:25 AM
  • Thanks for providing further details, Simon.
     
    I've reproduced the crash on Vista (haven't tried other OS', yet).
    Wednesday, September 5, 2007 7:29 AM
  • I was able to get it to crash on my XP Virtual PC as well - but I can't duplicate it.  Just hitting CTRL + 1 a random amount of times and speeds seems to do it though.
    Hope that's helpful
    Wednesday, September 5, 2007 7:35 AM
  • PE v11.0

    Start it and look on Threads of System Idle Process ;)
    Wednesday, September 5, 2007 8:27 PM
  • 1. Right-clicking and highlighting problem:
    When startup, no process is highlighted in the list. Right-click process A, A is highlighted, but no menu opens with this click.
    Then right-click process B, the context menu opens, but process A is still highlighted.
    Then right-click process C, process B is highlighted now.

    2. Loading a Column Set always crashes PE. (I've removed PE's old registry keys and newly saved the column sets.)

    3. Still cannot display process names other than English, e.g. Chinese.


    + A suggestion:
    I feel, for CPU History in Tray Icon, opaque colors (as before) are better, more striking especially when CPU usage is high.


    My OS: XP Pro SP2 (Chinese Simplified).

    Saturday, September 8, 2007 2:53 AM
  • Hi sum1,
     
    Regarding your reports...
    1) Confirmed.
     
    2) The problem of PE crashing when applying a column set (CTRL+1), as you described, has already been reported, and I strongly suspect (Wink) it will be resolved with the next minor release.  I have been informed that the next minor release will be on Monday.
     
    3) Unable to test this.
     
    Thanks for the report!
     
    Saturday, September 8, 2007 8:34 AM
  • deleted - my fault
    Sunday, September 9, 2007 8:31 AM
  • 2. Loading a Column Set always crashes PE. (I've removed PE's old registry keys and newly saved the column sets.)



    Yeah, unfortunately I too can confirm this, while I also agree regarding the tray-icon's opaque colors being better...


    Ivan
    Monday, September 10, 2007 5:05 AM
  • Well, and now I am glad to report/confirm that the 11.01 version (the latest minor update) fixes the Column Set related crashes, and also the high-lighting related problem/glitch mentioned in one of the posts above, so thank you Mark very very much!!


    Ivan
    Tuesday, September 11, 2007 4:03 AM
  • Excellent, thanks!

    Tuesday, September 11, 2007 5:24 AM
  • Hello, EP_X0FF.
    PE v11.0Start it and look on Threads of System Idle Process ;)

    The "system idle threads display" bug has been fixed by Process Explorer v11.01.

    Regards,
    Karl
    Tuesday, September 11, 2007 5:55 AM
  • Saving the Sort Column

    For example, there are only 3 columns, the 2nd ([Start Time]) is the sort column.

    Drag and move the 3rd column to be the 1st. [Start Time] (now the 3rd ) is still the sort column. Things seem OK. Save this column set.

    Exit and restart PE. Now you'll find the sort column is not [Start Time] but the 2nd one.

    Same problem in the saved Column Set.

    Wednesday, September 12, 2007 11:43 AM
  • Exit and restart PE. Now you'll find the sort column is not [Start Time] but the 2nd one.
     
    Same problem in the saved Column Set.
     
    Confirmed.  Actually, I don't even need to exit PE - the sort column changes immediately after saving the column set.  But I do see that moving the sort column and exiting PE causes the column that is in the position where the sort column previously was, to become the "new" (unintended) sort column.
    Wednesday, September 12, 2007 8:53 PM
  • Actually, I don't even need to exit PE - the sort column changes immediately after saving the column set.
    Yes. Thanks.
    I hastily added "Save this column set." after "Things seem OK." just before posting.
    Thursday, September 13, 2007 3:26 AM
  • Hi sum1,
     
    Looks like 11.02 takes care the case where PE doesn't sort by the expected column, as described above.
    Friday, September 14, 2007 6:54 AM
  • What about the "GUI glitch" which causes the bottom-most process (its line in the PE's process-pane) to appear as if there was 0.001 mm (or something like that) missing at its bottom??! I hope that you understand what I mean, otherwise I will post a screenshot ...


    regards, Ivan
    Monday, September 17, 2007 5:46 AM
  • Screenshot please. I don't see what it is you're referring to. Does it do this only when you have certain fonts set?
    Monday, September 17, 2007 8:33 AM
  • Oh and I totally forgot about this (i.e. I even had it written already in my "To-Post.doc" to-do file) possible bug: sometimes you need to open the Process Properties window twice for the graphs-tooltips to work. And note that this particular glitch existed also in version 10.25 ...


    /EDIT: Sorry Bryce, I totally missed your reply; I will post a screenshot ASAP ...


    P.S. - And yes, not actually a bug, but more or less same as for . I am talking baot the Threads tab in Process Properties sub-window. Now that Thread ID column was added, you always need to arange the columns for the CPU column to be visible. Can this be fixed/changed as it was before (i.e. the CPU column being visible right away)??!


    Ivan
    Tuesday, September 18, 2007 1:56 AM

  • Tuesday, September 18, 2007 3:09 AM
  • Hi Zeroes,
     
    Have a look here:
     
    To hide the <Pagefile Backed> sections, uncheck "Show Unnamed Handles and Mappings" in the View menu.
     
    Tuesday, September 18, 2007 3:14 AM
  • Screenshot please. I don't see what it is you're referring to. Does it do this only when you have certain fonts set?


    Errrr, well Bryce I guess you are right (I will not post that screenshot mentioned above), i.e. it's probably one of my fonts and/or font-sizes fault since I've changed these a lot (from default settings) through the "Advanced Appearance" section under Control Panel -- Display -- Appearance (Advanced button) to make it work/look normal with my bbLean alternative shell.


    cheers all, Ivan
    Wednesday, September 19, 2007 7:57 AM
  • since 11.00, online search does not work. it opens the web browser, calls google, but only searches for "%1"
    Thursday, September 20, 2007 5:42 PM
  • since 11.00, online search does not work. it opens the web browser, calls google, but only searches for "%1"
    It is not correct to state that the function Search Online does not work at all in P.E. 11.
    It all depends on 2 factors:
    + which browser is your default browser, I.E. vs. others
    + has a default search engine been setup correctly.

    Yet, it is true, "Search Online" will fail on a number of configurations.

    As P.E.11.x and Autoruns8.73 use the same approach for Search Online, it may be helpful to checkout these two threads, depending on which browser you use:

    + autoruns does not run online search in IE7

    + autoruns doesn't launch online search in Firefox

    Karl
    Thursday, September 20, 2007 5:56 PM
  • okay, let's see the circumstances:
    - Firefox is not installed
    - IE 7 is not installed
    - I still use IE6
     
    My default browser is Maxthon, which uses the IE engine. The same configuration was used when I used Process Explorer 10.x. The problem occured when I installed PE 11.01.
    Now I reverted the default browser to IE6. Now it calls for Windows Live Search instead of Google, but it still gives %1 as parameter.
    Thursday, September 20, 2007 6:15 PM
  • Hi Karl and Mostly Harmless,
     
    I might mention that though not quite the same situation, this topic may be relevant:
    Thursday, September 20, 2007 7:44 PM
  • It indeed helped, thank you.
    (I used Maxthon for years, and earlier never had this problem)
    Friday, September 21, 2007 2:01 AM
  • + A suggestion:I feel, for CPU History in Tray Icon, opaque colors (as before) are better, more striking especially when CPU usage is high.



    ... and yes, this is especially true in my specific situation since I am running DC projects (currently only the Folding@Home one in particular), and so I am not entirely sure if the CPU usage is at 0 or at 100%.


    Ivan
    Friday, September 21, 2007 10:13 AM
  • Using 11.02 and Firefox 2.0.0.7.  Firefox is my default browser.  When I use Search Online, it attempts to open another instance of Firefox (it pops up as a new process) even if Firefox is already open, then shuts down after a second or two.  It does this for whichever  process I choose to search.  I did not have this problem in 10.x versions of Process Explorer.
    Friday, September 21, 2007 11:29 PM
  • Hi, Chuck.

    Note:
    Autoruns 8.7x and PE11.x use the same internal routines to execute "Search Online".
    I.e. if it works in 1 programme, it will work in the other programme as well. If it does not work for one, then it will not work in both.
    I know I reported so before?! => 6 posts upwards.

    So the (mis)behaviour you report has been reported before. Admittedly the reports were inside the Autoruns forum. (Yet, in this particular case this does not matter.)

    It is a known problem. So far no-one has reported a solution, yet.

    "Search Online" in P.E. 10.21 simply worked because the "http://..."-string to launch MS Live Search was hardcoded inside the executable file. Up to v10.20 you could switch between Google and Live Search.

    Karl
    Saturday, September 22, 2007 12:23 AM
  • The recent .7 update of FF has a bugfix that prevents exploits based on misusage of the % character. For example:
    mailto:test%../../../../windows/system32/calc.exe".cmd
    That link would actually start calc.exe if FF 2.0.0.6 was the default browser, even when invoked from PE's run or from Start Menu Run dialogs. This was fixed in .7.
    I am sure Autoruns worked fine here with FF.6 that did not have this fix. It appears the new URL calling method Mark uses is incompatible with the .7 bugfix.

    To Mark:
    Please bring back the opaque Graph Colors in all graphs and the grid in the Graphic CPU History column, at least as options, thanks.

    Monday, September 24, 2007 10:09 AM

  • OK folks, before posting my really long post with many bugs/glitches described graphically with screenshots (which I am writing/preparing to post for a long time now), I will only mention another minor PE's bug ...


    I don't know if it's just me (i.e. my computer) or not, but on my PC there are connections displayed for "System Idle Process" and strangely not for the "System" process (i.e. the TCP/IP tab is empty), which I guess is wrong.


    The screenshot of TCP/IP tab:




    cheers, Ivan
    Sunday, October 7, 2007 7:25 AM
  • Hi Ivan,
     
    I can't explain why there may not be connections for your "SYSTEM" process (does TCPView show any?).  Yet, the connections for the System Idle Process seem to be explained here:
    Sunday, October 7, 2007 9:47 AM
  • I can't explain why there may not be connections for your "SYSTEM" process (does TCPView show any?).


    Yeah, the reason for the high number of connections is that I was running my p2p-sharing application the Soulseek (that's the "slsk.exe" process in the list) at that particular time.


    And additionally (not that this is the reason for it though), I've patched my "tcpip.sys" driver because of the "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts." warnings that I was getting all the time in the Event Viewer; also see the TCP/IP has reached the security limit... thread that I opened on "Ars Technica" forums back then, of course, if you are interested.


    P.S. - Oh and yes, for details on how it did it (i.e. patched that driver with hex-editor) see the On patching the Win XP SP2's "tcpip.sys" driver ... thread that I also opened on "Ars Technica" forums!!


    Ivan
    Monday, October 8, 2007 3:39 AM
  • Resuming the "Search Online" problems experienced by Firefox users
    (cf. the posts inside this thread by Mostly Harmless and Chuck)
    I would like to give these pieces of advice:

    Please, check out
    + the related Autoruns Firefox thread
    + the related Autoruns Opera thread

    HTH,
    Karl
    Monday, October 15, 2007 8:49 PM
  • Drag and move a column to be the 1st column. Then reduce its width to 0 (to "hide" it) by dragging the right edge of its heading fully to the left. Then exit and restart PE. -- You'll find the 1st column is 4-character wide now. And it cannot be "hidden" any longer (its minimum width is 2 characters now), unless you drag it to be a non-1st column and restart PE.

    Besides, if you "hide" the 2nd/3rd column by reducing their width to 0, next session they will expand to about 17 character width.

    I found these odd things when I was trying to hide PID column. I don't understand why the new PE has been designed not to allow users to hide PID column by deselecting it in [Select Columns] dialog.

    The only way to "hide" PID column is to move it to the 4th position or further and reduce its width to 0. Confused

    Monday, October 15, 2007 8:52 PM
  • I don't understand why the new PE has been designed not to allow users to hide PID column by deselecting it in [Select Columns] dialog
    The ability to hide the PID column in this fashion was not possible in PE 10.21, either.  So this is not something specific to the "new" 11.x PE.
     
    The behavior you describe was also present in PE 10.21.  Except, in PE 10.21, the "And it cannot be "hidden" any longer" piece does not apply.
     
    Probably, some of these behaviors are meant to protect people from themselves, or are a part of protecting people from themselves.  And I believe the PID column is meant to be an "anchor"-type column*, as by default it is the first column to the right of the "tree/list" Process column.
     
    *=ISTR that this was discussed somewhere, but when I have looked for it in the past I have been unable to find it
    Monday, October 15, 2007 9:51 PM
  • Bug:
    At Win2000 -> PE 11.02 -> any process properties -> TCP/IP tab do not work
    Wednesday, October 17, 2007 2:08 PM
  • Bug:
    At Win2000 -> PE 11.02 -> any process properties -> TCP/IP tab do not work
    Just tested it here on a randomly chosen Win2K SP4 RUP1 server.
    PE11.02 will show TCP/IP information for any given process provided the process has got an open connection.
    Browsers e.g. usually close any given connection pretty quickly after they have received a webpage. In this case, PE can only display the TCP/IP information while the browser is using the connection.
    Yet, e.g. our backup client software will hold an open connection to the backup master server all the time. This is how I could determine that PE 11.02 will display TCP/IP connections correctly.

    Conclusion:
    The "Win2000 -> PE 11.02 -> any process properties -> TCP/IP tab" bug does not exist.

    Karl
    Wednesday, October 17, 2007 4:33 PM
  • MS Windows 2000 Pro sp4 without rollup update

    PE 10.21
    ftp://bug:bug@81.222.204.116/norm.jpg

    PE 11.02
    ftp://bug:bug@81.222.204.116/bug.jpg
    Wednesday, October 17, 2007 5:18 PM
  • Hi, JustSoul.

    For outdated systems like Win2000 SP4 without Rollup 1, keep Process Explorer v10.21.

    As we have not got any Win2K SP4 without Rollup1 I cannot verify if RUP1 makes the difference in this case or not (it looks like it does).

    Karl
    Wednesday, October 17, 2007 7:44 PM
  • hello,

    here is my bug:

    ProcExp v11.02
    OS: Vista x64 Ultimate
    when the "System information" dialog is active for some time (1-5 minutes), ProcExp is crashing (leaving icon on the tray)..

    Oleg
    Monday, October 22, 2007 12:02 AM
  • Hi Oleg,
     
    I'm unable to reproduce this, on XP SP2 (32-bit) at least.  Will try Vista Ultimate (32-bit) later (no 64-bit hardware to test with... Embarrassed).
     
    Can you provide some crash details (.dmp file, event from Application Event Log, etc.)?
    Monday, October 22, 2007 12:52 AM
  • Unable to reproduce this on Vista Ultimate (32-bit), as well... Confused
    Perhaps x64-only?  Can anyone else with access to a 64-bit system try this?
    Monday, October 22, 2007 9:24 AM
  • Hi,
    new treelist control in 11.x version is terrible (my icons 32x32 are all confused), both in XP (32bit) and Vista (32 bit).

    The 10.x version visualization is perfect (XP & Vista), infact I had to go back to previous version.

    Can you improve icons display in new treelist control?
    Thank you very much
    Wednesday, October 24, 2007 3:55 PM
  • Hello
    I believe that I have found a bug in PE 11.03 x64
    OS: WinXP Pro x64 SP2

    Steps to reproduce:

    A) Using _64-bit_app_ (like explorer) start
         (1) %windir%\system32\cmd.exe
    and
         (2) %windir%\syswow64\cmd.exe
    Now we have two shells: (1) x64 and (2) x86
    Examine both with PE and TaskMgr to prove that.

    B) Run "notepad" from each of the shells.
    Now we have two notepads too: x64 and x86 (and TaskMgr proves that).
    But PE shows both notepads as x64
    and in the DLL pane PE shows that notepad-x86 has loaded all DLLs from syswow64 (that's right)
    But the .EXE itself is loaded from system32 (obviously wrong). Also icon & description come from x64 .EXE

    PE is not confused when notepad-x86 is started using full path (e.g. "%windir%\syswow64\notepad.exe") from cmd-x86.
    I guess PE does not take into consideration WOW64 file system redirector somehow.

    -------

    PS: dunno about 11.02/Vista64 but with 11.03/XP64 I see no problem with "System Information"
    (keeped it open for about 40 min)
    Friday, November 2, 2007 7:40 AM
  • Odd bug in Process Explorer v11.04 with the help menu.

    The help menus gets completely disabled and you have to restart app for it be become re-enabled.

    See:



    To replicate:

    1.) Start Process Explorer (PE) and make sure "Show Lower Pane" is unchecked under "View" menu. If it is checked, uncheck, close PE and restart.

    2.) Push ctrl+d on your keyboard and now the help menu is disabled. Whoops!

    3.) Push ctrl+l and help menu is still disabled. So close PE and restart. Now the help menu is enabled.

    Odd!
    Wednesday, November 7, 2007 2:39 PM
  • Hi, Will.

    Proceeded as instructed by you.

    Results:
    + Problem not confirmed for P.E. v11.04 on WinXP Prof SP2. The help menu items are selectable all the time.
    + Problem not confirmed for P.E. v11.04 on Win2K SP4 Rollup1. The help menu items are selectable all the time.
    + Problem not confirmed for P.E. v11.04 on Win2003 SP1. The help menu items are selectable all the time.

    Will try the same procedure on Vista, Win2K, Win2003 (all 32bit) as soon as I find the time and report back.  (Win2K + Win2003 done, see above)

    Maybe stopping P.E., removing "HKCU\Software\Sysinternals\Process Explorer" and restarting P.E. will solve the issue for you as well.

    Karl
    Wednesday, November 7, 2007 5:48 PM
  • Also unable to confirm, on Vista Ultimate 32-bit.
    Push ctrl+d on your keyboard and now the help menu is disabled. Whoops!
    Odd that the screenshot shows handles in the lower pane, and CTRL+D will set the lower pane view to "DLLs" ... ?
    Wednesday, November 7, 2007 7:49 PM
  • Hi, War59312, Karlchen, and Molotov,

    No need to restart.

    Try it this way:
    Select process A. >> Ctrl+D. >> Ctrl+L. >> Open [Help] menu. (Enabled.)
    Ctrl+D again. >> Ctrl+L. >> Open [Help] menu. (Disabled.)
    Select process B. >> Ctrl+D. >> Ctrl+L. >> Open [Help] menu. (Enabled again.)
    Ctrl+D again. >> Ctrl+L. >> Open [Help] menu. (Disabled again.)
    ...

    Another way:
    Select a process. >> Ctrl+D. >> Ctrl+L. >> Open [Help] menu. (Enabled.)
    Ctrl+D again. >> Ctrl+L. >> Open [Help] menu. (Disabled.)
    Ctrl+D again. >> Click a dll in the lower pane. >> Ctrl+L. >> Open [Help] menu. (Still disabled.)
    Ctrl+D again. >> Ctrl+L. >> Open [Help] menu. (Enabled again.)

    Or:
    When newly started, no process selected. >> Open [Help] menu. (Enabled.)
    Ctrl+D. >> Ctrl+L. >> Open [Help] menu. (Disabled.)

     

    Seems something to do with the [DLL] menu toggling and/or the focus moving.

    XP Pro SP2

    Thursday, November 8, 2007 1:07 AM
  • XP Pro SP2, PE 11.04.
    Unable to recreate using any of the 3 sets of steps posted by sum1.
    Thursday, November 8, 2007 1:30 AM
  • Vista Home Premium, PE 11.04.
    Unable to reproduce the described behaviour using any of the 3 sets of steps posted by sum1, too.

    Karl
    Thursday, November 8, 2007 3:50 AM
  • sum1 , I can reproduce every time. Running Windows XP Pro. SP2. IE 7 is not installed, not sure if that matters.

    Karlchen, I removed the key, rebooted PC and ran PE and after clicking agree to terms and trying again, once again the about menu becomes disabled.

    My computer is 100% up to date.
    Friday, November 9, 2007 4:39 PM
  • Hello, Will.

    So at the moment, we have two users of P.E. v11.04 who experience the issue and two users who cannot reproduce it on different Windows platforms (Windows XP Pro SP2, Win2k Sp4 Rollup1, Win2003 Sp1/Sp2, Vista). And we have got no clue what the race condition may be that triggers the problem. Confused

    As a consequence, there is no further idea from my side for the moment on what to do in order to diagnose the source of the problem. Sorry. Hopefully others will have helpful ideas.

    Kind regards,
    Karl


    Friday, November 9, 2007 6:56 PM
  • IE 7 is not installed, not sure if that matters
    My computer is 100% up to date
    Big%20smileWink
     
    I just tested on a fully updated XP SP2 system, running IE 6, and was still not able to reproduce the reported behavior.  As Karl, I have no further ideas. Confused
     
    (Enabled again.)
    Yet, while the problem might be "flakey" and mildly inconvenient, it does seem that it is not difficult to get into the help once it occurs.
     
     
    Friday, November 9, 2007 10:32 PM
  • I am also unable to reproduce the behavior on XP Pro 32bit, SP2, IE 6
    Sunday, November 11, 2007 11:14 AM
  • Yeah it's no big deal, just thought it was kinda funny really. lol

    Thanks everyone for trying to replicate.
    Monday, November 12, 2007 4:21 PM
  • It seems to me that PE 11.04 still has a memory leak.
     
    It starts out at around 16 MB but its memory usage increases... after a day or so of running it was using 45 MB. Previous versions (10.x) did not seem to increase memory usage if it was left running.
     
    Wednesday, November 14, 2007 8:03 AM
  • Hi FrizzleFry,
     
    What value are you referencing when you mention "memory usage", and what tool are you using to measure it?
    Wednesday, November 14, 2007 8:14 AM
  • Usually just Process Explorer itself - the Working Set column - but also Task Manager.
    Wednesday, November 14, 2007 9:47 AM
  • It seems to me that PE 11.04 still has a memory leak.
    the Working Set column
    From the Process Explorer help file:
    Private Bytes represents the amount of private virtual memory a process has allocated and is the value that will rise of a process exhibiting a memory leak bug.
    Wednesday, November 14, 2007 10:12 AM
  • XP Pro SP2, PE 11.04.
    Limitation: upon "Runas..." the length of the path to be keyed in is limited, and quite short BTW: 52 chars...
    Though not actually a bug, this is a really annoying limitation preventing to runas apps stored in deeep subdirectories
    Thursday, November 15, 2007 4:40 PM
  • Hi TerDale,
     
    Haven't run into it before, but you are correct - "Runas" and "Run as Limited User" (and "Run as Administrator in Vista") all seem to enforce rather short command lines - 43 characters by my count...
    Thursday, November 15, 2007 8:40 PM
  • Hi

    Noticed the following small bug (or is it a feature?) on

    XP Pro SP2, PE 11.04.

    If you are in the Properties dialogue box for a process, then on the "Threads" tab, if you click on a thread to highlight it, the details e.g. Thread ID etc, the value updates.

    If you then use the up and down arrow keys on the keyboard to move through the list of threads, although the highlighting moves through the list the detailed information below the list does not update.

    Not sure if this has already been noticed?

    P.S. very useful software.

    Thursday, November 15, 2007 10:25 PM
  • Hi Steve,
     
    I have been told that this will be addressed in the next Process Explorer update.  Thanks for the report.
    Thursday, November 15, 2007 10:32 PM
  • Hi Molotov,


    Haven't run into it before, but you are correct�- "Runas" and "Run as Limited User" (and "Run as Administrator in Vista") all seem to enforce rather short command lines - 43 characters by my count...


    Glad you confirm it ;-)
    So, as a newbie on this forum, what does that mean: fix in next planned version? Or instead in a sooner bug-fix release?
    Thursday, November 15, 2007 10:32 PM
  • So, as a newbie on this forum, what does that mean: fix in next planned version? Or instead in a sooner bug-fix release?
    It simply means that I can confirm what you report.  Not sure if or when it may be addressed.  Mark and Bryce do visit these forums, so I would not be surprised to see some attention paid to it in an upcoming realse.  But that is just speculation.
    Thursday, November 15, 2007 10:45 PM
  • I am also experiencing a Process Explorer V11.04 memory leak at the rate of 4k per 3 second interval. If allowed to run over several days, bad things seem to happen to my W2K OS. PE has been executing for several days at a time as I am trying to trap some intermittent problems in an application software package. When PE becomes part of the problem instead of part of the solution then we all suffer greatly.
    Sunday, December 16, 2007 8:11 AM
  • I have a toolbar on top of the desktop with selected "stay on top" property. When I a multiple time open and close properties window of any process, then this window (properties window) is moved up, and up, and finally is located above the screen edge.
    Wednesday, January 2, 2008 10:33 AM
  • Hello!
    After run ProcExp 11.04, if click left mouse button on any process and select Properties... on the tab Permance, in the CPU group label "Context" displayed  instead of label "Cycles"

    Tuesday, January 22, 2008 6:37 PM
  • Hi Stanner,
     
    On pre-Vista systems, "Context" displays instead of "Cycles".  On Vista, "Cycles" displays.
    Tuesday, January 22, 2008 7:56 PM
  • Process explorer 11.04

    > 64 bit prob.  on XP64 and server 2003/64

    > The DLL pathnames are incomplete (filename only is visible) on the DLL pane.

    Sunday, February 10, 2008 10:11 PM
  • Hi, jluu.

    Thanks for your report. I admit I had not noticed this behaviour before trying to reproduce it.

    OK, let me clarify how to reproduce the incorrect behaviour:

    Standard DLL pane behaviour (with column "Path" for DLL pane not ticked):
    + select any process in the process list or process tree inside P.E.
    + press ctrl-d to open the DLL pane in the lower half of the window
    + the left most column will show the DLL filenames (without any path).

    In order to see the fully qualified filename in a dedicated column inside the DLL pane, proceed like this:
    + Select "View" => "Select Columns" => tab "DLL" => tick "Path" => click "OK"
    + The DLL pane will show the fully qualified filename in a column titled "Path"

    Scope of the reported error

    The error is that for 32bit processes the "Path" column inside the DLL pane will display the pure filename, instead of the fully qualified filename.
    For 64bit processes the "Path" column inside the DLL pane will display the fully qualified filename.

    Clicking with the mouse on the "Name" column will display a tooltip shwoing th fully qualified filename for all 64bit DLLs, but pure filenames for 32bit DLLs (in most cases).

    This behaviour can be reproduced on P.E. 11.04.

    Regards,
    Karl
    Sunday, February 10, 2008 10:51 PM
  • If PE start up with shortcut option [RUN: minimized]
    at deployment the window is not recovered previous maximized state :-(
    Wednesday, February 13, 2008 8:13 PM
  • Hi alt76,
     
    The behavior you describe seems similar to this topic, which does offer a workaround:
     
    Wednesday, February 13, 2008 8:42 PM
  • I'm getting caught out by this Vista Bluescreen 3 or 4 times a week :-(
     
    WARNING: Stack unwind information not available. Following frames may be wrong.
    nt!ObfDereferenceObject+0x66
    PROCEXP110+0x946
    PROCEXP110+0xe5c
    PROCEXP110+0x103c
    nt!IofCallDriver+0x64
    nt!IoIsFileObjectIgnoringSharing+0x3453
    nt!IoIsFileObjectIgnoringSharing+0x4417
    nt!NtDeviceIoControlFile+0x2a
    nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xba2
    0x777a0f34
    0xbadb0d00
    0x3f1c8e8
     
    Any chance of a fix ? It seems to have been going on since Septmber
    --
    Dan
    Monday, February 18, 2008 4:05 PM
  • Hi Daniel,
     
    PROCEXP110
     
    Seems you're using an older version of Process Explorer.  Please upgrade to the latest, 11.04.
    Monday, February 18, 2008 7:13 PM
  • Hi Molotov,
     
       Still there:
     
     
    WARNING: Stack unwind information not available. Following frames may be wrong.
    nt!KeBugCheckEx+0x1e
    nt!KeRevertToUserAffinityThread+0x1c4
    nt!Kei386EoiHelper+0x1d2
    nt!PsCreateSystemThread+0x13d0
    nt!PsReleaseProcessExitSynchronization+0x2d
    PROCEXP111+0x944
    PROCEXP111+0xf3b
    PROCEXP111+0x114e
    nt!IofCallDriver+0x64
    nt!IoIsFileObjectIgnoringSharing+0x3453
    nt!IoIsFileObjectIgnoringSharing+0x4417
    nt!NtDeviceIoControlFile+0x2a
    nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xba2
    0x771a0f34
    0xbadb0d00
    0x4b1cea8
    Monday, February 18, 2008 10:22 PM
  • What are the repro steps?  I've been running PE on Vista 32-bit for ages and don't have any problem...
     
    Also, what drivers are loaded?  And can you post a minidump?
    Monday, February 18, 2008 10:36 PM
  • Seems to happen under relatively heavy system load (usually when building our product).
     
    I'm on 32bit Vista (dual quad core) as well, don't believe I have any unusual drivers. I'm running Hardware RAID 1 for my O.S. and data, and Hardware RAID 0 for my build drives.
     
    I've uploaded a minidump
     
    uploads/20080219_064600_Mini021908-02.zip
     
    --
    Dan
    Monday, February 18, 2008 10:49 PM
  • Not that it's at all related...
    What is xpvcom.sys?
     
    Does the problem happen when only one Process Explorer driver is loaded?
    Tuesday, February 19, 2008 10:57 AM
  • Hi Molotov,
     
       xpvcom.sys, I have no idea ;-), a quick binary dump reveals several microsoft copy right notices and references to microsoft  certification services.
     
       The prcoess Expolrer driver, I guess I have to run procexp in non admin mode to find out? Is there anyway of doing that without having to turn UAC back on (and rebooting) and messing up my dev environment ;-) ?
     
    --
    Dan
    Tuesday, February 19, 2008 3:57 PM
  •    xpvcom.sys, I have no idea ;-), a quick binary dump reveals several microsoft copy right notices and references to microsoft  certification services.
    It's not present on my Vista system, and a quick Google search didn't turn up anything...
     
    The prcoess Expolrer driver, I guess I have to run procexp in non admin mode to find out? Is there anyway of doing that without having to turn UAC back on (and rebooting) and messing up my dev environment ;-)
    The .dmp file showed that both procexp110.sys and procexp111.sys were loaded.  If you run only one version of PE (preferably, the most current), only one version of the driver should be loaded.
     
    If you do choose to run PE from a standard account (no need to tweak UAC, etc.), the driver will not be loaded.  If the BSODs are frequent, and if running PE in this mode is adequate for your needs, this may be a desirable consideration.
    Tuesday, February 19, 2008 7:18 PM
  • Sorry for the delay, BSOD's really put a downer on day, so I've let of trying to test this. I left procexp running overnight, and the machine crashed (and faield to POST, fortunately it did the second time of asking). I had rebooted after copying 11.04 down so am fairly confident procexp110.sys was nowhere around.

    Standard account is of no use (VS even wants you to run it from an admin account, let alone the pain of however many UAC dialogs a day).

     
    --
    Dan
    Monday, February 25, 2008 4:11 PM
  • and faield to POST
    Do you suspect hardware problems with this machine?
     
    Do you use Handle.exe on this server?
     
    What do you use to do the builds?
     
    VS even wants you to run it from an admin account

    What version of Visual Studio are you referring to?
    Monday, February 25, 2008 8:39 PM
  • PE v11.10

    As usually mysterious [System Process] with PE process id  (when searching for handle or dll) is not fixed. This bug simple irritates and was known last 1.5 year.
    Tuesday, February 26, 2008 2:35 PM
  • PE v11.10

    New Infinite Pause Bug with Process Explorer

    Start PE
    Launch Handle or dll search Ctrl+F
    Close PE by hitting [x] on the main PE window (search dialog must remains visible)
    Start PE again, it will be paused and you can't unpause it until removing registry entries.
    Tuesday, February 26, 2008 3:09 PM
  • Hi EP_X0FF,
     
    I see the [System Process] you reference.  However, I cannot recreate exactly the "Pause Bug" you describe.  I don't think the behavior is new with 11.10, as I also see it with 11.04 as well as 10.21.
     
    I do the following:
    + start PE
    + bring up the "Process Explorer Search" dialog
    + click on the [X] on the main PE window
    + start PE again
     
    PE's display is paused when I launch it again, but I am able to unpause it by setting the desired Update Speed from the View menu.  I do not need to remove the registry entries.
    Wednesday, February 27, 2008 10:20 AM
  • Hi,
     
    Regarding the CPU Cycles(Vista)/Context from ProcessExplorer, I have this question for Windows Vista:
     
    Any process I choose (although there are some with N/A), in Properties > Performance tab, the CPU Cycles shows value 0, which is not very correct (the CPU cycles shown in the Vista perfmon tool show different).  
     
    Is there a setting I missed or is this a known issue on Vista?
    Wednesday, February 27, 2008 4:05 PM
  • Hi Onoriu,
     
    Using Process Explorer 11.11, any process I inspect in Vista shows an appropriate value (non-0) for CPU Cycles on the Performance tab (when I'm not running it elevated, some processes show n/a for all values on the Performance tab, which I would expect).
     
    I assume that if you add the Cycles column to the main PE window, you also see 0?  What about the "Cycles Delta" column on the Threads tab of an active process?
     
    You might also try exiting PE, renaming / removing [HKCU\Software\Sysinternals\Process Explorer], and restarting PE, as this has been known to clear up odd display-type issues.
    Wednesday, February 27, 2008 7:51 PM
  • I added the column to the main window and the problem was solved. After removing the column, when checking the process through double click, the CPU cycles had a different value than 0, but a constant one - the one it showed when removing the column.
     
    This is though in PE 11.04 (I was sure I had the latest version, otherwise I wouldn't have bothered here - but double-checked now and...).
     
    Now, with PE 11.11, the problem is solved. Thank you for the help, molotov
    Wednesday, February 27, 2008 9:08 PM
  • I am using PE 11.11 and notice that if I run the following batch file from a DOS window (XP Pro and XP Home) the Private Bytes of procexp.exe increase until all memory is used (admittedly after many hours of use).

    :Loop
    cmd /c exit
    goto Loop


    After reading other posts I uninstalled all versions of .NET framework (1.1, 1.1 hotfix, 2.0 and 3.0) and ran the test again with the same results. Does this imply a memory leak is still in PE?
    Thursday, February 28, 2008 8:55 AM
  • However, I cannot recreate exactly the "Pause Bug" you describe.  I don't think the behavior is new with 11.10, as I also see it with 11.04 as well as 10.21.
     
    I do the following:
    + start PE
    + bring up the "Process Explorer Search" dialog
    + click on the [X] on the main PE window
    + start PE again
     
    PE's display is paused when I launch it again, but I am able to unpause it by setting the desired Update Speed from the View menu.  I do not need to remove the registry entries.


    Hi molotov,

    You were right. This bug can be solved by changing update speed. But "Space" button is not functional in this case, isn't it?

    Also if I press "Refresh Now" in such paused mode, PE lists will be refreshed, label "Paused" will be removed, but PE still remaining in coma.
    Saturday, March 1, 2008 9:41 PM
  • Correct - the space bar does not pause / resume, and "Refresh Now" will still refresh.  But I still see the Paused label in the status bar - refreshing does not remove it.  Still, the only way to recover from the paused state in this case is to change the update speed, or exit PE, remove the registry settings, and restart PE.
    Sunday, March 2, 2008 12:51 AM
  • But I still see the Paused label in the status bar - refreshing does not remove it.


    Are you sure?

    Did you tried following steps:
    1) Do the infinite pause
    2) Go to View->Refresh Now, or use F5. The listview will be refreshed and freezed. For me - label "Paused" is removed and PE is still paused.
    Sunday, March 2, 2008 1:21 AM
  • Yes, I am sure.  On Vista and Server 2003, neither pressing F5 nor choosing Refresh Now remove "Paused" from the status bar.
     
    Sunday, March 2, 2008 1:31 AM
  • Yes, for now it is really not disappearing anymore, as well as on Vista. Excuse me for false positive :)
    Sunday, March 2, 2008 1:43 AM
  • Hi, jluu.


    Scope of the reported error

    The error is that for 32bit processes the "Path" column inside the DLL pane will display the pure filename, instead of the fully qualified filename.
    For 64bit processes the "Path" column inside the DLL pane will display the fully qualified filename.

    Clicking with the mouse on the "Name" column will display a tooltip shwoing th fully qualified filename for all 64bit DLLs, but pure filenames for 32bit DLLs (in most cases).

    This behaviour can be reproduced on P.E. 11.04.

    Regards,
    Karl
     
    I noticed this is corrected in version 11.11 dated feb 27th 2008
     
    Thanks a lot.
    Jose
    Friday, March 7, 2008 12:19 AM
  • I found a minor bug, where "Process Properties" window's position isn't remembered (as it should and as it was in previous versions), but after closing the previous one, the new one appears a bit below (like in cases when you open multiple such windows one after another, when the next appears a bit below, but if you close them in the right order, (i.e. last -> first), then next time the new window's position will be the same as previously remembered ...


    Regards, Ivan
    Saturday, March 8, 2008 2:37 AM
  • maybe there's a storage leak within PE (11.11 and all versions before).
     
    when running an application that subsequently calls cmd.exe each second executing some batch commands, that results in creating a new process and ending the previous.
     
    PE private storage grows steadyly until -hours later- , it exceeds windows virtual storage limit.
    Wednesday, March 12, 2008 2:39 AM
  • uploads/20080317_075655_procexp_11_11_w.rar
     
    PE 11.11 under XP SP2, running on 2x3,0GHz Pentium D925, at MB Asus P5K premium.
    The total I/O data rate in "System Information" chart shows wrong measurement when running devices under SATA controller mode AHCI.
    Included screen snapshot shows activity for three tasks/disks simultanously with true data rates that are verified by same results of test measurement tool HD Tune.
    Data rates per device at snapshot are 33,9+34,9+59,1 (sum=127,9) , but system information i/o history graph shows 59,1
    Sunday, March 16, 2008 11:58 PM
  • maybe there's a storage leak within PE (11.11 and all versions before).
     
    when running an application that subsequently calls cmd.exe each second executing some batch commands, that results in creating a new process and ending the previous.
     
    PE private storage grows steadyly until -hours later- , it exceeds windows virtual storage limit.




    I am using PE 11.11 and notice that if I run the following batch file from a DOS window (XP Pro and XP Home) the Private Bytes of procexp.exe increase until all memory is used (admittedly after many hours of use).

    :Loop
    cmd /c exit
    goto Loop


    After reading other posts I uninstalled all versions of .NET framework (1.1, 1.1 hotfix, 2.0 and 3.0) and ran the test again with the same results. Does this imply a memory leak is still in PE?





    @DarrenD
    @Ernst@at

    I don't know, why this issue continuing ignore by the developers... Confused

    There are so many posts around this behavior, e.g. my own:

    http://forum.sysinternals.com/forum_posts.asp?TID=13187




    Monday, March 24, 2008 7:49 PM
  • maybe there's a storage leak within PE (11.11 and all versions before).
     
    when running an application that subsequently calls cmd.exe each second executing some batch commands, that results in creating a new process and ending the previous.
     
    PE private storage grows steadyly until -hours later- , it exceeds windows virtual storage limit.




    I am using PE 11.11 and notice that if I run the following batch file from a DOS window (XP Pro and XP Home) the Private Bytes of procexp.exe increase until all memory is used (admittedly after many hours of use).

    :Loop
    cmd /c exit
    goto Loop


    After reading other posts I uninstalled all versions of .NET framework (1.1, 1.1 hotfix, 2.0 and 3.0) and ran the test again with the same results. Does this imply a memory leak is still in PE?





    @DarrenD
    @Ernst@at

    I don't know, why this issue continuing ignore by the developers... Confused

    There are so many posts around this behavior, e.g. my own:

    http://forum.sysinternals.com/forum_posts.asp?TID=13187






    Seeing large memory leaks in PE 11.11. I run the Cruisecontrol CI server, which I kick off from the command line in Win 2k. I was away on holidays for a week and came back to PE using 580 MB Private Bytes. I closed and re-started and PE was back down to 8MB.  Cruisecontrol kicks off a large number of java instances through its use of Ant. Since I started up PE again about an hour ago, the memory usage has grown 2MB.
    I'm not sure if it's a related issue, but some of the icons for the processes disappear. The icons are for processes that Cruisecontrol has nothing to do with, so I can't see how they are related.
    Wednesday, March 26, 2008 2:20 AM
  • This report by HAL07 seems to fit in here and to confirm the reported issue: PE leaks memory.

    Karl
    Thursday, March 27, 2008 7:11 AM
  • Process Explorer 11.11

    It crashes everytime when I switch Windows theme between windows classic and Zune style.

    Thursday, March 27, 2008 10:21 AM
  • Hi creyle,
     
    Sounds similar to this (confirmed) report:
    Thursday, March 27, 2008 10:39 AM
  • Hi creyle,
     
    Sounds similar to this (confirmed) report:


    Correct, thanks
    Friday, March 28, 2008 12:38 AM
  • Hi,
     
    Please note that Process Explorer 11.12 has been released:
     
    Those that have reported concerns about the memory usage of Process Explorer, please see if this helps.
    Monday, April 7, 2008 11:19 AM


  • Those that have reported concerns about the memory usage of Process Explorer, please see if this helps.


    Tongue Fine! After some tests with the new version 11.12 I would say: The problem has been solved! Thanks for that great work!

    You can test it with the following code (from DarrenD):

    :Loop
    cmd /c exit
    goto Loop

    The memory usage respectively the Private Bytes of procexp.exe do not increasing!


    Thursday, April 10, 2008 1:49 AM
  • Pause, and allow I/O to accumulate.  Unpause procexp.  The I/O Bytes display will briefly display the total of all I/O while paused.

    This causes the peak level of the I/O Bytes graph to be set to that value; a peak value of several gigabytes means that normal access from then on never shows up in the graph.

    I/O statistics during a pause should be discarded before continuing the graph.

    11.12.

    Sunday, April 13, 2008 9:23 AM
  • Hi, hurf,
     
    Confirmed - I see the I/O spike after resuming from pause.
    Sunday, April 13, 2008 11:12 AM
  • PE 11.13 Set Priority submenu missing current value.

    In 11.12 and previous, if you right click on a process and select "Set Priority ..." from the submenu, it would show you the current priority value with a black dot beside the currently selected value.

    That black dot indicator has disappeared from 11.13.  By design or regression?

    Windows XP Pro x64 with all the patches available from Microsoft Update, and another machine with Windows XP Pro SP2 with most patches, though IT controls some of that.  Wink  Both show the same behavior.
    Thursday, April 17, 2008 5:02 AM
  • Hi Philip,
     
    Confirmed, on XP Pro SP2 with PE 11.13 - no indication of priority, before or after setting it, in the "Set Priority" context menu.
     
    Thanks for the report.
    Thursday, April 17, 2008 5:04 AM
  • Note: on Vista, one does get a light indication of the current priority, but the black dot is obviously missing:
    Thursday, April 17, 2008 8:36 PM
  • This not a bug, just a design decision that has been overlooked or changed in recent releases.

    Quite naturally when a process is highlighted or selected, process explorer will consume more resources in order to provide you with extra detail.

    In version 10.21.0.0 if you highlighted a process, to un-highlight or deselect that process you could simply press Ctrl+Spacebar. When a process is deselected, process explorer produces way less CSwitches.

    In the later versions, current being 11.13.0.0, Ctrl+Space key combination no longer deselects a selected process. Currently the method I use for "deselecting" a process, is to open notepad, highlight it in ProcExp, then close the notepad. Round-a-bout eh?

    Anyway, appreciate the utility in any form, but can that be added back ? Thanks...
    Saturday, April 19, 2008 10:37 AM
  • Hi Intuit,
     
    Behavior difference between 10.21 and 11.13 confirmed - CTRL+space in 10.21 does deselect the process while the same act in 11.13 does not.
    Saturday, April 19, 2008 11:23 AM
  • Ctrl+Space key combination no longer deselects a selected process. Currently the method I use for "deselecting" a process, is to open notepad, highlight it in ProcExp, then close the notepad.
    There is one issue with this approach: when I close such application window and the corresponding process disappears, my PE 11.13 selects the next process up in the list.
    Sunday, April 20, 2008 9:21 PM
  • Whether or not it does that is intermittent with me and regardless, the closed process can be reselected again before it disappears. Set that delay to maximum under menu, options -> differential highlight duration.
    Sunday, April 20, 2008 9:32 PM
  • There is one issue with this approach: when I close such application window and the corresponding process disappears, my PE 11.13 selects the next process up in the list.


    Yeah that's true, when the corresponding process disappears, the PE selects the next process in the list. And also I can confirm that there's no "bullet" beside process' current base-CPU-priority as it was in all the previous versions before the latest 11.13 one ...

    P.S. - Oh and yes, I am reminding you all (users of this forum, but especially mods/admins, and program's author) about that minor bug that I have found and already mentioned it in this thread. I am talking about the bug which causes PE's "Process Properties" window position not being remembered (as it was in previous versions till version 11.10 or 11.11, if I recall correctly), i.e. after closing the previous "Process Properties" window, the new one appears a bit below the last one (like when you open multiple such windows one after another); in previous versions if you opened only one, the next time the "Process Properties" window had the same position, while in case if you opened multiple windows one after another (and closed them in the right/same order, i.e. last -> first), then the next time the "Process Properties" window also had exact same position.

    Regards, Ivan
    Monday, April 21, 2008 8:36 AM
  • There is one issue with this approach: when I close such application window and the corresponding process disappears, my PE 11.13 selects the next process up in the list.


    Yeah that's true, when the corresponding process disappears, the PE selects the next process in the list.
    But there is stil one even simpler workaround. If the processes are displayed as a hierarchy tree, select any child process and select the [-] sign to the left of its parent. Selection (and childs) will disappear. After selecting the now [+] sign to the left of the parent, child process(es) appear(s) again, but the selection is away.
    Monday, April 21, 2008 9:01 AM
  • Whether or not it does that is intermittent with me and regardless, the closed process can be reselected again before it disappears. Set that delay to maximum under menu, options -> differential highlight duration.



    Again, simply reselect the process while it is highlighted in red. Process Explorer will not select the next process for a second time.
    Monday, April 21, 2008 10:44 AM
  • uploads/20080317_075655_procexp_11_11_w.rar
     
    PE 11.11 under XP SP2, running on 2x3,0GHz Pentium D925, at MB Asus P5K premium.
    The total I/O data rate in "System Information" chart shows wrong measurement when running devices under SATA controller mode AHCI.
    Included screen snapshot shows activity for three tasks/disks simultanously with true data rates that are verified by same results of test measurement tool HD Tune.
    Data rates per device at snapshot are 33,9+34,9+59,1 (sum=127,9) , but system information i/o history graph shows 59,1
     
    Please remember this maybe unnoticed post.
     
    PE 11.13 still shows wrong data in the System Information I/O Byte history graph.
    It seems PE shows only the data for the heaviest used device instead of the sum of all devices (as defined in the help file).
    This is independent of controller mode, it happens also in IDE controller mode
    Wednesday, April 23, 2008 2:45 PM
  • Comment retracted. Apparently the most recent version(s) do reselect the process without fail. While collapsing the tree does unhighlight the process, it does not deseelect the process. All the information is still displayed, resources consumed and therefore defeats the purpose of unhighlighting it.
    Wednesday, April 23, 2008 3:37 PM
  • [moved gtchamp7's post to Process Explorer - High CPU utilization?]
    Friday, April 25, 2008 6:26 AM
  • Hi

    Not sure if this constitutes a (GUI) (minor)bug, or that it is intentional.
    But when the PE-"Hide when Minimized" option is active,
    The main PE-window "Close" button/function will also Hide PE, instead of closing the PE process.

    If intentional, please enlighten me on the subject.
     (or redirect me to the appropriate tread)

    Cheers.
    MvG

    [ PE:11.13 ].[W.XP.Pro.SP2+]
    -- -- --
    Hi MvG,
     
    Perhaps this topic covers it:


    Yep
    Thanks.
    Saturday, April 26, 2008 11:23 AM
  • Hi MvG,
     
    Perhaps this topic covers it:
    Saturday, April 26, 2008 11:39 AM
  • I am seeing windows DEP having to kill PE 11.13 after you make some changes to the display properties and click on OK.

    E.g., this will reliably kill PE on my machine:
    1. Go to the "Display Properties" window
    2. Navigate to the "Appearance" tab
    3. Change the Color Scheme to, e.g. Silver
    4. Click "Apply"
    5. Boom!  DEP closes PE. Or if DEP is not enabled then PE seems to just crash.

    Anyone else seeing this?

    Monday, April 28, 2008 10:33 AM
  • Hi BertrandRussell,
     
    This is discussed here:
    PE 11.11 - Crashes after change Display Properties
     
    and in this very topic, here.
    Monday, April 28, 2008 10:43 AM
  • Sorry that I didn't find that it was already reported.  I am glad to see it is a known defect.  You wouldn't have any idea when we might get a fixed version?  I keep checking every couple of days to see if there are new versions released Smile.
    Monday, April 28, 2008 11:02 AM
  • No, I can't say either when this may be fixed, or even when a new version may be released.
     
    I keep checking every couple of days to see if there are new versions released .
    You may be interested in the Site Blog, which has an RSS feed you can subscribe to (if you do RSS).
    Monday, April 28, 2008 11:07 AM
  • I did a search but didn't find any other reports of the issue, so apologies if it's been reported already, but Process Explorer doesn't seem to like non-English characters (this is with the Russian language pack installed on Vista Ultimate x64)

    .
    Sunday, May 4, 2008 10:33 AM
  • "Set priority" sub-menu (Main menu -> Process -> Set priority or Right-click on process -> Set priority) no longer indicates current process priority. This used to work in previous Process Explorer versions, at least v11.11 showed priority correctly. But after I installed v11.13 - Set priority sub-menu still has margin to the left of menu items text, but there is no indicator for current process priority (PE v11.11 used to put something like list/radio-button bullet next to current priority). This repros on both  Vista SP1 and Win Server 2008.

    Monday, May 12, 2008 5:50 AM
  • Hi Sergey,
     
    Monday, May 12, 2008 6:13 AM
  • hello :)

    do the following problem is a bug? ver. 11.13

    I have an Intel E6750

    when I open the window "System Information" each CPU graph shows the activity of each core.

    when you put your pointer on the graph, you see a pop-up informing the process causing the CPU consumption.

    but here comes the problem, when I try to find what causes a peak in core1.

    EP shows the information of core0 processes in the pop-up of core1, making it impossible to know the process causing the peak consumption in core1.

    Thanks All :)
    Saturday, May 24, 2008 6:10 AM
  • Hi
     
    Just downloaded Process Explorer V11.13 (current version)
     
    And noticed that when you click on File, you have:
     
    Run...
    Runas...
    Run as Limited User...
     
    Probably someone (or many others) has mentioned that "runas" is not a word, it should be written "Run as..."
     
    But with all this youth newspeak, maybe runas is now accepted?
     
    Tuesday, May 27, 2008 8:55 PM
  • Hi KimslanD,
     
    I suspect that "Runas" is meant to convey an implementation detail - use of the Runas verb to ShellExecute, which would be used to launch the process specified in the dialog box that comes up when "Runas" is selected...
     
    Also, perhaps a tip of the hat to runas.exe...
    Tuesday, May 27, 2008 9:16 PM
  • I see, Runas is representing Runas.exe being the Run As Utility.
    Except it also automatically asks for the user account to run from.
     
    Ok it can stay :)
     
    Tuesday, May 27, 2008 9:52 PM
  • I'm using new Process Explorer 11.20 with Windows XP SP3. I still cannot view the dot representing current priority in the Set Priority submenu
    Wednesday, May 28, 2008 11:22 PM
  • Confirmed - the "priority dot" does not appear with 11.20 (XP SP2 & Vista SP1).
    Wednesday, May 28, 2008 11:23 PM
  • With 11.20 on Vista x64 when I launch and try to "Show Details for all Processes" - I get error - Windows cannot find C:\Users\usersname\Appdata\Local\temp\propexp.exe Make sure you typed the name correctly, and try again. The app was started from "C:\Program Files\Sysinternals Suite" (tried C:\PSTools - works fine when user has write to folder). It seems to work fine on x32 Vista lauching from same path location.
    So when opening from restricted folder on x64 the procexp64.exe image is copied to C:\Users\usersname\Appdata\Local\temp\ but procexp seems to be looking for procexp.exe not procexp64.exe. Anyway some minor bug here.
    Pete
    Friday, May 30, 2008 7:07 AM
  • I am using 11.20 on Windows XP Professional x64 Edition. I added columns for working set size and working set maximum. Many working set sizes are shown as greater than the working set maximum. Is this a bug?
    Monday, June 2, 2008 10:45 PM
  • Moved John_Mc's post to its own topic:
    Tuesday, June 3, 2008 11:26 PM
  • I found a minor bug, where "Process Properties" window's position isn't remembered (as it should and as it was in previous versions), but after closing the previous one, the new one appears a bit below (like in cases when you open multiple such windows one after another, when the next appears a bit below, but if you close them in the right order, (i.e. last -> first), then next time the new window's position will be the same as previously remembered ...


    P.S. - Oh and yes, I am reminding you all (users of this forum, but especially mods/admins, and program's author) about that minor bug that I have found and already mentioned it in this thread. I am talking about the bug which causes PE's "Process Properties" window position not being remembered (as it was in previous versions till version 11.10 or 11.11, if I recall correctly), i.e. after closing the previous "Process Properties" window, the new one appears a bit below the last one (like when you open multiple such windows one after another); in previous versions if you opened only one, the next time the "Process Properties" window had the same position, while in case if you opened multiple windows one after another (and closed them in the right/same order, i.e. last -> first), then the next time the "Process Properties" window also had exact same position.


    Well, I am glad to report that version 11.20 fixes this bug/glitch ...


    Thanks to the author(s), Ivan
    Friday, June 13, 2008 10:56 PM
  • Hi, I returned to bug you again with something I really think it's easy to fix yet an annoyance:

    When Explorer crashes/restarts/etc, the PE icon is returned to the tray, but the IO history is not. One must uncheck and recheck "show IO history" menu bar.

    Shouldn't be too hard, could you please add it to a todo?
    Friday, June 27, 2008 7:11 PM
  • Hi IMNdi,
     
    Similar to your own report, as well as pterry's.
    Friday, June 27, 2008 10:52 PM
  • [Note: moved ptr727's post into its own topic: procexp.exe - random crashes VistaSP1 x86]
    Monday, June 30, 2008 9:01 AM
  • [Note: moved Steve G.'s post into its own topic: PE Crash after Thread Inspection]
    Wednesday, July 2, 2008 8:44 PM
  • Hi,
     
    This is not so much a bug as it is a usabillity issue.
     
    I had a shockwave update window in the middle of the screen when I got home today. My only options were "Update now" or "Remind me later."
     
    Not wanting to choose either of these, I fired up process explorer to kill the Shockwave process. The confirm dialogue popped up under the Shockwave window though, and I thought something had gone wrong as it appeared that process explorer had stopped responding.
     
    Luckily I was able to kill the Shockwave thing with an ALT-F4 (I don't know why I didn't try that first) and then I saw the confirmation dialogue.
     
    Anyway, perhaps an auto-cancel after 15 seconds or something on that dialogue box might prevent something like this in the future?
     
    Thanks for the software in any case.
    Wednesday, July 9, 2008 12:44 PM
  • Hi Cam,
     
    In that case, too, it would seem to be quite helpful if Shockwave would not assume you wanted it to be on top of everything else in the world.  After all, it would have been on top of all other windows, preventing you from interacting with them as well (if Word had popped up a macro security dialog, or Outlook was prompting for a profile, or...).
    Wednesday, July 9, 2008 7:50 PM
  • High DPI Bug in Process Explorer's TCP Tab:

    OS: Windows XP MCE SP3
    Process Explorer Version: 11.20

    Repro:
    1. Set your DPI to 128 (133%)
    2. Set the screen resolution to 1680x1050
    3. Run Process Explorer
    4. Find a running program that has open TCP connections
     
    Observe that the each item in the list is shorter than necessary, which chops off the bottom of the text.
    Monday, July 14, 2008 10:03 PM
  • Confirmed - the "priority dot" does not appear with 11.20 (XP SP2 & Vista SP1).
     
    Looks like this has been addressed in the newly released Process Explorer 11.21 (the priority dot is now visible).
    Friday, August 8, 2008 7:22 PM
  • There is a GDI leak in v11.21. Looks like the code that clips the repaint region for the history graphs leak hRegion handles.  Happens when the history graphs are clipped by horizontal scrolling.

    Wednesday, August 20, 2008 10:42 AM
  • Hi ShawnNa,
     
    If you mean that you witness an increase in the GDI object count of procexp.exe, when adding one or more History columns to the main display and scrolling left/right, I believe I can confirm the reported behavior.  Bear indeed indicates that the "leaked" objects seem to be regions...
    Wednesday, August 20, 2008 1:41 PM
  • Another issue of PE in v11.20/.21: The display of the process tree is a bit suboptimal, at least at my machine (Vista, monitor settings at approx. 110 dpi):



    There's too much space between the lines because the icons and particularly the TreeView extenders are rendered way too big.

    While this does not affect the functionality, it is at least a bit annoying because it reduces the number of visible entries.

    Other than that: Thanks for this great tool that I'm using nearly on a daily basis!
    Friday, August 29, 2008 11:22 PM
  • Hi ShawnNa,


    If you mean that you witness an increase in the GDI object count of procexp.exe, when adding one or more History columns to the main display and scrolling left/right, I believe I can confirm the reported behavior.� Bear indeed indicates that the "leaked" objects seem to be regions...

    Yup, I can confirm too, and when 10k GDI objects are reached program will crash.

    check these in order to recreate crashing conditions
    http://hezer.naraku.org/sekalaista/procexp/pic/
    Thursday, September 11, 2008 12:04 AM
  • That's pretty cool - I tried out what you did and it worked the same on my machine as well. Very nice!
    Thursday, September 11, 2008 5:57 AM
  • Simon - to what are you referring?  Hezer's post?  I expect the problem to be addressed in an upcoming version of Procexp. 
    Thursday, September 11, 2008 5:58 AM
  • Simon - to what are you referring?� Hezer's post?� I expect the problem to be addressed in an upcoming version of Procexp.�

    Yeah, sorry, I should have quoted the post. That is what I was referring to. I added the GDI counter, and moved my CPU history graph over to the left so that half of it would be hidden when I scrolled and the GDI counter quickly hit the 10,000 limit and crashed PE.
    This doesn't really affect me as I never have the GDI counter present - and have the CPU graph off to the right.
    But - interesting behavior none the less.
    Thursday, September 11, 2008 6:07 AM
  • Hi PGomersall,
     
    I've got the same problem.  I would appreciate if someone could tell me what is going on.
    Monday, September 15, 2008 9:44 PM
  • Hi alfi819,

    No x64 to test with here, but it sounds like PGomersall has a pretty good description of what is going on.  Note that PGomersall references Process Explorer 11.20 (likely, the latest version at the time of the post); the current version is now 11.21.
    Tuesday, September 16, 2008 3:14 AM
  • Hi molotov,
     
    I have 11.21 but the same problem arise.
     
    Fortunatelly, I had just find a solution.  You should simply change the NTFS security descriptors...
     
    Ok, I will explain:
     
    1. Put PE files into [DRIVE LETTER:]\Programs\Process Explorer
    2. Open "[DRIVE LETTER:]\Programs\Process Explorer" properties, go to security tab, add "write" permission to "users group"
    Close and reload PE.  It should work correctly now.
     
    That's it.
     
    It is working for me, hopefully it will for all of you too!!!
     
     
    Hi alfi819,

    No x64 to test with here, but it sounds like PGomersall has a pretty good description of what is going on.  Note that PGomersall references Process Explorer 11.20 (likely, the latest version at the time of the post); the current version is now 11.21.
      
     
     
    Hi PGomersall,
     
    I've got the same problem.  I would appreciate if someone could tell me what is going on.
     
     
    With 11.20 on Vista x64 when I launch and try to "Show Details for all Processes" - I get error - Windows cannot find C:\Users\usersname\Appdata\Local\temp\propexp.exe Make sure you typed the name correctly, and try again. The app was started from "C:\Program Files\Sysinternals Suite" (tried C:\PSTools - works fine when user has write to folder). It seems to work fine on x32 Vista lauching from same path location.
    So when opening from restricted folder on x64 the procexp64.exe image is copied to C:\Users\usersname\Appdata\Local\temp\ but procexp seems to be looking for procexp.exe not procexp64.exe. Anyway some minor bug here.
    Pete
    Tuesday, September 16, 2008 7:45 AM
  • Cosmetic bug

    Process Explorer v11.21
    Windows XP Pro SP2/3, W2003sp1

    in "Regional and Language Options" applet chosen Regional Options - Russian.

    in default for this regional setting "Digit grouping symbol" - ' ' (Space)

    this equal to:
    [HKEY_CURRENT_USER\Control Panel\International]
    "sThousand"=" "

    all OK, PE show digit in data: memory,handles is right, but if i change
    "Digit grouping symbol" to symbol - ',',

    this equal to:
    [HKEY_CURRENT_USER\Control Panel\International]
    "sThousand"=","

    PE show wrong digit data...

    see pictures:
    http://picasaweb.google.com/Zeroes1/BugAlbum#5249982973003783522
    http://picasaweb.google.com/Zeroes1/BugAlbum#5249983010278664706

    if in "Regional and Language Options" applet chosen Regional Options - English
    by default "sThousand"="," and by default PE show wrong data?

    P.S. Reproduce - 100%
    Thursday, September 25, 2008 10:04 AM
  • Hi Zeroes,

    This, or something like it, has been previously reported:
    SystemInfo: MB displayed but KB indicated (and in this topic, here)
    Private Bytes shows wrong numbers

    if in "Regional and Language Options" applet chosen Regional Options - English
    by default "sThousand"="," and by default PE show wrong data?
    In this case, on restarting PE, the values are displayed correctly.
    Thursday, September 25, 2008 7:25 PM
  • Hi Zeroes,This, or something like it, has been previously reported:SystemInfo: MB displayed but KB indicated (and in this topic, here)Private Bytes shows wrong numbers
    if in "Regional and Language Options" applet chosen Regional Options - Englishby default "sThousand"="," and by default PE show wrong data?
    In this case, on restarting PE, the values are displayed correctly.


    ok. thanks for answer.
    What your opinion this bug PE or not? I'm as user, think what i have right change parameter sThousand to as i'm wish, but PE do not like this.

    anyaway Mark answer to me (i'm send e-mail)
    "Thanks for the bug report, Zeroes."

    may be this auto answer to me, and Mark not looking problem...

    Friday, September 26, 2008 7:25 AM
  • What your opinion this bug PE or not? I'm as user, think what i have right change parameter sThousand to as i'm wish, but PE do not like this.
    As I seldom have need to change regional settings (only for testing things like this, in fact), I do not know how I would classify this behavior.  I do not know what factors are at play, and I also do not know how other apps behave under similar conditions. Embarrassed

    may be this auto answer to me, and Mark not looking problem...
    I would be quite surprised if this was some kind of auto-response.  I assume various considerations are given to each bug report, similar to (and perhaps in competition with) feature requests, that determine any future action that may be taken toward it.
    Friday, September 26, 2008 8:30 AM