Solved

How to Collect the Task Manager logs for some Period of Time?

Posted on 2016-08-25
Last Modified: 2016-10-03
Hi there,

   Is there any way we can collect the data of Task Manager (Applications & Processes details) for a specific period of time?

   The main need is to capture the process details, including the process name and Process ID (PID), for a specific time period in order to solve an issue in SQL Server that has given only a Process ID as a clue.

Thanks
Deepak
Question by:Deepak Kumar
6 Comments
 
LVL 3

Expert Comment

by:Ganga Sagar
 
LVL 12

Expert Comment

by:Benjamin Voglar
The best tool to monitor processes is "Process Monitor", written by Mark Russinovich.

It's a free tool.

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

You can use Process Explorer:

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

This is a version of Task Manager that is ten times better.
 
LVL 51

Accepted Solution

by: Joe Winograd, EE MVE (earned 500 total points, awarded by participants)
You could use the TASKLIST command, redirect the output to a CSV file, and then analyze it in Excel. Here's its syntax (which you can get via tasklist /?):

TASKLIST [/S system [/U username [/P [password]]]]
         [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]

Description:
    This tool displays a list of currently running processes on
    either a local or remote machine.

Parameter List:
   /S     system           Specifies the remote system to connect to.

   /U     [domain\]user    Specifies the user context under which
                           the command should execute.

   /P     [password]       Specifies the password for the given
                           user context. Prompts for input if omitted.

   /M     [module]         Lists all tasks currently using the given
                           exe/dll name. If the module name is not
                           specified all loaded modules are displayed.

   /SVC                    Displays services hosted in each process.

   /V                      Displays verbose task information.

   /FI    filter           Displays a set of tasks that match a
                           given criteria specified by the filter.

   /FO    format           Specifies the output format.
                           Valid values: "TABLE", "LIST", "CSV".

   /NH                     Specifies that the "Column Header" should
                           not be displayed in the output.
                           Valid only for "TABLE" and "CSV" formats.

   /?                      Displays this help message.

Filters:
    Filter Name     Valid Operators           Valid Value(s)
    -----------     ---------------           --------------------------
    STATUS          eq, ne                    RUNNING |
                                              NOT RESPONDING | UNKNOWN
    IMAGENAME       eq, ne                    Image name
    PID             eq, ne, gt, lt, ge, le    PID value
    SESSION         eq, ne, gt, lt, ge, le    Session number
    SESSIONNAME     eq, ne                    Session name
    CPUTIME         eq, ne, gt, lt, ge, le    CPU time in the format
                                              of hh:mm:ss.
                                              hh - hours,
                                              mm - minutes, ss - seconds
    MEMUSAGE        eq, ne, gt, lt, ge, le    Memory usage in KB
    USERNAME        eq, ne                    User name in [domain\]user
                                              format
    SERVICES        eq, ne                    Service name
    WINDOWTITLE     eq, ne                    Window title
    MODULES         eq, ne                    DLL name

NOTE: "WINDOWTITLE" and "STATUS" filters are not supported when querying
      a remote machine.

Examples:
    TASKLIST
    TASKLIST /M
    TASKLIST /V /FO CSV
    TASKLIST /SVC /FO LIST
    TASKLIST /M wbem*
    TASKLIST /S system /FO LIST
    TASKLIST /S system /U domain\username /FO CSV /NH
    TASKLIST /S system /U username /P password /FO TABLE /NH
    TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"


So you could do something like this:

tasklist /fo>taskmanagerdata.csv


It creates these columns:

"Image Name","PID","Session Name","Session#","Mem Usage"

To have it run for a specific period of time, set up a task in the Task Scheduler. Regards, Joe

Author Comment

by:Deepak Kumar
Hi Joe,

   Thank you very much for your reply .

As you stated, I ran the command as "tasklist /fo>taskmanagerdata.csv". I got an error something like this:
ERROR: Invalid syntax. Value expected for '/fo'
Type "TASKLIST /?" for usage.

could you help me out on this ?

Thanks in advance!!

Regards
Mohan
 
LVL 51

Assisted Solution

by: Joe Winograd, EE MVE (earned 500 total points, awarded by participants)
Hi Mohan,
My error — sorry about that! You need to specify the format after the fo option (table or list or csv). So the correct syntax is:

tasklist /fo csv>taskmanagerdata.csv


You should get a spreadsheet that looks like this (I bolded the heading in Excel and then sorted ascending by PID):

[screenshot: tasklist output]
Then, of course, schedule it via the Task Scheduler. Regards, Joe
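The procedure in the accepted answer and its correction (tasklist /fo csv redirected to a file, then scheduled with Task Scheduler) gives one snapshot per run. Two things bite in practice: the ">" redirection overwrites the file on every scheduled run, and the rows carry no timestamp, so you cannot tell which snapshot a PID came from. The following PowerShell script is an added example, not code from either answer in this thread: it polls TASKLIST at a fixed interval for a bounded window, prepends a timestamp to every row, appends everything to one CSV, and then lets you look up every snapshot in which a given PID appeared. The interval, duration, output path and the PID in the usage comment are placeholders chosen for the example.

```powershell
# Added example (not from the original thread). Polls TASKLIST for a bounded
# window and appends timestamped rows to one CSV, so that a PID quoted by SQL
# Server can later be matched to the image name that owned it at that moment.
# Assumed: the default interval, duration and output path below are placeholders.

function Start-ProcessCapture {
    param(
        [int]$IntervalSeconds = 30,                       # assumed polling interval
        [int]$DurationMinutes = 60,                       # assumed collection window
        [string]$OutFile = 'C:\Temp\taskmanagerdata.csv'  # assumed output path
    )

    # Column order of TASKLIST /FO CSV (the header it prints when /NH is absent).
    $columns = 'Image Name', 'PID', 'Session Name', 'Session#', 'Mem Usage'
    $end = (Get-Date).AddMinutes($DurationMinutes)

    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

    while ((Get-Date) -lt $end) {
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

        # /NH drops the header so each run parses against the fixed column list;
        # a plain scheduled "tasklist /fo csv >> file" would repeat the header on
        # every run and record no time at all.
        tasklist /fo csv /nh |
            ConvertFrom-Csv -Header $columns |
            Select-Object @{ Name = 'Timestamp'; Expression = { $stamp } }, * |
            Export-Csv -Path $OutFile -Append -NoTypeInformation -Encoding UTF8

        Start-Sleep -Seconds $IntervalSeconds
    }
}

function Find-PidOwner {
    # Lists every snapshot in which the given PID was present. Windows reuses a
    # PID once its process exits, so check that the Image Name stays the same
    # across the time window SQL Server reported; a change means a different process.
    param(
        [Parameter(Mandatory)] [int]$ProcessId,
        [string]$OutFile = 'C:\Temp\taskmanagerdata.csv'  # assumed output path
    )
    Import-Csv -Path $OutFile |
        Where-Object { [int]($_.PID) -eq $ProcessId } |
        Select-Object Timestamp, 'Image Name', PID, 'Session Name', 'Mem Usage' |
        Sort-Object Timestamp
}

# Usage (placeholder values): capture every 30 s for two hours, then look up PID 4812.
# Start-ProcessCapture -IntervalSeconds 30 -DurationMinutes 120
# Find-PidOwner -ProcessId 4812 | Format-Table -AutoSize
```

Run it in a PowerShell session that stays open for the collection window, or register it once in Task Scheduler with something like schtasks /create /tn "TaskListCapture" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Temp\Capture-TaskList.ps1" /sc once /st 09:00 (task name, path and start time are placeholders). Note that the snapshot interval bounds what you can see: a process that lives for less than one interval never appears in the file, and a reused PID can show two different image names in consecutive snapshots. One further caveat: if the SQL Server message is of the "Process ID NN was chosen as the deadlock victim" kind, that number is a SQL Server session id (SPID), not a Windows PID, and the place to look is sys.dm_exec_sessions rather than the task list.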
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
Accepting the post that the asker had already endorsed, along with the follow-up post that corrected a typo.