You may have come across situations where a continuous hard disk activity taking place although your system being in an idle state. If you open Task Manager out of curiosity, you may find several processes starting and exiting of their own without you doing anything. It could be a scheduled backup task, third-party system maintenance program or anything that could be churning your hard disk. It could be even a Malware. But which application or process launches them?
You can find more information about a executable by searching on the internet. Knowing the parent process of a running process is important as well, and that can be accomplished in many ways. Here are some methods to know the parent process and process ID of a running process.
Using Process Explorer
Process Explorer is a great program that tells you everything you want to know about running processes. Download Process Explorer, unzip and run the executable.
For purpose of illustration, I’m launching the System Information Tool (msinfo32.exe) via the Tools tab of the System Configuration Utility (MSConfig.exe).
In Process Explorer, press CTRL+T to switch to Tree view (default view) as below. This view shows the list of process started by a parent process.
Fig 2: msinfo32.exe process created by msconfig.exe
Another option would be to double-click the process, and this shows the "Parent" process and its Process Identifier.
Using Process Monitor
Process Monitor is another stunning tool from Windows SysInternals, which shows what’s running under the hood in real-time. It can track process, file system, registry and network activities in real-time, plus has other useful features. Download Process Monitor and run it.
Click the "Process and Thread Activity" button and disable all other buttons. Press CTRL+E to start capture (acts as toggle)
Any process that’s created and terminated from now on, is captured and shown in the display.
There you can see msconfig.exe process launching msinfo.exe.
Editor’s note: This method is very useful in cases where an unknown process runs only for 1 or 2 seconds and remains difficult to track using the earlier tool, Process Explorer. Where as in Process Monitor, it doesn’t matter whether the process is still running or terminated, as everything is recorded already during the span of capture period.
Happy Computing!
One small request: If you liked this post, please share this?
One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
it was very helpful. Can you please explain how to log all capture events automatically in a file.