NT process viewer by Andrew I. Reshin (aresh@mail.ru)

                 Modified: 31.01.2004



What is it?
-----------

NT Process Viewer is a utility that shows the list of processes and their
properties. You can also view the lists and properties of threads, modules,
handles, memory and environment of *any* process.

Internal functions of NT Process Viewer:
- search for substring in handles and/or modules
- view dump of memory
- set priority
- kill process
- suspend and resume threads of process


Installation
------------

Unpack and play :)
No additional libraries are needed, only the standard Windows NT modules.



Uninstallation
--------------

Run NTPVCON.EXE or NTPV.EXE with the parameters "delsvc ntpvdrv"
(e.g. "ntpvcon delsvc ntpvdrv") to uninstall the driver (NTPVDRV).
Then you can delete NTPV.EXE, NTPV.INI, NTPVCON.EXE, NTPVDRV.SYS
and NTPVDLL.DLL.



Known bugs
----------

None at the moment :)
NT Process Viewer has been tested under Windows 2000/XP, but I hope that
it works normally under Windows NT 4.0 too. If you have problems while
running NT Process Viewer, please send me a short description of your
troubles and system configuration (OS version/service pack number).



Additional notes
----------------

Autorefresh feature (NTPV)

Autorefresh is active only if the list of processes is focused or the "About"
dialog is activated. Autorefresh pauses while the content of a window is being
scrolled with the scroll bar.


"Columns" -> "Process".."Memory usage" (NTPV)

If you want to check/uncheck multiple column titles in the "Process".."Memory
usage" popup menus, you can use the spacebar instead of Enter or the mouse to
keep the menu from closing.


Save default priority (NTPV)

Choose the current instance of NTPV in the list of processes and set a new
priority; then, if no error occurred, choose the "Ok" button in the prompt
message box.


The "Kill" function (NTPV/NTPVCON)

"Kill" terminates the process without any warning if the SHIFT key is pressed
during the action, except when the process is running under the Local System or
an unknown account.
WARNING: In this case the process will not be given the chance to save its data
before it is terminated.


"Show only owned processes" (NTPV)/"PsOnlyOwned" environment variable (NTPVCON)

If this option is checked (or this environment variable is defined as "Y" or
"y" before you start NTPVCON.EXE), all processes started from another user
account or associated with another Terminal Services session ID are invisible
in the list and the tree of processes, and are ignored:
- in the System Information's count of processes, threads and handles
- in the search by module name
- in all PID-based functions of NTPVCON ("K[ill]" etc.)

For example, if you execute "set PsOnlyOwned=y" from the command line and then
run "ntpvcon.exe", you can't see "csrss.exe", "winlogon.exe" and other processes
started from the Local System account. Also, you can't accidentally kill
system or somebody else's processes ;)
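
The same "only owned" rule (same owner account and same session ID) can be
reproduced with built-in PowerShell cmdlets. This is an added example, not part
of NT Process Viewer; Get-OwnedProcess and Stop-OwnedProcess are hypothetical
helper names, and treating an unreadable owner as "not owned" is an assumption.

```powershell
# Added illustration, not NT Process Viewer code.
# Get-OwnedProcess / Stop-OwnedProcess are hypothetical helper names.

$CurrentSid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$CurrentSession = (Get-Process -Id $PID).SessionId

function Get-OwnedProcess {
    # Keep a process only if it runs in our session AND under our account (by SID).
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if ($p.SessionId -ne $CurrentSession) { continue }
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid -ErrorAction SilentlyContinue
        # Assumption: a process whose owner cannot be read is treated as not owned.
        if (-not $o -or $o.ReturnValue -ne 0) { continue }
        if ($o.Sid -ne $CurrentSid) { continue }
        [pscustomobject]@{
            Id      = $p.ProcessId
            Name    = $p.Name
            Threads = $p.ThreadCount
            Handles = $p.HandleCount
        }
    }
}

function Stop-OwnedProcess {
    param([Parameter(Mandatory)][uint32]$Id)
    # PID-based action restricted to the filtered set: anything outside it is ignored.
    $target = Get-OwnedProcess | Where-Object Id -eq $Id
    if (-not $target) {
        Write-Warning "PID $Id is not owned by this account in session $CurrentSession; ignored."
        return
    }
    Stop-Process -Id $Id -Confirm   # -Confirm asks before terminating
}

# Filtered list plus the counts that the filter also affects.
$owned = @(Get-OwnedProcess)
$owned | Sort-Object Name | Format-Table -AutoSize
"Processes: {0}" -f $owned.Count
$owned | Measure-Object -Property Threads, Handles -Sum |
    ForEach-Object { "{0}: {1}" -f $_.Property, $_.Sum }
```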



Disclaimer
----------

This software is free and freely distributable on a non-commercial basis.
The author disclaims any warranty for this software.
This software and any related documentation is provided "as is" without
warranty of any kind.



History
-------

16.02.1999

- First release.

26.02.1999

- Fixed: Threads/16-bitTasks column disappearance.
- Fixed: Incorrect view of localized environment strings.
- New: Ability to terminate a 16-bit task (not the whole NTVDM process).
Select the appropriate thread of NTVDM and choose "Kill".
- New: Package now includes a command-line version of NTPV - NTPVCON.

28.02.1999

- Minor changes in view of Threads/16-bitTasks and Processes/Main Window columns.

07.03.1999

- Fixed: NTPVCON showed localized window titles incorrectly.
- Fixed: Small handle leak in NTPV.
- Fixed: Some processes couldn't be opened for "Kill".
- Fixed: NTPV crashed when "Kill" was used on itself.
- Fixed: Involuntary decrease of NTPV window height.
- New: Minor changes for Windows 2000 Prof. compatibility.
- New: Brief system information in "About" message.
- New: Autorefresh feature in NTPV.
- New: NTPV saves sorting modes.
- New: Package now includes TESTREG utility (see description above).

12.03.1999

- Fixed: "Process memory dump" - NTPV was unable to redraw
itself while the external viewer was working.
- New: The "CPU" column in the processes list.
- New: "ntpv /h" now starts the program at high priority.

28.03.1999

- Fixed: Incorrect calculation of uptime.
- New: NTPV saves columns width.

26.04.1999

- Fixed: Incorrect view of system error messages in NTPVCON under
localized versions of Windows NT.
- Fixed: Incorrect view of localized names of 16-bit modules in NTPV.
- New: "ntpv /h" now starts the program at high priority or activates
the previous instance of NTPV, if any.

06.06.1999

- New: Pagefile space and kernel memory information in "About" message.
- "Paging file" in "About" message was renamed to "Commit charge".

27.07.1999

- New: Memory usage summary in NTPV. Some information
from processes list was moved to this new location.
- New: Summary of committed memory (NTPV -> Memory usage
or NTPVCON ->process information).
- NTPV menu bar was changed.

09.08.1999

- Fixed: Incomplete deletion of NTPV owned temporary files.
- New: Search for substring in handles and/or modules.
- Some changes in shell and engine :)

12.09.1999

- Now NTPV/NTPVCON use a common driver NTPVDRV.SYS and library NTPVDLL.DLL.
- Full path for files in the handles list now is really full ;)
- Registry changes are no longer necessary, so the TESTREG utility
was removed from the package.
- Package now includes the DELSVC utility.
- Handles references count information was removed.

18.10.1999

- The Windows 95/98 stub subroutine was removed, which significantly
decreased the size of the executable files.
- New: Command line switches are ignored in this version of NTPV, but
most settings can be changed from the "Commands" -> "Options" menu.
- New: NTPV can save its priority (see "Additional notes" above).

16.11.1999

- Ctrl + Gray+ key combination was disabled in NTPV.
- Fixed: Under some circumstances the system message
appears as "System Process - License Violation".

09.01.2000

- Fixed: Incorrect view of NTPV after restart if its window has been maximized.
- Some changes in the "Kill" function (see "Additional notes" above).

14.02.2000

- Fixed: (NTPV) Under some circumstances state of "Columns"
menu's items may be wrong.
- New: System uptime information in "About" message.
- Ctrl + Gray+ key combination was re-enabled in NTPV ;)

26.04.2000

- Fixed: Memory leak if the NTPVDRV.SYS can't start.
- New: "Version" in the list of modules (NTPV/NTPVCON).
- New: NTPV saves its current directory.
- New: NTPV uses a filename of the form "ATHHMMSS.SAV" (HH - hours, MM - minutes,
 SS - seconds) to initialize the "File Name" field in the "Save as" dialog.
- New: NTPVCON starts with high priority.
- New: "NTPVCON C" - display list of processes + CPU usage.

17.06.2000

- Fixed: A process memory at 0x00000000 could not be read anyway.
- Fixed: NTPV worked incorrectly with focused but not selected items of lists.
- New: Memory mapped files information in lists of modules.
- New: Information about processes and threads in the list of handles.
- New: Internal memory viewer in NTPV. External viewers and temporary
files are obsolete :)
- New: Now it is also possible to dump memory as raw data.
- New: "Commands" -> "Autorefresh" menu item (turn this option on/off
at one stroke).
- New: You still can, but no longer must use wildcards to find any substring.
- New: NTPV cancels sorting in a list if you click the right mouse button within
a list's header.
- New: Menu items "Commands" -> "Priority" -> "Increase"/"Decrease".
- Some changes in the "Kill" function (see "Additional notes" above).
- NTPV.INI format changes caused columns width and sorting settings to be lost.
Sorry for the inconvenience :(
- DELSVC utility was removed from package (see "Uninstallation" above).

13.07.2000

- Fixed: Incorrect view of the memory viewer's windows (NTPV) if the chosen
font is one of some raster fonts and its style is Bold and/or Italic.
- New: Tree of named objects.
- New: Tree of processes.
- New: For modules that have no version information, TimeDateStamp (creation
time, dd/mm/yy hh:mm, GMT) is displayed instead.
- The "About" dialog box and the memory viewer's windows (NTPV) use a common
monospace font ("Commands"->"Options"->"Fixed font").
- The "Goto" dialog box (NTPV - memory viewer) now is modal.
- Autorefresh in the window, that displays system information (NTPV - "About"),
paused if this window is focused.
- System information in the NTPVCON was separated from the help screen.

15.08.2000

- Fixed: Some small and rare bugs.

12.09.2000

- Fixed: "Floating" selection in the list of processes (NTPV).
- Fixed: The horizontal area at the top of listview windows could not be drawn
if the first item in a list is not visible.
- New: The "Run" dialog box ("Commands" -> "Run").
- New: NTPV/NTPVCON show an appropriate error message if initialization fails
due to insufficient user permissions.

23.10.2000

- New: TEBs base addresses in the list of threads.
- New: The file cache peak size in the system information.
- New: "NTPVCON <PID> KF" - force kill (primarily for usage in batch files).
- New: The "AccessMask" column in the list of handles (NTPV).
- New: The "Address" column in the list of search results (NTPV).
- The "PPID" and "StartAddress" columns were removed from the list of threads,
because this information seems useless. Let me know if you have another opinion :)
- Some changes in the "Save" function (see "Additional notes" above).

13.12.2000 (NTPV only changes)

- New: The Properties dialog box for files from the list of modules and for
processes or, rather, for files used to create processes ("Commands"->"Properties").
- New: Now you can copy to the clipboard contents of tables ("Commands"->"Copy")
and formatted dump of memory ("Copy" in the memory viewer).
- The function that initializes coordinates of dialog windows now ensures that
a dialog window is entirely or at least partially visible within the desktop area.
- Format of the list of environment strings was changed.
- Some changes in view of the "Commands" menu.

29.01.2001

- Fixed: "[#5] Access denied" error when changing priority of some processes.
- New: Autorefresh pauses during scrolling the content of a window with the
scroll bar (NTPV).

17.02.2001

- New: You can use the environment variable "NTPV_SOOP" to hide some processes
(see "Additional notes" above).
- New: The "Delta" column in the "Memory usage" list (NTPV).

24.05.2001

- New: NTPV options "Show only owned processes" (previously controlled by
the "NTPV_SOOP" environment variable, see "Additional notes" above), "Tab size
(for Save/Copy)" (previously controlled by the "Options"->"Tab" variable of
NTPV .ini file) and "Show only named handles".
- The "NTPV_SOOP" environment variable was renamed to "PsOnlyOwned" and now
affects only NTPVCON's functioning (see "Additional notes" above).
- NTPV menu bar was changed.

09.06.2001

- The "Memory usage" window was renamed to "Counters" (NTPV).
- New: (Windows 2000 only) IO counters (Read, Write, Other) in the process
information (NTPVCON) and in the "Counters" window (NTPV). Also new column
"IO" was added in the list of processes (NTPV) for indication of IO activity.

23.08.2001

- Fixed: On computers with Windows 2000 and 4 GB of memory or more, NT Process
Viewer showed incorrect information about "Physical memory" and "Commit charge".
- Fixed: Sorting by CPU usage in the list of processes did not work (NTPV).
- Fixed: Rare "Division by zero" error.
- New: The "Follow" menu item in the memory viewer (NTPV). This feature is
like the similar one in the Borland Turbo Debugger.
- New: The "Minimize on Escape" option (minimize or close the main NTPV window
if the Escape key was pressed).
- New: The "Hide when minimized" option (hide the main NTPV window when minimized).
- New: Free system PTEs (page table entries) in the system information.
- New: CPU usage in the "About" dialog (NTPV, the autorefresh feature must be activated).

22.11.2001

- New: Domain and user names in the list of environment strings of process.
- New: Now you can set process priority to "Above/Below normal" under Windows 2000/XP.
- Significantly changed the procedure to determine an object's name by handle.
Now it works under Windows XP too.

28.07.2002

- Improvement of the algorithm for obtaining domain and user names of process owner.
Now works under TSE too.

31.01.2004

- Fixed: Sometimes start of the driver fails under Windows 2000 TSE.
- New: Suspend/resume all threads of selected process.
- New: If the current sort mode is by CPU usage, NTPV does not scroll the list
of processes to ensure the currently selected process is visible.