Windows' Resource Monitor is a hidden gem within the OS that can be very useful to an incident responder in a crunch. It isn't as comprehensive as SysInternals Process Monitor, but it is built into Windows, so you can use it on a computer with no internet connection. It lacks the depth of WMIC, but it does have a very nice GUI (if you are into that sort of thing). In short, Resource Monitor is a worthy addition to the incident responder's toolkit.
Resource Monitor isn't a separate program, but rather an operational mode for Performance Monitor (Perfmon.exe). If you start Performance Monitor with the "/res" option you will see the Resource Monitor interface.

Click START->Run, type "Perfmon.exe /res" and press Enter.
It has a series of tabs across the top (Number 1) for Overview, CPU, Memory, Disk and Network. Each of the tabs is broken down into sections that can be expanded or collapsed by clicking the arrow on each section's header (Number 2). The top section on each tab allows you to check a box next to a process name, which applies a filter to the other sections of the tab. So by checking the box next to "Firefox.exe" you will only see the disk, memory and network resources associated with the Firefox process. The disk section shows you the files that the process has open. The networking section shows you the fully qualified DNS name for each of the TCP and UDP connections in use by that process. The memory section gives you a quick look at how much memory the process is using. That's about it for the Overview tab.
If that didn't tell you everything you wanted, you can refer to the CPU, Memory, Disk and Network tabs for more information. Let's take a look at the CPU tab.
The CPU tab has some nice features. By selecting a process you can see all of the OS handles in use by the process (Number 4). It even has a search feature that allows you to search all of the open handles. The Modules section (Number 5) shows you all of the DLLs that are in use by the process.
I'll leave the remaining tabs for you to explore on your own. I think you will find that in a pinch Resource Monitor is a good way for a first responder to get a first look at what is happening on a computer.
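The same per-process view that the Overview and CPU tabs give you (memory, handle count, TCP/UDP connections with a DNS name for the remote end, and loaded DLLs) can be collected from a shell when there is no desktop session to click through, or when you want a text record for the case file. The script below is an added example written for this page, not something from the original diary or from Microsoft; it assumes Windows 8 / Server 2012 or later for the `Get-NetTCPConnection` and `Get-NetUDPEndpoint` cmdlets, and that the responder is running elevated so that connections and modules of other users' processes are visible.

```powershell
# Added example (not from the original post): a script-based equivalent of the
# Resource Monitor view of one process, for hosts with no GUI session.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection, Get-NetUDPEndpoint)
# and an elevated shell so other users' processes are visible.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName   # as in Get-Process, e.g. "firefox" (no .exe)
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No running process named '$ProcessName'"
    return
}

foreach ($p in $procs) {
    "=== $($p.ProcessName) (PID $($p.Id)) ==="

    # Memory section: working set and private bytes, as on the Overview tab
    "Working set : {0:N0} KB" -f ($p.WorkingSet64 / 1KB)
    "Private     : {0:N0} KB" -f ($p.PrivateMemorySize64 / 1KB)
    # Handle count (the CPU tab lets you browse the individual handles;
    # Get-Process only exposes the total)
    "Handles     : $($p.HandleCount)"

    # Network section: TCP connections and UDP endpoints owned by this PID,
    # with a best-effort reverse DNS lookup of each remote address
    $tcp = Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue
    foreach ($c in $tcp) {
        $name = $c.RemoteAddress
        # Skip lookups for unspecified/loopback addresses (listening sockets)
        if ($c.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1') {
            try { $name = [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName } catch { }
        }
        "TCP {0}:{1} -> {2}:{3} ({4}) [{5}]" -f $c.LocalAddress, $c.LocalPort,
            $c.RemoteAddress, $c.RemotePort, $name, $c.State
    }
    Get-NetUDPEndpoint -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        ForEach-Object { "UDP {0}:{1}" -f $_.LocalAddress, $_.LocalPort }

    # Modules section: every DLL mapped into the process, with its on-disk path.
    # Reading modules of a protected process or across a 32/64-bit boundary
    # can fail, so report that rather than aborting the whole run.
    try {
        $p.Modules |
            Select-Object ModuleName, FileName |
            Sort-Object ModuleName |
            Format-Table -AutoSize
    } catch {
        Write-Warning "Could not enumerate modules for PID $($p.Id): $($_.Exception.Message)"
    }
}
```

Run it as `.\ResMonView.ps1 -ProcessName firefox` (the file name is your choice) and redirect the output to a file alongside your other triage notes. Unlike the GUI, the module list is sorted so two captures taken minutes apart can be compared with a plain diff.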
Performance Monitor uses performance counters and Event Tracing for Windows to capture data from various sources. The "/res" option is one of Performance Monitor's ways of displaying that information to you. If you are curious what other modes Performance Monitor has, give "perfmon.exe /report" a try.
Reference:
http://dshield.org/diary.html?storyid=13735