Watching What Your Computer Is Doing

Your computer, as it runs the many programs that you (or others) start on it, and accesses other computers on your local or wide area network, is very busy. Even when you aren't doing anything intentionally, your computer is still busy. Sometimes, knowing what your computer is actually doing, at any time, is a critical need.

Long years ago, a computer would be pictured in a movie as a big metal box, with lots of flashing lights. Those lights were used, at that time, to tell what the computer was doing. Those computers ran very slowly (sometimes, not at all), and the flashing lights were critical to knowing what was going on, at any time.

The equivalent of a Blue Screen Of Death was known as (among other terms, some of which won't ever be discussed here) a Hard Stop. When a Hard Stop occurred (which could be many times / day, depending upon what programs were running), the lights would be used to describe what the computer had been doing, and to display the contents of memory and registers.

Today, no computer could ever drive enough lights to tell you anything useful. You typically have three lights on your computer. These lights tell you that the computer is doing something, period.

  1. Disk activity.
  2. Network activity.
  3. Power.

If you want to have any idea what your computer is doing, you'll have to at least list the tasks it's running. Task Manager is provided as a native component in Windows. Process Explorer (free), from the SysInternals division of Microsoft, provides more detail than Task Manager.

Knowing what tasks are running is a good place to start, but it's only a start. How do you know what each task is doing? I use Filemon and Regmon (both free, and both again from SysInternals).
  • Filemon lists files, as accessed (read and / or written) by any given process.
  • Regmon lists registry values, as accessed (read and / or written) by any given process.

You can use both programs simultaneously, or either program separately, at your convenience.
  1. Open the application that interests you.
  2. Identify the application in Process Explorer, and get its PID. Maybe use the Process Finder to automatically locate the entry for any visible window.
  3. Start Filemon / Regmon.
  4. Create a filter in either application, ":PID" where PID is the PID of the application in question.
  5. Go back to your application, make the change, and watch what Filemon / Regmon displays.
  6. When you find an interesting entry in Filemon, you can double click on it, to open Windows Explorer, and display the folder containing it.
  7. When you find an interesting entry in Regmon, you can double click on it, to automatically open Regedit, and display the registry entry in question.
  8. The filter used by Filemon and Regmon is very simple, and easy to use - it's a simple text string. If you know a process name, or file or registry path, you can filter on whatever you know. Use your imagination.
  9. Both Filemon and Regmon use a context menu (right mouse click) for displayed entries, and a toolbar with several other possibilities. Both can display changes continually (automatically scrolling as you watch), or will let you freeze the display, and manually scroll, at your convenience.

Besides knowing what your computer is doing right now, it is sometimes useful to know what your computer did when it started up. A lot of processes - legitimate, not legitimate, and some in between the two - are started, by other processes, when the computer starts up. Knowing how any process starts up can be important to knowing what it's doing right now. Autoruns (another SysInternals product) and HijackThis are key tools (both free) that I use for this purpose.

Now all of the above tools are used to monitor your computer, and what it's doing on its own. Most computers are used on a network, and make connections to other computers. TCPView, another SysInternals product, shows you what other computers your computer is connected to, local and distant.

If your computer uses WiFi for connectivity, knowing who shares the WiFi spectrum with you could be relevant.

And remember that most computers running Windows contain some server functionality. If your computer is on a local network with other Windows computers, sometimes knowing who else is accessing it is useful too.


Network Diagnostics Using Net Config

When you're having a problem accessing network resources, or displaying what network resources are available, Browstat is a good starting point. To check IP connectivity settings, you use IPConfig. Sometimes, though, neither "browstat status" nor "ipconfig /all" tells you what you need to know.

Starting from the lower level of the OSI Network Model, you look at an "ipconfig /all" log, and see a network connection, identified as:


Physical Address. . . . . . . . . : 00-04-76-D7-C5-6A

IP Address. . . . . . . . . . . . : 192.168.1.50


You suspect, but you can't tell for sure, that that same connection is identified in the accompanying "browstat status" log, as:

Status for domain WORKGROUP on transport NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}


To correlate the information provided by "browstat status" and "ipconfig /all", or in cases where IPConfig is irrelevant (such as where IPX/SPX must be used), you can use the "net config" commands:

net config server
net config workstation

As with any other command, you run it from a Command Window (or a command window in Windows Vista), which gives you the ability to redirect the output, to a text file, for analysis later. Since you're running 2 commands, one after the other, be sure to concatenate the output from the second after the first. Only type the command itself into a command window - do not type Start - Run - "net config...".

Let's look at "net config" from my mythical computer, "PChuck1".

First, "net config server".

Server Name \\PChuck1
Server Comment Primary

Software version Windows 2002
Server is active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F} (000476D7C56A)


Server hidden No
Maximum Logged On Users 10
Maximum open files per session 16384

Idle session time (min) 15
The command completed successfully.


Next, "net config workstation".

Computer name \\PChuck1
Full Computer name PChuck1.martinez.cacroll.net
User name pchuck

Workstation active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F} (000476D7C56A)

Software version Windows 2002

Workstation domain PChuck
Workstation Domain DNS Name pchuck.local
Logon domain PChuck

COM Open Timeout (sec) 0
COM Send Count (byte) 16
COM Send Timeout (msec) 250
The command completed successfully.

What does all of this tell us?

  • First,
    Computer name \\PChuck1

    PChuck1 is the name of the computer, which matches the browstat and ipconfig logs.
  • Next,

    Server is active on
    NetbiosSmb (000000000000)
    NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F} (000476D7C56A)

    Shows us two key items:

    • The network connection is using NetBT and SMB. This is a normal binding list.

      • If there was only an entry for "NetbiosSmb", file sharing would work, but access by name will be a problem. Always Enable NetBT for best results.
      • If there was an entry for "NwlnkIpx" and / or "NwlnkNb", file sharing MAY work, but irregularly.

    • The entry
      NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}

      as shown in "browstat status", corresponds to MAC address
      000476D7C56A

      as shown in "ipconfig /all".

  • A small, but still important detail,

    Server hidden No

    tells us that the server is intended to be visible in Network Neighborhood.
  • And some more details,

    Maximum Logged On Users 10
    Maximum open files per session 16384

    Idle session time (min) 15

    may tell us why all of the computers in the workgroup can't access shares on the server simultaneously.
  • Finally,

    Workstation domain PChuck
    Logon domain PChuck

    Shows that this computer is a member of domain (or workgroup) PChuck, and is logged on to domain PChuck. If your domains and workstations are named with some thought, this likely indicates that the computer in question is logged in to domain PChuck. On the other hand, if we had

    Workstation domain PChuck
    Logon domain PChuck1

    then we know that this computer is a member of domain (or workgroup) PChuck; but, in this case, the computer is logged on locally, to PChuck1. Note that since you can generally logon locally to any computer, even if it's a domain member, we still cannot tell if it's a domain or workgroup member.

A Gratuitous Protocol
But look closely at the list of protocol bindings. If "net config server" shows us, for instance,

Server is active on
NwlnkIpx (000000000001)
NwlnkNb (0016f004143e)
NetBT_Tcpip_{747CE691-1460-4F27-AB2F-F19C2110CCFB} (0016f004143e)
NetbiosSmb (000000000000)

Here we see another example of the presence of IPX/SPX ("NwlnkIpx"), and of NetBEUI ("NwlnkNb"). If you're having problems, which I presume is why you're here, always start by removing IPX/SPX and / or NetBEUI.
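
The correlation walked through above, and the check for gratuitous protocol bindings, can be run over saved logs. The following is an added example, not part of the original article: the function names are hypothetical, and the sample logs are constructed from the PChuck1 output shown above.

```python
import re

# Constructed sample logs, modelled on the PChuck1 output shown above.
IPCONFIG_LOG = """\
        Physical Address. . . . . . . . . : 00-04-76-D7-C5-6A
        IP Address. . . . . . . . . . . . : 192.168.1.50
"""
NET_CONFIG_LOG = """\
Server is active on
        NetbiosSmb (000000000000)
        NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F} (000476D7C56A)

Idle session time (min)               15
"""

# A binding line is "<transport> (<12 hex digits>)" and nothing else.
BINDING = re.compile(r"^[ \t]*(\S+)[ \t]+\(([0-9A-Fa-f]{12})\)[ \t]*$", re.M)
FIELD = re.compile(
    r"^[ \t]*(Physical Address|IP(?:v4)? Address)[ .]*:[ \t]*([0-9A-Fa-f.\-]+)", re.M)

def macs_to_ips(ipconfig_text):
    """Map each adapter MAC (12 hex digits, upper case) to its IP, if any."""
    result, mac = {}, None
    for label, value in FIELD.findall(ipconfig_text):
        if label == "Physical Address":
            mac = value.replace("-", "").upper()
            result.setdefault(mac, None)
        elif mac is not None and result[mac] is None:
            result[mac] = value
    return result

def correlate(ipconfig_text, net_config_text):
    """Return (rows, warnings); rows are (transport, MAC, IP or None)."""
    ips = macs_to_ips(ipconfig_text)
    # dict.fromkeys drops the repeats you get when the "server" and
    # "workstation" outputs are concatenated into one log.
    found = dict.fromkeys(
        (t, m.upper()) for t, m in BINDING.findall(net_config_text))
    rows = [(t, m, ips.get(m)) for t, m in found]
    warnings = [f"{t}: IPX/SPX or NetBEUI binding, remove it"
                for t, _, _ in rows if t.startswith("Nwlnk")]
    if rows and not any(t.startswith("NetBT_Tcpip") for t, _, _ in rows):
        warnings.append("no NetBT_Tcpip binding: access by name will be a problem")
    return rows, warnings

if __name__ == "__main__":
    for row in correlate(IPCONFIG_LOG, NET_CONFIG_LOG)[0]:
        print(row)
```

A row whose IP column is empty is a binding with no matching adapter in the "ipconfig /all" log, which is expected for NetbiosSmb and its all-zero address.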

CPSServ ("Comprehensive PSService") Source

Any computer running Windows Networking has certain network components and services, and requires those services to be running (generally Started and Automatic) for proper functionality. CPSServ checks your network, for the presence of those services, and their visibility from each computer on the network. When you are researching a network problem, having redundant information is useful.

Proper interpretation of the output from CPSServ requires identification of the version and edition of Windows, running on each computer. CPSServ will run on any Windows NT (NT, 2000, XP, Vista) computer, though it will provide essential diagnostic data, through the network, from computers running Professional operating system editions (Windows XP Pro / Windows Vista Business or Ultimate), with administrative access available (Simple File Sharing disabled / Password Protected Sharing enabled, and not restricted by Guest-only access).

Windows XP Home and Vista Home Basic don't run the Remote Registry Service, so they won't appear through the network. With a LAN of all Professional edition computers with administrative access, you could possibly obtain a complete diagnostic from running CPSServ on just one computer (though it is more valuable when run on more than one); with a LAN of Home edition computers, you will need CPSServ run on each computer.

Take the following code (look below, and copy everything BETWEEN the two lines, that contain "#####"). Please DO NOT include ANY portion of the two lines that contain "#####". Follow instructions below, precisely.


  1. Create folder C:\Utility on your computer, and make that folder part of the Path.
  2. Download PSTools (free) from SysInternals. Copy all components of PSTools, unzipped, into C:\Utility.
  3. Identify the Code below.
    • Look below, and find the first line "##### Start CPSServ Base Code".
    • Look below, and find the second line "##### End CPSServ Base Code".
    • The Code is everything BETWEEN those two lines.

  4. Open Notepad. Ensure that Format - Word Wrap is not checked. Highlight then Copy the code (Ctrl-C), precisely as it is presented below, and Paste (Ctrl-V) into Notepad.
  5. Save the Notepad file as "cpsserv.cmd", as type "All Files", into C:\Utility.
  6. Run it by Start - Run - "cpsserv".
  7. Wait patiently.
  8. When Notepad opens up displaying c:\cpsserv.txt, first check Format and ensure that Word Wrap is NOT checked! Then, copy the entire contents (Ctrl-A Ctrl-C) and paste (Ctrl-V) into your next post.


Do this from each computer, please, with all computers powered up and online. Running this code from each computer will give us a more complete picture of how each computer is set up, and what each computer can see from the others. On a completely working LAN, the multiple copies produced should be symmetrical. Running this, repeatedly, would be redundant. Since you're here, it probably won't be for you.

##### Start CPSServ Base Code

@echo off
set Version=V1.10
@echo CPSServ Comprehensive Networking Services %Version% - %computername%
@echo Start CPSServ %Version% - %computername% >c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find Computer Browser ("browser").
@echo Find Computer Browser ("browser") >>c:\cpsserv.txt
psservice find browser >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find DHCP Client ("dhcp").
@echo Find DHCP Client ("dhcp") >>c:\cpsserv.txt
psservice find dhcp >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find TCP/IP NetBIOS Helper ("lmhosts").
@echo Find TCP/IP NetBIOS Helper ("lmhosts") >>c:\cpsserv.txt
psservice find lmhosts >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find Remote Registry ("remoteregistry").
@echo Find Remote Registry ("remoteregistry") >>c:\cpsserv.txt
psservice find remoteregistry >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find Server ("server").
@echo Find Server ("server") >>c:\cpsserv.txt
psservice find server >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find WF / ICS ("sharedaccess").
@echo Find WF / ICS ("sharedaccess") >>c:\cpsserv.txt
psservice find sharedaccess >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find Workstation ("workstation").
@echo Find Workstation ("workstation") >>c:\cpsserv.txt
psservice find workstation >>c:\cpsserv.txt
@echo End CPSServ %Version% - %computername% >>c:\cpsserv.txt
notepad c:\cpsserv.txt

##### End CPSServ Base Code

My Principles and General Advice

Let's see what I come up with here. Like this entire website, this article will start out small, and will probably grow. If you think this is less than useful, check back again later.

NetBIOS Over TCP/IP

Microsoft Windows, in its default state, uses TCP/IP, and NetBIOS Over TCP/IP, for networking. Sometimes, we forget this detail. NetBT is so easily overlooked, yet it is essential.

If we are looking at the output from "ipconfig /all", and we see


IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
                                    192.168.1.33
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12


Obviously, we're going to correct that. But what if we simply see

IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
                                    192.168.1.33
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12

Do we see any problem there? Probably not. Look in the TCP/IP - Advanced Properties wizard, WINS tab. There are 3 possible settings for NetBIOS Over TCP/IP
  • Default.
  • Enable.
  • Disable.

The last setting, Disable, becomes apparent when we see the first example above. But what if we see the second example above? Well, that display can result from either the "Default", or the "Enable" setting. If it's not showing Disabled, it could be either.

The Default setting, according to the wizard, is for

Use NetBIOS setting from the DHCP server.

If your LAN
  • Has a domain.
  • Has computers running only Windows 2000, Windows 2002 (aka Windows XP), and Windows 2003 (aka Server 2003).
  • Uses DNS, properly set up, for name resolution.
then you may wish to disable NetBT, and use directly hosted SMBs.

But what if your LAN has a NAT router providing DHCP services, and / or has no domain? NAT routers are Operating System independent, and NetBT is a Microsoft Windows Networking feature. NAT routers have no setting for NetBIOS Over TCP/IP. If you select "Default", and you have a NAT router, what network functionality do you get?

The challenge is that this one setting affects multiple functions between your computer, and other computers, in both directions.
  1. Browsing: Ability to see other computers.
  2. File sharing: Ability to access resources on other computers.
  3. Name resolution: Ability to find out the addresses of other computers.


Depending upon what network hardware and software you have, any or all of the above functions may or may not work, in either direction (incoming or outgoing), between any pair of computers. And each different pair of computers may yield a different set of symptoms. If you have a NAT router providing DHCP services, the only way to deal with this reliably is to Enable NetBT consistently, on all computers.

In the TCP/IP - Advanced Properties - WINS wizard for all relevant network connections,

  • Select the radio button "Enable NetBIOS over TCP/IP".
  • Hit OK 3 times.
  • Close Network Connections, after enabling NetBT on all relevant network connections.

If you still see

NetBIOS over Tcpip. . . . . . . . : Disabled
after Enabling NetBT, check the TCP/IP NetBIOS Helper service.

Be safe - don't settle for "Default".
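
The ambiguity described above, and one way to resolve it, as an added example that is not part of the original article: "ipconfig /all" cannot separate Default from Enable, but Windows stores the wizard's choice per interface in the NetbiosOptions registry value (0 = Default, 1 = Enable, 2 = Disable), under the key shown in the sample. The "reg query" listing is constructed sample input, and the function names are hypothetical.

```python
import re

# Constructed sample of "reg query" output. The GUIDs are the ones in the
# transport names on this page; the values are made up for illustration.
REG_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}
    NetbiosOptions    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{747CE691-1460-4F27-AB2F-F19C2110CCFB}
    NetbiosOptions    REG_DWORD    0x1
"""

SETTINGS = {0: "Default", 1: "Enable", 2: "Disable"}
KEY = re.compile(r"\\Interfaces\\Tcpip_(\{[0-9A-Fa-f-]+\})\s*$")
VALUE = re.compile(r"^\s*NetbiosOptions\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)\s*$")

def ipconfig_view(adapter_block):
    """What "ipconfig /all" alone can tell us about one adapter."""
    if re.search(r"NetBIOS over Tcpip[ .]*:\s*Disabled", adapter_block):
        return "Disable"
    return "Default or Enable"  # the line is absent for both settings

def registry_view(reg_query_text):
    """Map interface GUID -> wizard setting, from "reg query" output."""
    settings, guid = {}, None
    for line in reg_query_text.splitlines():
        if (m := KEY.search(line)):
            guid = m.group(1).upper()
        elif guid and (m := VALUE.match(line)):
            settings[guid] = SETTINGS.get(int(m.group(1), 16), "unknown")
    return settings

def needs_change(settings):
    """GUIDs not explicitly set to Enable, which is what the article advises."""
    return sorted(g for g, s in settings.items() if s != "Enable")

if __name__ == "__main__":
    for guid, setting in registry_view(REG_LOG).items():
        print(guid, setting)
    print("Still to enable:", needs_change(registry_view(REG_LOG)))
```

The GUID in each key name is the same one that appears in the NetBT_Tcpip_{...} transport name in "browstat status" and "net config", so a flagged interface can be matched back to its network connection.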
