Process Monitor is a powerful tool and it can be used to track down exactly what program on your machine is responsible for internet activity.
Leo, my wife and I share a laptop, using Windows and connected to a satellite. The ISP limits our bandwidth. Recently, we received a message that we were using too much: about 150 MB during one recent hour. We do not run any videos, such as YouTube. We just browse some and use email.
Leo, my download speed is abysmal. I should be getting more than enough speed from my internet connection to watch videos non-stop, and yet stop and start and stop and start is exactly what they do. I suspect something else is downloading or something, but I can’t figure out what.
Is there any program which could monitor Internet activity and let me know what’s running?
Yes, there is.
Both of these problems are quite common, and it’s quite frustrating when they arise. With the amount of information now being stored and/or delivered over the internet, our connections are being stressed more than ever.
The technique I’ll describe uses a free tool called Process Monitor. I suspect it’ll be perfect for this problem. While it’s a little geeky, this extremely powerful tool can be used to diagnose many issues, and runs in all versions of Windows from XP to the most recent.
I’ll walk you through how to set it up for this scenario.
Download Process Monitor
We’ll start by downloading and installing Process Monitor.
Process Monitor, or simply “Procmon”, downloads as a zip file. Save that to a folder of your choosing and then extract the .exe program from the zipped archive.
Place procmon.exe and procmon.chm (the help file) in a convenient folder.
How Process Monitor works
Using Procmon is a two-stage affair:
- First, Process Monitor simply collects data, which it calls “events”. To do this we’ll run Procmon for “a while”, and then tell it to stop collecting.
- Second, Process Monitor allows us to examine and analyze the data that it’s collected in several different ways, using filters and summaries.
As we’ll see, Process Monitor collects a lot of data. Fortunately, it also has very powerful tools to make sense of it all.
Run Process Monitor
Run Process Monitor by double-clicking on procmon.exe in whatever folder you placed it. The first time you run it, you’ll need to agree to some license terms. This should only happen once.
Each time you run Process Monitor, you’ll most likely get the User Account Control dialog:
In order for Procmon to monitor the things that it needs to, it must have full administrative access.
As soon as Procmon begins to run, it starts collecting events:
The numbers in the status bar at the bottom will continue to increase as Procmon counts the number of events being collected.
Note that it’s only showing a subset of the collected events. Process Monitor actually includes some pre-set filters that prevent displaying events that aren’t typically helpful, such as all the events generated by procmon.exe itself.
When you’ve collected enough, type CTRL+E or click on the magnifying glass in the Procmon toolbar to stop data collection.
How much data to collect
It’s difficult to say just how much data should be collected by Process Monitor in order to be useful, because it really depends on the specific situation that you’re attempting to diagnose.
The simple rule of thumb is to collect data while the problem you’re experiencing is happening. In general, I start it when I know or suspect that a problem is happening (like your unknown internet usage), and let Procmon collect until the problem has indeed happened and gone on long enough to have generated meaningful data.
Depending on the problem you’re experiencing, this might take some experimentation. Procmon discards its data when you exit, so there’s no problem at all running it multiple times experimenting with the timing or duration.
Analyze Process Monitor results
As I mentioned, Procmon includes a fairly powerful filtering interface which is on the Filter menu. This interface really is quite complex, because it assumes you know a little bit about how Windows works internally. But don’t worry, we won’t use it here.
Instead, Procmon also includes some summary analysis tools that make what we’ll do next fairly easy.
On the Tools menu, click on Network Summary…
Unfortunately, the default width of this dialog actually hides some interesting columns. Fortunately, the dialog is resizable, so click and hold on the right border and drag it to the right to make the dialog wider to expose the “Path” column:
This is a summary of all the network-related events that have been captured. Initially these are sorted by decreasing number of events, but the column headers are all clickable. In the example above, the next-to-last column is labeled Receiv…, which is truncated from Received Bytes. I’ll click on that to see which event has been downloading (aka receiving) the most data:
Here, we can see that during this capture, my machine was downloading a lot of data from 188.8.131.52, on the http port. The problem is that doesn’t really tell us what program is doing the downloading. Not to worry, Process Monitor makes that easy.
Double-click on the line of interest and the Process Monitor main window will update to show only the events related to that line. (You can close the Network Summary window if you need to, in order to see Procmon’s main window.)
Sure enough, it was Internet Explorer running on this machine. In order to show something interesting, I visited Ask Leo! in the browser and browsed a few of the articles there.
In many cases, Process Monitor will show you the “reverse DNS” for the IP address that the computer is connecting to. In other words, it’ll show you a traditional domain name like lw3.pugetsoundsoftware.com, the server that currently hosts Ask Leo!. In cases where there is no reverse DNS, the IP address is listed. Our example IP address, 184.108.40.206, is owned by “NetDNA”, which is the content delivery network I use to speed up Ask Leo! page loads. http://whois.domaintools.com will show you the ISP or other major provider that owns an IP address (though it cannot show you specific users or computers).
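For readers who would rather script the capture and the “Received Bytes” sort than click through the Network Summary dialog, here is an added PowerShell example of my own (not code from the article or from Sysinternals). It assumes procmon.exe sits in a placeholder folder, that Procmon’s documented command-line switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Runtime, /OpenLog, /SaveAs) and CSV export are available, and that network receive events carry a “Length: N” field in the Detail column and “local:port -> remote:port” in Path; run it from an elevated prompt.

```powershell
# Added example: run Procmon unattended for a fixed time, export the capture to CSV,
# then total received bytes per process and remote endpoint, which is the same
# "sort Network Summary by Received Bytes, then find the process" step done in a script.
param(
    [string]$ProcmonDir = 'C:\Tools\Procmon',         # placeholder: folder holding procmon.exe
    [int]$Seconds       = 120,                        # how long to collect events
    [string]$WorkDir    = "$env:TEMP\procmon-net"     # where the .pml and .csv are written
)

$procmon = Join-Path $ProcmonDir 'procmon.exe'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$pml = Join-Path $WorkDir 'capture.pml'
$csv = Join-Path $WorkDir 'capture.csv'

# Stage 1: collect. /Runtime stops the capture by itself; /AcceptEula and /Quiet
# suppress the license and filter prompts. Procmon is a GUI process, so wait on it.
Start-Process -FilePath $procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $pml, '/Runtime', $Seconds)

# Stage 2: convert the binary log to CSV so it can be summarised below.
Start-Process -FilePath $procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/OpenLog', $pml, '/SaveAs', $csv)

# Keep only inbound network events ("TCP Receive", "UDP Receive"). The byte count is
# assumed to appear as "Length: N" in Detail; events without it count as 0 bytes.
$received = Import-Csv $csv | Where-Object { $_.Operation -like '* Receive' } | ForEach-Object {
    $len = 0
    if ($_.Detail -match 'Length:\s*(\d+)') { $len = [int64]$matches[1] }
    [pscustomobject]@{
        Process = $_.'Process Name'
        PID     = $_.PID
        Remote  = ($_.Path -split '\s*->\s*')[-1]   # remote host:port half of the Path
        Bytes   = $len
    }
}

# Group by process and remote endpoint, sum the bytes, and sort like the dialog's
# Received Bytes column so the heaviest downloader lands at the top.
$summary = $received | Group-Object Process, Remote | ForEach-Object {
    [pscustomobject]@{
        Process       = $_.Group[0].Process
        Remote        = $_.Group[0].Remote
        Events        = $_.Count
        ReceivedBytes = ($_.Group | Measure-Object -Property Bytes -Sum).Sum
    }
} | Sort-Object ReceivedBytes -Descending

$summary | Select-Object -First 15 | Format-Table -AutoSize
```

Because the output already names the process next to each remote endpoint, the double-click-to-filter step from the dialog is not needed; the same one-machine caveat below still applies.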
The one-machine assumption
One final note on using Process Monitor: this analysis assumes a single machine connected to your internet connection. Other machines on your local network should be disconnected or turned off for this analysis to really have meaning. Network activity from other machines could impact your internet connection in terms of both quantity and speed.
If you have multiple machines, my advice is to repeat this process on each machine. Unfortunately full-network traffic analysis is difficult to come by. There are high-end routers and traffic analysis tools, but by and large they are all significantly more expensive and complex than would make sense for the home or even small business user.
Speeding up your connection
The goal in using Process Monitor has been to collect data to allow you to identify what programs are making heavy use of your internet connection.
What happens next depends on what you find, and what decisions you can make.
In many cases, you may find that the program identified can be reconfigured so as not to make such heavy use of the internet. Perhaps you can turn it off completely by not running it or by not leaving it running.
In other cases you may determine that while you do need to run whatever it is you’ve found, you can run it or use it at a different time so as not to adversely impact something else that you’re doing.
And, naturally, it’s also quite possible that you’ll find you simply need a faster connection to meet your needs, or a connection with a higher data cap.
The bottom line to speeding up your connection without that last step remains simple: move, remove, or disable the programs or activities that are competing for your internet bandwidth. Doing so will free it up and make more of it available to the programs you leave running. The net result is a faster internet experience.
We’ve only scratched the surface here, but as you can see, it’s fairly easy for such a powerful program to quickly generate a summary analysis of many common operations, not just network access. While you’ve got Procmon open, spend a few moments, particularly with the other items on the Tools menu, to see how it might help you face other issues in the future.
In tracking down your network usage, just running Procmon for a while as you experience your issue should allow it to gather enough data that the Network Summary can tell you exactly what program is downloading all that data.