
                                   ps

                              Version 1.4.0


                       User's Guide and Reference


                               05-May-1996




                     A Process List utility for the
               Microsoft Windows NT v3.51 Operating System


     Copyright (c) 1995-96 William Potvin II.  All rights reserved.


  Preface:
  --------

  This document describes the ps Process List utility for the
  Microsoft(R) Windows NT(TM) operating system.


  Contents:
  ---------

  Preface
  Introduction
  Usage
  The Displays
  License Agreement
  Warranty


  Introduction:
  -------------

  ps is a Process List utility, somewhat like the Unix ps utility,
  which displays active processes on the system.  ps is designed to
  run under Microsoft Windows NT and will *NOT* run under Microsoft
  Windows 95 or Microsoft Windows Version 3.x.

  The output format is designed so that a scripting language, such as
  Rexx, can easily read, parse and act on the information the utility
  presents.  The ps utility does not use the Registry to obtain
  process information.  As a result, there is very, very little
  overhead involved with running ps.  This also makes it possible to
  quickly and easily create monitor utilities which call upon ps to
  extract process, service or driver information.

  Changes to this document are indicated by a "|" in the first column.


  Usage:
  ------

|   ps [-abdDfhIkKlmMPqsSTvw?] [-o<file>] [-p<pattern>] [pid [pid ..]]
    ps [-Ypt]

      Options:

          a - All (show process threads or dependent services/drivers)
          b - Bare process display, (no column headers)
          d - Display active drivers
          D - Display inactive drivers
          f - Full process display
          h - Help (this)
          I - Display general system information
          k - Close the specified processes
          K - Kill the specified processes
          l - Long process display
          m - Display process memory information
|         M - Display system modules information
          o - Write output to <file>
          p - Display processes with names matching <pattern>
          P - Display pagefile information
          q - Quiet; no interactive prompt with 'K'ill
          s - Display active services
          S - Display inactive services
          T - Display system times
          v - Display version information
          w - Display windowed processes
          Y - Display summary information
          z - Display output one page at a time
          ? - Usage


      Summary options: [-Ypt]

          p - Display process, thread and hwnd counts
          t - Display system uptime


  The Displays:
  -------------
  This section describes each ps option, presenting example displays
  where appropriate.


  The Default Display:
  --------------------

  rxsh C:\work>ps
   PID  PPID   TID    HWND     TC   HANDLE      TIME        MODULE
  0000  0000  0000  00010024  0001   0000   0 02:43:34.252  Idle
  0002  0000  0001  00000000  0014   00e1   0 00:00:19.538  System
  0013  0000  0012  00000000  0006   001c   0 00:00:01.422  smss.exe
  001f  0000  0020  00000000  0016   013b   0 00:07:08.556  csrss.exe
  0019  0000  0018  00000000  0002   0021   0 00:00:01.712  winlogon.exe
  0027  0000  0039  00000000  0012   00f3   0 00:00:11.827  services.exe
  0029  0000  002c  00000000  000c   0056   0 00:00:03.194  lsass.exe
  003a  0019  0028  00010050  0001   0011   0 00:00:00.280  nddeagnt.exe
  0044  0041  0043  00010052  0002   0037   0 00:01:56.357  ntvdm.exe
  004a  002b  0049  00010070  0002   002c   0 00:00:15.752  Explorer.exe
  0050  0000  004f  00000000  0005   0031   0 00:00:01.041  spoolss.exe
  0053  0000  0052  00000000  0009   0028   0 00:00:00.761  netdde.exe
  0066  004a  0065  0001009c  0001   0018   0 00:00:29.021  rxsh.exe
  0068  004a  0067  00010094  0001   000f   0 00:01:02.549  WPERF.EXE
  0045  0000  0038  00000000  0002   0014   0 00:00:00.340  clipsrv.exe
  0074  0000  0073  00000000  0003   0016   0 00:00:00.470  fingerd.exe
  0077  0000  0076  00000000  0005   0036   0 00:00:00.851  tcpsvcs.exe
  007d  0000  007c  00000000  0003   001b   0 00:00:01.171  scm.exe
  003d  0000  0061  00000000  0004   001b   0 00:00:00.330  LOCATOR.EXE
  0091  0000  0090  00000000  0003   0017   0 00:00:00.210  RPCSS.EXE
  0097  0000  0096  00000000  0003   001a   0 00:00:00.310  AtSvc.Exe
  0082  0000  00a0  00000000  0003   001a   0 00:00:00.430  https.exe
  00a4  0000  00a3  00000000  0005   0031   0 00:00:00.630  lmrepl.exe
  00b0  0066  00a6  00000000  0001   000e   0 00:00:00.150  ps.exe

  PID     - Process id
  PPID    - Parent process id
  TID     - Primary thread id
  HWND    - HWND, 0 means no HWND on the Desktop
  TC      - Thread count; the number of threads under the process
  HANDLE  - Number of handles, (i.e. file handles), held by the process
  TIME    - Active time of the process "days hrs:min:sec.hun"
  MODULE  - The process module name


  Next, the 'long' display:

  rxsh C:\users\bill>ps -l
  ST  S   PID   TID   TC   PR    ADDR      SIZE         TIME       MODULE
  00  O  0000  0000  0001  00  00000000         0  1 10:03:25.648  Idle
  08  W  0002  0001  0014  08  801aa9c4   1523712  0 00:00:52.745  System
  06  W  0013  0012  0006  0b  01e0654c   8925184  0 00:00:01.772  smss.exe
  10  W  001f  0020  0017  0d  5fe62e7b  49754112  0 02:41:53.016  csrss.exe
  0e  W  0019  0018  0002  0d  0216dfc6  12517376  0 00:00:02.473  winlogon.exe
  ...

  ST      - Status; thread 'wait' reason code.
                x'00'  - Wait executive
                x'04'  - Wait delay execution
                x'06'  - Wait user request
                x'08'  - Wait free page
                x'0e'  - Wait event pair high
                x'0f'  - Wait event pair low
                x'10'  - Wait lpcreceive
                x'11'  - Wait lpcreply
                x'12'  - Wait virtual memory

  S       - Primary thread state
                R  - The process is ready to run
                O  - The process is running
                S  - The process is in a standby state
                T  - The process has been terminated
                W  - The process is in a wait state
                ?  - ps does not recognize the given state

  PID     - Process id
  TID     - Primary thread id
  TC      - Thread count; the number of threads under the process
  PR      - Priority
  ADDR    - Thread start address
  SIZE    - Virtual storage used by the process
  TIME    - Active time of the process "days hrs:min:sec.hun"
  MODULE  - The process module name


  Next, the 'full' display:

  rxsh C:\users\bill>ps -f
   PID   TID   TC   PR           STIME                TIME       MODULE
  0000  0000  0001  00  1995-09-01 07:39:37.000  1 10:09:41.548  Idle
  0002  0001  0014  08  1995-09-01 07:39:37.000  0 00:00:52.856  System
  0013  0012  0006  0b  1995-09-01 07:39:47.204  0 00:00:01.772  smss.exe
  001f  0020  0017  0d  1995-09-01 07:40:00.834  0 02:42:20.055  csrss.exe
  0019  0018  0002  0d  1995-09-01 07:40:08.224  0 00:00:02.473  winlogon.exe
  ...

  PID     - Process id
  TID     - Primary thread id
  TC      - Thread count; the number of threads under the process
  PR      - Priority
  STIME   - Process start date and time
  TIME    - Active time of the process "days hrs:min:sec.hun"
  MODULE  - The process module name


  Next, the 'memory' display:

  rxsh C:\users\bill>ps -m
   PID   VIRTUAL WORK-SET PAGEFILE  PRIVATE       TIME       MODULE
  0000         0    16384        0        0  1 10:11:49.572  Idle
  0002   1523712    20480    36864    32768  0 00:00:52.916  System
  0013   8925184        0   172032   172032  0 00:00:01.772  smss.exe
  001f  49754112  3850240  3362816  3096576  0 02:42:37.851  csrss.exe
  0019  12517376    24576   393216   389120  0 00:00:02.473  winlogon.exe
  ...

  PID     - Process id
  VIRTUAL - Virtual storage used by the process
  WORK-SET- The process working set size
  PAGEFILE- Page file bytes used by the process
  PRIVATE - Private bytes used by the process
  TIME    - Active time of the process "days hrs:min:sec.hun"
  MODULE  - The process module name


| Next, the 'system modules' display:
|
| rxsh C:\users\bill>ps -M
| MODULENAME      IMAGBASE  CODESIZE  DATASIZE  PAGEFILE  LOAD  LINKTIME
| ntoskrnl.exe    80100000     3d5c0      9440     66dc0     0  1996-01-25 20:14
| hal.dll         80400000      4b40       8a0      2140     1  1996-01-18 16:28
| Pcmcia.sys      80010000      3b60       2a0         0     2  1996-01-19 21:52
| T338.sys        80019000      2800       200         0     3  1994-06-14 21:28
| SCSIPORT.SYS    80001000      2400        20      3780     4  1996-01-19 13:19
| ...
|
| MODULENAME - Module name
| IMAGBASE   - Image base address, (load address)
| CODESIZE   - Executable code size
| DATASIZE   - Data size
| PAGEFILE   - Page file usage
| LOAD       - Load sequence
| LINKTIME   - Module link time
|

  Next, the 'all' display.  This lists each process as well as each
  thread running under the process:

  rxsh C:\users\bill>ps -a
   PID  PPID   TID    HWND     TC   HANDLE      TIME        MODULE
  0000  0000  0000  00010024  0001   0000   0 02:47:13.827  Idle

  ...


  003a  0019  0028  00010050  0001   0011   0 00:00:00.280  nddeagnt.exe
  0044  0041  0043  00010052  0003   0040   0 00:01:57.318  ntvdm.exe
              004e  00000000                0 00:00:00.130   (Wait:UserRequest)
              008e  000b00da                0 00:00:00.711   (Write - (Untitled))
  004a  002b  0049  00010070  0002   002c   0 00:00:15.892  Explorer.exe
              0054  00000000                0 00:00:00.020   (Wait:UserRequest)
  0050  0000  004f  00000000  0005   0035   0 00:00:01.281  spoolss.exe
              002a  00000000                0 00:00:00.020   (Wait:UserRequest)
              0051  00000000                0 00:00:00.610   (Wait:UserRequest)
              0047  00000000                0 00:00:00.000   (Wait:UserRequest)
              00af  00000000                0 00:00:00.020   (Wait:LpcReceive)
  0053  0000  0052  00000000  0009   0028   0 00:00:00.761  netdde.exe
              0057  00000000                0 00:00:00.040   (Wait:UserRequest)
              0058  00000000                0 00:00:00.050   (Wait:UserRequest)
              0059  00000000                0 00:00:00.010   (Wait:UserRequest)
              005b  00000000                0 00:00:00.070   (Wait:UserRequest)
              005c  00000000                0 00:00:00.270   (Wait:EventPairHigh)
              005f  00000000                0 00:00:00.010   (Wait:Execute)
              006c  00000000                0 00:00:00.020   (Wait:UserRequest)
              006e  00000000                0 00:00:00.090   (Wait:EventPairHigh)
  0066  004a  0065  0001009c  0001   0018   0 00:00:30.113  rxsh.exe
  0068  004a  0067  00010094  0001   000f   0 00:01:03.971  WPERF.EXE

  ...


  For a Process line:

  PID     - Process id
  TID     - Primary thread id
  HWND    - HWND, 0 means no HWND on the Desktop
  TC      - Thread count; the number of threads under the process
  HANDLE  - Number of handles, (i.e. file handles), held by the process
  TIME    - Active time of the process "days hrs:min:sec.hun"
  MODULE  - The process module name


  For a Thread line:

  TID     - Thread id
  HWND    - HWND, 0 means no HWND on the Desktop
  TIME    - Active time of the thread "days hrs:min:sec.hun"
  MODULE  - Thread (State:Reason), if HWND is zero.
            This corresponds to an 'English' version of (S:ST) as
            presented in the 'long' display.
          - The window title of the indicated HWND.  Most noticeably,
            this will show 16-bit applications running under an ntvdm.


  Next, the 'windowed process' display.  This displays those processes
  running with an hwnd available on the desktop.  This should show, at
| least, the same processes as the Task Manager, unless the 'all'
| switch is specified.  In that case, all windows on the system are
| presented.

  rxsh C:\users\bill>ps -w
   PID  TID   HWND   PR      TIME     %KRNL %USER NAME
  0064 0063 00010098 20   0:01:45.261 86.74 13.26 rxsh
  0066 0065 00010094 20   0:09:46.122 31.64 68.36 Perf Meter
  004a 0049 00010062 80   0:00:55.949 42.99 57.01 Program Manager

  PID     - Process id
  TID     - Primary thread id
  HWND    - HWND, 0 means no HWND on the Desktop
  PR      - Thread priority class
                Note that this is different from the priority given
                in the displays above.  I will be changing this so
                that the two are the same.  Actually, both the class
                and the priority within the class are useful.

  TIME    - Active time of the process "hrs:min:sec.hun"
  %KRNL   - % Time in kernel mode
  %USER   - % Time in user mode
  NAME    - The name associated with the process, usually different
            than the module name.


  Next, the 'PageFile information' display:

  rxsh C:\users\bill>ps -P
   CURRENT        USED        PEAK  NAME
  31457280    13185024    14913536  \DosDevices\D:\pagefile.sys

  CURRENT - Current pagefile size
  USED    - Used pagefile space
  PEAK    - Peak used pagefile space
  NAME    - Pagefile name


  Next, the 'System Times' display:

  rxsh C:\users\bill>ps -T
           START                   CURRENT              ELAPSED
  1995-09-01 07:39:37.000  1995-09-03 14:51:12.490  2 07:11:35.490

  START   - System start date/time
  CURRENT - Current date/time
  ELAPSED - Elapsed, (current-start), time: "days hrs:min:sec.hun"


  Next, the 'General System Information' display:

  rxsh C:\users\bill>ps -I
  PROCARCH PAGESIZE TOTALMEM ALOCSIZE MIN_ADDR MAX_ADDR PROCMASK
  00000000 00001000 013d0000 00010000 00010000 7ffeffff 00000001

  PROCARCH- Processor Architecture:

            Intel     - x'00000000'
            MIPS      - x'00000001'
            Alpha     - x'00000002'
            PowerPC   - x'00000003'
            Unknown   - x'0000FFFF'

  PAGESIZE- Memory page size
  TOTALMEM- Total installed memory
  ALOCSIZE- Memory allocation granularity
  MIN_ADDR- Lowest memory address accessible by user programs
  MAX_ADDR- Highest memory address accessible by user programs
  PROCMASK- Active processor mask

  This is, basically, the information returned by the documented Win32
  API GetSystemInfo; however, ps does not get it that way :-).  New,
  interesting data will be added to this display as time permits.

  Next, the 'Process summary' display:

  rxsh C:\users\bill>ps -Yp
   PROCESS    THREAD      HWND
        25       138        24

  PROCESS - The number of processes on the system.
  THREAD  - The number of threads within the processes on the system.
  HWND    - The total number of HWNDs on the system.

  This is a summary of the processes, threads and hwnds that are on
  the system, including the running ps process.  The hwnd count is
  the total number of hwnds on the system.  This count should exactly
  correspond to that presented by ps with the '-wa' option.

  Next, the 'Machine uptime' display:

  rxsh C:\users\bill>ps -Yt
  This machines uptime is 1 days 18 hours and 6 minutes.

  This is a verbose representation of the machine uptime.  The format
  of this display will likely change with the next release of ps into
  one more consistent with the other displays.


  ps has a 'bare' option, '-b', which prevents the display of column
  headers in the displays.  This is to make it simpler to process the
  output from within a Rexx program in particular, but from within any
  sort of program able to read the output file and process the lines of
  information.  For example, you could write a Rexx program that scans
  the output from periodic invocations of ps and then performs other
  actions based upon information contained in the display.
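
  The kind of monitor described above, sketched in Python rather than
  Rexx.  This is an added example, not part of the ps distribution: the
  names Proc, parse_snapshot and diff_snapshots are hypothetical, the
  numeric columns are assumed to be hexadecimal, and the second snapshot
  is constructed.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    tid: int
    hwnd: int
    threads: int
    handles: int
    cpu: timedelta
    module: str


def parse_line(line):
    """Parse one line of the default display into a Proc."""
    f = line.split()
    if len(f) < 9:
        raise ValueError(f"not a process line: {line!r}")
    # Assumption: the six numeric columns are hexadecimal (the guide's
    # sample shows values such as 001f and 013b).
    pid, ppid, tid, hwnd, tc, handles = (int(x, 16) for x in f[:6])
    # TIME is two tokens: days, then hrs:min:sec with a fractional part.
    hrs, mins, secs = f[7].split(":")
    cpu = timedelta(days=int(f[6]), hours=int(hrs),
                    minutes=int(mins), seconds=float(secs))
    return Proc(pid, ppid, tid, hwnd, tc, handles, cpu, " ".join(f[8:]))


def parse_snapshot(text):
    """Return {pid: Proc}; blank lines and a header line are skipped."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "PID":
            continue
        proc = parse_line(line)
        procs[proc.pid] = proc
    return procs


def diff_snapshots(old, new):
    """Compare two snapshots; returns (started, exited, cpu_growth)."""
    def same(pid):
        # A PID can be reused, so identity is PID plus module name.
        return pid in old and pid in new and old[pid].module == new[pid].module
    started = sorted((p.pid, p.module) for p in new.values() if not same(p.pid))
    exited = sorted((p.pid, p.module) for p in old.values() if not same(p.pid))
    growth = {pid: new[pid].cpu - old[pid].cpu for pid in new
              if same(pid) and new[pid].cpu > old[pid].cpu}
    return started, exited, growth


# First snapshot: four lines from the guide's default display.
BEFORE = """\
0013  0000  0012  00000000  0006   001c   0 00:00:01.422  smss.exe
001f  0000  0020  00000000  0016   013b   0 00:07:08.556  csrss.exe
0066  004a  0065  0001009c  0001   0018   0 00:00:29.021  rxsh.exe
00b0  0066  00a6  00000000  0001   000e   0 00:00:00.150  ps.exe
"""
# Second snapshot: constructed for this example.  PID 00b0 has been reused.
AFTER = """\
 PID  PPID   TID    HWND     TC   HANDLE      TIME        MODULE
0013  0000  0012  00000000  0006   001c   0 00:00:01.422  smss.exe
001f  0000  0020  00000000  0016   013b   0 00:07:10.056  csrss.exe
0066  004a  0065  0001009c  0001   0018   0 00:00:29.021  rxsh.exe
00b0  0066  00b1  000100a8  0001   0012   0 00:00:00.200  notepad.exe
00b8  0066  00b7  00000000  0001   000e   0 00:00:00.150  ps.exe
"""

if __name__ == "__main__":
    print(diff_snapshots(parse_snapshot(BEFORE), parse_snapshot(AFTER)))
```

  Each invocation of ps shows up as a started and an exited process, so
  a real monitor would filter its own module name out of the result.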


  Now for what might be the most confusing aspect of the ps options:
  the specification of a regular expression for pattern matching.  This
  is the '-p <pattern>' option and it allows processes to be selected
  for display based upon the matching of the pattern with the process
  name or the process module name.

  The <pattern> may be expressed in the following form:
          *  - Matches any sequence of zero or more characters (default)
          ?  - Matches any single character
       [set] - Matches any single character in <set>
      [!set] - Matches any single character not in <set>
      [^set] - Matches any single character not in <set>

  The <set> may be expressed as a sequence of characters or as a range
  of characters, for example: '[abc]', or '[a-c]'.  Multiple ranges may
  be included within a <set>, for example: '[a-zA-Z0-9]'.  Sequences and
  ranges may appear within the same <set>, for example: '[a-dMRVZ]'.

  The '\' character is used to remove the syntactical significance of
  the following character.  For example, to match a name whose first
  character is either a number or the ']' character, use the following
  pattern: '[0-9\]]*'.  To match a name whose third character is a '!',
  use: '??\!*'.  The '\' character is effective with the following
  special characters: '[]*?!^-\'.

  The best thing would be to offer several examples:


      ps -p *

  This matches all names and is the default, (i.e. if no pattern is
  specified).


      ps -p r*

  This matches all names beginning with an 'r'.  Note that the match
  is case sensitive.


      ps -p [Rr]*

  This matches all names beginning with either an 'R' or an 'r'.


      ps -p [RrSs]*

  This matches all names beginning with either 'R', 'r', 'S', or 's' and
  illustrates that multiple components can be specified within a regular
  expression set.


      ps -p [a-d]*

  This matches all names beginning with 'a', 'b', 'c', or 'd' and serves
  to illustrate the specification of ranges within a regular expression
  set.  As noted above, multiple ranges may be included within a regular
  expression set, i.e. '[a-dA-D]*'.


      ps -p [!r]*

  This matches all names which do not begin with an 'r'.  Both the '!'
  and the '^' characters signify negation.  When used, the negation
  operator must be the first character in the set and it operates on all
  of the characters and ranges in the set.



  The examples above deal only with the first character in a pattern.
  Below are examples filtering on other characters.



      ps -p ?[Xx]*

  This matches all names whose second character is an 'X', or an 'x'.
  The '?', as expected, matches any single character.  So it follows
  that matching specific character positions would entail adding the
  appropriate number of '?'s to the pattern:


      ps -p ???[Xx]*          [to match the fourth character]

      ps -p ??[Xx]??[Nn]*     [to match the third and sixth]


  To match characters from the end of a name, just move the trailing
  '*' in the examples above to the beginning of the pattern:


      ps -p *r                [last character is an 'r']

      ps -p *[Rr]             [last character is an 'R', or an 'r']

      ps -p *[RrSs]           [last character 'R', 'r', 'S', or 's']

      ps -p *[a-d]            [last character 'a', 'b', 'c', or 'd']

      ps -p *[!r]             [last character not an 'r']

      ps -p *[Xx]?            [to match the next to last character]



  Finally, what if the name you want to match contains one of the
  special characters, '[', ']', '!', '^', '*', '?', '-', or '\'?  How
  are they specified in a pattern?  The last character in the list
  above is a hint; we haven't talked about it yet.  The '\' character
  is the 'escape' character, meaning that it removes the syntactic
  significance of the next character.

  So, suppose that you have a process running on your machine that is
  named '[myproc'.  To specify a filter pattern that would match this
  name, use:

      ps -p \[*
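
  The pattern rules above, implemented as a small matcher in Python.
  This is an added example written from the description in this guide,
  not the code ps uses; the function names are hypothetical, and
  rejecting an empty or unterminated <set> is an assumption.

```python
import re


def _take(p, i):
    """Return (literal character, next index), honouring the '\\' escape."""
    if i < len(p) and p[i] == "\\":
        i += 1
    if i >= len(p):
        raise ValueError("pattern ends inside a set or after '\\'")
    return p[i], i + 1


def _parse_set(p, i):
    """Translate a <set>; i points just past '['.  Returns (class, next index)."""
    negate = p[i:i + 1] in ("!", "^")       # negation must come first
    if negate:
        i += 1
    parts = []
    while p[i:i + 1] != "]":
        lo, i = _take(p, i)
        if p[i:i + 1] == "-" and p[i + 1:i + 2] not in ("]", ""):
            hi, i = _take(p, i + 1)          # a range such as a-c
            if hi < lo:
                raise ValueError(f"reversed range {lo}-{hi}")
            parts.append(re.escape(lo) + "-" + re.escape(hi))
        else:
            parts.append(re.escape(lo))      # a single character
    if not parts:
        raise ValueError("empty set")        # assumption: '[]' is rejected
    return "[" + ("^" if negate else "") + "".join(parts) + "]", i + 1


def compile_ps_pattern(pattern):
    """Compile a ps '-p' pattern into a regex used with fullmatch()."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        elif c == "[":
            cls, i = _parse_set(pattern, i + 1)
            out.append(cls)
        else:                                # literal, possibly escaped
            ch, i = _take(pattern, i)
            out.append(re.escape(ch))
    return re.compile("".join(out), re.DOTALL)   # case sensitive


def ps_match(pattern, name):
    """True if the whole name matches the pattern."""
    return compile_ps_pattern(pattern).fullmatch(name) is not None


def select(pattern, names):
    """Return the names that match, in their original order."""
    rx = compile_ps_pattern(pattern)
    return [n for n in names if rx.fullmatch(n)]


# Module names from the default display above, plus '[myproc'.
NAMES = ["rxsh.exe", "RPCSS.EXE", "smss.exe", "Explorer.exe",
         "WPERF.EXE", "Idle", "[myproc"]

if __name__ == "__main__":
    for pat in ("r*", "[Rr]*", "[!r]*", "?[Xx]*", "*[Xx]?", "\\[*"):
        print(f"{pat:8} -> {select(pat, NAMES)}")
```

  Because the match is case sensitive, a monitor that watches for 'r*'
  never sees RPCSS.EXE; use '[Rr]*' when the case of a module name is
  not known in advance.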


  To conclude the discussion of the ps utility, the current version is
  1.2.1, which is much newer than the last version posted on CompuServe.
  This current version incorporates many new features, including the
  ability to terminate processes, display services, display drivers, and
  the ability to specify a file name into which output will be written.


  License Agreement:
  ------------------

  This software is Copyright William Potvin II.  All rights reserved.

  This is a legal agreement between you (either an individual or an
  entity) and William Potvin II (the "Author").  By opening the sealed
  disk container(s) you are agreeing to be bound by the terms of this
  Agreement.  If you do not agree to the terms of this Agreement,
  promptly return the unopened disk container(s) and accompanying items
  (including written materials and binders or other containers) to the
  place you obtained them for a full refund.

  1. GRANT OF LICENCE TO USE.  William Potvin II (the "Author") grants
  to you the non-exclusive right to use the enclosed software and
  electronic text files comprising the documentation and the electronic
  text files comprising the sample Rexx programs (the "SOFTWARE") on an
  unlimited number of computers, provided that you are the only
  individual using the SOFTWARE.  If you are an entity, the Author
  grants you the right to designate one individual within your
  organization to have the right to use the SOFTWARE in the manner
  provided above.  The Author reserves all rights not expressly
  granted.

  2. COPYRIGHT.  The SOFTWARE is owned by William Potvin II (the
  "Author") and is protected by United States copyright laws and
  international treaty provisions.  Therefore, you must treat the
  SOFTWARE like any other copyrighted material, (for example, a book or
  musical recording).  You may not use or copy the SOFTWARE or any
  accompanying materials except as described in this Agreement.

  3. OTHER RESTRICTIONS.  You may not rent or lease the SOFTWARE, but
  you may transfer the SOFTWARE and accompanying written materials on a
  permanent basis, provided you retain no copies and the recipient
  agrees to the terms of this Agreement.  You may not reverse-engineer,
  decompile, or disassemble the SOFTWARE.

  4. SAMPLE SOFTWARE.  The Sample Rexx Programs included with the
  SOFTWARE are specifically identified in the documentation text files.
  In addition to the rights granted in Section 1, the Author grants you
  the right to use and modify the included Sample Rexx Programs and to
  distribute the Sample Rexx Programs along with any modifications
  thereof.

  5. REDISTRIBUTABLE CODE.  In addition to the rights granted in Section
  1, the Author grants you additional rights to the SOFTWARE designated
  as "Freeware".  The Freeware files are specifically identified in the
  documentation text files and are provided to augment the functionality
  of the SOFTWARE.  The Freeware files are useful in and of themselves
  and do not require the SOFTWARE to operate and may be freely
  distributed, royalty free.

  6. EXPORT RESTRICTIONS.  You agree that you do not intend to or will,
  directly or indirectly, export or transmit the SOFTWARE or related
  documentation and technical data to any country to which such export
  or transmission is restricted by any applicable U.S. regulation or
  statute, without the prior written consent, if required, of the
  Bureau of Export Administration of the U.S. Department of Commerce,
  or such other governmental agency as may have jurisdiction over such
  export or transmission.

  Should you have any questions concerning this Agreement, or if you
  desire to contact the Author for any reason, please send electronic
  mail to either 70540,120 on the CompuServe Information Service, or
  70540.120@compuserve.com from the Internet.


  Warranty:
  ---------

  NO WARRANTIES.  This software is provided by the author "as is"
  without any warranty of any kind, either expressed or implied,
  including, but not limited to, the fitness of this software for a
  particular purpose or merchantability.  The user holds all risk with
  respect to the quality and performance of this software and the user
  assumes all costs relative to all necessary servicing, repair or
  correction.

  NO LIABILITY FOR CONSEQUENTIAL DAMAGES.  Under no circumstances will
  the author of this software be liable to the user for any damages
  whatsoever, including general, incidental or consequential damages
  resulting from the use, or from the inability to use this software,
  including, but not limited to loss of data or business profits or
  business interruption or a failure of this software to operate with
  any other programs or any other pecuniary loss sustained by you or
  third party users, even if the author has been advised of the
  possibility of such damages.

  CUSTOMER REMEDIES.  The Author's entire liability and your exclusive
  remedy shall not exceed the price paid for the SOFTWARE.
