Tools for finding PC-performance bottlenecks

Tools for finding PC-performance bottlenecks

That old saying, “A chain is only as strong as its weakest link,” has its Windows analogue: “A PC is only as fast as its slowest subsystem.”

You can use Windows’ built-in performance-monitoring tools to detect which of your PC’s major subsystems could be causing slowdowns.

Ideally, a PC’s four major hardware subsystems — CPU, drive, memory (RAM), and networking — work together as a seamless whole, handing tasks off from one to another without delay or difficulty.

But if one subsystem can’t keep up with its workload, the entire PC can bog down while the other subsystems wait for it to catch up.

Fortunately, there’s an easy way to tell whether your PC has a hardware-based bottleneck.

All versions of Windows starting with Vista include a graphical performance-monitoring tool (Win7 and Win8 actually offer two) that shows, in near-real-time, how a PC’s major hardware subsystems are being affected by their workload.

These monitoring tools vary somewhat, depending on the Windows version (even the names are different), but they’re all extremely simple to use for basic performance monitoring. Side-by-side graphs display each subsystem’s moment-by-moment level of activity, giving you a visual representation of workload changes, even as you run tasks on the PC.

Figure 1 shows an example clipped from Win8’s Task Manager. Other monitor-tool versions look somewhat different but convey the same type of information.

Figure 1. Task Manager displaying subsystem activity for a healthy Win8 PC under a light workload

If your system has a hardware bottleneck, at least one of the graphs will be seriously out of step with the others. It’ll typically show a sustained, high level of activity, while other subsystems have relatively low activity levels. For example, Figure 2 shows C: drive access pegged at 100 percent.

Figure 2. A serious mismatch in subsystem activity — 100 percent C: drive utilization — might indicate a bottleneck worth investigation.

Keep in mind, however, that every instance of high activity doesn’t necessarily represent a true bottleneck. Sometimes, high subsystem activity is due to totally benign causes, as I’ll show in a moment.

But if the monitors show that a particular hardware subsystem is routinely or frequently maxed out during normal, everyday system operations, the subsystem is likely to be the weak link in your PC’s performance chain. It’s probably the cause of most system slowdowns.

Deciphering Windows’ built-in performance-monitoring tools. The rest of this article will show how to access and use Windows’ performance-monitoring tools. I’ll explain how to interpret what the graphs reveal and what to do if you suspect you’ve found a bottleneck.

Although this article focuses just on troubleshooting hardware-based bottlenecks, Windows’ monitoring tools also provide detailed, fine-grained information about numerous aspects of software performance. Below, you’ll find links to additional information for exploring more advanced monitoring-tool uses.

Accessing Win8’s dual performance monitors

Windows 8 has a pair of performance monitors; the easiest to access and use is the Performance tab built into Win8’s Task Manager. It’s significantly more useful and better-looking than its Windows 7 counterpart.

To access it, open Task Manager by your preferred method — Win8.1 offers several ways. For example, there’s the classic Ctrl + Alt + Del method. But you can also pop up the advanced-user menu by either clicking Windows key + x or right-clicking the Start button on the Desktop. Whichever menu you get to, select Task Manager.

You can open Task Manager directly by clicking Ctrl + Shift + Esc or by right-clicking an empty space on the Taskbar and selecting Task Manager. (If Task Manager opens as a small, relatively simple window, click the More details link at the bottom.)

With Task Manager open, select the Performance tab. You’ll see a window that looks something like that shown in Figure 3 (though, of course, your performance details will differ).

Figure 3. Win8's Task Manager/Performance view is the easiest and best-looking performance-graphing tool Microsoft has ever offered.

Windows 8 also offers a version of the classic Windows Resource Monitor, which provides an extensive list of highly detailed performance-monitoring functions. The Win8 Resource Monitor operates much like the Win7 version, described in the next section.

Win8’s Resource Monitor is available from Task Manager — simply click the Open Resource Monitor link at the bottom of the window. You can, of course, also enter resmon into the Win8 search box and click its name when it appears. Once open, Win8’s Resource Monitor will look similar to Figure 4.

Figure 4. Win8's Resource Monitor still has an old-school look, but it lets you drill deeply into system-performance information.

For more information on Win8’s Performance Monitor and Resource Monitor, see:

• “A visual tour of Win8’s new Task Manager” – June 12, 2014, Best Practices
• “Windows 8 Task Manager in-depth” – Microsoft Windows blog
• “The Windows 8 Task Manager” – MSDN blog
• “Performance management: Monitoring CPU resources” – TechNet blog.

Note: Microsoft offers scant help for Win8’s Resource Monitor. But as mentioned earlier, the Win8 tool operates much like Win7’s. See the Win7 “More information” links below for additional guidance.

Accessing Win7’s performance-monitoring tools

Windows 7’s Task Manager also has a Performance tab. But as noted above, it’s far more limited than its Win8 counterpart. I recommend skipping directly to Win7’s Resource Monitor. Either click the link at the bottom of the Performance tab in Task Manager, or click Start and enter resmon into the search box. Click resmon when it appears. (You might be prompted for admin permission.) Win7’s Resource Monitor will look like what’s shown in Figure 5. (It’s nearly identical to the Win8 version shown in Figure 4.)

Figure 5. Like its Win8 counterpart, Win7's Resource Monitor provides a detailed look at what's going on inside Windows.

For more information on performance monitoring in Win7, see:

• “What’s new in performance and reliability monitoring” – TechNet page
• “Performance monitoring getting started guide” – TechNet page
• “Resource availability troubleshooting getting started guide” – TechNet page.

Vista’s Reliability and Performance Monitor

The Reliability and Performance Monitor tool is located in Vista’s Management Console.

To access it, click Start, right-click Computer, and then click Manage. (Again, you might be asked for admin permission.) When the Computer Management console opens, click Reliability and Performance in the left pane (see Figure 6).

Figure 6. Vista's Reliability and Performance monitor is found within the Computer Management console.

For more information, see:

• “Windows Vista performance and reliability monitoring step-by-step guide” – TechNet page
• “Selected scenarios for monitoring performance with Windows Vista” – TechNet page

Using Windows’ performance-monitoring tools

To save space, I’ll refer to all of Windows’ performance-monitoring tools — Win8’s Task Manager–based Performance monitor, Win7’s and Win8’s Resource Monitor, and Vista’s Reliability and Performance Monitor — by the generic name of performance monitor.

The best way to check your PC for hardware bottlenecks is to open a performance monitor and position its graphs so that they’re visible — or at least easily accessible — while you go about your everyday computing tasks.

While you work, keep an eye on the performance graphs; you want to become familiar with how your PC responds to varying workloads. For example, note drive, CPU, and networking activity as you open applications, copy large and small files from one place to another, and download videos from the Web.

At times, some or all of your hardware subsystems will have relatively short bursts of maximum usage. That’s completely normal; it’s not necessarily a sign of trouble. In fact, it’s what you want: to execute tasks as quickly as it can, a PC should bring all available resources to bear.

Some tasks will give one subsystem a long and heavy workout. For example, the Disk graph should show maximum activity when you’re running a full system backup. If you’re recalculating a giant spreadsheet or editing and rendering a large video file, you’d expect your CPU to be working flat-out for a while.

Such easily explained, high levels of sustained activity are generally not signs of a severe system bottleneck. On the other hand, frequent and/or long, unexplained slowdowns — especially during routine, day-to-day operations that shouldn’t cause trouble — are another matter.

When your PC suddenly slows for no apparent reason, take a look at your performance graphs. If one particular subsystem is frequently registering sustained, maximum activity while the other subsystems are operating at much lower levels, it’s almost assuredly the processing bottleneck.

Balancing performance across all subsystems

Obviously, it makes no sense to have a super-fast CPU and a slow hard drive or to try running memory-intensive applications such as virtual machines or video editing with just 2GB of RAM. If one subsystem is a frequent bottleneck for your computing work, you can improve performance by servicing, upgrading, or replacing that subsystem. Here are some ideas.

Disk bottlenecks: If performance monitoring indicates that a hard drive is causing frequent slowdowns, first try to correct the problem with a full round of disk maintenance and diagnostics. For how-to information, see the Jan. 16, 2014, Top Story, “Keep a healthy PC: A routine-maintenance guide”; skip down to the subsection labeled “Disk health.”

If your hard drive is FAT-formatted (e.g., FAT32), consider converting it to NTFS, which is usually faster. The Windows built-in convert.exe tool can perform this conversion on the fly. See the Microsoft Windows article, “Convert a hard disk or partition to NTFS format.”

Obscure drive alignment problems can also rob performance, especially on traditional, spinning-platter drives. For a discussion of drive alignment and some suggested tools (free and paid), see the Oct. 4, 2012, LangaList Plus column, “Drive alignment and solid-state drives.”

If disk maintenance or software fixes don’t improve things, your only real option is to upgrade to a faster hard drive.

Note: Before you shop for a new drive, measure your current drive’s throughput and access speed with tools such as the Disk Throughput Tester (free; site) or HD Tune (free/paid; site). Then, when shopping for a new drive, you can focus on only those with significantly better/faster specs.

CPU bottlenecks: Visit your system vendor’s website or the mainboard/chip manufacturer’s site to see whether it offers diagnostic software. CPUs and mainboards are often tested as a unit. For example, Intel’s Diagnostic and Performance Tools page offers links and descriptions for dozens of tools used to test CPUs and mainboards.

Other examples include the Dell diagnostic Knowledge Base webpage and HP’s “Testing for hardware failures (Windows 7)” page.

If your CPU/mainboard is healthy, you’re left with upgrading to a processor with more cores (info) and/or a higher clock rate (info). That might be possible, depending on the type of components and age of your system. But it’s far simpler, surer, and — in the long run — usually less expensive to simply replace the entire PC with a newer, faster model — one whose components were designed to work together from the start.

Memory (RAM) bottlenecks: Check the memory subsystem’s health with Microsoft’s free Windows Memory Diagnostics Tool (MS Windows page). You can also try third-party tools such as the free, open-source Memtest86 (site) or Memtest86+ (site).

If your RAM is healthy, and you routinely come close to using all available memory, your best option is to add more RAM. Check your system documentation for the type and speed of memory chip the machine can use. If all memory slots are filled, you might have to replace your current memory modules with higher-capacity versions.

If your system already has all the RAM it can support, your only real option is a new mainboard or — far more simply — a new system.

Network bottlenecks: Networking problems can affect transfer speeds with network-attached storage devices and your ability to work online, but they rarely cause a general PC slowdown. Most networking issues are outside the PC — problems with cables, modems, and routers; Wi-Fi saturation; and so on. Still, for completeness, here’s how to check for bottlenecks in a PC’s networking subsystem.

First, run Windows’ Network Diagnostics tool to see whether there’s an easily correctable software or configuration problem. To do so, right-click the network icon in the Windows desktop’s notification area. (If it’s not visible, click the small “Show hidden icons” triangle icon in the notification area.) Select Troubleshoot problems and then let the automated repair tools do their thing.

If you prefer a more focused, manual approach, see “Network diagnostics & tracing in Windows 7” in a TechNet Magazine page. (Win8’s and Vista’s diagnostics are similar.)

Next, test your PC networking hardware with whatever tools the manufacturer offers. For example, Intel’s “Administrative tools for Intel network adapters” page offers a collection of free diagnostic and management tools. A Realtek page offers a variety of similar tools for its networking hardware, including the simply named “Windows Diagnostic Program.”

You can dig much deeper, if you wish

Although this article focuses on just one high-level task — identifying hardware bottlenecks — keep in mind that Windows’ monitoring tools are actually capable of providing deeply detailed information on both hardware and software performance.

If the information in this article doesn’t resolve your performance problem, use the performance-monitoring links provided above for your Windows version. In either case, you’ll likely find that current versions of Windows have all the tools needed to track down exactly what’s causing PC slowdowns.

February brings a shower of nonsecurity updates

After a light January, this month’s Patch Tuesday brings a full complement of security and nonsecurity updates.

Staying true to current form, Microsoft had to recall one of its patches almost immediately — but not soon enough for some Windows users.

3001652

Starting off with another flawed patch

A Visual Studio update is further proof that enabling automatic updates in Windows Update can be hazardous. KB 3001652 was a rollup patch for Visual Studio 2010 Tools for Office Runtime. According to the update’s info page, it’s “required to run Microsoft Office–based solutions that are built by using Microsoft Visual Studio 2010, Visual Studio 2012, and Visual Studio 2013.” In my opinion, this patch should never have been released pre-checked for automatic updating.

Soon after KB 3001652 was released, there were widespread reports — including posts in the Windows Secrets Lounge — that it was causing system hangs during installation. To regain access to their machines, the affected users had to do a hard reboot or manually stop the Windows Update service.

Not surprisingly, Microsoft quickly recalled the patch but then reissued it the next day.

What to do: If you have Windows Update set to automatic, I hope you were able to regain control of your computer quickly. But given Microsoft’s recent spate of bad patches, I suggest you set Windows Update to “Download updates but let me choose whether to install them.” If KB 3001652 shows up in Windows Update, I suggest putting it on hold for a couple of weeks.

MS15-009 (3021952)

Back to our regular routine of browser patching

One of the surprises in January’s Patch Tuesday was the absence of a monthly Internet Explorer cumulative update. (There was, however, an Adobe Flash Player update for IE 10 and 11.)

February’s cumulative IE update includes fixes for 41 reported vulnerabilities — one public and 40 private. Even with that, there’s a cross-script vulnerability that’s still unresolved, as detailed in a recent blog post that’s still outstanding. The update is rated critical for all supported Windows workstations.

This round of IE updates is a bit more complicated than usual for those who manually download and install patches. If you’re running IE 9 or higher, you must first install KB 3021952; KB 3034196 will then show up in Windows update and you’ll be fully patched. (See MS15-009 for the appropriate link to the Microsoft Download Center page.)

On Windows 8.1 systems, you might also see KB 3023607 and KB 3036197 — possibly not in Windows Update but later in Control Panel/View installed updates. The patches add enhancements to IE 11 that prevent insecure fallbacks to SSL 3.0 for Protected Mode sites — essentially protection from POODLE attacks (more info).

IE 11 users should have also received KB 3021953, an update for IE’s built-in Flash Player, released Feb. 5.

And while you’re at it, ensure your Chrome browser is up to date; as noted in the Feb. 10 Chrome Releases post, Version 40.0.2214.114 includes 11 security fixes.

What to do: Whether you use IE as your primary browser or don’t, it’s vital that you stay current with IE’s cumulative updates. Install KB 3021952 (MS15-009) when offered. Add any of the related patches noted above if they show up in Windows Update.

MS15-010 (3013455, 3023562)

Attacking the kernel via TrueType fonts

The two patches in MS15-010 fix six vulnerabilities in the Windows kernel. Rated critical, KB 3013455 patches a vulnerability that could allow remote attacks on Windows systems. The patch fixes the way the kernel validates or error-checks objects such as TrueType fonts. A related patch, KB 3023562, fixes a Windows security feature and is rated important.

Unfortunately, after installing KB 3013455, some Vista, Windows Server 2003, and Server 2008 systems showed degraded font quality, as reported in a Windows IT Pro story and Microsoft Community posts. Microsoft is researching the issue and will reportedly follow up when — or if — it finds a solution.

What to do: I’m sticking with my usual kernel-update policy: put KB 3013455 and KB 3023562 (MS15-010) on hold for a couple of weeks. Microsoft might reissue the former.

MS15-012

A slew of security updates for Office

A bunch of security updates for Office address just three privately reported vulnerabilities. Opening a malicious Office file could give a remote hacker the same rights as the user. All of the following updates are rated important.

You won’t see all of these patches; what shows up in Window Update will depend on the version of Office you have installed. Nevertheless, you might see updates for both Office 2007 and 2010; install them both, if offered.

The February Office security updates in MS15-012 include:

• KB 2920753 – Excel 2013
• KB 2920788 – Excel 2007
• KB 2920791 – Excel Viewer 2007
• KB 2920810 – SharePoint Server 2010
• KB 2956058 – Office 2010
• KB 2956066 – Word 2010
• KB 2956070 – MS Web Applications
• KB 2956073 – Office 2010
• KB 2956081 – Excel 2010
• KB 2956092 – Word Viewer
• KB 2956097 – Office Compatibility Pack SP3
• KB 2956098 – Office Compatibility Pack SP3
• KB 2956099 – Word 2007

What to do: Install any of the above Office updates offered (see MS15-012 for more info).

MS15-013 (2910941, 2920748, 2920795)

Office protection needs some protection

By itself, the Office vulnerability patched by the three updates in MS15-013 isn’t much of a threat. If a user opens a malicious Office file, an attacker might be able to trick Office into bypassing Windows’ ASLR security feature (more info). But the flaw could be used with other exploits to do some serious damage.

The updates are rated important and include:

• KB 2910941 – Office 2013
• KB 2920748 – Office 2010
• KB 2920795 – Office 2007

EMET 5.1 will help prevent this type of attack.

What to do: Install KB 2910941, KB 2920748, or KB 2920795 (MS15-013) when offered — even if you have EMET running.

MS15-015 (3004375, 3031432)

Taking on admin rights via an obscure process

Attackers love to find novel ways to wiggle into systems. Using a privately reported flaw in Windows, an attacker could acquire administrator credentials if a Windows process is using “SeAssignPrimaryTokenPrivilege,” a system privilege value (more info).

Rated important, KB 3031432 applies to all current Windows machines except Vista and Server 2003. The update changes the way Windows validates impersonation events.

PCs running Win7, Server 2008R2, Windows 8, and Server 2012 should also see KB 3004375, an update to the Audit Process Creation policy that can help monitor and troubleshoot security problems. (If you manually install updates from the MS Download Center, be sure to install both KB3004375 and KB 3031432.)

What to do: Install KBs 3004375 and 3031432 (MB15-015) when offered.

MS15-016 (3029944)

Windows vulnerable to malicious TIFF images

Image files have always been a popular avenue of attack. KB 3029944 patches potential exploits using malicious TIFF files embedded on websites. The patch is rated important and applies to all current versions of Windows.

This vulnerability will not let an attacker execute malicious software or gain more rights. But it could be used to obtain information that might help further compromise a system via blended attacks.

What to do: Install KB 3029944 (MS15-016) when offered.

MS15-011 (3000483), MS15-014 (3004361)

Hardening Group Policy in domain settings

Two updates are primarily for systems connected to domains — typically business machines on large networks. In fact, only PCs connected to domains or active directory networks should see critical update KB 3000483. All supported Windows systems should receive KB 3004361, rated important.

KB 3000483 patches a Windows vulnerability that could allow remote attacks if a hacker tricks a user into connecting to a malicious network. For admins, the patch should require testing and manually setting SMB policies. I recommend reviewing a Feb. 10 Security Research and Defense Blog post for more details.

PCs on peer-to-peer networks typically don’t use Group Policy, so they’re not at risk.

What to do: Install KB 3000483 (MS15-011) and/or KB 3004361 (MS15-014) if offered.

MS15-017 (3035898)

Microsoft’s Virtual Machines Manager at risk

The last February security update applies only to machines using Virtual Machine Manager. If you do, look for KB 3035898, which fixes a flaw that could give an attacker elevated rights. Because the attacker would have to use a valid sign-in, the patch is rated important.

What to do: Click over to MS15-017 for more information on KB 3035898.

February’s bulky list of nonsecurity updates

Making up for an extremely light January, Microsoft pumped out a long list of Office updates — as usual, mostly for Office 2013. (Office 2013 must be the most-patched suite Microsoft has ever released.) For the official list of Office updates, see the Feb. 10 TechNet blog post. February’s nonsecurity fixes for workstation applications include:

Windows 7

• 2952664 – Compatibility update for upgrading Win7
• 2977759 – Compatibility update for Win7 RTM
• 3004394 – Reissued root-cert update (last seen in December)
• 3005788 – Printing preferences hidden
• 3021917 – Windows 7 SP1 performance review

Windows 8 and 8.1

• 2955808 – VPN connection failure
• 2976978 – Compatibility update
• 3008273 – Automatic update of Win8 to Win8.1
• 3016074 – Windows activation issue
• 3019868 – APN database update for Velcom (Belarus)
• 3020338 – Line-of-business app failure after installing KB 3006226

Office 2007/2010

• 2589387 – Project; task status change
• 2880522 – PowerPoint Viewer; “Align Selected Objects” and “Align to Slide” command issues
• 2899588 – Excel Web App; hidden cells unhide
• 2956054 – Office; OnChange event issue
• 2956075 – OneNote; improved localization
• 2956079 – Outlook 2010; junk-mail filter
• 2956096 – Outlook 2007; junk-mail filter
• 2956128 – Outlook 2010; MAPI over HTTP
• 2956129 – PowerPoint; “Align Selected Objects” and “Align to Slide” command issues

Office 2013

• 2827223 – Access; “INSERT INTO” VBA command issue
• 2880977 – OneDrive; various fixes
• 2889846 – PowerPoint; various fixes
• 2910921 – Office App Store; various fixes
• 2910930 – Access; printing doesn’t start
• 2920732 – PowerPoint; various fixes
• 2920735 – OneDrive; various fixes
• 2920739 – OneNote; improved localization
• 2920740 – Office; improved Catalan proofing tools
• 2920742 – Office; various fixes
• 2920745 – Office; various fixes
• 2920746 – OneDrive for Business; various fixes
• 2920752 – Outlook; junk-mail filter
• 2920769 – Office; improved text clipping in RichEdit field
• 2920798 – Office; various fixes
• 2956085 – Word; improved localization and various other fixes
• 2956087 – Outlook; various fixes
• 2956102 – Office; Power Viewer report issues

Other updates

• 2883048 – Publisher 2013; improved localization
• 2920744 – Lync 2013; various fixes
• 2920800 – Visio 2013; improved localization and performance
• 2956091 – Project 2013; various fixes

What to do: Put all nonsecurity updates on hold until the next Patch Watch. I’ll report back on any problems that pop up.

Regularly updated problem-patch chart

This table provides the status of recent Windows and Microsoft application security updates. Patches listed below as safe to install will typically be removed from the table about a month after they appear. Status changes are highlighted in bold.

For Microsoft’s list of recently released patches, go to the MS Security TechCenter page.

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.

How to avoid Win7/Win8 dual-boot hassles

There are several ways to run both Windows 7 and Windows 8 on the same PC, but some methods are significantly easier — and safer — to set up.

Plus: A disappointing Secunia PSI failure and free, pro-quality tutorials for PowerShell, the apparent successor to the classic command window.

Why is my dual-boot, Win7/8 setup failing?

A dual-boot — or more accurately, multi-boot — configuration lets you install two or more operating systems on the same PC, though you can run only one at a time. Although Windows supports dual-booting, the technique has severe restrictions and limitations — as reader Viraf Chinoy discovered.

• “I have a 64-bit Win 8.1 Pro system with a 256GB solid-state drive (SSD). Everything’s been working fine.

  “Recently, I purchased a second SSD (128GB), and I want to install 64-bit Win7 Ultimate on it.

  “Changing the SSD in BIOS, I was able to install Win7 in the 128GB SSD. But now I’m getting all types of errors during boot. Win7 never completely boots — it just hangs. (Win 8.1 Pro is still working.)

  “Can you please help me configure my system so I can boot either OS without problems or clashes?”

Sure, Viraf. But I’m also going to try to talk you out of using a dual-boot setup. There’s a much better way.

First, here’s help for solving dual-boot problems.

Windows has a built-in boot manager that determines how and when Windows takes control of a PC’s hardware during startup. All Windows boot managers support dual-booting.

There are also many third-party boot managers/boot loaders; a Web search will show you dozens. But for simplicity, I’ll limit this discussion to Windows’ own.

As you might suspect, the boot manager must reside on the primary drive (usually C:). From there, it controls the boot process for the entire PC. To select the OS you want to load, it’s not necessary to change BIOS settings or do anything weird. The boot manager handles all of that for you. You can easily select an OS, even if it’s installed on another drive.

But here’s the catch. When you’re using Windows’ boot manager, the oldest operating system must be the first OS installed on the primary drive. The newer OS can then be installed on another partition or drive.

The reason for this procedure is backward compatibility. Starting with Win7, when Windows is installed for the first time, the setup process creates hidden partitions such as System Reserved or Recovery. These special partitions contain the boot manager and other needed system startup and/or recovery files. (The hidden partitions don’t get a drive letter — you won’t find them by using Windows/File Explorer. You will, however, see them in Windows’ Disk Management applet. You should normally never delete these hidden partitions.)

Windows 8 has numerous advanced system-boot functions such as Secure Boot, Fast Boot, Trusted Boot, Early Launch Anti-Malware (ELAM), and so on. These functions didn’t exist when Windows 7 was created. So Win7 is unable to recognize the files and partitions that enable these Win8 features. (For more information on Win8-specific boot features, see the Dec. 11, 2014, Top Story, “How to solve UEFI boot and startup problems.”)

In short, if you add Win7 to a Win8 dual-boot setup, there’s a good chance it won’t work — it might even make a mess of your system as Win7 overwrites, alters, disables, or otherwise mucks up the Win8 startup files.

On the other hand, Windows 8 knows how to coexist with Win7. It knows all about Win7’s boot methods, so if you add Win8 to a Win7 setup, it’ll recognize the Win7 startup files and leave them alone.

So that’s your answer, Viraf. If you’re going to dual-boot Win7 and Win8, you have to start with Win7.

That’s not going to be an easy or quick process. You’ll have to reformat both drives and then install Win7 from scratch on the system’s boot SSD, so you have a clean System Reserved partition. Only when Win7 is operating properly can you add Win8 to your second SSD and set up dual-booting. The instructions on the Microsoft page, “Install more than one operating system (multiboot),” tell you how.

If you’d like more detailed help, see Lincoln Spector’s “Setting up a Win7/Win8 dual-boot system” (April 11, 2013, Best Practices). For a third-party disk-management alternative, see the EaseUS free, step-by-step instructions in “How to dual boot Windows 7 and Windows 8.”

With that said, let me talk you out of a dual-boot setup.

That reinstallation process is especially problematic on a new system that comes with Windows 8. Along with the C: partition, your Win8 PC probably contains several hidden partitions. There’s likely an EFI partition that contains the low-level code that drives the advanced boot features mentioned earlier (i.e., Secure Boot, Fast Boot, Trusted Boot, Early Launch Anti-Malware, and so forth).

It’s also likely that your original SSD includes a separate Win8 recovery partition plus possibly an additional OEM (factory) recovery partition.

Reformatting the C: drive will probably destroy all these partitions. You might lose access to Win8’s UEFI boot functions; you might also lose your Windows or factory-level system-recovery files — unless you’ve made a full set of recovery disks or otherwise backed up the complete system configuration, including the hidden partitions. (Deleting an OEM Recovery partition could void your warranty.)

Given those and other dual-boot issues, what’s the better alternative? In short, a virtual PC.

Setting up a virtual PC (VPC) completely avoids the “oldest OS first” dual-boot limitation. You also don’t have to possibly forego any of Win8’s advanced boot-time features just to run an older OS.

A virtual PC (or virtual machine — VM) is a desktop computer that’s fully emulated in software. An operating system installed on a VPC will assume it’s running on a normal, physical system — but it’s not; it’s running inside protected-memory space on the physical (host) system. (VPCs are also referred to as guest systems.)

Simply put, the VPC runs as an application inside the host PC. Both the VPC’s operating system and the host system’s OS can run at the same time. You can quickly move from one OS to the other — there’s no time-consuming shutdown-and-reboot process required to switch operating systems. (Remember: A dual-boot setup allows only one running OS at a time.)

A VPC’s emulation software masquerades as the BIOS, motherboard, hard drive, CD drive, display adapter, network card, and other essential hardware components of a physical machine. That effectively isolates quest-system problems from the host machine. If something goes wrong with the VPC’s operation, the host PC generally won’t even notice.

For these and other reasons, I believe a VPC is the simplest, easiest, and safest way to run one or more additional operating systems on a Windows PC.

In your case, Viraf, I suggest you leave your Win8 system alone — don’t change how it boots at all. Instead, read the VPC-related stories listed below and then install the virtual-machine software of your choice. (I’m assuming your PC meets the requirements for running VPCs — most new systems do.) Like most Windows Secrets contributors, I use Oracle’s free VirtualBox (site).

Launch your VPC software and set up Win7 as a guest OS. (A VPC is also a safe way to try Windows 10 or experiment with Linux.) Assign its virtual-hard-drive space to your secondary SSD. That’ll keep Win8 on your C: drive and put Win7 on the second drive — just as you requested. Your system will always boot to Win8; and when you want to run Win7, just launch the Win7 VPC.

Although Windows Secrets hasn’t specifically covered setting up a Win7 VPC, the process is much the same across Windows versions, so these articles should point the way:

• “How to safely test-drive Win10 — step by step” – Oct. 16, 2014, Top Story
• “Step by step: How to safely test-drive Win8” – March 14, 2012, Top Story

If you run into trouble, see the Oct. 23, 2014, LangaList Plus column, “Solving problems with VirtualBox virtual PCs.”

And if you have Win8 Pro or Enterprise, you might want to check out their built-in VPC client — Hyper-V. See the following Microsoft resources:

• “Run virtual machines on Windows 8.1 with Client Hyper-V” – help page
• “Client Hyper-V” – TechNet page

Whichever VPC you use, the end result will almost surely be simpler, safer, and far more convenient that anything you could do with dual-booting!

App updater Secunia PSI not working properly

Keeping your applications current is an important part of safe computing. It reduces vulnerabilities and helps protect you from relatively new exploits. (Software updating typically won’t help block zero-day threats.)

Secunia PSI (free; site) is an application and service that periodically scans your PC for outmoded software versions. If a program containing known vulnerabilities is found, PSI alerts you — in some cases, it’ll even offer to download and install a newer version of the program.

Secunia PSI usually works reliably; but like all software, it can have trouble with some PC configurations and system changes, as Wayne Wert discovered.

• “For many years, I’ve subscribed to Secunia PSI. But several months ago, it stopped working for me.

  “Secunia acknowledged the problem in a blog but offered no cure. It simply stated it was looking for a fix.

  “Here’s my problem: When I click the Secunia icon, either in the file folder or on the taskbar, a message instantly pops up — saying that the computer can’t connect to the Secunia HTTPS webpage. When I try the given HTTPS address, the computer immediately drops to an HTTP (no S) address.

  “I’ve not tried removing any Windows Updates, to see if the problem goes away. I want the updates, and I’ve never had trouble with them.

  “Is there a fix for this? Or is there another company’s program that serves the same general purpose as Secunia PSI?”

Have you tried connecting to other https sites? If you have the same problem elsewhere, then it’s not a Secunia issue. More likely, it’s a problem with your browser or networking setup.

But if the problem is indeed restricted only to Secunia PSI connections, then I agree: PSI simply is unable to work properly on your system. Unfortunately, I don’t know of any fixes.

However, there are alternatives.

The two best options I recommend are CNET’s free Download App (formerly called TechTracker; site) and FileHippo’s free App Manager (site).

Note, however, that Secunia PSI is a safety-oriented app; it flags only software with known security issues. On the other hand, CNET and FileHippo are in the general download business — their tools look for almost any excuse to suggest software upgrades. They typically flag software as “out of date” based on version number, not on whether there’s a newer version that includes security improvements.

In fact, this chasing-version-number approach can lead to the unnecessary churning of your software and drivers. Newer software isn’t always better!

So if you switch to something other than Secunia PSI, use caution. Make a backup before running any update tool, and carefully read each tool’s dialog boxes before you agree to proposed changes.

For more information about updating software and services, see the July 26, 2012, Top Story, “Software that updates your other software.”

Also, the Feb. 21, 2013, LangaList Plus column, “How and when to update your system’s drivers,” might help.

Freebie of the week: Windows PowerShell tutorial

Windows PowerShell is a scripting environment that combines the immediacy and convenience of traditional command-line tools with the flexibility and adaptability of a higher-level programming language.

PowerShell’s been around since 2006, but it seems that Microsoft is just now getting serious about the tool. For example, Windows 8.1 systems might default to PowerShell instead of the classic Command window or “DOS Box.”

To its credit, Microsoft is being gentle about the transition. If PowerShell is the default option (for example, when you open the advanced Windows key + X menu), the classic Command Prompt can be restored by ticking a simple checkbox. Right-click an empty spot on the taskbar, click Properties, and then select the Navigation tab. Uncheck Replace Command Prompt, as shown in Figure 1.

Figure 1. In Win8, it's easy to select either the classic Command Prompt or Windows PowerShell as your default command-window tool.

It seems fairly clear that the classic command prompts, batch files, and other system tools of yore are on the way out. PowerShell and its successors are the future. Consequently, I’ve been taking a belated dive into PowerShell, learning how it works and how to use it.

If you’re interested in learning along with me, these are the best free PowerShell learning resources I’ve found so far:

• “Getting started with PowerShell 3.0 Jump Start” – a free Microsoft Virtual Academy course
• “Windows PowerShell scripting” – a free TechNet library of PowerShell-related webcasts, articles, guides, sample scripts, and so forth
• “PowerShell Tutorial Online” – a free site aimed mainly at scripting beginners
• “A beginner’s introduction to Windows PowerShell” – site; free, but registration requested
• “PowerShell Pro!” – site; free, though it’s best if you already know a bit of VBScript.

If you open command windows from time to time, or you write batch files to control PC operations, you’re probably going to need to know PowerShell at some point. Why not learn now — for free?

Getting informed about cloud storage

Lounge member georgelee needs more storage for photos and is looking for information on cloud storage — info mostly about OneDrive.

Like almost all software and technical services, cloud-storage capacities and costs are evolving rapidly. It’s a topic ripe for discussion.

Join the session in the Windows 8 forum to see what fellow Loungers think about OneDrive — and what storage strategies they use instead of or in addition to filing cabinets in the cloud.

The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:

Office Applications
General Productivity	Office 2013 Click-to-Run automatic updates
Word Processing	Word template problems
Spreadsheets	The road to infinity
Databases	Merge to Word hyperlink format
Presentation Apps	VBA code to change all boxes in SmartArt hierarchy-chart graphic
Visual Basic for Apps	Tips in Word Hacks not working
Microsoft Outlook	Send email using Excel
Non-Outlook E-mail	Thunderbird opens some messages in new window, not in message pane
Windows
General Windows	How to lock numeric keypad on in Windows 7 and 8?
Windows 10	Can’t install Win10 Preview on original Surface Pro
Windows 8	Opinions on OneDrive for photo storage
Windows 7	Question about host file
Windows Vista	How to enable Vista SP2 Windows error reporting?
Windows XP	XP Home reinstall
Internet/Connectivity
Internet Explorer	Is FromDocToPDF Internet Explorer toolbar useful?
Third-Party Browsers	Firefox waffles
Networking	Extend Wi-Fi using second router
Social Media	Facebook birthdays
Software Development
Web Design & Development	JavaScript to send System Exclusive File to synthesizer
Other Technologies
Security & Scams	Opinions about Symantec Norton Security?
Maintenance	Backups
Hardware	Power options
Other Applications	How to fix Google Talk problem?

starred posts: particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right into today’s discussions in the Lounge.

Work fun: No place like a farm in Kansas

“We have happy cows in Kansas,” says Farmer Derek Klingenberg. Maybe so. After you see his Cow Art video, you might believe Klingenberg contributes a measurable boost to elevated bovine mood — or at least to the banishment of cow boredom on his section of the Great Plains. With the help of his tools — a feed truck, a drone, a computer, and his herd of cows — he’s clearly entertaining himself, too. Click below or go to the original YouTube video.

A tour through Windows Process Explorer: Part 2

One of Microsoft’s excellent Windows Sysinternals tools, Process Explorer, lets you dig deep into the code running in Windows.

Process Explorer was designed for IT pros, but anyone with relatively advanced Windows skills can use it to diagnose software issues.

Part 1 of this two-part series gave a general overview of what’s in Process Explorer. In Part 2, I show how to use the utility to troubleshoot Windows and even help hunt down malware.

Understanding what Process Explorer reports

As noted in Part 1, Process Explorer (site) provides an extraordinary amount of information about what Windows is doing and which software is currently running. It goes well beyond what Task Manager reports, showing not just which applications are running but also how they’re linked to one another.

But as I also stated in Part 1, deciphering Process Explorer’s data can be a daunting process. If you’re not already familiar with what’s under the Windows hood, you’ll need some time to learn how to use this powerful utility.

For the individual PC user, Process Explorer is perhaps most useful for finding software that should not be running. This could be background applications that are taking up system resources or malware that tries to stay mostly out of sight.

For example, I noticed two Bluetooth programs running, yet I don’t have any Bluetooth devices attached to my machine. I also used Process Explorer to hunt down an app called Driver Booster — an unwanted program that was inadvertently loaded onto my machine and that kept installing itself.

There’s a reason for Process Explorer’s name. All running applications are built of processes and threads. As a Microsoft MSDN page states:

“An application consists of one or more processes. A process, in the simplest terms, is an executing program. One or more threads run in the context of the process. A thread is the basic unit to which the operating system allocates processor time. A thread can execute any part of the process code, including parts currently being executed by another thread.” (For a more detailed explanation, see the MSDN page, “About processes and threads.”)

Keep in mind that an application might appear to be closed or even uninstalled. But its processes are still running in the background. Process Explorer gives you the tools to find those processes and the location of their code on the hard drive; it can tell who created the code and much more. With that information, you can then decide whether to kill the app’s processes and thoroughly clean the software off your system.

The aforementioned Driver Booster was an example of software that I thought I’d removed but that seemed to still be running. I was surprised when I checked my notification area and discovered that Driver Booster was still present, even though a search of my hard drive indicated it had been removed from the system. After a restart, it was still there. (If you have Driver Booster on your system, and you’re having trouble getting rid of it, check out a Blogspot tutorial.)

A sometimes long process of discovery

As noted in Part 1, Process Explorer opens with a long list of running processes (see Figure 1). The key to using the utility is finding the correct process and determining what it’s for.

Figure 1. Process Explorer opens with a long list of running processes (programs).

The utility has a feature — Process/Search Online (Ctrl + m) — that seems to be a good starting point for Web information about a particular application such as Drive Booster and its associated processes. But Process Explorer loaded a blank webpage. For a colleague of mine, the same command opened a Google search with the name of the application.

Wanting to know more about Drive Booster, I launched Google and entered the query: “block driver booster download advanced system care.” That turned up several items, including an article titled “IOBit sucks at ethics” that contained a link to a Techdows article about IObit installing software without user consent. It also named several unwanted programs that were installed on my system when I bought IObit’s Advanced System Care 7 PRO.

Finding and killing a particular application can take some time and requires drilling down into process information. For example, many of the processes listed are the somewhat obscure srvhost.exe, a process that hosts other processes. Hovering your cursor over these will pop up a box with additional information.

Many processes also have subprocesses, which you may have to look through. Process Explorer’s hierarchical tree structure makes this easier.

Process Explorer lets you see the entire directory path of a program’s processes. For example, when Camtasia Studio is running, I have two ways to see its full path. Clicking Process/Properties pops up the dialog box shown in Figure 2. Other property tabs provide a wealth of additional information about the process.

Figure 2. Process Explorer's detailed information on Camtasia Studio's properties

The other method is to click View/Select Columns, which brings up the dialog box shown in Figure 3. Select the Command Line option and click OK.

Figure 3. Use the Select Columns dialog box to filter process information.

The process’s path now displays in the process’s row in the main Process Explorer window (see Figure 4).

Figure 4. Process Explorer displaying company name and file location for a process

Knowing the location of the root file for a particular process can help determine whether it’s legitimate. For more information on what a particular process does, your best bet is to simply search its name with your preferred search engine. But several sites — such as tasklist.org and Neuber Software’s “Common Windows processes” list — can also give you a jumpstart.

Finding and killing malware hiding in Windows

Some older malware programs are relatively easy to identify and remove from your computer. But newer malware can be adept at evading removal. For example, let’s say you have two processes which you’ve identified as malware by using Process Explorer. You kill one (using Process/Kill Process) and then scroll down the list, find the other process, and kill it. But when you return to the top of the list, the first process is now running again. What happened?

Working together, each process checks many times per second to ensure the other one is still running. If one or the other isn’t, it’s brought back to life. The solution is to use the Suspend (Process/Suspend) option. With both processes paused and no long able to check the other, you can now kill them both.

If you have annoying popups active on your computer, Process Explorer can help you find out how they’re being launched. On the Process Explorer toolbar, locate the Find Windows Process icon (highlighted in Figure 5). Click and hold your mouse button, then drag the tool over the popup window. Process Explorer will immediately highlight that executable in a turquoise color so it’s easy to find.

Figure 5. Use the Find icon to locate specific processes.

The sheer number of running processes — well over 100 on a typical Win7 system — can also make it hard to locate malware. Knowing what’s legitimate and what’s suspicious requires knowing what the various processes are doing.

Process Explorer’s color coding, in conjunction with the company-name field, helps with that discovery task. The color purple, for example, denotes a packed, or compressed, executable. This could be a virus; compression makes it difficult if not impossible for antivirus heuristics to detect malicious code. The company field is something that typically appears when software is digitally signed; it isn’t something that randomly appears. Malware is not likely to sign a company name.

If you want to dig really deep into a particular process, the Properties dialog box will probably tell you more than you want to know. For example, Figure 6 shows just one tab for the Winword.exe process.

Figure 6. The Properties option offers an extraordinary amount of information about any process.

To open the properties dialog box, go to Process/Properties. I recommend starting with the Strings tab. Unless you’re a true Windows expert, much of the information listed will look like gibberish. But you can find information such as related Web links (highlighted in Figure 6) that can help identify malware. You might find out more about listed URLs with an online search.

Process Explorer can also be helpful when you’ve deleted a virus — or thought you had. You might find a DLL file used by the virus that you can’t remove because the DLL is in use. Process Explorer will give you the process ID and the executables associated with the DLL. (A DLL contains a library of code; it’s not something you can launch.)

For example, the DLL might point to Internet Explorer, which is open. You’d then know that the malware had infected Internet Explorer. At that point you’d kill Internet Explorer and then delete the DLL.

You can also search for any DLLs that are in memory. To do so, click Ctrl + f; then enter the handle or DLL substring and click Search.

Catching (and killing) a pernicious virus

Making use of the Strings tab can be really useful for catching malware as it infects your system. Take, for example, the Crypto#*locker (intentionally misspelled) malware. You can set up process alarms that will, for instance, alert you to sudden, sustained disk activity.

Crypto… is smart; it doesn’t tell you you’re infected until it has finished encrypting everything. Most people won’t realize what’s happening until it’s far too late. But if you have intimate knowledge of what’s going on with your machine, you have a better chance of noticing the unusual activity — that your hard drive is suddenly working extremely hard. It would be especially noticeable if you had only a couple of programs open and no virus scan running.

With Process Explorer open, you’ll quickly be able to see that an unknown executable is running. It’s not likely to be digitally signed, and — again — there’ll be a lot of hard-drive activity. You should be able to put two and two together and start looking for the running virus. The next step is to suspend the executable. That stops it from encrypting, and the process is all in memory. (However, if a file has already been encrypted, you won’t be able to open it.)

To access any encrypted files, click Process/Properties and select the Strings tab. Next, comb carefully through the Strings window, looking for the encryption/decryption key — which obviously you’ll want to copy and save. As soon as Crypto… is finished doing its dirty work, it sends the key to the Crypto… server and then drops it out of memory. So you have to catch the key quickly. If you miss it, the key will no longer be present on your computer and you’ll be locked out. (Expect a ransom demand soon after.)

Originally, this was all unnecessary if you had recent backups of your files. Unfortunately, Crypto… has changed the way it works. It encrypts and decrypts your files as you use them over some number of days. When Crypto… finally reveals itself, even your recent backup files might be encrypted. It gets worse: there are now Crypto… clones in the wild.

(A tip of the hat to Tektegrity’s Joshua Erdman, who took the time to explain how this particularly pernicious malware works and provided guidance on using Process Explorer.)

A product never meant for mainstream use

Process Explorer is a powerful tool, but it’s not without flaws. One is the aforementioned Ctrl + m option for getting online information about specific processes. In my research, it didn’t work on one machine, but it did on another — running a Google search as it should. As noted in Part 1, the help tool would not provide information on the color coding–selections options.

Those are admittedly rather minor issues. When searching for malware, one of the challenges — which Process Explorer does not address well — is identifying programs that quickly launch and then switch off. That’s typical behavior for viruses. A process of this type could be used to reinfect your computer with the malware that has, in theory, been deleted. (As noted in Part 1, the Options/Difference Highlighting Duration option can give you a bit of time to access a process that’s switching off.)

However, using Process Explorer in conjunction with other tools such as Windows Autoruns — a sort of sysconfig on steroids — can give you a better chance of identifying malware that opens and closes rapidly. I’ll discuss Autoruns in an upcoming article.

(Another tool for hunting malware is Windows Process Monitor, which monitors a process and shows you every file it accesses on the hard drive.)

If you’d like to share your Process Explorer tips, use the Windows Secrets Lounge link below.