Jun 15 2010

There are many uses for Process Explorer, the Sysinternals tool now maintained by Microsoft (the screenshots and the download link below are for Process Explorer, not its sibling Process Monitor).  One such use is to see which process has loaded a particular DLL, where that DLL was loaded from, and which version it is.

First of all, you can download Process Explorer from this link:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

You can run the same binary on either an x86 or x64 system.  When you run it on an x64 system, the x86 executable extracts an embedded x64 .exe and launches that instead, which is quite neat, and it is why you only ever download one file.

The main interface looks like this :

[screenshot: process-explorer-1]

You’ll see all sorts of useful information, such as the company each binary belongs to (taken from its version resource), process IDs, memory usage (private bytes), CPU usage and so on.

You can get more information by enabling the lower pane (View > Show Lower Pane) and choosing Handles or DLLs as the lower pane view.  This is what the DLLs view looks like:

[screenshot: process-explorer-2]

[screenshot: process-explorer-3]

You can also find out which process loaded a particular DLL, using Find > Find Handle or DLL (Ctrl+F).  For example, searching for EVRT.DLL gives you:

[screenshot: process-explorer-4]

And if you search for EVSTGAPI.DLL you will see this:

[screenshot: process-explorer-5]

Note: I clicked on the entry listed, and the lower pane gives some version information; more is available if you right-click the entry in the lower pane after closing the search and bring up the Properties page.
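The same search can be scripted.  The following is an added example, not code from the original post or from Sysinternals: it walks every process, looks for a DLL by file name in its module list (what the Find Handle or DLL dialog does), and reports the path, file version and company that the DLL Properties page shows.  It assumes a 64-bit PowerShell on an x64 system (a 32-bit PowerShell cannot read the module list of 64-bit processes, so those are skipped and logged), run elevated if you want other users' processes included.  The DLL name EVRT.DLL is carried over from the screenshots above purely as an illustration.

```powershell
# Added example (not from the original post): programmatic "Find DLL" with
# version information, using the .NET Process.Modules API.
#
# Assumptions: 64-bit PowerShell on x64 Windows. Processes whose module list
# cannot be read (access denied, protected processes, or a 32-bit PowerShell
# looking at a 64-bit process) are skipped and reported with -Verbose.

function Find-LoadedDll {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DllName,          # file name only, e.g. EVRT.DLL (case-insensitive)

        [switch]$CheckSignature    # also run Get-AuthenticodeSignature on each hit
    )

    foreach ($p in Get-Process) {
        try {
            $modules = $p.Modules
        } catch {
            # Typical causes: access denied (protected or other-user process),
            # or a 32-bit PowerShell trying to inspect a 64-bit process.
            Write-Verbose ("Skipping PID {0} ({1}): {2}" -f $p.Id, $p.ProcessName, $_.Exception.Message)
            continue
        }

        foreach ($m in $modules) {
            if ($m.ModuleName -ine $DllName) { continue }

            # FileVersionInfo is what Process Explorer's Properties page displays.
            $vi  = $m.FileVersionInfo
            $hit = [ordered]@{
                PID         = $p.Id
                Process     = $p.ProcessName
                Path        = $m.FileName      # same name, different path = worth a look
                FileVersion = $vi.FileVersion
                Company     = $vi.CompanyName
                Description = $vi.FileDescription
            }

            if ($CheckSignature) {
                # A DLL loaded from an unexpected directory, or with a signature
                # status other than Valid, is the classic DLL-hijacking tell.
                $sig = Get-AuthenticodeSignature -FilePath $m.FileName
                $hit.Signature = $sig.Status
                $hit.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }

            [pscustomobject]$hit
        }
    }
}

# Usage: every process that has EVRT.DLL loaded, with version, signer and path.
Find-LoadedDll -DllName 'EVRT.DLL' -CheckSignature -Verbose |
    Sort-Object PID |
    Format-Table -AutoSize
```

Two things the GUI does not make obvious are worth checking in the output: the Path column, because the same module name loaded from two different directories in two different processes usually means a side-by-side copy or a planted DLL, and the Signature column, which should read Valid for anything from a vendor that signs its binaries.  For a quick name-only answer without version details, the built-in `tasklist /M EVRT.DLL` also lists the processes that have a given module loaded.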

