.NET - Deep Troubleshooting using Process Explorer

Owned by Saar Avishai (Unlicensed)
Last updated: Mar 07, 2021 by Marc Amouyal

Process Explorer is a debugging tool included in the Sysinternals suite. It can be used to diagnose and troubleshoot errors in coverage collection for processes.

Downloading Process Explorer

The Process Explorer can be downloaded directly from the Microsoft website.

Installing & Running the Process Explorer

  1. Extract the ProcessExplorer.zip file into a folder to which you have permissions.

  2. Right click on procexp64.exe and select “Run as Administrator”

     

If you are running on a 32bit machine, perform step 2 for procexp.exe

Process Explorer - Main UI

Once Process Explorer has started, you will see a list of all the processes currently running on the machine, along with basic diagnostic information.

For easier navigation, it is recommended to sort by Process name. This is done by clicking on the “Process” column.

Process Explorer - Identifying an IIS application

In this step-by-step walkthrough, we will examine an IIS application.

The same steps will apply for any process coverage should be captured from.

The process running IIS in most cases is called w3wp.exe. We will look for it in the list of processes, normally it will be spawned under a “svchost.exe” process:

For .NET Core applications, the process name is usually “dotnet”

Once we’ve found the process, we will right click and select “Properties” to get a deeper look in its configuration.

The “Image” Tab

In the default tab, we can see basic information about the process:

It is important to note the following:

  • -ap from the Command line field (IIS Application Pool name) - DefaultAppPool

  • Parent process - svchost.exe with PID 6764

  • Image - 64 bit

  • Start time - 8:41:35

The “Environment” Tab

This tab shows all environment variables the process started with.

The variables relevant to SeaLights have been marked in the following screenshot:

Ensuring the above environment variables are correctly configured, should spawn the Profiler component which actually does the coverage collection.

Identifying a Windows Service

Windows Services are diagnosed the same way as described before with IIS, except they are spawned by the services.exe process.

In the following example, Demo.exe is the service being monitored:

 

Viewing DLLs currently in use by a process

By using this functionality we can ensure the SeaLights profiler library is actually being used by the process we wish to monitor.

First, we highlight the process from which coverage should be collected.

In this case, we are referring to the same w3wp.exe in the previous steps.

Then, we click on the “View DLLs” icon, like below (you can also use Ctrl+D, like prompted):

This will open a toolbar at the bottom of the UI:

Sorting this list by “Path” will help us identify the SeaLights profiler DLL more easily.

This validates the SeaLights profiler is hooked into the IIS process, enabling coverage collection.

Searching for SeaLights components currently running on the machine

Using the “Find Handle or DLL” feature allows us to search for SeaLights components across all processes currently running.

Simply open the prompt and type SeaLights in the search bar.

The displayed results represent all instances of SeaLights binaries currently in use by processes running on the machine:

In this case, there are the SeaLights DLLs currently in use by IIS, like we saw in the previous step (red).

There are additional binaries currently in use by the Coverage Collection service (orange).