
Take Control!™ Personal Edition

For Windows® XP, Windows® 2000, and Windows NT®

Feature Guide

Version 1.03

 

1. Overview

Take Control! unlocks a world of previously hidden and inaccessible system activity. The Take Control! user commands an integrated suite of advanced tools for viewing and manipulating active processes, threads, services, and in the Advanced Edition, users. Anyone who has ever agonized over finding an out of date or missing executable file, wondered which files a remote user or process was accessing, or wished to identify and definitively kill a problem-causing process will find Take Control! irreplaceable.

The Personal Edition contains numerous process and services tools; it does not include functions and features related to network and advanced monitoring and control. The Advanced Edition includes tools for networking (TCP/UDP communications and port activity) and Windows API monitoring, along with control over network Users. See the Product Features comparison for a list of Personal Edition features.

Take Control! gives you a complete, real-time view of, and control over, system activity. With it, you can:

    • View a real-time list of all running processes and their instantaneous memory usage
    • Watch file access
    • Watch threads executing under any process
    • See why threads are blocking
    • Kill or suspend individual threads
    • See the files a process has open
    • View which executable modules a process has loaded
    • List DLL imports and exports
    • Get a hierarchical list of all executables required to run a process
    • View related (parent and child) processes
    • Use "Sure Kill" to terminate a process, overriding authorization restrictions
    • Use "Active Kill" to terminate a process and prevent any other processes of that type from running
    • View a memory map that shows how a process is using memory
    • Search, edit, and track changes a process is making to memory
    • Flash the top level windows associated with a process
    • Reclaim physical memory
    • View a real-time list of services and their status
    • See dependent services
    • See and control the process associated with a service
    • View a verified hierarchical list of all modules required to start a service
    • Multi-select start or stop any services
    • See all installed device drivers and their status
    • Uncontrollable service? Use "Sure Kill" to kill the associated process
    • Search for processes that have a file or directory locked
    • Monitor access to all files
    • Verify and view modules required to run an executable. Any errors, such as an out-of-date DLL, are flagged.

 

2. Processes

The Processes window lists all active processes under the local host node. (In the Enterprise Edition, you can add remote hosts and view and manipulate their processes remotely!)

Expanding any process node gives the user access to Memory, Modules, Open Files, and Threads under that process. By simply right clicking on a process, the user can access any of the following features:

    • Sure Kill – Kills the selected process, overriding any authorization restrictions and Windows preventive measures
    • Active Kill – Kills the selected process and prevents any other processes of that type from running until the user turns off the active kill
    • File Locks – Launches a view of all files the selected process has open. This view gives the user access to information also shown under the "open files" node. Through this view, however, the information can be saved or printed
    • Loaded Modules – Launches a view of all modules opened by the current process
    • Monitor File Access – Launches a view of all file access by the selected process
    • Global Find – Opens a dialog that allows the user to search the memory of the selected process
    • Get Dependent DLLs – Launches a hierarchical view of all modules required to load the selected process. Any out-of-date DLL files are indicated with an exclamation point. This list may not include all modules in the "Loaded Modules" view, since modules can be loaded dynamically after the process initially loads
    • Flash Window - Flashes the top-level windows associated with a process, if any.
    • Reclaim Memory - Takes unused memory from a process and makes it available to the system. This can be used to quickly free up memory being held by a process that no longer needs it.

 

Active Kill

Active Kill uses the normal Windows kill process. A process will be killed only if Windows lets it. (To force-kill any process, use "Sure Kill".) When a process is killed actively, the active kill is indicated in the process tree by a folder outlined in red. As long as processes are actively killed, it is impossible to launch them until the user chooses to end the kill.

 

Monitor File Access

Select "Monitor File Access" from the right-click menu or from the toolbar to launch the file access monitor. This function logs every file creation, read, write, or deletion that the selected process makes. The following screenshot shows a sample report. Note that additional columns can be seen by scrolling to the right. Also, columns can be reordered based on user preference.

The report indicates the call time, calling thread, referenced file, buffer contents, whether the access was successful, additional attributes, and call duration. Note that the thread ID maps back to the thread list shown under the process.

Monitoring can be paused or restarted, the view can be cleared, and the number of items collected can be controlled with the monitor toolbar.

 

Global Find (Search Memory)

Using the "Global Find" dialog, the user can search for occurrences of a string, number, or reference anywhere in the process’s memory. The Search Results pane shows address locations where the pattern was found. Selecting a search result updates the Preview pane to display the contents of that memory address and neighboring addresses. Double clicking on a search result dismisses the Global Find dialog and opens a Memory View window that allows the user to manipulate that address. Deep Search allows the user to search beyond the memory required to run the process, known as the ‘working set,’ extending the search into the process’s entire allocation space.

 

Memory

Take Control! has extensive facilities to expose exactly how a process is making use of memory. These facilities include:

    • Memory map – An analysis of the process working set showing the size of all contiguous blocks of memory and the type of access the process has to it (e.g., RO – Read Only, R/W – Read/Write, etc.) including whether it is mapped to a file or used for a call stack.
    • From the memory map, the user can view details, select any number of blocks, and drill into them for further analysis.
    • From the memory drill-in, the user can graphically watch memory change
    • Using Global Find, the user can search the entire working set or beyond for a particular string, integer, or memory reference.

Memory Map

By expanding the "Memory" node under any process, the Take Control! user can view a memory map for that process. The memory map shows allocated memory ranges and how they are being used (read/write, stack, whether it’s mapped to a file, etc.). Any range of memory nodes can be selected and viewed.


Viewing Memory Contents

When viewing memory, the memory toolbar allows the user to search, edit, or track changes. The following screenshot shows the report that results from drilling into memory. Each page of memory is delineated with a line indicating the page's starting address. After the page break, each line represents 16 bytes of memory, with the first column showing the memory address at the start of the line. The columns after the address are the hexadecimal values of the bytes, followed by the ASCII representation of the bytes.


Tracking Memory Changes

From any memory drill-in, the user can refresh the view by pushing the refresh toolbar button. The refresh compares the view shown with a new snapshot of memory. The following screenshot shows that any differences found are highlighted in red. The changes can be easily traversed using the next and previous change toolbar buttons. Additionally, the user can view the previous values to see exactly how memory changed.
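The view layout and the snapshot comparison described in the two sections above can be reproduced as follows. This is an added example, not Take Control!'s own code: the function names, the 4096-byte page size, and the two byte buffers standing in for memory snapshots are assumptions constructed for illustration.

```python
PAGE_SIZE = 4096   # assumption: x86 Windows page size
ROW = 16           # bytes per display line, as described above

def format_rows(base, data):
    """Render a snapshot: page-start marker lines, then address, hex, ASCII."""
    lines = []
    for off in range(0, len(data), ROW):
        addr = base + off
        if addr % PAGE_SIZE == 0:
            lines.append(f"---- page {addr:08X} ----")
        chunk = data[off:off + ROW]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{addr:08X}  {hexpart:<47}  {text}")
    return lines

def diff_snapshots(base, old, new):
    """Return (start_addr, old_bytes, new_bytes) for each contiguous changed run."""
    if len(old) != len(new):
        raise ValueError("snapshots must cover the same address range")
    changes, start = [], None
    for i in range(len(old) + 1):
        changed = i < len(old) and old[i] != new[i]
        if changed and start is None:
            start = i
        elif not changed and start is not None:
            changes.append((base + start, old[start:i], new[start:i]))
            start = None
    return changes

def next_change(changes, addr):
    """'Next change' navigation: first changed run that starts after addr."""
    return next((c for c in changes if c[0] > addr), None)

# Constructed sample: two snapshots of a range that straddles a page boundary.
BASE = 0x00400FF0
BEFORE = b"\x00" * 16 + b"state=idle" + b"\x00" * 6 + b"\x01\x02\x03\x04" * 4
_buf = bytearray(BEFORE)
_buf[22:26] = b"busy"      # string field rewritten in place
_buf[32] = 0xFF            # single byte changed on the next row
AFTER = bytes(_buf)

if __name__ == "__main__":
    print("\n".join(format_rows(BASE, AFTER)))
    for addr, old, new in diff_snapshots(BASE, BEFORE, AFTER):
        print(f"{addr:08X}: {old.hex(' ')} -> {new.hex(' ')}")
```

Keeping the previous bytes alongside the new ones in each run is what allows the "view previous values" step without retaining the whole earlier snapshot.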

 

Modules

Expanding the "Modules" node under a process lists all modules (DLLs, etc.) used by the process.

 

Open Files

Expanding the "Open Files" node under a process lists all files the process currently has open. The following screenshot is an example. Double-clicking on a file will launch the associated editor based on the file extension. If the file has no extension, the notepad editor is assumed. If there is no current association, the system "Open With" dialog will be displayed.

 

Threads

By expanding the "Thread" node for a process, the user can view all threads under a given process with the thread identifier (TID) and its status. Right clicking allows the user to kill, suspend, or resume the individual threads. The thread list is constantly updated as the thread statuses change.

 

 

3. Services

The Services window lists all devices and services. Expanding a service shows its associated executable and its command line arguments. If the selected service is running, the executable folder will be highlighted with a blue border and the process identifier (PID) will be displayed. Also listed under a service are any other services that are required for it to run.

The user can start or stop one or more services, as well as perform normal service-related actions. If a process hangs when a user attempts to stop a service, the process can be selected and killed. If a user attempts unsuccessfully to start a process, the executable file can be selected to display and validate the process’s dependent DLLs, as shown in the following figure. Out-of-date DLLs are indicated with an exclamation point.

 

 

4. System-Level Features

In addition to monitoring the activities of a specific process, service, or user, Take Control! also provides the following system-level features:


File Lock Search (Lock Finder)

If you ever find that you cannot delete or rename a directory or update a particular file, the file is probably locked. To find locked files, simply select "Lock Finder…" from the File pull-down menu or from the toolbar button. Just a portion of the filename is required to perform the search, and it is not case sensitive. When "OK" is pressed, all loaded modules and open files are searched for a match.

The following report is the result of searching for "system". The first column shows the full path of the process and the second column shows the full path of the actual file locked. Right-clicking on a single or multiple lines allows you to kill the process or processes.

 

System File Monitor

To activate the file monitor, select "Monitor File Access" from the File pull-down menu or from the toolbar button. This function logs every file creation, read, write, or deletion made by any process, including system processes. The following screenshot shows a sample report. Note that additional columns can be seen by scrolling to the right. Also, columns can be reordered based on user preference.

The report indicates the call time, calling process and thread, referenced file, buffer contents, whether the access was successful, additional attributes, and call duration. The process ID of the calling process is indicated after the colon ":". Note that the thread ID maps back to the thread list shown under the process.

 

Get/Verify Dependent Modules (Check For DLLs)

Selecting "Check for DLLs…" from the File pull-down menu or from the toolbar button allows you to select an executable module (exe, dll, or ocx file). The selected executable is scanned for references to other modules, as well as for the actual function calls imported. The referenced modules are then scanned in turn until no additional references are found. The result is a hierarchical report that indicates any missing modules or missing or incorrect function calls with a red exclamation point. The following screenshot is a sample report:
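The scan-until-closed walk described above can be sketched as follows. This is an added example, not Take Control!'s own code: a real checker reads the import and export tables from the PE files on disk, whereas the `MODULES` table, its module and function names, and `check_dependencies` are constructed here for illustration.

```python
# Constructed stand-in for what a PE parser would read from disk:
# module name -> (exported functions, {imported module: [imported functions]})
MODULES = {
    "app.exe":  (set(), {"ui.dll": ["DrawMenu", "DrawIcon"], "net.dll": ["Connect"]}),
    "ui.dll":   ({"DrawMenu"}, {"core.dll": ["Alloc"]}),
    "core.dll": ({"Alloc", "Free"}, {"ui.dll": ["DrawMenu"]}),  # circular reference
    # "net.dll" is deliberately absent: it models a module missing from disk
}

def check_dependencies(root, modules):
    """Walk imports from root; return (hierarchical report lines, problems)."""
    report, problems, seen = [], [], set()

    def visit(name, depth, wanted):
        key = name.lower()                 # Windows module names are case-insensitive
        entry = modules.get(key)
        missing_funcs = []
        if entry is None:
            problems.append((name, "module not found"))
        else:
            # Every function the parent imports must be exported by this module.
            missing_funcs = sorted(f for f in wanted if f not in entry[0])
            problems.extend((name, f"missing export {f}") for f in missing_funcs)
        flag = "! " if entry is None or missing_funcs else "  "
        report.append(f"{flag}{'  ' * depth}{name}")
        if entry is None or key in seen:
            return                         # nothing to scan, or already scanned
        seen.add(key)                      # guards against circular imports
        for dep, funcs in sorted(entry[1].items()):
            visit(dep, depth + 1, funcs)

    visit(root, 0, [])
    return report, problems

if __name__ == "__main__":
    lines, issues = check_dependencies("app.exe", MODULES)
    print("\n".join(lines))
    for module, reason in issues:
        print(f"{module}: {reason}")
```

The `seen` set is what makes "until no additional references are found" terminate when two modules import from each other; a revisited module is still listed and its exports still checked, but its own imports are not expanded again.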

 

 

5. System Requirements

Take Control! requires the following hardware and software:

  • Windows® XP, Windows® 2000, or Windows NT® with SP 5 or later
  • CPU speed of 500 MHz or faster is recommended; 160 MHz minimum
  • 64 MB system RAM; 128 MB recommended for servers
  • Color Monitor, 800 x 600 resolution or higher; 64K colors recommended
  • Requires approximately 6 MB of hard drive space for product files

Take Control! (TM) is a trademark of Computers In Motion, Inc.
Microsoft®, Windows®, Windows® 2000, and Windows® XP are registered trademarks of Microsoft Corporation in the United States and/or other countries. Windows NT® is a registered trademark of Microsoft Corporation.