Snooping Around

Wednesday Nov 12th 2003 by Mike Gunderloy

Windows applications can be complex, but because they use documented file formats and APIs, they're easy to explore. In this article, Mike Gunderloy presents quick looks at half a dozen tools that you can use to peer inside of any Windows program.

Windows, at this point, is fiendishly complex. But much of this complexity is exposed for you to inspect, if you know how to look for it. Because they depend on well-defined APIs and program structures, Windows applications (and Windows itself, for that matter) are relatively easy to poke around in. Here are half a dozen free tools that you can use to help you find out what's going on, whether in your own code or programs produced by other people.

Process Explorer

Process Explorer is one of the many useful freeware utilities supplied by SysInternals. One way to think of Process Explorer is that it's what Task Manager could have been if Microsoft had spent any time on improving Task Manager over the past few years.

Click here for a larger image.

Process Explorer starts out by presenting a list of all the processes running on your computer. You might well be surprised at how many there are, once you take into account all of the startup applications and hidden windows that keep your system smoothly moving along. You can see the process ID, owning user, amount of CPU being used, and so on. The context menu lets you kill a process, suspend it, or alter its priority. You can also see other details, such as the number of assemblies and classes that a .NET process has loaded; the list of columns here is long and configurable.

The lower pane of Process Explorer toggles between two different views. In DLL view, shown in the figure, you can see what libraries the process has loaded. In handle view, you cand see which Windows resources (such as threads and events) the application is using.

Perhaps the best part of Process Explorer is its ability to search across all running processes. Ever wondered which application is holding a DLL in memory, forcing you to reboot to replace that DLL? Or been frustrated by not being able to delete a file, because some application is hanging on to it, and not knowing what application is the culprit? Process Explorer can answer these questions easily, and let you delete the offending handle as well.


One of the key facts about .NET applications is that you can use reflection to look inside of them and discover details about their code (there's a whole industry of obfuscators springing up in response to make your code more confusing). The .NET SDK includes the ILDASM utility to get you started, but if you're really interested in the internals of .NET applications, you'll want to download Lutz Roeder's Reflector instead.

Click here for a larger image.

Reflector lets you easily drill into the structure of a .NET application. You can see all the assemblies, namespaces, types, and members that it contains. Once you've located something that interests you, you can inspect the lower pane of Reflector to see its declaration (switching between C#, VB .NET, and Delphi syntax as you choose), or use the right pane to disassemble it into MSIL (the low-level language shared by all of .NET) or to decompile it into C# code. You can also get a call tree showing other members called by the current method.

Because the .NET Framework is itself .NET code, one great use of Reflector is to understand what's going on in the Framework. If you want to know what causes a particular Framework method to throw an exception, or to see what other objects and methods it uses, Reflector will show you all the information quickly. This is great when you don't understand why a particular call is failing, or when you want to make sure that your own code is consistent with the .NET way of doing things.

Developer Playground

Developer Playground goes one step beyond showing you the processes running on your computer, and actually lets you see which functions they're running as you execute them.

Click here for a larger image.

To use Developer Playground, you first select the process that you care about in the main window. This will cause Developer Playground to list all of the libraries that the process has loaded. Select a library, and the next window will show all of the exported functions in that library. From there, you can choose one or more functions to hook. As you work with the process, you'll be shown every call to the hooked functions in the lower window. If you like, you can also configure Developer Playground to show you the top of the stack with each call.

There are other little touches here to make exploring a process easier. You can send any module to OLEView or Depends (two utilities from the Platform SDK) to explore its COM properties and its dependencies. You can also search for references to any function name on Google, either across the entire Internet or limited to MSDN.

Developer Playground won't show you every detail of every process (for example, some functions simply don't export human-readable names), but it will go a long way in letting you figure out where some obscure (and potentially useful) bit of functionality is located.


Some programs just do one thing, but do it very well. Such an application is Cobicon, from Luis Cobian.

Click here for a larger image.

Most developers have, at best, limited graphics skills. That poses a problem for us when we need to use icons in our application, whether to represent nodes in a treeview or the minimized application on the Taskbar. What Cobicon does is show you all of the icons in a Windows executable or DLL file, and let you save them individually to .ico files. Of course, you need to be respectful of copyrights when you use this technique to grab icons, but there are many standard ones (like file and folder icons from shell32.dll) that everyone uses.

Cobicon also offers one feature that distinguishes it from other icon extractors that I've seen. You can specify a source folder and a destination folder, and with one click extract all of the icons from files in the source folder and put them in the destination folder. Try this with the System32 folder some time to see a truly staggering variety of Windows icons.

PE Resource Explorer

Of course, Windows PE files (the common format used by applications running on Windows) can contain other resources besides icons. If you want to see them all, try PE Resource Explorer

Click here for a larger image.

PE Resource Explorer understands the portion of the PE file format that stores resources: AVIs, bitmaps, strings, you name it. You can drill into any of these parts of a file to see what's there. I find this particularly useful when trying to get acquainted with a new application while it's still in beta and poorly documented. Inspecting bitmaps and strings can often give you a sense of what functionality is lurking in the application, waiting for you to find it.

In addition to viewing and saving resources, PE Resource Explorer actually lets you edit them. This is useful for doing quick localization on an application that you don't have the source for. For that matter, it can also lead to some interesting practical jokes (imagine Notepad with all of its menu items in Pig Latin, for instance).

CLR Profiler

My final free pick is CLR Profiler, a free tool for optimizing .NET applications available directly from Microsoft.

Click here for a larger image.

CLR Profiler is primarily a tool to use when trying to optimize your own .NET applications (though it can be fun - or appalling - to watch what happens with other .NET applications as well). It works by hooking into the part of the .NET Framework that keeps track of object allocations and garbage collections. To use CLR Profiler, you first open it up and then use it to launch a .NET application. Run the application as you normall would (though it will be much slower due to the amount of information being collected), and then go back to CLR Profiler to see the results.

These results are presented as a series of colorful graphs and histograms. You can see which objects took up the most space, where they were created and destroyed, which routines are heaviest, and so on. The graphs are well designed and can be filtered to let you home in on the problem parts of your program very quickly. There are commercial alternatives that do more, but if you want to get a start with profiling objects, the price is certainly right here.

About the Author

Mike Gunderloy is the author of over 20 books and numerous articles on development topics, and the lead developer for Larkware. Check out his MCAD 70-305, MCAD 70-306, and MCAD 70-310 Training Guides from Que Publishing. When he's not writing code, Mike putters in the garden on his farm in eastern Washington state.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved