
Lab 2

This document outlines a lab exercise focused on monitoring and managing system resources in Windows using Process Explorer and PowerShell. Participants will explore processes, threads, handles, and the Windows Registry, as well as execute various PowerShell commands and cmdlets. The lab requires a Windows PC with internet access and aims to enhance understanding of system resource management and automation tools.

Uploaded by

duybuidang123

Lab - Monitor and Manage System Resources in W

Objectives
In this lab, you will explore the processes, threads, and handles using Process Explorer in the SysInternals
Suite. You will also use the Windows Registry to change a setting.
Part 1: Exploring Processes
Part 2: Exploring Threads and Handles
Part 3: Exploring Windows Registry

Required Resources
• 1 Windows PC with internet access

Instructions
Exploring Processes
In this part, you will explore processes. Processes are programs or applications in execution. You will explore
the processes using Process Explorer in the Windows SysInternals Suite. You will also start and observe a
new process.

Download Windows SysInternals Suite.


a. Navigate to the following link to download Windows SysInternals Suite:
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
b. After the download is completed, extract the files from the folder.
c. Leave the web browser open for the following steps.

Explore an active process.


a. Navigate to the SysinternalsSuite folder with all the extracted files.
b. Open procexp.exe. Accept the Process Explorer License Agreement when prompted.
c. The Process Explorer displays a list of currently active processes.

 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 73
www.netacad.com
d. To locate the web browser process, drag the Find Window's Process icon into the opened web browser
window. Microsoft Edge was used in this example.

e. The Microsoft Edge process can be terminated in the Process Explorer. Right-click the selected process
and select Kill Process. Click OK to continue.

Question:
What happened to the web browser window when the process is killed?

The web browser window closes.


Start another process.
a. Open a Command Prompt. (Start > search Command Prompt > select Command Prompt)
b. Drag the Find Window's Process icon into the Command Prompt window and locate the highlighted
Command Prompt process in Process Explorer.
c. The process for the Command Prompt is cmd.exe. Its parent process is the explorer.exe process. The
cmd.exe process has a child process, conhost.exe.
d. Navigate to the Command Prompt window. Start a ping at the prompt and observe the changes under the
cmd.exe process.
Question:
What happened during the ping process?

The web browser window closes.


e. As you review the list of active processes, you find that the child process conhost.exe may be suspicious.
To check for malicious content, right-click conhost.exe and select Check VirusTotal. When prompted,
click Yes to agree to VirusTotal Terms of Service. Then click OK for the next prompt.

f. Expand the Process Explorer window or scroll to the right until you see the VirusTotal column. Click the
link under the VirusTotal column. The default web browser opens with the results regarding the malicious
content of conhost.exe.

g. Right-click the cmd.exe process and select Kill Process.

Question:
What happened to the child process conhost.exe?

The child process depends on the parent process. So when the parent process stops,
the child process also stops.
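
The parent/child relationship and the conhost.exe check from this part can also be read from PowerShell. This is an added example, not part of the lab; the expected image path is the one the Task Manager section of this document reports, and a path mismatch or a signature status other than Valid is a reason to look closer, not a verdict.

```powershell
# Added example (not from the lab): list every conhost.exe with its parent,
# image path, and Authenticode status. Run elevated to see other users' processes.

# Path the lab's Task Manager section reports for Console Window Host.
$expectedPath = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Snapshot all processes once and index them by PID for parent lookups.
$all   = @(Get-CimInstance -ClassName Win32_Process)
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

$conhosts = @($all | Where-Object { $_.Name -ieq 'conhost.exe' })

$report = foreach ($proc in $conhosts) {
    $parent = $byPid[[uint32]$proc.ParentProcessId]

    # PIDs are reused: a "parent" created after the child is an unrelated
    # process that received the PID of the real, already exited parent.
    if ($parent -and $parent.CreationDate -le $proc.CreationDate) {
        $parentName = $parent.Name
    } else {
        $parentName = '<exited>'
    }

    # ExecutablePath is empty when the caller is not allowed to query the process.
    if ($proc.ExecutablePath) {
        $sigStatus = (Get-AuthenticodeSignature -LiteralPath $proc.ExecutablePath).Status
        $pathOk    = $proc.ExecutablePath -ieq $expectedPath
    } else {
        $sigStatus = 'PathUnavailable'
        $pathOk    = $false
    }

    [pscustomobject]@{
        PID        = $proc.ProcessId
        ParentPID  = $proc.ParentProcessId
        ParentName = $parentName
        Path       = $proc.ExecutablePath
        PathOk     = $pathOk
        Signature  = $sigStatus
    }
}

$report | Sort-Object PID | Format-Table -AutoSize
```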
Exploring Threads and Handles
In this part, you will explore threads and handles. Processes have one or more threads. A thread is a unit of
execution in a process. A handle is an abstract reference to memory blocks or objects managed by an
operating system. You will use Process Explorer (procexp.exe) in Windows SysInternals Suite to explore the
threads and handles.

Explore threads.
a. Open a command prompt.

b. In the Process Explorer window, right-click conhost.exe and select Properties…. Click the Threads tab to
view the active threads for the conhost.exe process. Click OK to continue if prompted by a warning dialog
box.

c. Examine the details of the thread.

Question:
What type of information is available in the Properties window?

Information available includes environment variable, security information,
performance information, and printable strings.

d. Click OK to continue.

Explore handles.
a. In the Process Explorer, click View > select Lower Pane View > Handles to view the handles associated
with the conhost.exe process.
Question:
Examine the handles. What are the handles pointing to?

The handles are pointing to files, registry keys, and threads.


Close the Process Explorer when finished.

Exploring Windows Registry


The Windows Registry is a hierarchical database that stores most of the operating system and desktop
environment configuration settings.
a. To access the Windows Registry, click Start > Search for regedit and select Registry Editor. Click Yes
when asked to allow this app to make changes.
The Registry Editor has five hives. These hives are at the top level of the registry.
o HKEY_CLASSES_ROOT is actually the Classes subkey of HKEY_LOCAL_MACHINE\Software\. It
stores information used by registered applications like file extension association, as well as a
programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data.
o HKEY_CURRENT_USER contains the settings and configurations for the users who are currently
logged in.
o HKEY_LOCAL_MACHINE stores configuration information specific to the local computer.
o HKEY_USERS contains the settings and configurations for all the users on the local computer.
HKEY_CURRENT_USER is a subkey of HKEY_USERS.
o HKEY_CURRENT_CONFIG stores the hardware information that is used at bootup by the local
computer.

b. In a previous step, you had accepted the EULA for Process Explorer. Navigate to the EulaAccepted
registry key for Process Explorer.
Click to select Process Explorer in HKEY_CURRENT_USER > Software > Sysinternals > Process
Explorer. Scroll down to locate the key EulaAccepted. Currently, the value for the registry key
EulaAccepted is 0x00000001(1).

c. Double-click the EulaAccepted registry key. Currently, the value data is set to 1. The value of 1 indicates that
the EULA has been accepted by the user.
d. Change the 1 to 0 for Value data. The value of 0 indicates that the EULA was not accepted. Click OK to
continue.

Question:
What is the value for this registry key in the Data column?

0x00000000(0)
e. Open the Process Explorer. Navigate to the folder where you have downloaded SysInternals. Open the
folder SysInternalsSuite > Open procexp.exe.
Question:
When you open the Process Explorer, what did you see?

The Process Explorer License Agreement dialog box
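
The registry steps above, repeated from PowerShell as an added example that is not part of the lab. It reads EulaAccepted through both HKEY_CURRENT_USER and HKEY_USERS\<SID> to show that they are the same data, sets it to 0 as in step d, and then restores the original value. It assumes Process Explorer has been started once by the current user; Get-EulaValue is a helper name introduced here.

```powershell
# Added example (not from the lab). Regedit lists EulaAccepted as a value of the
# "Process Explorer" key; the lab text calls it a registry key.
$subKey = 'Software\Sysinternals\Process Explorer'
$name   = 'EulaAccepted'

# SID of the user running this console; HKEY_CURRENT_USER maps to HKEY_USERS\<this SID>.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$hkcuPath = "Registry::HKEY_CURRENT_USER\$subKey"
$hkuPath  = "Registry::HKEY_USERS\$sid\$subKey"

if (-not (Test-Path -LiteralPath $hkcuPath)) {
    throw 'Key not found: start procexp.exe once and accept the EULA first.'
}

# Hypothetical helper: return the DWORD stored under the given key path.
function Get-EulaValue([string]$Path) {
    (Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction Stop).$name
}

$original = Get-EulaValue $hkcuPath
"HKCU view          : $original"
"HKU\<SID> view     : $(Get-EulaValue $hkuPath)"

try {
    # Step d of the lab: 0 means the EULA has not been accepted.
    Set-ItemProperty -LiteralPath $hkcuPath -Name $name -Value 0 -Type DWord
    # The write went through HKCU; reading through HKEY_USERS shows the same change.
    "After set, via HKU : $(Get-EulaValue $hkuPath)"
}
finally {
    # Put the original value back so Process Explorer does not prompt again.
    Set-ItemProperty -LiteralPath $hkcuPath -Name $name -Value $original -Type DWord
    "Restored, via HKCU : $(Get-EulaValue $hkcuPath)"
}
```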

Lab - Monitor and Manage System Resources in Windows

Objectives
The objective of the lab is to explore some of the functions of PowerShell.
Part 1: Access PowerShell console.
Part 2: Explore Command Prompt and PowerShell commands.
Part 3: Explore cmdlets.
Part 4: Explore the netstat command using PowerShell.
Part 5: Empty recycle bin using PowerShell.

Background / Scenario
PowerShell is a powerful automation tool. It is both a command console and a scripting language. In this lab,
you will use the console to execute some of the commands that are available in both the command prompt
and PowerShell. PowerShell also has functions that can create scripts to automate tasks and work together
with the Windows Operating System.

Required Resources
• 1 Windows PC with PowerShell installed and internet access

Instructions
Part 1: Access PowerShell console.
Step 1: Click Start. Search and select powershell.
Step 2: Click Start. Search and select command prompt.

Part 2: Explore Command Prompt and PowerShell commands.

Step 1: Enter dir at the prompt in both windows.

Question:
What are the outputs to the dir command?

Both windows provide a list of subdirectories and files, and associated information
like type, file size, date and time of last write. In PowerShell, the attributes/modes
are also shown.
Step 2: Try another command that you have used in the command prompt, such as ping, cd, and ipconfig.

Question:
What are the results?

The output in both windows is similar.

Part 3: Explore cmdlets.


Step 1: PowerShell commands, called cmdlets, are constructed in the form of a verb-noun string. To identify the
PowerShell command to list the subdirectories and files in a directory, enter Get-Alias dir at the
PowerShell prompt.
PS C:\Users\CyberOpsUser> Get-Alias dir

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           dir -> Get-ChildItem

Question:
What is the PowerShell command for dir?

Get-ChildItem
Step 2: For more detailed information about cmdlets, perform an internet search for Microsoft powershell
cmdlets.
Step 3: Close the Command Prompt window when done.

Part 4: Explore the netstat command using PowerShell.
Step 1: At the PowerShell prompt, enter netstat -h to see the options available for the netstat command.
PS C:\Users\CyberOpsUser> netstat -h

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]
-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or listening port.
In some cases well-known executables host multiple independent components, and in
these cases the sequence of components involved in creating the connection or
listening port is displayed. In this case the executable name is in [] at the bottom,
on top is the component it called, and so forth until TCP/IP was reached. Note that
this option can be time-consuming and will fail unless you have sufficient
permissions.
<some output omitted>

Step 2: To display the routing table with the active routes, enter netstat -r at the prompt.

PS C:\Users\CyberOpsUser> netstat -r
===========================================================================
Interface List
3...08 00 27 a0 c3 53 ......Intel(R) PRO/1000 MT Desktop Adapter
10...08 00 27 26 c1 78 ......Intel(R) PRO/1000 MT Desktop Adapter #2
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table


===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
169.254.0.0 255.255.0.0 On-link 169.254.181.151 281
169.254.181.151 255.255.255.255 On-link 169.254.181.151 281
169.254.255.255 255.255.255.255 On-link 169.254.181.151 281
192.168.1.0 255.255.255.0 On-link 192.168.1.5 281
192.168.1.5 255.255.255.255 On-link 192.168.1.5 281
192.168.1.255 255.255.255.255 On-link 192.168.1.5 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.5 281
224.0.0.0 240.0.0.0 On-link 169.254.181.151 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.5 281
255.255.255.255 255.255.255.255 On-link 169.254.181.151 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table


===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
3 281 fe80::/64 On-link
10 281 fe80::/64 On-link
10 281 fe80::408b:14a4:7b64:b597/128
On-link
3 281 fe80::dd67:9e98:9ce0:51e/128
On-link
1 331 ff00::/8 On-link
3 281 ff00::/8 On-link
10 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Question:
What is the IPv4 gateway?

192.168.204.2

Step 3: Open and run a second PowerShell with elevated privileges. Click Start. Search for PowerShell and
right-click Windows PowerShell and select Run as administrator. Click Yes to allow this app to make
changes to your device.

Step 4: The netstat command can also display the processes associated with the active TCP connections.
Enter netstat -abno at the prompt.
PS C:\Windows\system32> netstat -abno

Active Connections

Proto Local Address Foreign Address State PID


TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 756
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 444
Can not obtain ownership information
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 440
Schedule
[svchost.exe]
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 304
EventLog
[svchost.exe]
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1856
[spoolsv.exe]
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 544
<some output omitted>

Step 5: Open the Task Manager. Navigate to the Details tab. Click the PID heading so the PIDs are in order.

Step 6: Select one of the PIDs from the results of netstat -abno. PID 756 is used in this example.
Step 7: Locate the selected PID in the Task Manager. Right-click the selected PID in the Task Manager to
open the Properties dialog box for more information.

Question:
What information can you get from the Details tab and the Properties dialog box for your selected PID?

PID 956 is associated with svchost.exe process. The user for this process is
NETWORK SERVICE and it is using 7528K of memory.
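
Steps 4 through 7 map a listening port to a PID by hand and then look the PID up in Task Manager. The same lookup for every listener at once, as an added example that is not part of the lab: it uses Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 or later) instead of parsing netstat text, and also names the services hosted in each svchost.exe, which is what the RpcSs and Schedule lines in the netstat -abno output show.

```powershell
# Added example (not from the lab). Run from an elevated console so that
# executable paths of system processes can be resolved.

# Group service names by hosting PID: one svchost.exe can host several services.
$svcByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter 'ProcessId <> 0' | ForEach-Object {
    $key = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
    $svcByPid[$key] += $_.Name
}

$listeners = Get-NetTCPConnection -State Listen | Sort-Object LocalPort, LocalAddress

$report = foreach ($c in $listeners) {
    $procId = [int]$c.OwningProcess
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue

    if ($proc) { $procName = $proc.ProcessName; $procPath = $proc.Path }
    else       { $procName = '<exited>';        $procPath = $null }

    # Print IPv6 addresses in the bracketed form netstat uses, e.g. [::]:135.
    if ($c.LocalAddress -like '*:*') { $addr = "[$($c.LocalAddress)]" }
    else                             { $addr = $c.LocalAddress }

    [pscustomobject]@{
        Local    = '{0}:{1}' -f $addr, $c.LocalPort
        PID      = $procId
        Process  = $procName
        Services = ($svcByPid[$procId] -join ', ')
        # 0.0.0.0 and :: mean the port accepts connections on every interface.
        AllIfs   = ($c.LocalAddress -in '0.0.0.0', '::')
        Path     = $procPath
    }
}

$report | Format-Table -AutoSize
```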

Part 5: Empty recycle bin using PowerShell.


PowerShell commands can simplify management of a large computer network. For example, if you wanted to
implement a new security solution on all servers in the network you could use a PowerShell command or
script to implement and verify that the services are running. You can also run PowerShell commands to
simplify actions that would take multiple steps to execute using Windows graphical desktop tools.
Step 1: Open the Recycle Bin. Verify that there are items that can be deleted permanently from your PC. If
not, restore those files.
Step 2: If there are no files in the Recycle Bin, create a few files, such as a text file using Notepad, and place
them into the Recycle Bin.
Step 3: In a PowerShell console, enter clear-recyclebin at the prompt.
PS C:\Users\CyberOpsUser> clear-recyclebin

Confirm
Are you sure you want to perform this action?
Performing the operation "Clear-RecycleBin" on target "All of the contents of the
Recycle Bin".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is
"Y"): y

Question:
What happened to the files in the Recycle Bin?

The files in the Recycle Bin are deleted permanently.

Reflection Question
PowerShell was developed for task automation and configuration management. Using the internet, research
commands that you could use to simplify your tasks as a security analyst. Record your findings.

I know some commands to find the information about TCP connections, ports on
which is listening to Ethernet statistics, the IP routing table, IPv4 statistics (for the IP,
ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP
over IPv6, and UDP over IPv6 protocols). I also know some commands to work faster
like clear-RecycleBin, …

Introduction
In this lab, you will create and modify user accounts in Windows.
Part 1: Creating a New Local User Account
Part 2: Reviewing User Account Properties

Part 3: Modifying Local User Accounts

Required Resources
• A Windows PC

Instructions
Part 1: Creating a New Local User Account
Step 1: Open the User Account Tool.
a. Log on to the Windows PC with an Administrator account. The account CyberOpsUser is used in this
example.
b. Click Start > search Control Panel. Select User Accounts in the Small icons view. To change the view,
select Small icons in the View by drop down list.

Step 2: Create a user account.


a. In the User Accounts window, click Manage another account.

b. In the Manage Accounts window, click Add a new user in PC settings.
c. In the Settings window, click Add someone else to this PC.
d. In the How will this person sign in? window, click I don't have this person's sign-in information.
e. In the Let's create your account window, click Add a user without a Microsoft account.
f. In the Create an account for this PC window, provide the necessary information to create the new user
account named User1. Click Next to create the new user account.

g.

Question:
What type of user account did you just create?

A local account with no administrative rights


h. Attempt to log into the newly created user account. It should be successful.
i. Navigate to C:\Users folder. Right-click the User1 folder and select Properties, and then the Security
tab.

j.

Question:
Which groups or users have full control of this folder?

Groups: SYSTEM; Administrators
Users: duy-chan
k. Open the folder that belongs to CyberOpsUser. Right-click the folder and click the Properties tab.

Question:

Were you able to access the folder? Explain.

No. You do not have permission to access this folder.


l. Log out of User1 account. Log back in as CyberOpsUser.
m. Navigate to C:\Users folder. Right-click the folder and select Properties. Click the Security tab.

Question:
Which groups or users have full control of this folder?

Groups: SYSTEM, Administrators
Users: Bui Dang Duy

Part 2: Reviewing User Account Properties


a. Click Start > Search for Control Panel > Select Administrative Tools > Select Computer
Management.
b. Select Local Users and Groups. Click the Users folder.

c. Right-click User1 and select Properties.
d. Click the Member Of tab.
Question:
Which group is User1 a member of?

Users
e. Right-click the account CyberOpsUser and select Properties.
Question:
Which group is this user a member of?

Administrators

Part 3: Modifying Local User Accounts


Step 1: Change the account type.
a. Navigate to the Control Panel and select User Accounts. Click Manage another account. Select
User1.
b.

c. In the Change an Account window, click the User1 account. Click Change the account type.
d. Select the Administrator radio button. Click Change Account Type.

e. Now the account User1 has administrative rights.
f. Navigate to Control Panel > Administrative Tools > Computer Management. Click Local Users and
Groups > Users.
g. Right-click User1 and select Properties. Click the Member Of tab.

Question:
Which groups does User1 belong to?

Users and administrators


h. Select Administrators and click Remove to remove User1 from the Administrative group. Click OK to
continue.

Step 2: Delete the account.


a. To delete the account, right-click User1 and select Delete.

b. Click OK to confirm the deletion.

Question:
What is another way to delete a user account?

Control Panel > User Accounts > Manage another account > Select duy-chan >
Delete the account

Reflection Questions
1. Why is it important to protect all accounts with strong passwords?

No password or a weak password can allow access from almost anyone to steal data,
or use the computer for unauthorized purposes.
2. Why would you create a user with Standard privileges?

The Standard User cannot compromise the security of the computer or the privacy of
other users.
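
The checks this lab performs by hand (which group an account belongs to, and who has full control of each folder under C:\Users) can be run for every local account at once. This is an added example, not part of the lab; it assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module and an elevated console, and the Review column is a name introduced here for enabled administrators that are not required to have a password.

```powershell
# Added example (not from the lab): audit local accounts, admin membership,
# and who holds Full control on each profile folder.

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so the lookup does not depend on the Windows display language.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })

# Map each account SID to its profile folder (exists only after first logon).
$profileBySid = @{}
Get-CimInstance -ClassName Win32_UserProfile | ForEach-Object {
    $profileBySid[$_.SID] = $_.LocalPath
}

$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

$report = foreach ($user in Get-LocalUser) {
    $sid         = $user.SID.Value
    $profilePath = $profileBySid[$sid]
    $holders     = $null

    if ($profilePath -and (Test-Path -LiteralPath $profilePath)) {
        try {
            $acl = Get-Acl -LiteralPath $profilePath -ErrorAction Stop
            # Keep only Allow entries whose rights include every Full control bit.
            $holders = ($acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    (([int]$_.FileSystemRights) -band $fullControl) -eq $fullControl
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique) -join '; '
        } catch {
            # Same result the lab gets when User1 opens another user's folder.
            $holders = '<access denied>'
        }
    }

    $isAdmin = $adminSids -contains $sid

    [pscustomobject]@{
        Name             = $user.Name
        Enabled          = $user.Enabled
        IsAdmin          = $isAdmin
        PasswordRequired = $user.PasswordRequired
        PasswordLastSet  = $user.PasswordLastSet
        Review           = ($user.Enabled -and $isAdmin -and (-not $user.PasswordRequired))
        FullControl      = $holders
    }
}

$report | Sort-Object IsAdmin -Descending | Format-Table -AutoSize -Wrap
```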

Lab - Monitor and Manage System Resources in Windows

Objectives
In this lab, you will explore Task Manager and manage processes from within Task Manager.
Part 1: Working in the Processes tab
Part 2: Working in the Services tab
Part 3: Working in the Performance tab

Background / Scenario
The Task Manager is a system monitor program that provides information about the processes and programs
running on a computer. It also allows the termination of processes and programs and modification of process
priority.

Required Resources
• A Windows PC with internet access

Instructions
Part 1: Working in the Processes tab
Step 1: Open a command prompt and a web browser.
Microsoft Edge is used in this lab; however, any web browser will work. Just substitute your browser
name whenever you see Microsoft Edge.
Step 2: Right-click the Task bar to open Task Manager. Another way to open the Task Manager is to press
Ctrl-Alt-Delete to access the Windows Security screen and select Task Manager.
Step 3: Click More details to see all the processes that are listed in the Processes tab.
Step 4: Expand the Windows Command Processor heading.

Question:
What is listed under this heading?

Command Prompt
Step 5: There are three categories of processes listed in the Processes tab: Apps, Background processes,
and Windows processes.
o The Apps are the applications that you have opened, such as Microsoft Edge, Task Manager, and
Windows Command Processor, as shown in the figure above. Other applications that are opened by
the users, such as web browsers and email clients, will also be listed here.
o The Background processes are executed in the background by applications that are currently open.
o The Windows processes are not shown in the figure. Scroll down to view them on your Windows PC.
Windows processes are Microsoft Windows services that run in the background.

Some of the background processes or Windows processes may be associated with foreground
processes. For example, if you open a command prompt window, the Console Window Host process will
be started in the Windows process section, as shown below.

Step 6: Right-click Console Window Host and select Properties.

Question:
What is the location of this filename and location of this process?

The location of this filename is conhost.exe and location of this process is
C:\Windows\System32
Step 7: Close the command prompt window.

Question:
What happens to Windows Command Processor and Console Window Host when the command prompt
window is closed?

The associated processes have ended and are no longer listed in the Task Manager.
Step 8: Click the Memory heading. Click the Memory heading a second time.

Question:
What effect does this have on the columns?

Clicking the Memory heading causes the processes to be sorted by the amount of
memory each process is using. Each time you click the Memory heading, it
reverses the order (largest to smallest, then smallest to largest).
Step 9: Right-click on the Memory heading, and then select Resource values > Memory > Percents.

Questions:
What effect does this have on the Memory column?

The column now displays memory usage in percentage values.


How could this be useful?

Displaying processes in this way can assist an administrator in determining what
services may be causing memory issues by showing how much available memory
is being used by each service.
Step 10: In the Task Manager, click the Name heading.

Step 11: Double-click Microsoft Edge.

Question:
What happens?

A new web browser window becomes activated and the Task Manager is
minimized.
Step 12: Return to the Task Manager and right-click Microsoft Edge. Select End task.

Question:
What happens to the web browser windows?

All Microsoft Edge windows are closed.

Part 2: Working in the Services tab


In the Task Manager window, click the Services tab. Use the scroll bar on the right side of the Services
window to view all the services listed.

Question:
What statuses are listed?

Stopped and running.

Part 3: Working in the Performance tab
Step 1: In the Task Manager window, click the Performance tab.

Questions:
How many threads are running?

There are 1324 threads that are running


How many processes are running?

There are 148 processes


Step 2: Click Memory in the left panel of the Performance tab.

What is the total physical memory (MB)?

What is the available physical memory (MB)?

How much physical memory (MB) is being used by the computer?

Click the Ethernet Chart in the left panel of the Performance tab.

Questions:
What is the link speed?
It's connected to Ethernet Connection
What is the IPv4 address of the PC?

192.168.204.132

Step 3: Click Open Resource Monitor to open the Resource Monitor utility from the Performance tab in
Task Manager.

Reflection Question
Why is it important for an administrator to understand how to work within the Task Manager?

The Task Manager can be a valuable tool for an administrator when troubleshooting
problems with a Windows PC. It provides information about CPU, memory, disk, and
network usage. It also provides a way to end tasks or cancel processes.

Lab - Monitor and Manage System Resources in W
Objectives
In this lab, you will use administrative tools to monitor and manage Windows system resources.
Part 1: Starting and Stopping the Routing and Remote Access service
Part 2: Working in the Computer Management Utility
Part 3: Configuring Administrative Tools

Recommended Resource
• A Windows PC with internet access

Instructions
Part 1: Starting and Stopping the Routing and Remote Access service
You will explore what happens when a service is stopped and then started. In this part, you will use the Routing
and Remote Access service as the example service. This service allows the local device to become a router or
a remote access server.
Step 1: Navigate to the Control Panel > Click Network and Sharing Center.
Note: If your Control Panel is set to View by: Category, change it to View by: Large icons or View by:
Small icons. This lab assumes that you are using one of these settings.

Step 2: Click Change adapter settings in the left pane. Reduce the size of the Network Connections
window and leave it open.
Step 3: Navigate to the Administrative Tools. (Navigate to the Control Panel > Click Administrative Tools)
Step 4: In the Administrative Tools window, double-click the Performance Monitor icon.
Step 5: In the Performance Monitor window, make sure Performance Monitor under the Monitoring Tool
heading in the left pane is highlighted. Click the Freeze Display icon (pause button) to stop the recording.

Step 6: Right-click the graph and select Clear to clear the graph. Leave this window open.

Step 7: Navigate to the Administrative Tools and select Services.

Step 8: Expand the width of the Services window so you have a clear view of the content. Scroll down in the
right pane until you see the service Routing and Remote Access. Double-click Routing and Remote
Access.

Step 9: The Routing and Remote Access Properties (Local Computer) window opens. In the Startup
type drop-down field, select Manual and then click Apply.
The Start button is now active. Do NOT click the Start button yet. Leave this window open.

Step 10: Navigate to the Performance Monitor window. Click the Unfreeze Display icon to start the recording.
Step 11: Click the Routing and Remote Access Properties (Local Computer) window. To start the service,
click Start. A window with a progress bar opens.

Step 12: The Routing and Remote Access Properties (Local Computer) window now shows the Stop and
Pause buttons active. Leave this window open.

Step 13: Navigate to the Network Connections window. Press the function key F5 to refresh the content.

Question:
What changes appear in the window after starting the Routing and Remote Access service?

An Incoming Connections icon is now displayed.


Step 14: Navigate to the Routing and Remote Access Properties (Local Computer) window and click Stop.
Note: If Stop is greyed out, click Apply and change the service status.
Step 15: Navigate to the Network Connections window.

Question:
What changes appear in the right pane after stopping the Routing and Remote Access service?
The Incoming Connections icon is no longer displayed.
Step 16: Navigate to the Performance Monitor window and click the Freeze Display icon to stop the recording.

Question:
Which Counter is being recorded the most in the graph (hint: look at the graph color and Counter color)?

%Processor Time.
Step 17: Click the Change graph type drop-down menu and select Report.

Step 18: The display changes to report view.

Question:
What values are displayed by the counter?

19.521
Step 19: Click the Routing and Remote Access Properties (Local Computer) window. In the Startup type
field, select Disabled and click OK.

Step 20: Click the Services window.

Question:
What is the Status and Startup Type for Routing and Remote Access?
Status is “ ” and Startup Type is “Disabled”.
Step 21: Click the Performance Monitor window. Click the Unfreeze Display icon to start the recording.
Step 22: Close all open windows you opened during Step 1 of this lab.

Part 2: Working in the Computer Management Utility


The Computer Management utility is used to manage a local or remote computer. The tools in this utility are
grouped into three categories: system tools, storage, and services and applications.
Step 1: Click Control Panel > Administrative Tools. Select Computer Management.
Step 2: In the Computer Management window, expand the three categories by clicking on the arrow next to
System Tools.
Step 3: Click the arrow next to Event Viewer then click the arrow next to Windows Logs. Select System.

Step 4: The Event Properties window opens for the first event. Click the down arrow key to locate an event
for Routing and Remote Access. You should find four events that describe the order for starting and
stopping the Routing and Remote Access service.

Question:
What are the descriptions for each of the four events?

Close all open windows.
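
The service state checked in Part 1 and the System log entries reviewed in Part 2 can also be read from PowerShell. The following is an added example, not part of the original lab; it assumes the service's short name is RemoteAccess, and the function name Get-RrasAudit and the 24-hour lookback are hypothetical choices.

```powershell
# Added example: read-only audit of the Routing and Remote Access service.
# Assumption: 'RemoteAccess' is the short service name behind that display name.
function Get-RrasAudit {
    param([int] $LookbackHours = 24)   # hypothetical default window

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteAccess'"
    if (-not $svc) { throw 'RemoteAccess service not found on this host.' }

    # System log entries inside the window that mention the service by display name.
    # Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'System'
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$($svc.DisplayName)*" } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, Message

    [pscustomobject]@{
        Service   = $svc.DisplayName
        State     = $svc.State       # Running or Stopped
        StartMode = $svc.StartMode   # Auto, Manual or Disabled
        # Part 1 ends with the service stopped and its startup type set to Disabled.
        MatchesLabEndState = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
        Events    = @($events)
    }
}

$audit = Get-RrasAudit
$audit | Select-Object Service, State, StartMode, MatchesLabEndState
$audit.Events | Format-Table -AutoSize -Wrap
```

Run after Part 1, the Events table lists the same start and stop entries in time order that Step 4 of Part 2 walks through in Event Viewer.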

Part 3: Configuring Administrative Tools


For the rest of this lab, you will configure Advanced Administrative Tool features and monitor how this affects
the computer.

Step 1: Click Control Panel > Administrative Tools > Performance Monitor. The Performance Monitor
window opens. Expand Data Collector Sets. Right-click User Defined, and select New > Data Collector
Set.

Step 2: The Create new Data Collector Set window opens. In the Name field, type Memory Logs. Select
the Create manually (Advanced) radio button, and click Next.
Step 3: In the What type of data do you want to include? window, check the Performance counter box
then click Next.
Step 4: In the Which performance counters would you like to log? window, click Add.

Step 5: From the list of available counters, locate and expand Memory. Select Available MBytes and click
Add>>.

Step 6: You should see the Available MBytes counter added in the right pane. Click OK.
Step 7: Set the Sample interval field to 4 seconds. Click Next.

Step 8: In the Where would you like the data to be saved? screen, click Browse.
Step 9: In the Browse For Folder window, select your (C:) drive which is Local Disk (C:). Select PerfLogs
and click OK.
Step 10: The Where would you like the data to be saved? window opens with the directory information that
you selected in the previous step. Click Next.
Step 11: In the Create the data collector set? screen, click Finish.
Step 12: Expand User Defined and select Memory Logs. Right-click DataCollector01 and select
Properties.

Step 13: In the DataCollector01 Properties window, change the Log format: field to Comma Separated.

Step 14: Click the File tab.

Question:
What is the full path name to the example file?

Step 15: Click OK.


Step 16: Select the Memory Logs icon in the left pane of the Performance Monitor window. Click the green
arrow icon to start the data collection set. Notice a green arrow is placed on top of the Memory Logs
icon.

Step 17: To force the computer to use some of the available memory, open and close a browser.
Step 18: Click the black square icon to stop the data collection set.

Question:
What change do you notice for the Memory Logs icon?

The green arrow has been removed from the icon.


Step 19: Click Start > Computer, and click drive C: > PerfLogs. Locate the folder that starts with your PC’s
name followed by a timestamp, DESKTOP-NDFE14H_20170514-000001 in the example. Double-click
the folder to open it, and then double-click the DataCollector01.csv file. If prompted, click Continue to
permit access to the folder.

Note: If the Windows cannot open the file: message is displayed, select the radio button Select a
program from a list of installed programs > OK > Notepad > OK.

Question:
What does the column farthest to the right show?

Available memory in MBytes.


Step 20: Close the DataCollector01.csv file and the window with the PerfLogs folder.

Step 21: Select the Performance Monitor window. Right-click Memory Logs > Delete.

Step 22: The Performance Monitor > Confirm Delete window opens. Click Yes.
Step 23: Open drive C: > PerfLogs folder. Right-click on the folder that was created to hold the Memory log
file, then click Delete.
Step 24: The Delete Folder window opens. Click Yes.

Step 25: Close all open windows.
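
The DataCollector01.csv log opened in Step 19 can be summarised instead of read by eye. The following is an added example, not part of the original lab: it parses the comma-separated counter log, skips blank samples, and reports the lowest reading. The sample rows, the host name LAB-PC, the function name and the 3000 MB threshold are constructed for illustration.

```powershell
# Constructed sample in the PDH-CSV layout written by a Comma Separated collector;
# the host name, time zone and readings are made up for illustration.
$sample = @'
"(PDH-CSV 4.0) (Pacific Daylight Time)(420)","\\LAB-PC\Memory\Available MBytes"
"05/14/2017 10:00:04.123","5120"
"05/14/2017 10:00:08.125","4310"
"05/14/2017 10:00:12.127"," "
"05/14/2017 10:00:16.130","2875"
"05/14/2017 10:00:20.131","4990"
'@ -split "`r?`n"

function Get-AvailableMemorySummary {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,
        [double] $LowWaterMarkMB = 3000      # hypothetical alert threshold
    )
    $rows = @($CsvLines | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw 'The log contains no samples.' }

    # First column is the timestamp; the counter column ends in \Memory\Available MBytes.
    $cols    = @($rows[0].PSObject.Properties.Name)
    $timeCol = $cols[0]
    $memCol  = $cols | Where-Object { $_ -like '*\Memory\Available MBytes' } |
               Select-Object -First 1
    if (-not $memCol) { throw 'No Available MBytes column in this log.' }

    $style   = [Globalization.NumberStyles]::Float
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $samples = foreach ($row in $rows) {
        $mb = 0.0
        # A blank cell means the sample could not be collected; skip it.
        if ([double]::TryParse($row.$memCol, $style, $culture, [ref]$mb)) {
            [pscustomobject]@{ Time = $row.$timeCol; AvailableMB = $mb }
        }
    }
    $stats = $samples | Measure-Object -Property AvailableMB -Minimum -Maximum -Average
    [pscustomobject]@{
        Samples    = $stats.Count
        MinMB      = $stats.Minimum
        MaxMB      = $stats.Maximum
        AverageMB  = [math]::Round($stats.Average, 1)
        BelowLimit = @($samples | Where-Object { $_.AvailableMB -lt $LowWaterMarkMB })
    }
}

Get-AvailableMemorySummary -CsvLines $sample
```

For the lab's own log, pass the output of `Get-Content` on the DataCollector01.csv file under C:\PerfLogs in place of `$sample`.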
End of document
