Windows 10 process (application) backup/comparison in place has a great trick

In case of system abnormalities, we often have to check the recently installed applications or new processes on the local machine, but it is difficult to find out these new elements when problems occur because the list of processes has not been backed up before. In fact, Windows 10 has taken this problem into account and comes with a program to make backups of processes (applications), which makes it easy to compare and find them when problems occur on the system. Let’s introduce this command – Tasklist.

We first start the command prompt as administrator and enter the following code to complete the initial backup by backing up the current process list to E:process.csv (Figure 1).

echo %date:~0,10%,%time%(备份)>e:process.csv

TASKLIST /FI “STATUS eq RUNNING” /FO CSV >>e:process.csv


Figure 1 Input command

Code explanation.

“%date:~0,10%” means display the current date on the screen and intercept only the first 10 characters of the date (the default format is “2020/06/05 Friday”, after intercepting the characters displayed as “2020/06/05” for subsequent filtering), “%time%(backup)” means display the current time + backup, then use the Echo command to display and output to “e: process.csv” to save.

“TASKLIST /FI “STATUS eq RUNNING” /FO CSV >>e:process.csv” means to use the parameter /FI (Filter) to filter the process, “STATUS eq RUNNING” is to delete the running process, /FO (Fomat) is the specified output format parameter, followed by CSV, which is the specified output format, so that all the currently running processes will be displayed, and the contents will be appended to “e:process.csv”.

After executing the above code, use Excel to open “e:process.csv”, in the list we can see all the currently running processes, and will also show the date and time of the backup (Figure 2).


Figure 2 View exported files

Other data can be automatically backed up in combination with the system’s “Task Scheduler”. First we start “Notepad” and type the above code (the first line of code should be changed to “echo %date:~0,10%,%time%(backup)>>e:process.csv”), then save it as “E:bf.bat” for backup. Start the “Task Scheduler” and create a new task named “Backup Boot Process”, switch to “Triggers → New Trigger” in order to create a new trigger for every Monday to Friday. Create a task with a start time of 9:05 (corresponding to the time when you turn on your computer at work on weekdays) (Figure 3).


Figure 3 Activation settings


You can also set the trigger according to your actual needs, such as choosing “at login”. This will automatically backup the process every day after logging into Windows 10, but it is not easy to compare the files afterwards because there are too many backups.

Then switch to “Operation→New Operation→Start Program” and enter “E:bf.bat” at “Program or Script”, so that the backup process will be automatic when the set time comes during the working day (Figure 4). This will automatically backup the process at the set time during the working day (Figure 4).


Figure 4 Operation settings

Well, now if there is an abnormality in the system, we can find out the added process by comparing the data. For example, on June 9, we felt that the boot speed had become significantly slower, and we found that the system was using a lot of resources through Task Manager. At this point we can use Excel to open the “e:process.csv”, select column A, click “Start → Conditional Format → Date of occurrence”, select the last 7 days of data filled with light red, so that in the list can be eye-catching This way, the last 7 days of backup data can be displayed prominently in the list (Figure 5).


Figure 5 Setting conditions

We can first compare the data of the closest date to the exception, such as June 8. Create a new worksheet, copy the June 8 process data in column A to the new table in column A, and click “Start → Data → Delete Duplicate Values → OK” in order to keep only the non-duplicate processes. As above, copy the June 9 process data to the new table of column B also perform the operation of deleting duplicate values. After the operation is complete, select the A, B data, click on the “conditional format → repeat value → unique value”, so you can quickly find the June 9 than June 8 added two processes “qq.exe” and ” svch0st.exe” (Figure 6).


Figure 6 Comparison data

Open Task Manager, switch to “Details”, find the new “svch0st.exe” process and right-click to select “Open file location” (Figure 7) .


Figure 7 Find process location

In the window that opens, you can see that the process is located in “C:UsersCurrent UserAppDataLocal{6A896522-C181-40E4-A1C6-CCE7795E10D3}”, the location of the save is extremely suspicious, follow the prompts to end the process and After deleting the process, the system returned to normal (Figure 8).


Figure 8 View process location

By backing up the process, we can quickly find out the suspicious process when the system is abnormal, which is very efficient. Similarly, we can also use the command “wmic /output:C:InstallList.txt product get name,version >1.csv” to backup the software currently installed on the system, and then find out the new software recently installed by comparing the data, so as to to determine if the newly installed software is the cause of the system abnormality.

Leave a Comment