System Tools and Utilities

A+ Core 2 — 220-1102  |  Domain 1.3
Task Manager, Resource Monitor, Event Viewer, Disk Management, MSConfig, and more. The diagnostic and management layer every A+ technician lives in daily.
19 Slides  |  Domain 1.3  |  Task Manager • Disk Mgmt • Event Viewer • Registry  |  Exam 220-1102
Slide 2 of 19
Task Manager Overview
Ctrl + Shift + Esc. The first tool opened when a system is slow, unresponsive, or behaving unexpectedly.
Launch Methods
Ctrl + Shift + Esc (direct). Ctrl + Alt + Del → Task Manager. Right-click taskbar → Task Manager. taskmgr.exe from Run. In WinPE or limited shell: taskmgr.exe from cmd.exe.
Six Core Tabs
Processes, Performance, App History, Startup, Users, Details, Services. Compact view (first launch) shows only active apps. Click "More details" for full interface. Each tab serves a different diagnostic purpose.
Windows 11 Redesign
Win 11 moved Task Manager to a sidebar navigation layout with Settings gear. Same 6 tabs, different visual organization. Core functionality is identical for A+ purposes. Efficiency Mode added in Win 11 22H2 to throttle background processes.
When to Open Task Manager First
System slow/freezing: check CPU and memory in Performance tab. App not responding: find it in Processes, End Task. Suspected malware: check Processes/Details for unknown entries. Startup slowness: Startup tab.
Slide 3 of 19
Task Manager Tab Structure
Visual breakdown of all six tabs and their primary diagnostic purpose.
Processes: All running apps and background processes. CPU / RAM / Disk / Network per process. Right-click: End Task, Set Priority, Open File Location. USE: Kill / triage
Performance: Live graphs for CPU, Memory, Disk, Network, GPU. Uptime shown here. RAM slots / speed. Open Resource Monitor link. USE: Bottleneck ID
App History: UWP / Store apps, cumulative CPU and network use since last reset. Delete history. USE: Data billing
Startup: Apps that launch at sign-in. Impact: Low / Med / High / Not Measured. Enable / Disable. Open File Location. USE: Boot speed
Users: Logged-in sessions, per-user resource usage. Disconnect / sign out other sessions. USE: Multi-user mgmt
Details / Services: Details: PID, status, CPU, memory per process. Services: start/stop, Go to services.msc. Set affinity. Set priority. USE: Deep process
Slide 4 of 19
Task Manager: Processes Tab
Real-time per-process CPU, memory, disk, network, and GPU usage.
Three Process Types
Apps: user-launched foreground applications. Background processes: services and daemons running without UI. Windows processes: OS components (System, LSASS, svchost groups). Svchost.exe hosts multiple services — expand it to see which ones.
End Task
Right-click → End Task sends WM_CLOSE (graceful close request). If process ignores it, Windows force-kills after a timeout. "End Process Tree" in Details tab kills the process and all child processes simultaneously.
Resource Columns
CPU: % of total CPU capacity. Memory: working set in MB. Disk: I/O in MB/s. Network: throughput in Mbps. GPU: percentage of GPU engine use. Right-click a column header to add more columns, such as PID (process ID).
Set Priority
Right-click → Go to Details → Set Priority. Levels: Realtime (dangerous), High, Above Normal, Normal (default), Below Normal, Low. Realtime can starve the OS. Use High sparingly. Below Normal or Low for background tasks.
Suspending a Process (Win 11)
Win 11 Efficiency Mode suspends a background process (reduces to Low priority and throttles), reclaiming resources without ending the process. Useful for browser tabs and background apps. Right-click → Efficiency Mode.
Malware Identification
Right-click process → Open File Location to find where the executable lives. Legitimate Windows processes run from C:\Windows\System32. A process named "svchost.exe" running from C:\Users\...\AppData is a red flag.
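The path check described above can be scripted. The following PowerShell is an added example, not part of the original deck; the list of watched process names and the sample rows are assumptions constructed for illustration.

```powershell
# Added example, not part of the original deck.
# Flags processes that use a core Windows process name but run from outside
# System32. The watched-name list is an assumption for illustration only.
$ExpectedDir  = Join-Path $env:SystemRoot 'System32'   # normally C:\Windows\System32
$WatchedNames = 'svchost.exe', 'lsass.exe', 'services.exe', 'csrss.exe', 'winlogon.exe'

function Test-ProcessLocation {
    param(
        [Parameter(Mandatory)] [object[]] $Process,    # needs Name, ProcessId, ExecutablePath
        [string]   $ExpectedDirectory = $ExpectedDir,
        [string[]] $Names = $WatchedNames
    )
    foreach ($p in $Process) {
        if ($Names -notcontains $p.Name) { continue }  # comparison is case-insensitive
        $verdict = if (-not $p.ExecutablePath) {
            'PathUnavailable'                          # protected process or session not elevated
        } elseif ((Split-Path -Path $p.ExecutablePath -Parent) -eq $ExpectedDirectory) {
            'Expected'
        } else {
            'UnexpectedLocation'
        }
        [pscustomobject]@{
            Name      = $p.Name
            ProcessId = $p.ProcessId
            Path      = $p.ExecutablePath
            Verdict   = $verdict
        }
    }
}

# Constructed sample rows (not real telemetry) so the logic can be checked offline.
$sample = @(
    [pscustomobject]@{ Name = 'svchost.exe'; ProcessId = 812;  ExecutablePath = (Join-Path $ExpectedDir 'svchost.exe') }
    [pscustomobject]@{ Name = 'svchost.exe'; ProcessId = 4420; ExecutablePath = 'C:\Users\example\AppData\Roaming\svchost.exe' }
    [pscustomobject]@{ Name = 'lsass.exe';   ProcessId = 700;  ExecutablePath = $null }
    [pscustomobject]@{ Name = 'notepad.exe'; ProcessId = 5150; ExecutablePath = 'C:\Windows\System32\notepad.exe' }
)
Test-ProcessLocation -Process $sample | Format-Table -AutoSize

# Live check: run from an elevated prompt so ExecutablePath is populated.
Test-ProcessLocation -Process (Get-CimInstance -ClassName Win32_Process) |
    Where-Object Verdict -ne 'Expected' |
    Format-Table -AutoSize
```

A PathUnavailable verdict is not a finding on its own; rerun elevated before drawing a conclusion.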
Slide 5 of 19
Task Manager: Performance Tab
Live graphs and hardware stats for CPU, memory, disk, network, and GPU.
CPU Panel
Real-time utilization graph. Processor name, speed (base and max), sockets, cores, logical processors (threads), L1/L2/L3 cache sizes, virtualization enabled/disabled. Uptime shown here. Right-click graph to change to "Logical Processors" view.
Memory Panel
Total, In Use, Available, Committed, Cached. Slots used (e.g., 2 of 4). RAM speed, form factor, hardware reserved. Composition breakdown: Modified, Standby, Free. High committed vs. total = system needs more RAM or is pagefile-heavy.
Disk Panel
Active time % (100% = disk bottleneck), read/write speed in MB/s, response time in ms. Average response time above 20ms on an SSD indicates a problem. HDD above 15ms during sequential reads is normal.
Network Panel
Throughput in Mbps for each adapter. Link speed (adapter capability). Adapter name and type. Multiple adapters shown separately. Baseline the normal traffic level first before declaring anomalous.
GPU Panel
GPU utilization per engine: 3D (gaming/rendering), Video Decode, Video Encode, Copy. Temperature, dedicated and shared memory in use. Multiple GPUs shown separately. Integrated and discrete both appear if both active.
Open Resource Monitor
Bottom of Performance tab: "Open Resource Monitor" link. Resource Monitor provides deeper I/O breakdown: exact files being read/written, TCP connections per process, CPU wait chains, and disk latency per process.
Slide 6 of 19
Task Manager: Startup Tab
Apps that launch automatically at user sign-in. Impact rating estimates boot time contribution.
Startup Impact Ratings
Not Measured: newly added, not yet analyzed. Low: minimal boot delay (under ~200ms). Medium: moderate impact. High: significant delay (1+ seconds). Impact is measured by CPU usage and disk I/O during startup, averaged over multiple boots.
Disable vs. Remove
Disabling a startup entry here does NOT uninstall the app. It only prevents auto-start. The app can still be launched manually. Re-enable at any time. To permanently stop it, uninstall the app or delete the registry Run key.
Startup Entry Sources
Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (all users), HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (current user). Startup folders: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (all users), user-specific startup folder.
Publisher Column
Shows digital signature publisher. Unknown = no valid digital signature, not necessarily malicious but warrants inspection. Right-click → Open File Location to verify the executable path. Signed Microsoft processes are always expected.
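The Startup Entry Sources and Publisher Column checks can be combined in one pass. The following PowerShell is an added example, not part of the original deck; the helper function names are hypothetical, and the command-line parsing is a simplification that assumes the first token of a Run value is the executable.

```powershell
# Added example, not part of the original deck.
# Lists auto-start entries from the Run keys and Startup folders named above
# and reports the Authenticode status of each target executable.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # all users
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # current user
)
$StartupFolders = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')  # all users
    [Environment]::GetFolderPath('Startup')                                       # current user
)

function Get-CommandTarget {
    # Pull the executable path out of a Run value such as: "C:\App\app.exe" /background
    param([string] $CommandLine)
    $text = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($text -match '^"([^"]+)"') { return $Matches[1] }                        # quoted path
    if ($text -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] } # unquoted path
    return ($text -split '\s+')[0]
}

function Get-SignatureInfo {
    param([string] $Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Status = 'TargetNotFound'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{ Status = [string]$sig.Status; Signer = $sig.SignerCertificate.Subject }
}

function New-StartupRecord {
    param($Source, $Name, $Command, $Target)
    $sig = Get-SignatureInfo $Target
    [pscustomobject]@{
        Source = $Source; Name = $Name; Command = $Command
        Target = $Target; Signature = $sig.Status; Signer = $sig.Signer
    }
}

function Get-StartupEntry {
    foreach ($key in $RunKeys) {
        $k = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            $cmd = [string]$k.GetValue($name)
            New-StartupRecord $key $name $cmd (Get-CommandTarget $cmd)
        }
    }
    $shell = New-Object -ComObject WScript.Shell      # used to resolve .lnk shortcut targets
    foreach ($dir in $StartupFolders) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
                New-StartupRecord $dir $_.Name $_.FullName $target
            }
    }
}

# Anything other than 'Valid' corresponds to the "Unknown" publisher case:
# inspect the target path before deciding whether to disable or remove it.
Get-StartupEntry | Sort-Object Signature |
    Format-Table Source, Name, Target, Signature, Signer -AutoSize -Wrap
```

A TargetNotFound result usually means the Run value points to a file that has been removed or uses a bare file name; review the Command column for those rows.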
Exam Scenario
"After a browser extension install, system boots slowly." Startup tab in Task Manager: find the new entry with High impact. Disable it. Restart. If boot time returns to normal, the extension's background process was the cause.
Slide 7 of 19
MSConfig — System Configuration
msconfig.exe — boot options, safe mode, service masking, and startup redirection.
General Tab
Normal Startup: loads all drivers and services. Diagnostic Startup: loads only basic devices and services (closest to clean boot without Safe Mode). Selective Startup: mix and match with manual control of services and startup items.
Boot Tab
Safe Boot options: Minimal (standard safe mode), Alternate Shell (safe mode + command prompt only), Active Directory Repair, Network (safe mode with networking). Boot log (ntbtlog.txt). No GUI boot. OS boot timeout.
Services Tab
List all installed services. Check "Hide all Microsoft services" first, then disable remaining to isolate third-party service conflicts. Used for clean boot troubleshooting. Does NOT uninstall services.
Startup Tab (Redirect)
On Win 10/11, Startup tab shows only a link to Task Manager → Startup tab. On Win 7, startup entries were managed here directly. Know this difference for exam questions that reference msconfig startup management.
Tools Tab
Launcher for 20+ system tools: Change UAC settings, Event Viewer, Programs and Features, System Information (msinfo32), Performance Monitor, Resource Monitor, Task Manager, Registry Editor, Internet Protocol Configuration, Remote Assistance.
Clean Boot Procedure
Services tab → Hide Microsoft services → Disable All. Startup: open Task Manager, disable all. Restart. If issue resolved, re-enable half, restart, test. Binary search until culprit is found. Re-enable everything after diagnosis.
Boot sequence: BIOS / UEFI (POST + boot device) → Bootloader (bootmgr / winload) → Windows Kernel (ntoskrnl.exe loads; msconfig controls here) → Services Load (startup type determines) → Startup Programs (Task Manager controls) → User Login (desktop loads).
Safe Mode: minimal drivers only. msconfig: selective disable.
Slide 8 of 19
Disk Management Layout
diskmgmt.msc — visual disk topology, partition types, and status indicators.
Disk 0 (MBR) — 500 GB
  System Reserved: 350 MB
  C:\ Windows (Primary, Active, Boot): 400 GB — NTFS — Status: Healthy (Boot, Page File, Crash Dump, Primary Partition). Right-click: Shrink Volume / Extend Volume / Change Drive Letter
  D:\ Data (Primary): 90 GB — NTFS — Healthy
  Unallocated: 10 GB
  Active = bootable partition. MBR: max 4 primary partitions (or 3 primary + 1 extended).
Disk 1 (GPT) — 1 TB NVMe
  EFI System: 100 MB
  MSR: 16 MB
  C:\ Windows (GPT Primary): 900 GB — NTFS — Healthy (EFI System, Boot, Page File)
  Recovery: Healthy, ~750 MB
  GPT: up to 128 primary partitions. Required for UEFI boot and drives > 2 TB. EFI replaces MBR boot record.
Slide 9 of 19
Disk Management Operations
Initialize, partition, format, shrink, extend, and assign drive letters.
Initialize Disk
New disk plugged in: appears as Unknown, Not Initialized. Right-click → Initialize Disk. Choose MBR or GPT. MBR: legacy BIOS compatibility, max 2 TB, max 4 primary partitions. GPT: UEFI only, 128 partitions, supports drives over 2 TB.
Shrink Volume
Reduces an existing partition to free space for a new partition. Shrink query shows maximum shrinkable bytes. Immovable files (hibernation, shadow copies) at the end of the volume limit shrink size. Disable hibernation (powercfg -h off) to maximize shrink space.
Extend Volume
Expands a volume into adjacent unallocated space to the right of the partition. If unallocated space is not adjacent, use the diskpart command-line tool. Cannot extend system/boot volume on a running OS using just Disk Management.
Change Drive Letter
Right-click volume → Change Drive Letter and Paths. Assign a letter (A-Z), add a mount point folder path, or remove the letter. Changing a drive letter can break installed applications that use absolute paths. Never change C: or boot drive.
Volume Status Codes
Healthy: operating normally. Healthy (At Risk): I/O errors detected. Failed: cannot be started, likely hardware failure. Unallocated: free space. Foreign: dynamic disk from another computer. Unknown: no valid MBR or GPT signature.
MBR vs GPT Conversion
Disk Management GUI: can convert empty disk only. Diskpart: convert gpt / convert mbr (destroys all data). Windows 10/11: MBR2GPT.exe /convert /disk:0 /allowFullOS (non-destructive, must meet GPT requirements, requires UEFI mode in firmware).
Slide 10 of 19
Resource Monitor
resmon.exe — deeper than Task Manager, showing per-process file, network, and CPU wait data.
CPU Tab
Services and processes with CPU usage, average CPU, thread count, PID. Right-click → Analyze Wait Chain — shows if a process is waiting on another (deadlock diagnosis). Critical for figuring out why an app hangs without consuming CPU.
Memory Tab
Physical memory bar shows: In Use, Modified, Standby, Free. Per-process: Working Set (physical RAM used), Private (not shared), and Shareable. Commit charge. Identifies which process is consuming the most private memory.
Disk Tab
Exact files being read and written, by which process, with bytes/sec and total I/O. Reveals if antivirus, indexing, or a specific app is hammering the disk. Shows read/write queue length per drive.
Network Tab
Per-process TCP connections (local and remote address, port, state). Network activity (bytes sent/received). Listening ports per process. This is the first stop for "what process is talking to IP X" questions without installing third-party tools.
Analyze Wait Chain
Right-click a non-responsive process in Resource Monitor CPU tab → Analyze Wait Chain. If the chain shows AppA is waiting on AppB, and AppB is suspended: end AppB. AppA resumes. This explains hangs that show 0% CPU but won't close.
Slide 11 of 19
Event Viewer
eventvwr.msc — the audit trail for everything Windows logs about hardware, software, and security.
Windows Logs
Application: errors and warnings from installed applications. Security: logon/logoff, privilege use, object access (if auditing enabled). System: driver, hardware, OS component events. Setup: Windows Update installation events. Forwarded Events: remote log collection.
Event Levels
Critical: failure requiring immediate attention. Error: significant problem, functionality affected. Warning: potential problem, not yet critical. Information: normal operation, status updates. Verbose/Debug: detailed diagnostic data (usually filtered out).
Filtering & Custom Views
Filter Current Log by: level, event sources, event IDs, date range, user, computer. Custom Views save complex filters. "Administrative Events" is a built-in Custom View showing all Critical, Error, and Warning across all logs.
Event ID | Log | Meaning
4624 | Security | Successful logon
4625 | Security | Failed logon attempt
4648 | Security | Explicit credential logon (RunAs)
4663 | Security | File/object access (requires auditing)
41 | System | System rebooted without clean shutdown (BSOD/power)
6008 | System | Unexpected shutdown logged at next boot
7045 | System | New service installed
BSOD Investigation
After a BSOD: System Log → filter for Critical. Event ID 41 (Kernel-Power) confirms unexpected power loss or stop error. Event ID 1001 (Windows Error Reporting) contains the bug check code (stop code) and module that caused the crash.
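The Event IDs in the table can be pulled from the command line instead of the Event Viewer filter dialog. The following PowerShell is an added example, not part of the original deck; the function names, time windows, and the sample event XML are assumptions constructed for illustration.

```powershell
# Added example, not part of the original deck.
# Queries the local logs for Event IDs from the table above.
# Reading the Security log requires an elevated session.
function ConvertTo-EventData {
    # Turn the <EventData><Data Name="..."> elements of an event into a hashtable.
    param([Parameter(Mandatory)] [string] $Xml)
    $map = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    $map
}

function Get-FailedLogonSummary {
    # 4625: count failed logons per account, source address, and logon type.
    param([datetime] $StartTime = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData ($_.ToXml())
            [pscustomobject]@{ Account = $d.TargetUserName; Source = $d.IpAddress; LogonType = $d.LogonType }
        } |
        Group-Object Account, Source, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-NewServiceInstall {
    # 7045: every service installed in the window, with its binary path and account.
    param([datetime] $StartTime = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData ($_.ToXml())
            [pscustomobject]@{
                Time = $_.TimeCreated; Service = $d.ServiceName; ImagePath = $d.ImagePath
                StartType = $d.StartType; Account = $d.AccountName
            }
        }
}

function Get-UncleanShutdown {
    # 41 and 6008: reboots without a clean shutdown.
    param([datetime] $StartTime = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 6008; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName
}

# Constructed 7045 event (not a real log record) to show the parsing offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7045</EventID></System>
  <EventData>
    <Data Name="ServiceName">ExampleSvc</Data>
    <Data Name="ImagePath">C:\Example\examplesvc.exe</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
'@
(ConvertTo-EventData $sampleXml).ImagePath    # C:\Example\examplesvc.exe

Get-FailedLogonSummary | Format-Table -AutoSize
Get-NewServiceInstall  | Format-List
Get-UncleanShutdown    | Format-Table -AutoSize
```

An empty result from Get-FailedLogonSummary in a non-elevated session means the Security log could not be read, not that no logons failed.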
Slide 12 of 19
Performance Monitor
perfmon.msc — graphed counters, data collector sets, and system stability report.
Performance Monitor View
Real-time or historical graph of performance counters. Default counter: % Processor Time. Add counters: Processor, Memory, Physical Disk, Network Interface, Process. Compare workloads over time with logged data rather than live snapshots.
Data Collector Sets
Define a set of counters to log over time. System Performance (built-in): 60-second capture with report. System Diagnostics: hardware, OS health, and driver checks. Create custom sets for long-term baseline collection.
System Stability Index
Reliability Monitor (different from Performance Monitor) shows a 1-10 stability score over time. Reports application crashes, Windows failures, hardware failures, miscellaneous failures with timestamps. Shows correlation between installs and crashes.
Key Counters to Know
Processor → % Processor Time. Memory → Available MBytes (should stay above 20% total). Physical Disk → % Disk Time (above 90% = bottleneck). Physical Disk → Avg. Disk Queue Length (above 2 = problem). Network Interface → Bytes Total/sec.
Reliability Monitor
Control Panel → System and Security → Security and Maintenance → Maintenance → View Reliability History. Or: perfmon /rel. Shows timeline of events. Useful for correlating "system started crashing after date X" with software installs or Windows updates from that date.
Slide 13 of 19
Registry Editor
regedit.exe — the Windows configuration database. Hive structure, key types, and exam-critical paths.
HKEY_LOCAL_MACHINE (HKLM)
Hardware and software settings for all users on this machine. Subkeys: HARDWARE (device config), SAM (local accounts), SECURITY, SOFTWARE (installed programs, OS settings), SYSTEM (services, device drivers, boot configuration).
HKEY_CURRENT_USER (HKCU)
Settings for the currently logged-in user only. Maps to HKLM\SOFTWARE\Classes. Subkeys: Software (per-user app settings), Control Panel (desktop, keyboard, mouse preferences), Environment (user-specific PATH and environment variables).
Other Hives
HKEY_CLASSES_ROOT (HKCR): file type associations and COM/OLE registrations. HKEY_USERS (HKU): all loaded user profiles. HKEY_CURRENT_CONFIG (HKCC): current hardware profile (display and printer settings at boot).
Windows Registry
HKLM: SOFTWARE (Apps / Run keys), SYSTEM (Services / drivers), SAM (Local accounts)
HKCU: Software (Per-user Run keys), Ctrl Panel (Display / mouse), Environment (User PATH var)
HKCR · HKU · HKCC
Registry Path | Purpose
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Startup entries for all users
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Startup entries for current user
HKLM\SYSTEM\CurrentControlSet\Services | Service configuration and startup type
HKLM\SYSTEM\CurrentControlSet\Control\ComputerName | Computer name and DNS hostname
Slide 14 of 19
System Information
msinfo32.exe — complete hardware and software inventory in one read-only tool.
System Summary
OS name and version, build number, OS manufacturer, system manufacturer (Dell, HP), model, type (x64-based PC), processor, BIOS version and date, SMBIOS version, firmware type (BIOS or UEFI), Secure Boot state, installed RAM, virtual memory.
Hardware Resources
IRQ assignments, I/O addresses, DMA channels, memory addresses. Conflicts/Sharing section shows any resource conflicts. Useful for legacy hardware troubleshooting. Less relevant on modern plug-and-play systems but still tested.
Components
Detailed info for: Display (adapter, resolution, VRAM), Sound Device, Modem, Network (adapter, MAC, DHCP server, IP), Ports (COM, LPT), Storage (drives, SMART status via WMI), USB, Camera, Print. Full hardware inventory without opening Device Manager.
Software Environment
Running tasks, loaded modules, startup programs (same as registry Run keys), Windows Error Reporting, network connections (like netstat), services. The Software Environment → Startup Programs section lists startup entries from all sources, not just Task Manager visible ones.
Export Report
File → Export → saves as .txt for documentation or remote support. msinfo32 /report C:\report.txt from command line generates the same file non-interactively. Useful for remote support tickets where screen sharing is unavailable.
Find Command
Ctrl+F within msinfo32 to search across all categories. Find "BIOS version," "Network Adapter," or any hardware component instantly without navigating the tree manually.
Slide 15 of 19
Task Scheduler
taskschd.msc — create, view, and manage automated tasks with granular triggers and actions.
Triggers
On a Schedule (daily, weekly, monthly, one time), At log on, At startup, On idle, On an event (Event Log trigger by ID), At task creation, On connection/disconnect to user session or workstation lock/unlock. Multiple triggers per task.
Actions
Start a program (primary use): specify executable, arguments, and start-in directory. Send an email (deprecated Win 8+). Display a message (deprecated). Scripts: batch, PowerShell, VBScript. Can chain multiple actions in sequence.
Conditions & Settings
Conditions: start only if on AC power, only if idle for X minutes, wake computer to run task. Settings: allow task to run on demand, stop task if running longer than X hours, restart on failure, delete task if not scheduled to run again.
Security Context
Run as: specific user (prompt for credentials), SYSTEM (highest privilege, no interactive session), LOCAL SERVICE, NETWORK SERVICE. "Run whether user is logged on or not": task runs headlessly. "Run with highest privileges": enables UAC elevation for the task.
A tech needs to run a cleanup script at 3 AM every Tuesday. Task Scheduler → Create Task → Triggers → Weekly, Tuesday, 3:00 AM. Actions → Start a program → powershell.exe, arguments: -File C:\scripts\cleanup.ps1. Security: SYSTEM, Run whether user logged on or not.
Slide 16 of 19
Local Users & Groups
lusrmgr.msc — manage local accounts and group membership without Active Directory.
Local Users
Create, rename, delete local accounts. Set/reset passwords. Account properties: Full Name, Description, Password Never Expires, User Cannot Change Password, Account Is Disabled, Account Lockout status. Disable built-in Administrator and Guest accounts.
Built-In Groups
Administrators: full control. Standard Users: limited. Power Users: legacy, limited in Win 10/11. Remote Desktop Users: can connect via RDP. Backup Operators: backup/restore rights. Network Configuration Operators: change IP settings without full admin.
Group Membership
Right-click a group → Add to Group → type user account name. Or right-click a user → Properties → Member Of → Add. Adding a user to Administrators gives them elevated rights after next logon (token refresh). Changes take effect at next login.
Pro vs. Home
lusrmgr.msc is not available on Windows Home editions. On Home, use Settings → Accounts or net user and net localgroup commands from an elevated command prompt. For exam purposes, lusrmgr.msc is the Pro/Enterprise tool.
Enable Hidden Admin Account
net user administrator /active:yes (elevated cmd). The built-in Administrator has no password by default. Use immediately to recover a locked-out system. Disable it again after: net user administrator /active:no. Never leave it enabled in production.
Slide 17 of 19
Services Management
services.msc — control the background service layer that powers Windows features.
Startup Types
Automatic: starts at boot. Automatic (Delayed Start): starts a short time after boot — reduces boot competition. Manual: starts only when called by another process or user. Disabled: cannot start at all. Trigger Start: starts based on an event (common for newer services).
Service Account Types
Local System (SYSTEM): highest privilege, full local access. Network Service: lower privilege, authenticates to network as computer. Local Service: minimal privilege, no network authentication. Domain account: for services needing AD resources.
Recovery Tab
What to do on first, second, and subsequent failure: Take No Action, Restart the Service, Run a Program, Restart the Computer. Restart delay setting. "Reset fail count after X days." Critical services (DNS Client, DHCP Client) typically configured to restart automatically.
Service | Purpose | Default Startup
DHCP Client (Dhcp) | Registers and renews IP addresses | Automatic
DNS Client (Dnscache) | Caches DNS lookups | Automatic
Windows Update (wuauserv) | Detects and installs Windows updates | Automatic (delayed)
Print Spooler (Spooler) | Manages print jobs in queue | Automatic
Windows Search (WSearch) | Content indexing for Search | Automatic (delayed)
Slide 18 of 19
Command-Line System Tools
sfc, dism, chkdsk, diskpart, bcdedit — the CLI layer beneath the GUI tools.
Command | Purpose | Key Usage
sfc /scannow | Scan and repair protected system files | Run from elevated cmd; fix corrupted OS files
DISM /Online /Cleanup-Image /RestoreHealth | Repair Windows component store (WinSxS) | Run before or after failed sfc
chkdsk C: /f /r | Check and repair filesystem errors, bad sectors | /f fixes errors, /r locates bad sectors; needs reboot
diskpart | CLI disk partitioning | list disk, select disk, clean, convert gpt
bcdedit | Boot Configuration Data editor | View boot entries, set default OS, disable Hyper-V
net start / stop | Start or stop a service | net stop spooler; net start spooler
sc query | Query service status | sc query wuauserv
tasklist / taskkill | List or kill processes by PID | taskkill /PID 1234 /F
Repair flow: DISM /ScanHealth (check store) → Store corrupt? YES: DISM /RestoreHealth (repair from WU) → sfc /scannow (repair system files from store) → Restart + Verify (run sfc again). NO: skip to sfc directly.
SFC / DISM Order of Operations
1. DISM /Online /Cleanup-Image /ScanHealth (check for corruption). 2. DISM /Online /Cleanup-Image /RestoreHealth (repair from Windows Update). 3. sfc /scannow (scan and repair system files using the repaired component store). Restart. Run sfc again to verify all repairs succeeded.
Slide 19 of 19 — Summary
System Tools Key Takeaways
01. Task Manager (Ctrl+Shift+Esc): Processes tab to kill/triage. Performance for bottleneck ID. Startup tab for boot speed. Details for PID and priority.
02. Resource Monitor goes deeper: per-process file I/O, TCP connections, and Analyze Wait Chain for hung processes.
03. MSConfig clean boot: hide Microsoft services, disable all third-party, restart, binary search the culprit. Startup tab redirects to Task Manager in Win 10/11.
04. Disk Management: MBR = max 4 partitions, max 2 TB. GPT = max 128 partitions, required for UEFI and disks over 2 TB. Shrink before extending.
05. Event Viewer IDs to know: 4624 (logon success), 4625 (logon fail), 41 (kernel power/BSOD), 7045 (new service installed).
06. SFC/DISM repair order: DISM /RestoreHealth first to fix the component store, then sfc /scannow to repair system files, then verify.
07. Registry Run keys: HKLM = all-user startup, HKCU = current-user startup. Used by malware persistence and legitimate startup apps alike.
08. Services recovery tab: set critical services to restart automatically on failure. Know startup types: Automatic, Delayed, Manual, Disabled, Trigger Start.
Exam Domain Coverage
This presentation covers CompTIA A+ 220-1102 Domain 1.3 (Microsoft Windows OS) with emphasis on system diagnostic utilities, disk management, process management, and the command-line repair toolchain.