I have a Windows system that exposes some weird activity at regular timer interval and suspect this originates in a running process.
Is there a tool to list all process timers? No matter it is CLI or GUI, just listing will be enough to discover a source. Expected information for each timer: process id, explode timestamp, repeat interval (if repeatable).
(Of course I have started with ProcessExplorer from Sysinternals but it seems there is no timer handle type at all in its notion.)
Running wmic process where name="process.exe" get /format:list will display all process details from process.exe. You can include property name after get for filtering. As far as I know there's no tool for getting the timer handles from outside. Possibly Sysinternals' Process Monitor can display more information about process activity.
The closest to that would be the !timer command in WinDBG. You'd need to attach a live debugger to the machine (or use livekd from sysinternals), or obtain a complete memory dump and open it on WinDBG.
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-timer
You can use perfmon to log the executed process on your server. You can add a new collector and select all the counters for your process. When your process with weird activity starts it will be logged and you will be able to see the time when it starts and ends and which is his parent process. Moreover, you will be able to see all infos for this process.
Be carefull, to select in yours counters the option to save the process which will be created after your perfmon.
