Mark Russinovich at www.sysinternals.com has released freeware utility PMon which logs and displays all process activity on an NT 4.0 system. Useful to Windows NT admin.

The GUI dynamically loads the driver (based on code from the instdrv sample in the Windows NT DDK), which installs hooks for process and thread creation and deletion. The menus can be used to disable event capturing, control the scrolling of the listview, and to save the listview contents to an ASCII file. Where possible, PMon displays the name of the process that owns a thread that is part of a thread creation or deletion, or a context swap. The thread ID immediately follows the process name. In some cases the owning process does not exist anymore, in which case PMon displays "???" for the name. The "Elapsed" column indicates the time in seconds between successive events in the display. Note that many times this will be 0, which simply means that the events happened inside of one system timer clock tick. Clock ticks are normally 10 milliseconds apart, so alot can happen (for more information on the NT system timer, see Inside NT High Resolution Timers). The context-swap hook is only present in multiprocessor builds of NT, and is by default not enabled. To turn on context-switch monitoring when it is present, select the "Context Swap" menu entry under the "Events" menu. Note that monitoring context swaps generates many records rapidly. In order to try and minimize the amount of non-interesting context-swap noise, PMon ignores swaps between system threads 0 and 1, which occur frequently as system work items are dispatched.

New Riders has good NT texts.

Gives an in-depth look at the NT/Windows 95/98 system policies. Step-by-step walkthroughs.