Process Explorer

Process Explorer is like Task Manager on drugs. I have been using it for years, and every time I decide to get to the bottom of it, I get sidetracked because it has so many uses. In this tutorial, we will have a look at some of the different tasks Process Explorer can be used for.

In Task Manager it is possible to see which processes are running, how much memory and CPU they are consuming, etc. Process Explorer does the same, but is much more specific about what kind of process or service it is, which process spawned the process, which DLLs and handles it uses, etc. The main interface shows a tree structure of the different processes running on the system. The processes marked in red are services and the blue ones are "own processes", that is, processes owned by the user you are logged in to the system as.

Hovering over a process like svchost.exe reveals a tooltip showing which services it contains. Since svchost is a shared service process, it hosts multiple services that share that one process. In Task Manager it can be hard to identify which services are running under a svchost process, which is also why some malware disguises itself as svchost.exe.
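The same mapping from the tooltip, done in PowerShell as an added example that is not part of the original post: each svchost.exe is listed with the services it hosts, and the properties a genuine svchost.exe always has (image in System32, started by services.exe, hosting at least one service) are checked so an impostor stands out. Run it from an elevated prompt so ExecutablePath is readable for system processes.

```powershell
# Added example, not from the original post: list every svchost.exe with the
# services it hosts and flag the signs of a process only pretending to be svchost.
$system32 = Join-Path $env:SystemRoot 'System32'
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$svchosts = Get-CimInstance Win32_Process | Where-Object { $_.Name -ieq 'svchost.exe' }

$report = foreach ($p in $svchosts) {
    # ParentProcessId can point at a reused PID if the real parent has exited,
    # so treat the parent check as a hint rather than proof.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                Select-Object -ExpandProperty Name)
    $flags  = @()
    if (-not $p.ExecutablePath) {
        $flags += 'path-unavailable'        # usually means the prompt is not elevated
    } elseif (-not $p.ExecutablePath.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $flags += 'path-not-System32'       # the real svchost.exe lives in %SystemRoot%\System32
    }
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $flags += 'parent-not-services.exe' # svchost instances are started by the SCM
    }
    if ($hosted.Count -eq 0) {
        $flags += 'hosts-no-service'        # a real svchost normally hosts at least one service
    }
    [pscustomobject]@{
        PID      = $p.ProcessId
        Path     = $p.ExecutablePath
        Parent   = if ($parent) { "$($parent.Name):$($parent.ProcessId)" } else { '<exited>' }
        Services = $hosted -join ', '
        Flags    = $flags -join ' '
    }
}
$report | Format-Table -AutoSize -Wrap
```

Rows with an empty Flags column match what a legitimate svchost.exe looks like; anything flagged deserves the same closer look the tutorial does with the Command Line and Autostart Location columns.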

Process Explorer also shows Interrupts, which is basically the time the system spends handling interrupts from different hardware. If a computer has a defective piece of hardware or a driver issue, this can cause a so-called interrupt storm that uses up the system's CPU, and you would have no way of seeing this in Task Manager.

Another feature is that you can drag and drop a bullseye icon onto any application window, and Process Explorer will identify the process that owns that window. An example where this would be useful is malware removal, where the process is often hidden or disguised in order to fool the user.

The columns can be highly customized to show a range of information on the different processes; let's add a few which I found useful.

1. Download and install Process Explorer

2. Start Process Explorer, right-click the column header bar and click Select Columns…

The Select Columns dialog box opens.

3. In the Process Image tab, tick the two check boxes Command Line and Autostart Location and press OK

These two options add two columns to the main interface. The first one shows the command line used to start that specific process. This could for example be useful if you wanted to script something and didn't know which parameters a specific process should run with.

The other one shows how that process was started: this could be from a key in the Windows registry, from Task Scheduler, or just a shortcut in the Startup folder.

Let’s say that you would like to make some changes to a registry key which starts an application on system startup.

4. Double-click the process, here Skype.exe

The Skype.exe:1720 Properties dialog box opens.

5. On the Image tab, under Autostart Location, press the Explore button

The Registry Editor opens at the exact location, so you will be able to edit the key. We want to edit the value that starts the Skype application and add a parameter so it will start minimized.

6. Double-click the Skype registry value

The Edit String dialog box opens.

7. Add the parameter /minimized to the Value data field and click OK

8. Close the Registry Editor

The next time Windows starts, the Skype application should start minimized instead of in a full window.
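The information behind the two columns added above, pulled together in PowerShell as an added example that is not part of the original post: every entry under the Run keys of both hives (the registry locations the Autostart Location column points at) is paired with the running process it launched and that process's current command line. Task Scheduler and Startup-folder entries are outside what this script covers.

```powershell
# Added example, not from the original post: enumerate Run-key autostart entries
# and pair each with the process it started, including its command line.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata that Get-ItemProperty attaches to every key; these are not real values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$running   = Get-CimInstance Win32_Process |
             Select-Object Name, ProcessId, ExecutablePath, CommandLine

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $value = ([string]$prop.Value).Trim()
        # The image is either the quoted first token or everything up to the first space.
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $match = $running | Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ieq $exe } |
                 Select-Object -First 1
        [pscustomobject]@{
            Location = "$key\$($prop.Name)"
            Value    = $value
            Running  = if ($match) { "$($match.Name):$($match.ProcessId)" } else { 'not running' }
            CmdLine  = if ($match) { $match.CommandLine } else { '' }
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

After the /minimized change from the steps above, the Skype entry's Value column shows the new parameter, and once Skype has been started through the Run key again, its CmdLine column shows the same parameter in the live process.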

You can also use Process Explorer to find out which process is locking a file. If, for example, you are trying to delete a folder and get hit by the Folder In Use alert, you can identify which program is using this folder.

9. In Process Explorer press Ctrl + F

The Process Explorer Search dialog box opens.

10. Enter the path of the folder you are trying to delete, here C:\test, and click Search

Process Explorer will tell you which process is holding a handle to the folder, so that you can shut it down and then delete the folder.

Another feature of Process Explorer is the possibility to restart or suspend a process. Sometimes, if buggy software or even part of Windows itself hangs or crashes, it's much easier to restart the process than to kill it and start it again manually.

11. Right-click the process, here Explorer.exe

12. Click Restart

I don't use the Suspend option that often, but it is a nice feature which can lock an application down completely. Let's say the system gets some sort of malware which spawns new processes and shifts between processes to avoid detection. With the Suspend feature you will be able to freeze the process and maybe figure out what it's doing and how to remove it. I recommend this video on what Process Explorer can be used for in malware removal.

13. Right-click the process, here calc.exe

14. Click Suspend

The Calculator application is now completely frozen: it cannot be accessed, and it cannot interact with your system in any way. To resume the application, right-click the process and click Resume.

These were a few examples of how Process Explorer can be put to use. You can dig much deeper with this tool, and it's a must-have for advanced system debugging.
