Process Explorer is like Task Manager on drugs. I have been using it for years, and every time I decide to get to the bottom of it, I get sidetracked because it has so many uses. In this tutorial, we will have a look at some of the different tasks Process Explorer can be used for.
In Task Manager it is possible to see which processes are running and how much memory and CPU they are consuming. Process Explorer shows the same, but with much more detail: what kind of process or service it is, which process spawned it, which DLLs and handles it uses, and so on. The main interface shows a tree of the processes running on the system, so each process sits under its parent. By default the rows highlighted in red/pink are services and the blue ones are "own processes", meaning processes owned by the user you are logged in as.
Hovering over a process such as svchost.exe reveals a tooltip listing the services it hosts. svchost.exe is a shared service host, so a single instance usually contains several services. In Task Manager it can be hard to tell which services are running under a given svchost process, which is also one reason malware sometimes names itself svchost.exe to blend in. A quick sanity check: a real svchost.exe lives in %SystemRoot%\System32, is started by services.exe, and hosts at least one service. Process Explorer shows all three (the path on the Image tab, the parent in the tree, the services in the tooltip), so an svchost.exe that fails any of them deserves a closer look.
Process Explorer also shows an Interrupts entry, which is CPU time spent servicing hardware interrupts and deferred procedure calls rather than any real process. A defective piece of hardware or a buggy driver can cause a so-called interrupt storm that eats the CPU, and Task Manager gives you no way of seeing it because that time is not attributed to any process.
Another feature is the crosshair (target) icon in the toolbar: drag and drop it onto any application window and Process Explorer will highlight the process that owns that window. This is useful in malware removal, where the process behind a window is often given a misleading name to fool the user.
The columns can be highly customized to show a range of information on the different processes; let's add a few I have found useful.
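The svchost-to-services mapping above, done from PowerShell as an added example (this is not code from the original tutorial). It reproduces what the tooltip shows and applies the three sanity checks from the paragraph; the function name is my own, and the checks assume a standard Windows install where the real binary is %SystemRoot%\System32\svchost.exe.

```powershell
# Added example, not part of the original tutorial: the same svchost-to-services
# mapping Process Explorer's tooltip gives you, done from PowerShell, plus the
# three sanity checks for a svchost.exe that is not what it claims to be.
function Get-SvchostServiceMap {
    [CmdletBinding()]
    param()

    $svchosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
    # Services that are actually running have a non-zero ProcessId.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId <> 0"
    $byPid    = $services | Group-Object ProcessId -AsHashTable -AsString

    # A genuine svchost.exe is %SystemRoot%\System32\svchost.exe, is started by
    # services.exe and hosts at least one service (assumed standard layout).
    $servicesPid  = (Get-CimInstance Win32_Process -Filter "Name = 'services.exe'").ProcessId
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

    foreach ($p in $svchosts) {
        $key    = [string]$p.ProcessId
        $hosted = @()
        if ($byPid -and $byPid.ContainsKey($key)) {
            $hosted = @($byPid[$key] | ForEach-Object Name)
        }

        $flags = @()
        # ExecutablePath is empty when you lack access to the process (run elevated
        # to see everything); only compare it when we could read it.
        if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedPath) { $flags += 'path' }
        if ($p.ParentProcessId -ne $servicesPid)                        { $flags += 'parent' }
        if ($hosted.Count -eq 0)                                       { $flags += 'no-services' }

        [PSCustomObject]@{
            Pid         = $p.ProcessId
            ParentPid   = $p.ParentProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Services    = ($hosted -join ', ')
            Flags       = ($flags -join ',')
        }
    }
}

# Suspicious instances first; an empty Flags column is what you want to see.
Get-SvchostServiceMap | Sort-Object Flags -Descending |
    Format-Table Pid, ParentPid, Flags, Services -AutoSize
```

A `no-services` flag on its own can be a false positive for an svchost that is just starting or stopping, so re-run before acting on it; `path` or `parent` on a process named svchost.exe is the real red flag.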
1. Download and install Process Explorer
2. Start Process Explorer and right click the top bar and click Select Columns…
The Select Columns dialog box opens.
3. In the Process Image tab tick the two check boxes Command Line and Autostart Location and press OK
These two options add two columns to the main interface. The first shows the full command line the process was started with, including its parameters. This is useful, for example, if you want to script something and don't know which parameters a specific process should be run with, and for spotting a process started with parameters it should not have.
The second shows where the process was started from: a Run key in the registry, a scheduled task, or a shortcut in the Startup folder.
Let's say you want to change the registry value that starts an application at system startup.
4. Double click the process, here Skype.exe
The Skype.exe:1720 Properties dialog box opens.
5. On the Image tab, next to Autostart Location, press the Explore button
Registry Editor opens at the exact location, so you can edit the value. We want to edit the value that starts Skype and add a parameter so it starts minimized.
6. Double click the registry value named Skype
The Edit string dialog box opens.
7. Append the parameter /minimized to the Value data field and click OK
8. Close Registry Editor
The next time Windows starts, Skype should start minimized instead of in a full window. The same spot is where to look when the Autostart Location column points at a program you do not recognize: the Run keys are a favourite persistence location for malware, and the value can be removed from here just as easily as it can be edited.
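Steps 1 to 8 done from the shell, as an added example that is not part of the original tutorial. It reproduces the Command Line and Autostart Location columns for the registry Run keys and the Startup folders only (Process Explorer also covers scheduled tasks, services and more), and then appends a switch to a Run value the way step 7 does. Function names are mine; the Skype value name and the /minimized switch are taken from the tutorial.

```powershell
# Added example, not part of the original tutorial. Covers the Run keys and Startup
# folders only; Process Explorer's Autostart Location column checks many more places.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Every autostart entry as (Location, Command). Shortcuts are resolved to their target.
function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [PSCustomObject]@{ Location = "$key\$name"; Command = $item.GetValue($name) }
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -File | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
            [PSCustomObject]@{ Location = $_.FullName; Command = $target }
        }
    }
}

# Executable file name from a command such as  "C:\Program Files\Skype\Phone\Skype.exe" /nosplash
function Get-ExeName([string]$command) {
    if ([string]::IsNullOrWhiteSpace($command)) { return $null }
    $m = [regex]::Match($command, '^\s*(?:"([^"]+)"|(\S+))')
    $path = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    return [System.IO.Path]::GetFileName($path)
}

# The two columns from step 3: command line plus the autostart entry that matches the image name.
function Get-ProcessAutostart {
    $entries = @(Get-AutostartEntry)
    Get-CimInstance Win32_Process | ForEach-Object {
        $exe = $_.Name
        $loc = $entries | Where-Object { (Get-ExeName $_.Command) -ieq $exe } |
               Select-Object -ExpandProperty Location -First 1
        [PSCustomObject]@{
            Pid         = $_.ProcessId
            Name        = $exe
            CommandLine = $_.CommandLine
            Autostart   = $loc
        }
    }
}

# Steps 5 to 8: append a switch to a Run value. Supports -WhatIf so you can preview the change.
function Add-RunValueArgument {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][string]$Argument
    )
    $current = (Get-ItemProperty -Path $Key -Name $ValueName).$ValueName
    if ($current -match [regex]::Escape($Argument)) { return $current }   # already present
    $new = "$current $Argument"
    if ($PSCmdlet.ShouldProcess("$Key\$ValueName", "set to '$new'")) {
        Set-ItemProperty -Path $Key -Name $ValueName -Value $new
    }
    return $new
}

# Running processes that have an autostart entry, with the command line they were started with.
Get-ProcessAutostart | Where-Object Autostart | Format-Table -AutoSize

# Preview the Skype change from the tutorial; drop -WhatIf to apply it.
Add-RunValueArgument -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                     -ValueName 'Skype' -Argument '/minimized' -WhatIf
```

Matching on image name only is deliberately loose: it tells you that a program with that name is set to autostart, not that this particular instance was launched from that entry. Compare the CommandLine column with the Command in the Run value to confirm.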
You can also use Process Explorer to find out which process is locking a file. If, for example, you try to delete a folder and get the "Folder In Use" alert, you can identify which program has it open.
9. In Process Explorer press Ctrl+F (Find > Find Handle or DLL…)
The Process Explorer search dialog box opens.
10. Enter the path of the folder you are trying to delete, here C:\test, and click Search
Process Explorer lists every process holding a handle to the folder (or to a file inside it), so you can close that program and delete the folder. Right-clicking a handle in the lower pane also offers Close Handle, but yanking a handle out from under a running process can corrupt its state, so prefer shutting the program down.
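The same search from the command line, as an added example that is not part of the original tutorial. Process Explorer's Ctrl+F has a console sibling in the Sysinternals suite, handle.exe, and this wraps it. The install path is a placeholder, and the line format the parser expects is an assumption based on handle's usual output, which is why the block ends with a constructed sample so the parser can be exercised without running the tool.

```powershell
# Added example, not part of the original tutorial. Wraps Sysinternals handle.exe,
# the command-line counterpart of Process Explorer's Find Handle or DLL search.
$HandleExe = 'C:\Tools\Sysinternals\handle.exe'   # assumed location, adjust to yours

# Parse lines of the (assumed) form:
#   explorer.exe       pid: 5412   type: File           5D4: C:\test
function ConvertFrom-HandleOutput {
    param([string[]]$Lines)
    $rx = '^(?<proc>.+?)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\S+)\s+(?<handle>[0-9A-F]+):\s*(?<obj>.+)$'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $rx, 'IgnoreCase')
        if (-not $m.Success) { continue }      # banner, blank and "No matching handles" lines
        [PSCustomObject]@{
            Process = $m.Groups['proc'].Value.Trim()
            Pid     = [int]$m.Groups['pid'].Value
            Type    = $m.Groups['type'].Value
            Handle  = $m.Groups['handle'].Value
            Object  = $m.Groups['obj'].Value.Trim()
        }
    }
}

# Which processes hold a handle to $Path or anything beneath it.
function Find-LockingProcess {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $HandleExe)) { throw "handle.exe not found at $HandleExe" }
    # -accepteula skips the first-run licence dialog, -nobanner drops the header.
    $raw = & $HandleExe -accepteula -nobanner $Path 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-HandleOutput -Lines $raw | Where-Object { $_.Object -like "$Path*" }
}

# Constructed sample output (not captured from a real system) to exercise the parser.
$sample = @(
    'explorer.exe       pid: 5412   type: File           5D4: C:\test',
    'notepad.exe        pid: 8120   type: File           1A8: C:\test\notes.txt',
    'No matching handles found.'
)
ConvertFrom-HandleOutput $sample | Format-Table -AutoSize

# Real use: list the lockers of C:\test, then preview closing them.
# Find-LockingProcess 'C:\test' | ForEach-Object { Stop-Process -Id $_.Pid -WhatIf }
```

Like Process Explorer, handle.exe needs to run elevated to see handles in processes owned by other users or by the system; without that, the search silently misses them.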
Another feature of Process Explorer is the ability to restart or suspend a process. Sometimes, when buggy software or even part of Windows itself hangs or crashes, it is much easier to restart the process than to kill it and start it again manually.
11. Right click the process – here Explorer.exe
12. Click Restart
I don't use the suspend option that often, but it is a nice feature that freezes an application completely. Let's say the system gets some sort of malware that spawns new processes and hops between them to avoid detection. Killing one copy gives the others a chance to notice and respawn it; suspending instead freezes the process in place, with its memory and handles intact, so you can figure out what it is doing and how to remove it. I recommend this video on what Process Explorer can be used for in malware removal.
13. Right click the process – here calc.exe
14. Click Suspend
Every thread in the calculator is now frozen: it gets no CPU time, does not respond to input and cannot interact with the system in any way until it is resumed. To resume the application, right click the process and click Resume.
These were a few examples of how Process Explorer can be put to use. You can dig much deeper with this tool, and it's a must-have for advanced system debugging.
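Suspend and Resume from PowerShell, as an added example that is not part of the original tutorial. It calls the same ntdll routines that freeze every thread of a process, NtSuspendProcess and NtResumeProcess (undocumented but long-standing), and extends the tutorial's single-process suspend to a whole process tree, parent first, so that a watchdog parent cannot respawn a child while you work. The function names and the Demo namespace are mine; the Sysinternals pssuspend.exe tool does the single-process case on its own (`pssuspend <pid>` to suspend, `pssuspend -r <pid>` to resume). Opening another user's process needs an elevated shell.

```powershell
# Added example, not part of the original tutorial. Suspend/resume a process and
# everything it spawned via ntdll's NtSuspendProcess/NtResumeProcess.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@
$PROCESS_SUSPEND_RESUME = 0x0800   # the only access right these calls need

# Freeze (or, with -Resume, thaw) one process by PID.
function Set-ProcessFrozen {
    param([Parameter(Mandatory)][int]$Id, [switch]$Resume)
    $h = [Demo.Native]::OpenProcess($PROCESS_SUSPEND_RESUME, $false, $Id)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($Id) failed: $([ComponentModel.Win32Exception]::new().Message)"
    }
    try {
        $status = if ($Resume) { [Demo.Native]::NtResumeProcess($h) }
                  else         { [Demo.Native]::NtSuspendProcess($h) }
        # NTSTATUS: zero is success, negative values are errors.
        if ($status -ne 0) { throw ("NtSuspend/ResumeProcess($Id) failed, NTSTATUS 0x{0:X8}" -f $status) }
    } finally {
        [void][Demo.Native]::CloseHandle($h)
    }
}

# Root PID followed by its descendants, breadth-first, so a parent is always
# listed before its children. Caveat: ParentProcessId can point at a reused PID
# if the real parent has exited, so on a busy box eyeball the list first.
function Get-ProcessTree([int]$RootId) {
    $all    = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId
    $result = @($RootId)
    $queue  = [System.Collections.Queue]::new()
    $queue.Enqueue($RootId)
    while ($queue.Count) {
        $current = $queue.Dequeue()
        foreach ($c in ($all | Where-Object ParentProcessId -eq $current)) {
            if ($result -notcontains $c.ProcessId) {
                $result += [int]$c.ProcessId
                $queue.Enqueue([int]$c.ProcessId)
            }
        }
    }
    return $result
}

# Parent first when freezing (so it cannot respawn children), reversed when thawing.
function Suspend-ProcessTree([int]$Id) { Get-ProcessTree $Id | ForEach-Object { Set-ProcessFrozen -Id $_ } }
function Resume-ProcessTree([int]$Id)  { [array]::Reverse(($t = Get-ProcessTree $Id)); $t | ForEach-Object { Set-ProcessFrozen -Id $_ -Resume } }

# Usage: freeze a scratch process, look at it in Process Explorer, then thaw it.
$p = Start-Process notepad.exe -PassThru
Suspend-ProcessTree $p.Id
(Get-Process -Id $p.Id).Threads | Select-Object Id, ThreadState, WaitReason | Format-Table -AutoSize
Resume-ProcessTree $p.Id
```

After the suspend, every thread shows up as Wait with WaitReason Suspended, which is what Process Explorer's Threads tab shows for a suspended process too. Resuming in reverse order is a minor nicety; what matters for the malware case is that the parent is frozen before any child is touched.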