
Process Explorer Essentials

Antun Peicevic

Process Explorer Essentials
by Antun Peicevic
First edition
Technical editor: Marko Maslac
Copyright© 2016 Geek University Press
Disclaimer
This book is designed to provide information about Process Explorer. Every effort has
been made to make this book as complete and as accurate as possible, but no warranty is
implied. The information is provided on an as is basis. Neither the authors, Geek
University Press, nor its resellers, or distributors will be held liable for any damages
caused or alleged to be caused either directly or indirectly by this book. The opinions
expressed in this book belong to the author and are not necessarily those of Geek
University Press.
Note that this is not an official book. Winternals Software LP, the company behind the
product, is in no way affiliated with this book or its content.
Trademarks
Geek University is a trademark of Signum Soft, LLC, and may not be used without
written permission.
Feedback Information
At Geek University Press, our goal is to create in-depth technical books of the highest
quality and value. Readers’ feedback is a natural continuation of this process. If you have
any comments about how we could improve our books and learning resources for you, you
can contact us through email at books@geek-university.com. Please include the book
title in your message. For more information about our books, visit our website at
http://geek-university.com.

About the author
Antun Peicevic is a systems engineer with more than 10 years of experience in the
internetworking and systems engineering field. His certifications include CCNA Routing
and Switching, CompTIA Network+, CompTIA Security+, and much more. He is the
founder and editor of geek-university.com, an online education portal that offers courses
covering various aspects of IT system administration. Antun can be reached at
antun@geek-university.com.
About this book
This book teaches you how to work with Process Explorer, a free task manager and
system monitor application for Windows. The book is written for people with some
experience in the Windows world. You should have a basic understanding of processes,
DLLs, handles, and other Windows internal components to fully understand the content of
this book.
What will you learn
You will learn how to use Process Explorer to view information about processes running
on your system, to monitor a process’s resource usage, to find out which handles and
DLLs each process has opened, and much more.
Table of Contents
What is Process Explorer? 5
Install Process Explorer 5
Default Procexp tree view 6
Process highlighting 8
Update speed 9
Customizing columns 10
Run as Administrator 11
Process Tree 12
System processes 13
Process actions 14
Kill a process 16
Kill process tree 16
Suspend a process 20
Create dump files 22
Process properties 24
Image tab 25
Performance tab 26
Performance Graph 28
Threads tab 29
TCP/IP tab 30
Security tab 32
Environment tab 34
Strings tab 35
Services tab 37
Disk and Network tab 38
.NET Assemblies tab 40
Identify the process that owns a window 42
System Information window 43
Display options 47
Replace Task Manager with Process Explorer 48
DLL View 49
DLL View tabs 51
Handle View 53
Handle View tabs 54
Use Process Explorer to check locked files 56
View Service details 57
Set process affinity 59
View Integrity Levels 61
View DEP status 64
Restore Process Explorer defaults 66
Run processes from Procexp 67
Keyboard shortcuts 67
Command line switches 68
Save data 68
Shutdown actions 69

What is Process Explorer?

Process Explorer is a free task manager and system monitor application for the Windows
operating system. It is a part of the SysInternals suite of products, which consists of tools
that help you manage, troubleshoot and diagnose your Windows systems and applications.
Some other well known products from this suite are Process Monitor, Autoruns, PsTools,
AdExplorer, and such. You can see the full list of products at
https://technet.microsoft.com/en-us/sysinternals/.

Process Explorer can be thought of as an advanced Task Manager, a program usually used
to get information about computer performance and resource usage. Process Explorer picks
up where Task Manager leaves off: it shows you detailed information about each
process, tracks CPU usage per process, figures out which process has
loaded a DLL file, enables you to kill or suspend a process, and much more.

Process Explorer can be very helpful in tracking performance problems of a Windows
device. For example, you can use it to list the named resources that are held by a process
or all processes. This can be used to track down what is holding a file open and preventing
its use by another program. Procexp can also be used to show the command lines used to
start a program, allowing otherwise identical processes to be distinguished.

NOTE - Process Explorer is sometimes shortened to Procexp, which is the name of the
program executable. This convention will also be used throughout the book.


Install Process Explorer

Although Procexp is included in the SysInternals suite of products, it can be downloaded
and run as a standalone application. To download it, go to
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx and click the
Download Process Explorer link on the right:


The downloaded .zip file is really small, about 1.2 MB. It includes three files:

Eula.txt - Sysinternals Software license terms
procexp.chm - the official help file
procexp.exe - the executable

To start the program, simply double-click the procexp.exe file - there is no installation at
all! You just need to accept the license agreement the first time you run the program.

NOTE - Procexp consists only of a single .exe file and it is portable. Simply copy the .exe
file to a USB stick and you are good to go!


Default Procexp tree view

When you run Process Explorer, you are presented with the default Procexp window. This
window consists of a process list, with processes arranged in a tree view:


On the top of the toolbar there are activity graphs showing the CPU, memory, I/O,
network and disk usage. These graphs can be clicked on to be displayed in separate
windows. In the main window, you have a set of columns which includes:

Process - the file name of the executable (along with the icon if one exists).
CPU - the percentage of CPU time (rounded to two decimal places) in the last
second.
Private Bytes - the amount of memory allocated to the program alone.
Working Set - the amount of actual RAM allocated to the program.
PID - the process identifier that uniquely identifies an active process.
Description - the description, if available.
Company Name - the name of the company that created the software behind the
process.

You can customize these columns and add others, or you can click on any of the columns
to sort by that field. The view is updated once per second by default.

On the bottom of the screen is the Status Bar, which displays information about the
system’s resource usage and the number of processes running.


Process highlighting

As you’ve probably noticed, Procexp makes use of color highlighting to distinguish
between different types of processes. The description of each color can be displayed by
selecting Options > Configure Colors:


Green - a new process that was just started.
Red - processes that have just exited.
Light blue - processes running as the same user account as Procexp.
Pink - the processes containing one or more Windows services.
Dark gray - the suspended processes. These are processes in which all threads are
suspended and cannot be scheduled for execution.
Violet - the “packed images”. Procexp uses simple heuristics to identify program
files that might contain executable code in compressed form, encrypted form, or
both.
Yellow - the .NET processes. These are processes that use the Microsoft .NET
Framework.
Brown - the processes that have been associated with a job.




Update speed

You might have noticed that the Procexp view is constantly updating, reflecting the
changes in the resource usage of your system. The default update interval is one second.
You can change the automatic refresh speed using the Update Speed submenu of the
View menu:


As you can see in the picture above, the available intervals range from 0.5 seconds to 10
seconds. If you are using Procexp for troubleshooting, the default value of 1 second is
probably fine, but if you want to use the program as a CPU monitor sitting in the system
tray, you might change the value to 5 or 10 seconds.

It is also possible to pause the updating by pressing the space bar; this will freeze the view
as a snapshot in time, which can be useful if you are trying to identify a process that starts
and quickly dies. To resume the updating, press the space bar again.

Customizing columns

You can customize the columns and add many other options, or you can just click on any
of the columns to sort by that field. If you’ve ever used Windows Task Manager before,
you’ve probably sorted by Memory or CPU, and you can do it in Procexp as well. This is
done by clicking on a column header, which sorts the table by the data in that column in
ascending order. Clicking the same column header again toggles between the ascending
and descending order. For example, you can click on the CPU column to get a descending
sort which shows the processes consuming the most CPU at the top of the list:


You can resize columns by dragging the border lines in the column headers. To autosize a
column to its current content, double-click the border line to the right of the column title.
And you can reorder columns (except for the Process column, which is always on the left)
by dragging the column headers:


NOTE - a neat trick in Procexp is that in both the main window and in the lower pane, you
can press Ctrl + C to copy the content of the selected row to the clipboard as tab-separated
text.


Run as Administrator

You don’t have to run Procexp as Administrator, but without doing so, many of the useful
features won’t work, and you won’t be able to see as much information about each
process, particularly for processes not running in the current user’s logon session. Procexp
makes a best effort to display the information that it can, and it leaves fields blank or
displays the Access denied message when it can’t.

If you are using Windows XP or Windows Server 2003, you need to run Procexp as an
account that has full Administrator rights to use most of the features. To run Procexp with
administrative rights on Windows XP or Server 2003, you must use RunAs to launch
Procexp. On Windows Vista and newer, the Run as administrator option serves the
equivalent purpose:



Process Tree

The Process column showing the list of processes is displayed on the left of the screen. It
can be sorted in three ways: ascending, descending, and Process Tree. Clicking on the
Process header will flip between sorting by the process name, or going back to the Process
Tree view, which is the default.

The Process Tree view shows the processes’ parent/child relationships. Whenever a
process creates another process, Windows puts the process ID of the creating process (the
parent) into the internal data structure of the new process (the child). Procexp uses this
information to build its tree view. Processes that have no existing parent are left-aligned in
the column. You can collapse or expand portions of the tree by clicking the plus and minus
icons to the left of parent processes in the tree, or by selecting these nodes and pressing
the left and right arrow keys.

Clicking the Process header cycles through an ascending sort by process name, a
descending sort, and the tree view. For example, to sort the processes by name in
alphabetical order, click the Process header once:

NOTE - you can switch to the Process Tree view by pressing Ctrl + T or by selecting
View > Show Process Tree.


System processes

There are certain processes that you can always expect to see in Procexp on a normal
Windows system. Some processes will always appear, as well as some pseudo-processes
that Procexp uses to distinguish categories of kernel-mode activity.

The first three rows in the Process Tree view are usually System Idle Process, System, and
Interrupts:


System Idle Process and Interrupts are not real operating system processes. The System
Idle Process has one thread per CPU; these threads run when no other runnable thread can be
scheduled on that CPU. It should have the PID of 0.

The System process hosts kernel-mode system threads, which run only in kernel mode.
Procexp represents Interrupts as a child process of System because its time is spent
entirely in kernel mode.

The System process also starts an instance of smss.exe, which remains running until
system shutdown. This process is responsible for handling sessions on your system.


Process actions

There are a number of actions you can perform on a process by right-clicking on it:


Here is a brief description of the possible actions:

Window - if the process owns a visible window on the desktop, this submenu lets
you bring it to the foreground, restore, minimize, maximize, or close it. If there are
no windows for the process, the option will be grayed out.
Set Affinity - on multi-CPU systems, you can set processor affinity for a process so
that its threads will run only on the CPU(s) you specify.
Set Priority - used to configure the base scheduling priority of a process.
Kill Process - this option allows you to kill the process. Procexp will prompt you
for confirmation before terminating the process.
Kill Process Tree - kills not just the item in the list, but also the children of that
parent process.
Restart - kills the process and then restarts it.
Suspend - you can force a process to become temporarily inactive so that a system
resource becomes available for other processes. To resume a suspended process,
choose the Resume item from the process context menu.
Create Dump - this option lets you capture a minidump or a full memory dump.
Properties - displays a lot of useful information about the process.
Check VirusTotal - allows you to check the process for viruses using
virustotal.com.
Search Online - this option will just search the web for the name of the process.


Kill a process

One of the commonly used actions in Procexp is Kill Process. As the name suggests, this
action forcibly terminates (“kills”) the selected process. You might want to use this option
if a process is stuck or is consuming too many resources. By default, Procexp prompts you for
confirmation before terminating the process:


Note that forcibly terminating a process does not give the process an opportunity to shut
down cleanly, and can cause system instability or data loss. In addition, Procexp does not
provide extra warnings if you try to terminate a system-critical process (such as csrss.exe).
Terminating such a process can result in a Windows blue screen crash.

NOTE - you can disable the confirmation prompt by clearing Confirm Kill in the
Options menu.


Kill process tree

The Kill Process Tree action allows you to forcibly terminate a process and all of its
descendants. This is useful when an application launches multiple processes and you want
to terminate them. For example, Google Chrome launches many chrome.exe processes,
one for each browser tab:


To terminate all processes at once, right-click the parent chrome.exe process and select Kill
Process Tree:


NOTE - for this action to be available, Procexp must be in the process-tree sorting mode.
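The Process Tree and Kill Process Tree sections above describe how Procexp builds the tree from each process's recorded parent PID and then terminates a parent together with its descendants. The following is an added example (not Procexp's own code) that models both on a constructed snapshot of (PID, parent PID, name, start time); the start-time comparison in real_parent() is an added check that keeps a process which merely reused a dead parent's PID from being mistaken for a child, and the sibling sort order is an assumption for readable output.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # creator's PID as recorded by Windows when the process was created
    name: str
    start: float   # creation time in seconds; needed to recognise a reused parent PID


def real_parent(p: Proc, by_pid: Dict[int, Proc]) -> Optional[int]:
    """PID of the parent if it still exists and really is the creator, else None.

    Windows recycles PIDs, so a recorded parent PID may now belong to an unrelated
    process that started later. Comparing start times guards against that
    (an added check, modelled on how Procexp avoids the same confusion)."""
    if p.ppid == 0 or p.ppid == p.pid:   # PPID 0 is reported for processes with no creator
        return None
    parent = by_pid.get(p.ppid)
    if parent is None or parent.start > p.start:
        return None
    return parent.pid


def build_tree(snapshot: List[Proc]) -> Dict[Optional[int], List[int]]:
    """Map parent PID -> child PIDs (key None holds the left-aligned, parentless roots)."""
    by_pid = {p.pid: p for p in snapshot}
    children: Dict[Optional[int], List[int]] = {}
    for p in snapshot:
        children.setdefault(real_parent(p, by_pid), []).append(p.pid)
    for kids in children.values():               # siblings sorted by name for a stable listing
        kids.sort(key=lambda pid: (by_pid[pid].name.lower(), pid))
    return children


def render_tree(snapshot: List[Proc]) -> str:
    """Indented listing in the style of the Process Tree view."""
    by_pid = {p.pid: p for p in snapshot}
    children = build_tree(snapshot)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append(f"{'  ' * depth}{by_pid[pid].name} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in children.get(None, []):
        walk(root, 0)
    return "\n".join(lines)


def kill_tree_targets(snapshot: List[Proc], pid: int) -> Set[int]:
    """PIDs that Kill Process Tree on `pid` would terminate: the process and every descendant.

    Because the tree comes from real_parent(), a process that only reused a dead
    parent's PID is not swept up as a false descendant."""
    children = build_tree(snapshot)
    targets: Set[int] = set()
    stack = [pid]
    while stack:
        cur = stack.pop()
        if cur in targets:
            continue
        targets.add(cur)
        stack.extend(children.get(cur, []))
    return targets


# Constructed snapshot (not taken from a real machine), with two edge cases:
#   explorer.exe's parent (1100) has already exited, so explorer.exe becomes a root;
#   svchost.exe records parent 500, but PID 500 now belongs to conhost.exe, which
#   started later, so svchost.exe must not be shown (or killed) as its child.
SNAPSHOT = [
    Proc(0, 0, "System Idle Process", 0.0),
    Proc(4, 0, "System", 0.0),
    Proc(300, 4, "smss.exe", 1.0),
    Proc(800, 500, "svchost.exe", 10.0),
    Proc(1200, 1100, "explorer.exe", 20.0),
    Proc(2000, 1200, "chrome.exe", 40.0),
    Proc(2010, 2000, "chrome.exe", 41.0),
    Proc(2020, 2000, "chrome.exe", 42.0),
    Proc(500, 1200, "conhost.exe", 50.0),
]

if __name__ == "__main__":
    print(render_tree(SNAPSHOT))
    print("Kill Process Tree on chrome.exe (2000):", sorted(kill_tree_targets(SNAPSHOT, 2000)))
```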


Suspend a process

It is possible to use the Suspend action in Procexp to force a process to become
temporarily inactive. This frees a system resource (such as network, CPU, or disk) for
other processes. The Suspend option is also useful when you need to perform diagnostics
on a program or if you need to inspect what a suspected malware program is doing to your
system. To suspend a process, right-click on it and select Suspend:

There is one problem, though - if a suspended process was running a visible application,
the application window can’t be minimized, resized or moved. To resume a suspended
process, right-click the process again and select the Resume item from the process context
menu.

NOTE - the process that has been suspended is always highlighted in dark gray.


Create dump files

A process dump consists of the recorded state of the working memory of a computer
program at a specific time. A dump is usually captured when the program has crashed or
otherwise terminated abnormally. By examining process dumps, you can perform a complete
analysis of why a process crashed.

Procexp allows you to capture a minidump or a full memory dump. You can do this by
right-clicking a process and selecting either the Create Minidump or Create Full Dump
option:


You will be prompted to choose the location of the dump file:

A dump file can be examined in a debugger program such as WinDbg:


NOTE - capturing a dump in Procexp does not terminate the process.


Process properties

To view detailed information about a particular process, double-click on it. This opens up
the Properties window:


A neat thing about the Properties window is that it is modeless, which means that you can
open it and still be able to interact with the main Procexp window. You can even have
multiple Properties windows open at the same time and still be able to access other
Procexp features.

On Windows 8.1, the Properties window consists of the following tabs:

Image
Performance
Performance Graph
GPU Graph
Threads
TCP/IP
Security
Environment
Strings

We will go through each tab in detail in the following sections. Note that much of the
information shown in the Process Properties dialog box requires administrative access. If
you run Procexp as a normal user, Procexp will be able to show detailed information only
for the processes owned by that user.


Image tab

The Image tab of the Process Properties window shows information that mostly remains
static for the lifetime of the process, such as:

information collected from the executable image file’s icon and version resources
the full path to the image file
the command line that launched the process
the current directory of the process
the user account in which the process is running
the name of the process’ parent process
the time at which the process was started
whether DEP and ASLR are enabled


The Image tab also allows you to enter a comment for a process in the Comment field.
Comments are visible in the process view in the Comment column. Comments apply to
all processes with the same path and are remembered from execution to execution.

If the process owns a visible window on the current desktop, clicking the Bring To Front
button brings that window to the foreground.

Clicking the Kill Process button forcibly terminates the process.


Performance tab

As its name implies, the Performance tab displays the memory and CPU performance
data.


Some of the more important values listed on the Performance tab are:

CPU Priority - the priority levels range from zero (lowest priority) to 31 (highest
priority). The processes with higher priority get more CPU time.
Kernel Time, User Time - the execution time of a process spent in the kernel and
user mode.
Private Bytes - the number of bytes allocated and committed by the process for its
own use and not shareable with other processes on the system.
Peak Private Bytes - the largest number of private bytes the process had committed
at any one time since it was started.
Memory Priority - the default memory priority that is assigned to physical memory
pages used by the process.
I/O Priority - the I/O priority of the process.
Handles - the number of handles to kernel objects opened by the process.

NOTE - the data on this tab is updated at the Procexp refresh interval.


Performance Graph

The Performance Graph contains performance graphs similar to the ones found in Task
Manager:


The graph on top displays the recent CPU usage history. Moving the mouse over this
graph displays a tooltip with the percentage of the total CPU time consumed by the
process at that time, along with the time of day that part of the graph represents. Note that
the graph does not distinguish between multiple CPUs.

The Private Bytes graph shows the recent history of the amount of the process’ committed
private bytes (the number of bytes allocated and committed by the process for its own
use).

The third graph represents the process’ file and device I/O throughput history. The blue
line indicates the total I/O traffic (the sum of all process I/O reads and writes), and
the pink line shows write traffic.


Threads tab

A thread in Windows is an entity within a process that can be scheduled for execution.
Each process is started with a single thread, but can create additional threads from any of
its threads.

The Threads tab of the process’ Properties dialog box displays detailed information
(including current call stacks) for each of the threads in the selected process, and allows
you to kill or suspend individual threads within the process:


The following information is shown in the Threads tab (in our case, only a single thread
is running):

TID (Thread ID) - the system-assigned, unique thread identifier.
CPU - the percentage of total CPU time that the thread was executing during the
previous refresh cycle.
Cycles Delta - the number of processor cycles consumed by the thread since the
previous update.
Start Address - the symbolic name associated with the program-specified location
in the process’ virtual memory where the thread began executing.

The Module button on the Threads tab launches Explorer’s file properties dialog box for
the image file containing the start address of the currently selected thread. The Stack
button shows the current stack of the selected thread. Finally, you can use the Kill button
to terminate a thread or the Suspend button to suspend one.


TCP/IP tab

You can view any active TCP and UDP endpoints owned by the process on the TCP/IP tab
of the Process Properties window:


As you can see in the picture above, the tab lists the protocol (TCP in our case), state
(ESTABLISHED), and local and remote addresses and port numbers for each connection.
By default, the IP addresses will be resolved to their DNS names; clear the check box
Resolve addresses to display the actual IP addresses:


Security tab

The Security tab of the Process Properties window shows the list of groups and privileges
contained in the security token of the selected process:


A group that has the Deny flag set can be considered effectively equivalent to not being
present in the token at all. With User Account Control, powerful groups such as
Administrators are marked Deny-Only (except in elevated processes). The Deny flag
indicates that if an object has an access-allowed access control entry (ACE) for
Administrators in its permissions, that entry is ignored, but if it has an access-denied ACE
for Administrators (not common), the access is denied.

A privilege that is marked Disabled is not at all the same as the privilege not being
present. If a privilege is in the token, the program can enable the privilege and then use it.
If the privilege is not present, the process cannot acquire it.

This tab also shows whether the User Account Control file and registry virtualization is
enabled for the process, the Security Identifier (SID) of the user that started the process,
and the selected group SID.

The permissions button opens a permissions window that shows the access permissions
assigned to the process:
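To make the Deny-only and Disabled distinctions above concrete, here is an added example (not Procexp's code) that models a simplified Windows access check over a constructed ACL: a deny-only group is skipped for access-allowed ACEs but still matches access-denied ACEs, and a privilege can be enabled only if it is already present in the token. The Administrators and Users SIDs are the real well-known values; the user SID, ACLs and token contents are constructed.

```python
from dataclasses import dataclass
from typing import List

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # simplified access-mask bits

# Well-known SIDs (real values): BUILTIN\Administrators and BUILTIN\Users.
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
SOME_USER = "S-1-5-21-0-0-0-1001"       # constructed placeholder for a domain/local user SID


@dataclass
class Group:
    sid: str
    deny_only: bool = False   # the "Deny" flag shown on the Security tab


@dataclass
class Privilege:
    name: str
    enabled: bool = False     # shown as "Disabled" on the Security tab until enabled


@dataclass
class Token:
    user: str
    groups: List[Group]
    privileges: List[Privilege]

    def enable_privilege(self, name: str) -> bool:
        """Like AdjustTokenPrivileges: only a privilege already in the token can be enabled."""
        for priv in self.privileges:
            if priv.name == name:
                priv.enabled = True
                return True
        return False          # absent from the token: the process cannot acquire it


@dataclass
class Ace:
    kind: str    # "allow" or "deny"
    sid: str
    mask: int


def effective_access(token: Token, acl: List[Ace], desired: int) -> bool:
    """Simplified Windows access check over an ACL in canonical order (deny ACEs first).

    Deny-only groups are left out of the set that can satisfy allow ACEs, but stay in
    the set that deny ACEs are matched against, which is what the Deny flag means."""
    allow_sids = {token.user} | {g.sid for g in token.groups if not g.deny_only}
    deny_sids = {token.user} | {g.sid for g in token.groups}
    granted = 0
    for ace in acl:
        if ace.kind == "deny" and ace.sid in deny_sids and ace.mask & desired & ~granted:
            return False
        if ace.kind == "allow" and ace.sid in allow_sids:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def filtered_token() -> Token:
    """UAC-filtered token of an administrator in a non-elevated process (constructed)."""
    return Token(SOME_USER,
                 [Group(ADMINISTRATORS, deny_only=True), Group(USERS)],
                 [Privilege("SeShutdownPrivilege"), Privilege("SeChangeNotifyPrivilege", enabled=True)])


def elevated_token() -> Token:
    """Full token of the same user after elevation: Administrators is a normal group."""
    return Token(SOME_USER,
                 [Group(ADMINISTRATORS), Group(USERS)],
                 [Privilege("SeShutdownPrivilege"), Privilege("SeDebugPrivilege")])


# Constructed ACL for a resource that only Administrators may write...
ADMIN_WRITABLE = [Ace("allow", ADMINISTRATORS, READ | WRITE | EXECUTE),
                  Ace("allow", USERS, READ | EXECUTE)]
# ...and one with an explicit access-denied ACE for Administrators (uncommon, as noted above).
ADMIN_DENIED_WRITE = [Ace("deny", ADMINISTRATORS, WRITE),
                      Ace("allow", USERS, READ | WRITE)]

if __name__ == "__main__":
    print("filtered token, write:", effective_access(filtered_token(), ADMIN_WRITABLE, WRITE))
    print("elevated token, write:", effective_access(elevated_token(), ADMIN_WRITABLE, WRITE))
    print("filtered token vs deny ACE, write:", effective_access(filtered_token(), ADMIN_DENIED_WRITE, WRITE))
    print("enable SeDebugPrivilege (filtered):", filtered_token().enable_privilege("SeDebugPrivilege"))
```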



Environment tab

Environment variables are placeholders for data that can change. Each user has their own
environment variables, with values that define that user’s working environment. For
example, each user typically has their own home directory, so the content of the
HOMEPATH environment variable is different for each user on the system.

The environment variables associated with the selected process are listed under the
Environment tab:


Most often, the processes inherit their environment variables from their parent process,
and the environment variables of all processes will be the same. However, there are
exceptions: a parent process can specify a different set of environment variables for a child
process or each process can add, delete, or modify its own environment variables.


Strings tab

In computer programming, strings are data structures used to store a contiguous set of
characters, such as human-readable text. The Strings tab of the Process Properties
window displays all printable strings of at least 3 characters in length. By default, the
Image radio button is selected and the strings are read from the process image file on
disk. You can select the Memory radio button to read strings from the image’s in-memory
copy instead. Image and memory strings can differ when a compressed or encrypted image is
decompressed or decrypted as it is loaded into memory.


You can click the Save button to save the strings to a text file. You can also search for
specific text in the strings list by clicking the Find button, which opens the standard Find
dialog box.
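The following added example (not Procexp's own code) implements the Strings tab's basic rule, printable runs of at least 3 characters, over a byte buffer, and shows why the Image and Memory views can differ. It goes slightly beyond the text by also picking up UTF-16LE strings, the form Windows uses for most Unicode text (an assumption about what the tab lists); the sample "image" is constructed, with a tail that is XOR-obfuscated on disk and restored in memory as a toy stand-in for a packer.

```python
import re
from typing import List, Tuple

MIN_LEN = 3  # the Strings tab's minimum string length


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len chars.

    Two encodings are scanned: single-byte ASCII, and UTF-16LE (each printable char
    followed by a 0x00 byte). Results are sorted by offset so the listing reads like
    the Strings tab."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Tuple[int, str, str]] = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def texts(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Just the string values, in offset order."""
    return [t for _, _, t in extract_strings(data, min_len)]


def strings_only_in_memory(image: bytes, memory: bytes) -> List[str]:
    """Strings visible with the Memory radio button but absent from the Image view."""
    on_disk = set(texts(image))
    return [t for t in texts(memory) if t not in on_disk]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed sample (not a real executable): a header with an ASCII and a UTF-16LE
# string, followed by a tail that is XOR-obfuscated on disk and plain in memory.
HEADER = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode\r\n$\x00\x00"
          + "kernel32.dll".encode("utf-16-le") + b"\x00\x00")
HIDDEN = b"Greetings from the unpacked section"
IMAGE_ON_DISK = HEADER + xor_bytes(HIDDEN, 0x5A) + b"\x00"
IMAGE_IN_MEMORY = HEADER + HIDDEN + b"\x00"

if __name__ == "__main__":
    for off, enc, text in extract_strings(IMAGE_IN_MEMORY):
        print(f"{off:#08x}  {enc:8}  {text}")
    print("Only in memory:", strings_only_in_memory(IMAGE_ON_DISK, IMAGE_IN_MEMORY))
```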




Services tab

The Services tab is present in the Process Properties window only if the selected process
hosts one or more services. Process Explorer shows the service’s name and display name,
and, for services hosted within a svchost.exe process, the path to the DLL that implements
the service:


You can stop, restart, pause or resume a service within the Services tab, if the selected
service allows these operations. The permissions button opens a permissions dialog box
that displays the access permissions assigned to the service:



Disk and Network tab

The Disk and Network tab in the Process Properties window displays various statistics
about the disk and network usage of the selected process:


As you can see from the picture above, this tab shows the network and disk I/O usage. The
Network I/O statistics show the numbers of TCP connect, send, receive, and disconnect
operations; the number of bytes in those operations; and the deltas since the previous
refresh. The Disk I/O statistics show the total numbers of operations (Reads, Writes,
and Other) since the process started and since the previous refresh, and the number of
bytes since the process started and since the previous refresh.

NOTE - this tab is shown only when you run Procexp with administrative rights.




.NET Assemblies tab

.NET is a general-purpose development platform from Microsoft that can be used for any
kind of application or workload. One implementation of .NET is the .NET Framework, a
runtime execution environment that manages applications targeting the .NET Framework.

The .NET Assemblies tab is shown for processes that use the .NET Framework. This tab
displays all the AppDomains in the process, along with the names of the assemblies
loaded in each. The flags and the full path to the assembly’s executable image are also
shown:


NOTE - this tab is present on Windows Vista and higher when you run Process Explorer
with administrative rights.



.NET Performance tab

Just like the .NET Assemblies tab, the .NET Performance tab is shown only on Windows
Vista and higher when Process Explorer runs with administrative rights and the selected
process is using the .NET Framework. This tab lists the AppDomains in the process and
displays data from nine sets of .NET performance counters:


NOTE - an AppDomain (Application domain) in .NET Framework provides an isolation
boundary for security, reliability, and versioning, and for unloading assemblies.

To see the values of the object’s counters, select a .NET performance object. The counters
are updated at the currently selected refresh interval.


Identify the process that owns a window

You can use the crosshair icon in the Procexp toolbar to identify a process that owns a
window. First, click and hold the crosshair icon:


Procexp should move itself behind all other windows. Next, drag the crosshair icon over
the window you are interested in and release it. Procexp will reappear, and the process that
owns the selected window will be selected in the main window.


System Information window

Procexp’s System Information window is similar to Windows Task Manager. This
window can be accessed by choosing View > System Information or using the Ctrl+i
shortcut.

As you can see in the picture above, the Summary tab features four pairs of graphs
representing systemwide metrics that are shown in more detail on the CPU, Memory, and
I/O tabs. The left of each pair shows the current level in graphical and numeric form. The
graph to its right shows recent history. Moving the mouse over the history graphs displays
a tooltip containing the time of day represented at that point in the graph. For the CPU
Usage and I/O graphs, the tooltip also indicates which process was consuming the most of
that resource at that point in time:


In the CPU tab of the System Information window, the red area displays the percentage of
time spent executing in kernel mode; the area under the green line represents total CPU
utilization as a percentage:


NOTE - if your computer has multiple logical CPUs, selecting the Show One Graph Per
CPU check box splits the CPU Usage History graph on that tab into separate per-CPU
graphs.

The Memory tab of the System Information window displays the System Commit and
Physical Memory graphs. In the Commit graphs, the area under the yellow line indicates
the commit charge - the total amount of private bytes committed across all processes, plus
the paged pool. The Physical Memory graph displays the amount of physical RAM in
use by the system. The lower part of the tab shows a number of memory-related metrics:


The I/O tab of the System Information window shows I/O Bytes, Network Bytes and Disk
Bytes. I/O Bytes represents the amount of file and device I/O throughput, Network Bytes
represents network I/O, and Disk Bytes represents the I/O throughput to local disks. The
lower part of this tab shows the number of I/O and Disk Read, Write, and Other operations
and Network Receive, Send, and Other operations since the last data refresh:


On Windows Vista or higher systems, there is also a GPU tab, which features GPU graphs
that show GPU utilization:



Display options

Procexp features a number of display options, available under the Options and View tabs:

Always On Top - Procexp remains above all other windows on the desktop.
Hide When Minimized - Procexp runs in the tray as a small graph reflecting the
current CPU usage and is not shown in the taskbar when you minimize it. Also,
clicking its standard Close icon in the upper right corner of the title bar minimizes
rather than exits Procexp.
Allow Only One Instance - prevents multiple instances of Process Explorer from
running simultaneously.
Font - allows you to choose a different font for Procexp.
Scroll to New Processes - Procexp will scroll the process list when a new process
starts to bring the new process into view.
Show Processes From All Users - the process list includes all processes running
on the computer. When this option is disabled, the process list will show only
processes running under the same user account as Procexp.



Replace Task Manager with Process Explorer

Since Procexp provides more useful information than Task Manager, you might want to
use Procexp exclusively and never use Task Manager again. By enabling the Replace
Task Manager option under the Options tab, you can make Process Explorer replace
Task Manager. This will ensure that using CTRL + SHIFT + ESC or right-clicking on the
Taskbar and selecting Task Manager will both launch Process Explorer rather than Task
Manager:

NOTE - the Replace Task Manager option is a global setting and affects all users on the
computer. If Procexp.exe is stored in a location where another user has no access, that
user will not be able to run Procexp or Task Manager.

To restore the ability to run Task Manager, deselect the Replace Task Manager option in
the Options menu.
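The following check is an added example and not part of the book. Procexp implements Replace Task Manager through the machine-wide Image File Execution Options (IFEO) Debugger value for taskmgr.exe, which is why the setting affects every user; this script reads that value, checks that the target file exists and is readable, and verifies its Authenticode signature, so an administrator can confirm that Ctrl + Shift + Esc really lands on a signed Process Explorer (the key path is the real IFEO location; the function name is this example's own).

```powershell
# Added example, not from the book: show what "Replace Task Manager" changed on this
# machine. Procexp sets the machine-wide IFEO "Debugger" value for taskmgr.exe, so the
# redirection applies to every user who presses Ctrl + Shift + Esc.
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'

function Get-TaskManagerReplacement {
    $result = [ordered]@{
        Replaced = $false; Debugger = $null; Path = $null
        Exists = $null; SignatureStatus = $null; Signer = $null
    }
    if (Test-Path -Path $ifeoKey) {
        $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $result.Replaced = $true
            $result.Debugger = $debugger
            # The value is a command line; the executable path may be quoted or not.
            $exe = if ($debugger.StartsWith('"')) { $debugger.Split('"')[1] } else { ($debugger -split ' ')[0] }
            $result.Path   = $exe
            $result.Exists = Test-Path -Path $exe -PathType Leaf
            if ($result.Exists) {
                # Every user is redirected to this file, so it should carry a valid signature.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $result.SignatureStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
            }
        }
    }
    return [pscustomobject]$result
}

$info = Get-TaskManagerReplacement
$info | Format-List
if ($info.Replaced -and -not $info.Exists) {
    # Matches the NOTE above: a target the current user cannot reach breaks Task Manager too.
    Write-Warning "Task Manager is redirected to a path that does not exist or is not readable."
}
```

Run it as the affected user rather than as an administrator to reproduce the access problem described in the NOTE; a Debugger value that does not point at procexp.exe is worth investigating.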




DLL View

DLLs (Dynamic Link Libraries) are shared pieces of compiled code that are stored in a
separate file and can be shared among multiple applications. For instance, instead of
having every application write its own File/Open or File/Save dialogs, all applications
can simply use the common dialog code provided by Windows in the comdlg32.dll file.

The DLL View shows the image file, DLLs, and data files mapped into the address space
of the selected process. You can open it in the lower pane by pressing the Ctrl + d
shortcut (to close it, use Ctrl + l):

The DLL View behaves similarly to the Procexp main window - values are updated at the
automatic refresh interval, newly loaded DLLs are highlighted in green and newly
unloaded DLLs are highlighted in red, columns can be reordered, resized, and sorted, etc.

Here is a list of the columns present in the DLL view:

Name - the file name of the DLL or mapped file (e.g. cryptbase.dll).
Description - a short description of the resource (e.g. Base cryptographic API DLL).
Company name - the name of the company (e.g. Microsoft Corporation).
Path - the full path to the DLL or mapped file (e.g.
C:\Windows\System32\cryptbase.dll).

You can right-click the DLL in the DLL view to get three additional options:

Properties - displays a Properties dialog box for the selected DLL.
Search Online - launches a search for the selected DLL using your default browser.
Check VirusTotal - submits DLL hashes to http://virustotal.com.


DLL View tabs

You can open the Properties window of a DLL by double-clicking the DLL you are interested in:


The Properties window consists of two tabs:

Image - shows information such as Description, Company, Version, Path, Build
Time, base address and size in the process’ memory, whether it is 32-bit or 64-bit,
etc. You can click the Verify button to check if the DLL was digitally signed by a
trusted publisher. This ensures that a DLL that claims to be from a particular source
is actually from that publisher and has not been modified. If the DLL has been
verified, the Company field displays (Verified):


Strings - displays all printable strings of at least 3 characters. Image strings are
read from the process image file on disk, whereas Memory strings are read from
the image’s in-memory storage:



Handle View

A kernel object is a data structure that represents a system resource (e.g. a file, thread, or
image). An application cannot directly access object data or the system resource that an
object represents. Instead, an application must obtain an object handle, which is an
integer value that uniquely identifies a resource in memory.

The Handle View shows all the kernel objects (such as files, folders, registry keys,
window stations, desktops, network endpoints, etc.) opened by the selected process. You
can open it in the lower pane by pressing the Ctrl + h shortcut (to close it, use Ctrl + l):

With the Handle view you can inspect all the kernel objects currently opened by the
selected process. By default, the type and name for all named objects opened by the
selected process are shown (e.g. type Thread and name mysqld.exe).

You can right-click the object to get two additional options:

Close Handle - force closes the selected handle. Use this feature with caution,
because it can lead to a crash of the application or data corruption.
Properties - opens the Properties dialog box with various information about the
handle.


Handle View tabs

The Properties window of the Handle View tab is opened by double-clicking a handle:


As you can see from the picture above, the Properties window consists of two tabs:

Details - displays various information about the selected handle, such as the object
name, the type of the object, its memory address in kernel memory, how many open
handles and references exist for the object. The Quota Charges box shows how
much paged and nonpaged pool is charged to the process’ quota when it creates the
object.
Security - shows a standard security editor dialog box that shows the security that’s
applied to the handle:



Use Process Explorer to check locked files

You’ve probably got the infamous “This action can’t be completed because the folder
or a file in it is open in another program” message while trying to perform an action on
a file. The message indicates that the file is already being used by some application on
your system. You can use Procexp to identify the process that is locking the file. To do
that, go to Find > Find Handle or DLL (or use the Ctrl + f shortcut). This opens up the
Process Explorer Search dialog box where you can type the name of the file in question:


In the example above, you can see that the process that is locking the file is called
soffice.bin. It is a process related to LibreOffice. We can now close that program in order
to unlock the file.


View Service details

By default, the processes containing one or more Windows services are highlighted in
pink in the Procexp main view:


You can get more information about the services inside the process by double-clicking on
the service hosting process and selecting the Services tab:


As you can see from the picture above, the Services tab displays the following
information about services registered in the process:

the service name
the display name seen by the administrator
the description text for that service (if present)
(for Svchost services) the path to the DLL that implements the service.


Set process affinity

On multi-CPU systems, you can set processor affinity for a process so that its threads will
run only on the CPUs you specify. By default, all processes can be scheduled on any
available processor. You can change the affinity settings using Procexp to optimize
throughput or to partition workloads to a specific set of processors. Simply right-click the
process in the main window and select the Set Affinity option:


In the window that opens, select the CPUs on which you would like to run the process’
threads and click OK to save the changes:


In the picture above you can see that I’ve restricted the process to CPUs 2 and 3.


View Integrity Levels

The integrity level is a representation of the trustworthiness of the running application
processes and objects. It provides the ability for a file system to use predefined policies
that block processes of lower integrity levels from reading or modifying objects of higher
integrity.

Processes are assigned and run at a certain integrity level. For example, the elevated apps
run at High, normal apps run at Medium, and low-rights processes run at Low.

To display the integrity level of a process on your system, open Procexp and go to View >
Select Columns:


In the Select Columns dialog box, check the Integrity Level check box and click OK:


The Procexp main window should now display a column called Integrity which shows the
integrity level of the processes:


In the picture above you can see that we have two processes called notepad.exe. Notice
how the first process has the integrity level of Medium, and the second has the integrity
level of High. This is because the first process was started as a normal user, while the
second process was started using the Run as Administrator option.


View DEP status

Data Execution Prevention (DEP) is a Windows security feature that can help prevent
damage to your computer from viruses (or just poorly written programs). Harmful
programs can try to attack Windows by attempting to run code from system memory
locations reserved for Windows and other authorized programs. If DEP notices that
malicious software on your system is using memory incorrectly, it closes that program and
notifies you.

You can use Process Explorer to view the DEP status for the processes on your system.
First, go to View > Select Columns and check the DEP Status checkbox:


Now, the Procexp main window should include the DEP column. The following values can
appear in this column:

DEP (permanent) - the process has DEP enabled because it is a necessary
Windows program or service.
DEP - the process opted in to DEP.
Empty - DEP is disabled.
n/a - Procexp cannot determine the DEP status of the process.


On 64-bit versions of Windows, the execution protection is always applied to all 64-bit
processes. The execution protection for 32-bit programs depends on the system
configuration settings.


Restore Process Explorer defaults

Procexp stores its configuration settings in the registry in
HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer. To restore the
default Procexp configuration settings, close Procexp, delete that Registry key, and start
Procexp again:



Run processes from Procexp

You can start a new process directly from Procexp. Three options are available:

Run - starts the process with the same user Procexp is running.
Run as Administrator - if Procexp is not running elevated, this option requests
elevation to start the new process.
Run as Limited User - starts the new process with reduced rights.


Keyboard shortcuts

Here is a list of Procexp keyboard shortcuts:

Ctrl + A - Save displayed data to a new file.
Ctrl + C - Copy the current row from the main window or lower pane.
Ctrl + D - Display DLL view.
Ctrl + F - Find the handle or DLL.
Ctrl + H - Display the Handle view.
Ctrl + I - Display the System Information dialog box.
Ctrl + L - Display/hide the lower pane.
Ctrl + M - Search online for information about the selected process.
Ctrl + R - Start a new process.
Ctrl + S - Save the displayed data to a file.
Ctrl + T - Show the process list in tree view.
Ctrl + 1, Ctrl + 2, and so on - Load the first column set, second column set, etc.
Space - Pause/resume automatic updating.
Del - Kill the selected process.
Shift + Del - Kill the process tree.
F1 - Display Help.
F5 - Refresh.


Command line switches

You can use the following options when starting Procexp from the command line:

/e - on Vista or newer, requests UAC elevation when Procexp is started.
/t - starts Procexp minimized in the tray.
/p:r, /p:h, /p:n, /p:l - sets the process priority for Procexp to: realtime (r), high (h),
normal (n), or low (l). If no priority is specified, the default level is high.
/s:PID - selects the process having the specified process ID after starting.


Save data

You can save the snapshot of current process activity to a text file by clicking the Save
icon on the toolbar or by using the Ctrl + s shortcut. Procexp saves the contents of the
Process and lower pane, if it is showing, as a tab-delimited text file:
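The script below is an added example and not part of the book. It reads a snapshot saved as described here and flags rows using the Integrity and DEP columns introduced in the earlier sections, which is a quick way to triage an export taken on a suspect machine; the column set and the sample rows are constructed for the example (a real export contains whatever columns were visible when it was saved), and the function name is this example's own.

```powershell
# Added example, not from the book: triage a Procexp snapshot saved with Ctrl + S.
# Assumes the Integrity, DEP and Company Name columns were visible when saving.
# The text below is a constructed sample, not a real export.
$sample = @"
Process`tPID`tIntegrity`tDEP`tCompany Name
notepad.exe`t4120`tMedium`tDEP`tMicrosoft Corporation
notepad.exe`t5280`tHigh`tDEP`tMicrosoft Corporation
updater.exe`t6604`tHigh`t`tContoso Ltd
helper.exe`t7012`tMedium`tn/a`t
"@

function Get-SnapshotFindings {
    param([Parameter(Mandatory)][string]$SnapshotText)
    # The file is tab-delimited with a header row, so it can be read like a CSV.
    $rows = ($SnapshotText -split "`r?`n") |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Delimiter "`t"
    foreach ($row in $rows) {
        $name  = $row.Process.Trim()     # tree view may indent child processes with spaces
        $flags = @()
        # DEP column values as described in the "View DEP status" section.
        if ($row.DEP -eq '')    { $flags += 'DEP disabled' }
        if ($row.DEP -eq 'n/a') { $flags += 'DEP status unknown' }
        # High integrity means the process runs elevated; note it when the image is not Microsoft's.
        if ($row.Integrity -eq 'High' -and $row.'Company Name' -ne 'Microsoft Corporation') {
            $flags += 'elevated, non-Microsoft image'
        }
        if ($row.'Company Name' -eq '') { $flags += 'no company name' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{ Process = $name; PID = $row.PID; Findings = ($flags -join '; ') }
        }
    }
}

Get-SnapshotFindings -SnapshotText $sample | Format-Table -AutoSize
# For a real export: Get-SnapshotFindings -SnapshotText (Get-Content .\procexp.txt -Raw)
```

With the sample above, updater.exe and helper.exe are reported while the two notepad.exe rows are not; add or remove rules to match the columns you actually saved.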


Shutdown actions

The File > Shutdown menu items allow you to shut down, restart, lock or log off the
system. If your system supports them, this menu also offers the options to hibernate or
suspend your system.
