How to use Process Explorer like a Pro

If the Windows Task Manager is a late model Nissan Altima then Process Explorer is a 2015 Nissan GTR Black Edition.

If the Windows Task Manager is your ex-girlfriend in middle school with the crater face, braces and fisher-price glasses then Process Explorer is that same girl 20 years later with the voluptuous curves, mesmerizing perfume and captivating eyes.

If the Windows Task Manager is a burger and fries from White Castle then Process Explorer is a savory slab of prime rib from Peter Luger’s steak house.

If the Windows Task Manager is … wait a second… hold up – you get the point right? In this guide I’m going to show you how to drive your processes like a Nissan GTR.  Let’s start the engines.

Process Explorer is kick ass.

Period.

For one, it’s 100% free.  And by free I mean that in the most comprehensive sense of the word.  It’s not only free in terms of cost but also as in free from malware. There are no tricks, no specious offers to decline, no smuggleware lurking to debilitate your computer.

Nope, Process Explorer does just one thing: it helps you explore the processes on your computer.

Now that might not seem like a noble purpose until you consider that it does a heck of a lot better job than the built in Task Manager and can really help you hunt down aberrant processes.  You can use it to lasso in junkware, potentially unwanted programs and other unsavory apps.

That’s why I need to show you how to own this program.  I guarantee you after reading this article you’ll be in a better position to tame all those rogue processes into submission.  It’s time to enter the wild-west of Windows processes.

Getting dirty with Process Explorer

Before we can get dirty with Process Explorer we need to get Process Explorer.

There are two ways to Process Explorer excellence: we can grab it directly from the Sysinternals windows file share or yank it from Microsoft.

One way is a little lame.  I’ll show you the mundane but sure way first, then I’ll top off your coolometer with a more obscure way of getting it.

You can download Process Explorer directly from Microsoft.  The download is a zip file a little over a MB in size and there’s nothing to install: unzip it and run procexp.exe.  It’s up and running faster than an experienced plumber plunging a clogged toilet.

This is the fastest way to get going with Process Explorer.  It’s conventional but it’s reliable and my preferred way of getting the application.

There’s also a slightly more esoteric way to get it: through the Sysinternals live share.  The smart guys behind Process Explorer host a public file share on the sysinternals.com domain (served over WebDAV, so it also works in a browser at https://live.sysinternals.com) which lets you run the tools straight from the source without downloading anything first.

Press Windows Key + r and paste in the following path:

\\live.sysinternals.com\tools\procexp.exe

Running live.sysinternals.com

It may seem like nothing is happening for a few moments but eventually you’ll see an Open File security warning box.  This is good: Windows treats a file launched from a network location the same way it treats a file from the Internet and asks before running it, rather than mindlessly running software from unidentified locations.  Look at the Publisher line in that box.  Every Sysinternals binary is Authenticode-signed by Microsoft, so it should read Microsoft Corporation; if it says Unknown Publisher, something between you and the share has tampered with the file and you should not click Run.

Windows 8.1 Security Warning Box

Since the application comes directly from sysinternals.com and carries Microsoft’s signature it’s safe to run.  It’s the signature you’re trusting here, not the path.
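Here’s the check that warning box is hinting at, done explicitly.  This is an example I’m adding here, not part of Process Explorer or the Sysinternals download; it assumes you’ve unzipped the Microsoft download into your Downloads folder (change the path, or point it at \\live.sysinternals.com\tools\procexp.exe, as you like).  It confirms the executable carries a valid Authenticode signature whose signer is Microsoft, and records the SHA-256 so you can compare it against the copy you run later:

```powershell
# Added example (not from the original article or from Sysinternals):
# verify a Sysinternals binary before running it.
# Assumption: $Path points at the unzipped procexp.exe; a UNC path to the
# live share works too as long as the WebClient service is running.

function Test-SysinternalsBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # "Valid" only tells you *somebody* signed it with a chain Windows trusts.
    # The bar for a Sysinternals tool is a valid chain AND a Microsoft signer.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer  = $signer
        SHA256  = $hash            # keep this; compare it next time you run the tool
        Trusted = $trusted
    }
}

# Hypothetical location; adjust to wherever you unzipped the download.
$result = Test-SysinternalsBinary -Path "$env:USERPROFILE\Downloads\ProcessExplorer\procexp.exe"
$result | Format-List
if (-not $result.Trusted) { Write-Warning 'Signature check failed; do not run this binary.' }
```

A HashMismatch status means the file was signed but has been modified since, which is exactly the case the Publisher line in the warning box can’t tell you about on its own.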

Incidentally, if you just type \\live.sysinternals.com in the Run box you can browse all the Sysinternals tools.

Whichever way you get there, you’ll eventually see something about as easy to understand as the vertical green text in The Matrix.

Process Explorer in your face!

The first thing we need to do is take a deep breath and acknowledge there’s a lot of stuff going on here and it looks crazy.  But it’s not as bad as it looks… let me walk you through the big points:

You’ll notice there are seven columns by default.  From left to right:

  • Process
  • CPU
  • Private Bytes
  • Working Set
  • PID
  • Description
  • Company Name

The first is evident so I’ll skip the explanation.

The second, CPU, shows you the percentage of CPU time the process consumed during the last refresh interval (one second by default).  You can click any column header to change the sort order so you can see which process is consuming an inordinate amount of resources.

Here’s a quick tip: if the jumping, constantly refreshing values are making you nervous, just press the spacebar at any time.  This instantly pauses the refreshing (press it again to resume) and makes reading the output less onerous.

Next you’ll see the middle two columns: Private Bytes and Working Set.  This formidable duo looks scary I know but it’s actually not that hard to understand.

Think of Private Bytes as “committed for me” bytes.  It’s the amount of memory the process has committed for its own exclusive use (its heaps, its stacks and so on), whether or not it has touched all of it recently.  It excludes memory shared with other processes, such as the code of the DLLs mapped into it, which is why it’s the number to watch when you suspect a leak: a process whose Private Bytes climbs steadily and never comes back down is hoarding memory.

Conversely, the Working Set casts a wider net.  It’s the amount of physical RAM the process currently has resident, and it includes the shared pages (DLL code and the like) that other processes are using too.  That makes it larger than Private Bytes, and it also means you can’t add up Working Sets across processes to get total RAM use, because every shared page gets counted once per process that maps it.

Next, the PID is the numerical identifier of the process (unique among running processes, though Windows reuses PIDs once a process exits), and the last two columns, Description and Company Name, come from the version information embedded in the program file.  Both are trivial for malware to fake, so treat them as a hint, not a verdict.
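If you’d rather see those seven columns from a PowerShell prompt (say, on a box you can only reach over a remote shell), here’s an added example of mine that rebuilds them with Get-Process.  It isn’t Process Explorer’s code.  The one subtlety is that Get-Process reports cumulative CPU seconds, not a percentage, so the function samples twice and turns the difference into the per-interval percentage Process Explorer shows.  The column names and the one-second sample interval are my own choices:

```powershell
# Added example (not from the original article or Process Explorer):
# rebuild Process Explorer's seven default columns with Get-Process.
# Assumptions: run it as the user whose processes you care about; processes
# you can't open (other users', protected ones) show blank Description/Company.

function Get-ProcessSnapshot {
    param([int]$SampleSeconds = 1, [int]$Top = 15)

    $cores = [Environment]::ProcessorCount

    # First sample: cumulative CPU time per PID.
    $first = @{}
    foreach ($p in Get-Process) {
        try { $first[$p.Id] = $p.TotalProcessorTime } catch { }   # Idle/protected may refuse
    }
    Start-Sleep -Seconds $SampleSeconds

    # Second sample: delta / (elapsed * cores) is the same "CPU %" Process
    # Explorer computes once per refresh interval.
    $rows = foreach ($p in Get-Process) {
        $cpuPct = $null
        try {
            if ($first.ContainsKey($p.Id)) {
                $delta = ($p.TotalProcessorTime - $first[$p.Id]).TotalSeconds
                # A negative delta means the PID was reused by a new process in between.
                if ($delta -ge 0) {
                    $cpuPct = [math]::Round(100 * $delta / ($SampleSeconds * $cores), 1)
                }
            }
        } catch { }

        # Description and Company live in the image's version resource; reading
        # them needs access to the process's main module, which is denied for
        # other users' and protected processes (and, from 32-bit PowerShell, for
        # 64-bit processes). Exactly the values malware can fake at will.
        $desc = $null; $company = $null
        try {
            $vi = $p.MainModule.FileVersionInfo
            $desc = $vi.FileDescription; $company = $vi.CompanyName
        } catch { }

        [pscustomobject]@{
            Process       = $p.ProcessName
            'CPU %'       = $cpuPct
            'Private (K)' = [math]::Round($p.PrivateMemorySize64 / 1KB)   # Private Bytes
            'WS (K)'      = [math]::Round($p.WorkingSet64 / 1KB)          # Working Set
            PID           = $p.Id
            Description   = $desc
            Company       = $company
        }
    }
    $rows | Sort-Object 'CPU %' -Descending | Select-Object -First $Top
}

Get-ProcessSnapshot | Format-Table -AutoSize
```

Because Get-Process is itself a one-shot snapshot, this is the shell equivalent of hitting the spacebar: nothing jumps around while you read it.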

That completes our tour of the Process Explorer main window.  But I still need to explain what the colors mean.  The panoply of colors isn’t just for aesthetics; each color has a distinct meaning that can help you immediately identify the kind of process you’re looking at.

Let’s get colorful.

Oh, look at the pretty colors!

Let’s talk about the most salient colors…

Color selection in Process Explorer

Lime Green – New Object

If you see a lime green row flash into the Process Explorer window it’s a new process.  It’ll manifest itself as an ephemeral flicker of lime (one refresh interval, adjustable under Options, Difference Highlight Duration) before settling into one of the other colors.

Blood red – Dead Object

Think: red = dead.  A process that has just exited stays red for the same highlight duration and then drops off the list.  Enough said.

Lily Lavender – Personal Object

The teletubby purple processes denote processes owned by you.  Or more precisely, processes running as the currently logged-in user.  These processes are running with the same privileges as the user account that is actively viewing Process Explorer.

Salmon – Windows Services Object

Salmon rows are Windows services: processes started and managed by the Service Control Manager rather than by a user.  Many of them are svchost.exe instances, each hosting one or more services; right-click one, choose Properties and open the Services tab to see which services live inside it.

Graphite – Suspended Objects

These are your lazy processes.  Every thread in the process has been suspended, so the process exists but isn’t executing anything.  Windows Store apps get parked this way when they’re in the background, and you can put any process into this state yourself by right-clicking it and choosing Suspend, which is a handy way to freeze a suspicious process while you investigate it without tipping it off by killing it.

Purple – Image Objects

If you see a lot of these your ears should perk up.  Malware often ships as packed images; however, not all packed images are malware.

By “packed” I mean the executable has been compressed or encrypted on disk by a packer (UPX is the classic example) in a way that obfuscates its contents.  The file gets smaller and, more to the point for malware, harder to inspect: antivirus signatures and a strings search see the packer’s small unpacking stub and a blob of noise rather than the real program.  When the process starts, the stub unpacks the original code into memory and jumps to it.  Process Explorer’s packed-image detection is a heuristic (it looks for the telltale signs of a packed executable rather than consulting any database), so expect some false positives.  For example, the super popular, super safe open-sourced Photoshop clone GIMP legitimately shows up as packed.  But can you promise me you’ll investigate any packed images before you dismiss them?  Thanks!

If you suspect something weird, you can always right-click the row and choose scan with VirusTotal.  I’ll talk about that in detail later in this article.

Cyan – Immersive Objects

Cyan is the color of the sea; therefore, these objects are appropriately named Immersive haha- just kidding.

Actually Immersive is Microsoft’s internal name for Windows Store (Modern UI) apps on Windows 8.0 and 8.1.  These processes run inside an AppContainer sandbox with a deliberately restricted token, which you can see for yourself on the Security tab of the process’s properties.  Unless you’re a developer that’s about all you need to know.

Making Process Explorer work for you

Alright so that’s the background stuff you need to know but now I need to show you how to make this colorful program work for you.

First up, you can glean oodles of information about almost any process by simply double clicking it.

Information junkies rejoice

For example, double clicking OUTLOOK.EXE produces a prodigious amount of facts about this process, spread across tabs.  You’ll see:

  • Image: the full path of the executable, its command line, its parent process, the user it runs as, and a Verify button that checks the file’s Authenticode signature
  • Performance: numerical CPU, memory, I/O and handle counts
  • Performance Graph: the same data plotted over time
  • GPU Graph
  • Threads: every thread in the process, its start address and its stack
  • TCP/IP: the network connections and listening ports owned by this process
  • Security: the process token, meaning the user, groups and privileges it’s running with
  • Environment: its environment variables
  • Strings: the printable strings in the image on disk and in memory, handy for spotting URLs, IP addresses and odd file paths

Outlook properties

I encourage you to click through a few of your favorite processes in the left pane and then click through each of the tabs for those processes.  This is really the best way to get comfortable with everything here.  Admittedly, there’s a lot of stuff that’s abstruse and difficult to understand but don’t let that stop you from exploring.  If you have a question throw it in the  comments below or just email or tweet me and I’ll help ya.

Cure your malware phobias

One of the best and most exciting features in Process Explorer is the seamless VirusTotal integration.

Go to the top and click Options, VirusTotal.com and pick Check VirusTotal.com.  Once you agree to the VirusTotal Terms of Service thingy you’ll be on your way to total virus identification nirvana.

VirusTotal Terms of Service

After a few seconds you’ll see a new column in the far right called VirusTotal.  It’ll take a few seconds to verify the hash but soon a score will materialize.

Virus Total Hash in ProcessExplorer

That number which looks like a fraction is known as the detection ratio.

In my case, OUTLOOK.EXE came back with a detection ratio of 0/54.  This means the file’s hash was checked against 54 antivirus engines and none of them flagged it.  I now have good reason to believe this particular process is benign.  Two caveats: Process Explorer sends VirusTotal the hash of the executable on disk, not the file itself, so a file VirusTotal has never seen shows as Unknown rather than clean, and a clean ratio says nothing about code that has been injected into a legitimate process at runtime.

Clicking the VirusTotal link in ProcessExplorer whisks you away to the VirusTotal.com results page which will give you:

  • Malware scan analysis
  • File details
  • User comments
  • and Community Votes on the file.

Helpful stuff. And it’s all free.  Hard to beat that.
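To tie the packed-image discussion and the VirusTotal column together, here’s an added example of mine (not Process Explorer’s detection logic, which Microsoft doesn’t publish) that does from PowerShell what I’d do by hand in the UI: for every running process’s image on disk, compute a rough packedness score, check the Authenticode signature, compute the SHA-256 and, for anything unsigned or suspiciously dense, print the VirusTotal URL for that hash.  The score is Shannon entropy over the first megabyte of the file; compressed or encrypted data sits close to 8 bits per byte while ordinary code sits well below.  The 7.2-bit threshold and the 1 MB sample size are assumptions I picked for this example, and a legitimately packed program (the GIMP example above) will trip it just like malware does:

```powershell
# Added example (not from the original article or Process Explorer):
# heuristic "packed image" triage plus hash lookup, in the spirit of the
# purple rows and the VirusTotal column.
# Assumptions: 7.2 bits/byte threshold and a 1 MB sample are my own choices.

function Get-FileEntropy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxBytes = 1MB   # sampling the first MB keeps this usable across ~100 images
    )
    $counts = New-Object 'int[]' 256
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object 'byte[]' $MaxBytes
        $n = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($n -eq 0) { return 0.0 }

    # Shannon entropy: -sum(p * log2 p) over the 256 byte values.
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return [math]::Round($entropy, 2)
}

function Get-SuspiciousImages {
    param([double]$EntropyThreshold = 7.2)

    # One row per distinct image file, not per process.
    $paths = Get-Process | ForEach-Object {
        try { $_.MainModule.FileName } catch { $null }   # denied for other users'/protected processes
    } | Where-Object { $_ } | Sort-Object -Unique

    foreach ($path in $paths) {
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $entropy = Get-FileEntropy -Path $path
        $sha256  = (Get-FileHash -Algorithm SHA256 -Path $path).Hash.ToLower()
        $flag    = ($entropy -ge $EntropyThreshold) -or ($sig.Status -ne 'Valid')

        # Same lookup Process Explorer performs: VirusTotal is queried by hash,
        # the file itself is never uploaded.
        $vtUrl = if ($flag) { "https://www.virustotal.com/gui/file/$sha256" } else { '' }

        [pscustomobject]@{
            Image      = $path
            Entropy    = $entropy
            Signature  = $sig.Status
            SHA256     = $sha256
            Suspicious = $flag
            VirusTotal = $vtUrl
        }
    }
}

Get-SuspiciousImages |
    Where-Object Suspicious |
    Format-Table Image, Entropy, Signature, VirusTotal -AutoSize
```

Two things to keep in mind when you read the output.  Many Windows binaries are signed through a catalog rather than with an embedded signature; Get-AuthenticodeSignature handles that on recent Windows, but if you see a pile of System32 files reporting NotSigned, confirm with the Sysinternals sigcheck tool before you panic.  And, as with the VirusTotal column itself, everything here is about the file on disk; a legitimate, signed, low-entropy process that has had code injected into it will sail straight through.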

Here are my top three bonus goodies:

1. Find Window Process

If you want to find the process that owns a window on your screen, go to Process Explorer and drag the little target icon between the binoculars icon and the CPU graph (just below the Help menu) over the window in question.  When you release the mouse the owning process is highlighted in the Process Explorer list.

2. Enable the mini dashboard

Click Options, mouse down to Tray Icons and put a check next to each option.  Now look in the system tray and you’ll see a row of little performance graphs singing the silent music of metrics.

Simply mouse over each square for details.

Notification area icons in tray

If you don’t see them down there, click the up arrow in the bottom right corner of the desktop (where all your tray icons are), choose Customize and make sure the Process Explorer behavior is set to Show icon and notifications.

Notification Area Icons

Become a Ghost

You can make ProcessExplorer “see-through” so that all your file facts float over your desktop like some apparition from an H.P Lovecraft poem.

To go ghost, click View, Opacity and set the value to 40%.

Make process explorer transparent

Ghoulish isn’t it?

The Bottom Line

When it comes to diagnosing rogue processes and exploring your system, Process Explorer is your guy.

I have yet to find a better way to view almost anything you could ever want to know about your processes.

What do you use ProcessExplorer for?  I’m curious.  Let me know in the comments!

About

Connect with Vonnie on Twitter

Posted in Windows, Windows 8, Windows 8.1

  • Harry M

    Hi Vonnie,

    How about all the instances of the svchost.exe process? Can I assume they were all invoked by some Windows internals, or can a malware exploit invoke svchost and be invisible in Process Explorer?

    Harry