Sysinternals Process Explorer

Process Explorer is a better alternative to the Windows Task Manager.

Add more columns

  • Click “Select Columns”

[Screenshot: Process Explorer 16 column selection, 19-04-2015 08:25:51]

  • Tick “Verified Signer”, “VirusTotal”, “DEP Status” and “ASLR Enabled”

[Screenshot: Process Explorer 16 column selection, 19-04-2015 08:31:51]

  • You may tick “CPU Cycles”

[Screenshot: Process Explorer 16 column selection, 19-04-2015 08:32:12]

  • You may tick “GPU Usage” and “GPU Dedicated Bytes”

[Screenshot: Process Explorer 16 column selection, 19-04-2015 13:27:28]

  • Tick “Verified Signer”, “VirusTotal” and “ASLR Enabled”

[Screenshot: Process Explorer 16 column selection, 19-04-2015 13:28:05]

  • Tick “Receive Bytes” and “Send Bytes”

[Screenshot: Process Explorer 16 column selection, 19-04-2015 13:28:36]

  • Tick “Read Bytes”, “Delta Read Bytes”, “Write Bytes” and “Delta Write Bytes”

[Screenshot: Process Explorer 16 column selection, 19-04-2015 13:28:40]

  • Tick “Working Set Size”

[Screenshot: Process Explorer 16 column selection, 19-04-2015 13:29:03]

Options

  • Tick “Verify Image Signatures”
  • Tick “Check VirusTotal.com”

Note that the VirusTotal check sends a hash of each process image to VirusTotal; the files themselves are only uploaded if you also enable “Submit Unknown Executables”.

[Screenshot: Process Explorer 16 settings, 19-04-2015 13:32:55]

[Screenshot: Process Explorer 16 settings, 19-04-2015 13:34:35]

Update speed

The update speed setting decides the time interval after which Process Explorer refreshes its data.

  • By default the update speed is set to 1 second. This affects the data that keeps refreshing: you will notice that after every second some of the values change, such as CPU usage. They refresh at the set interval.
  • Other data is fixed: it does not change at all.
  • Other data may be cumulative, which means the value keeps accumulating from the time you started Process Explorer.

[Screenshot: Process Explorer 16 settings, 19-04-2015 16:06:25]

Check which application is consuming computer resources

  • Start Process Explorer as the “Administrator” user
  • Let it run for 6 or 12 hours and keep it minimized. During this time Process Explorer will log all the resource usage.
  • Click the “Disk Read Bytes” column header. This will sort it in descending order.
  • Now you can see which application has read the most from the hard disk.
  • Similarly, you may click “Disk Write Bytes” to check which application is writing the most to the hard disk.

[Screenshot: Process Explorer 16 settings, 19-04-2015 14:19:53]

  • Clicking the “Cycles” column header will show which application has used the CPU the most.
  • Ignore the process named “System Idle Process”.

[Screenshot: Process Explorer 16 settings, 19-04-2015 14:20:30]
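To make the difference between fixed, cumulative and delta columns concrete, and to show what sorting by a column header does, here is an added Python example; it is not part of the original page and not Process Explorer's own code. The two snapshots are constructed sample counters (names, PIDs and values are made up), taken one update interval apart; the functions derive the delta columns from the cumulative ones, rank processes the way clicking “Read Bytes” or “Cycles” does, and skip “System Idle Process” as the steps above recommend.

```python
from dataclasses import dataclass

# "System Idle Process" accounts for unused CPU time; Process Explorer lists
# it, and the steps above say to ignore it when looking for the heaviest user.
IDLE_PROCESS = "System Idle Process"


@dataclass(frozen=True)
class ProcessSample:
    """One refresh of a process row. pid and name are fixed for the life of
    the process; the three counters are cumulative since the process started."""
    pid: int
    name: str
    read_bytes: int
    write_bytes: int
    cpu_cycles: int


# Constructed sample data, not real measurements: two refreshes of the same
# machine taken one update interval apart.
SNAPSHOT_T0 = [
    ProcessSample(0, IDLE_PROCESS, 0, 0, 5_000_000_000),
    ProcessSample(800, "svchost.exe", 50_000_000, 1_000_000, 3_000_000_000),
    ProcessSample(1234, "explorer.exe", 10_000_000, 2_000_000, 1_000_000_000),
]
SNAPSHOT_T1 = [
    ProcessSample(0, IDLE_PROCESS, 0, 0, 6_000_000_000),
    ProcessSample(800, "svchost.exe", 50_100_000, 1_000_000, 3_050_000_000),
    ProcessSample(1234, "explorer.exe", 10_500_000, 2_100_000, 1_200_000_000),
    # Started between the two refreshes, so it has no previous sample.
    ProcessSample(4321, "backup.exe", 40_000_000, 0, 500_000_000),
]


def rank_cumulative(snapshot, column, ignore_idle=True):
    """Names sorted by a cumulative column, highest first: what clicking a
    column header such as "Read Bytes" or "Cycles" does."""
    rows = [s for s in snapshot if not (ignore_idle and s.name == IDLE_PROCESS)]
    return [s.name for s in sorted(rows, key=lambda s: getattr(s, column), reverse=True)]


def compute_deltas(previous, current):
    """Delta columns: per-process change since the previous refresh.

    A process with no previous sample (or whose PID has been reused by a
    different image) gets its full cumulative value as the delta, because
    everything it has done happened since the last refresh."""
    prev_by_pid = {s.pid: s for s in previous}
    result = {}
    for cur in current:
        prev = prev_by_pid.get(cur.pid)
        if prev is None or prev.name != cur.name:
            prev = ProcessSample(cur.pid, cur.name, 0, 0, 0)
        result[cur.pid] = {
            "name": cur.name,
            "delta_read_bytes": cur.read_bytes - prev.read_bytes,
            "delta_write_bytes": cur.write_bytes - prev.write_bytes,
            "delta_cpu_cycles": cur.cpu_cycles - prev.cpu_cycles,
        }
    return result


def rank_delta(deltas, column, ignore_idle=True):
    """Names sorted by a delta column, highest first: who is busiest right now,
    regardless of what they did before sampling started."""
    rows = [d for d in deltas.values() if not (ignore_idle and d["name"] == IDLE_PROCESS)]
    return [d["name"] for d in sorted(rows, key=lambda d: d[column], reverse=True)]


def as_rate(delta_value, update_interval_seconds):
    """Normalise a delta by the update speed so readings taken at 1 s and 5 s
    refresh intervals are comparable (bytes/s, cycles/s)."""
    if update_interval_seconds <= 0:
        raise ValueError("update interval must be positive")
    return delta_value / update_interval_seconds


if __name__ == "__main__":
    print("cumulative reads:", rank_cumulative(SNAPSHOT_T1, "read_bytes"))
    d = compute_deltas(SNAPSHOT_T0, SNAPSHOT_T1)
    print("reads since last refresh:", rank_delta(d, "delta_read_bytes"))
    print("explorer.exe read rate:", as_rate(d[1234]["delta_read_bytes"], 1.0), "B/s")
```

Ranking the cumulative column puts svchost.exe first because it has read the most since it started, while ranking the delta column puts backup.exe first because all of its reading happened since the last refresh; that is why the steps above let Process Explorer run for several hours before sorting. Dividing a delta by the update interval turns it into a rate, which is the only way to compare readings taken at different update speeds.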

See Properties of a process

Right-click a process and click “Properties”.

Process Actions

You can perform a number of actions on a process by right-clicking on it, or by selecting it and choosing any of the following options from the Process menu:

Window submenu : If the process owns a visible window on the desktop, the window submenu lets you bring it to the foreground, or restore, minimize, maximize, or close it. The window submenu is disabled if the process owns no visible windows.

Set Affinity : On multi-CPU systems, you can set processor affinity for a process so that its threads will run only on the CPU or CPUs you specify. This can be useful if you have a runaway CPU-hogging process that must be allowed to keep running but throttled back so that you can troubleshoot it. You can use Set Affinity to restrict the process to a single core temporarily and free up other CPUs so that the system is still usable. (If a particular process should always be restricted to a single CPU and you can’t modify its source code, use the SingleProcAffinity application compatibility shim, or as a last resort, modify the file’s PE header to specify affinity.)

Set Priority : View or set the base scheduling priority for the process.

Kill Process : You can forcibly terminate a process by choosing Kill Process or by clicking the Kill Process button in the toolbar. By default, Procexp prompts you for confirmation before terminating the process. You can disable that prompt by clearing Confirm Kill in the Options menu.

Kill Process Tree : When Procexp is in the process-tree sorting mode, this menu item is available and allows you to forcibly terminate a process and all its descendants. If the Confirm Kill option is enabled, you will be prompted for confirmation first.

Restart : When you select this item, Procexp terminates the highlighted process (after optional confirmation) and starts the same image using the same command-line arguments. Note that the new instance might fail to work correctly if the original process depended on other operating characteristics, such as the security context, environment variables, or inherited object handles.

Suspend : If you want a process to become temporarily inactive so that a system resource—such as a network, CPU, or disk—becomes available for other processes, you can suspend the process’ threads. To resume a suspended process, choose the Resume item from the process context menu.

Create Dump submenu : The options on this submenu let you capture a minidump or a full memory dump of the selected process to a file location of your choosing. Capturing a dump does not terminate the process.

Properties : This menu item displays the Properties dialog box for the selected process, which displays a wealth of information about the process.

Search Online : Procexp will launch a search for the selected executable name using your default browser and search engine. This option can be useful when researching malware or identifying the source of an unrecognized process.

[Screenshot: Process Explorer 16 settings, 19-04-2015 14:21:18]

  • This window shows detailed information about the process.

[Screenshot: Process Explorer 16 settings, 19-04-2015 14:21:29]

What the various columns signify

PID (Process Identifier)
A number that uniquely identifies a process while it runs.

User Name
The user account under which the process is running.

Session ID
A number that identifies the session that owns the process. When multiple users are logged on, each user has a unique session ID.

CPU Usage
The percentage of time that a process used the CPU since the last update (listed as CPU in the column heading).

Process Image Tab
The Process Image tab (shown in Figure 3-7) contains process attributes that, for the most part, are established at process start and do not change over the life of a process.

User Name : The user account in which the process is running, in DOMAIN\USER format.

Description : Extracted from the version resource of the executable image. If this column is not enabled, the information appears in the process name tooltip.

Company Name : Extracted from the version resource of the executable image. If this column is not enabled, the information appears in the process name tooltip.

Verified Signer : Indicates whether the executable image has been verified as digitally signed by a certificate that chains to a root authority trusted by the computer. See the “Verifying Image Signatures” section later in this chapter for more information.

Version : The file version extracted from the version resource of the executable image.

Image Path : The path to the executable image. Note that when this column is enabled, the process name tooltip no longer shows the full path.

Image Type (64 vs 32-bit) : On 64-bit versions of Windows, this field indicates whether the program is running native 64-bit code or 32-bit code running in WOW64 (Windows on Windows 64). On 32-bit versions of Windows, this check box is disabled.

Window Title : If the process owns any visible windows, shows the text of the title bar of a top-level window, similar to the Applications tab of Task Manager. This attribute is dynamic and changes when the application’s window title changes.

Window Status : If the process owns any visible windows, indicates whether it responds in a timely fashion to window messages (Running or Not Responding). This is similar to the Status column on the Task Manager Applications tab. This attribute is also dynamic.

Session : Identifies the terminal services session in which the process is running. Services and most system code run in session 0. User sessions on Windows XP and Windows Server 2003 can be in any session; user sessions on Windows Vista and newer are always in session 1 or higher.

Command Line : The command line that was used to start the process.

Comment : A user-defined comment that can be entered in the Image tab of the process’ Properties dialog box. See the “Process Details” section for more information.

DEP Status : Indicates whether Data Execution Prevention (DEP) is enabled for the process. DEP is a security feature that mitigates buffer overflow and other attacks by disallowing code execution from memory that has been marked “no-execute,” such as the stack and heap. The column text can be blank (DEP not enabled), DEP (enabled), DEP (permanent) (DEP enabled within the executable and cannot be disabled), or <n/a> if Procexp cannot determine the DEP status of the process.

Integrity Level : On Windows Vista and newer, indicates the integrity level (IL) of the process. Services run at System level, elevated processes at High, normal user processes at Medium, and low-rights processes such as Protected Mode Internet Explorer at Low.

Virtualized : On Windows Vista and newer, indicates whether UAC file and registry virtualization is enabled. File and registry virtualization is an application-compatibility technology that intercepts attempts by legacy Medium IL processes to write to protected areas and transparently redirects them to areas owned by the user.

ASLR Enabled : On Windows Vista and newer, indicates whether Address Space Layout Randomization (ASLR) is enabled for the process. ASLR is a defense-in-depth security feature that can mitigate remote attacks that assume that function entry points are at predictable memory addresses.
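The “DEP Status” and “ASLR Enabled” readings rest, among other things, on two opt-in flags that the linker writes into the image's optional header: IMAGE_DLLCHARACTERISTICS_NX_COMPAT (the image declares itself DEP-compatible, which is what the “DEP (permanent)” reading describes) and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (the image may be relocated, which ASLR requires). The following Python example, added here and not taken from Process Explorer or the original page, reads those flags from a PE file. It is a simplification: Process Explorer reports the process's runtime state, so a 64-bit process shows DEP regardless of the flag and system-wide DEP policy can override the image's choice; the parser only shows what the image asked for. The build_test_image helper fabricates a minimal, non-runnable header so the example runs offline; the flag values and header offsets are those of the PE/COFF specification.

```python
import struct

# Flags in the optional header's DllCharacteristics field (PE/COFF spec, winnt.h).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image can be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP-compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def read_dll_characteristics(image: bytes):
    """Return (optional-header magic, DllCharacteristics) from a PE image.

    Layout walked: DOS header -> e_lfanew (offset 0x3C) -> "PE\\0\\0" signature
    -> 20-byte COFF header -> optional header. DllCharacteristics sits at
    offset 70 of the optional header for both PE32 and PE32+."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional_header < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return magic, dll_chars


def mitigation_flags(image: bytes):
    """Summarise the image-level opt-ins behind the 'ASLR Enabled' and
    'DEP (permanent)' readings as a dict of booleans."""
    magic, dll_chars = read_dll_characteristics(image)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def is_pe_image(data: bytes) -> bool:
    """True if the parser accepts the bytes as a PE image with an optional header."""
    try:
        read_dll_characteristics(data)
        return True
    except ValueError:
        return False


def build_test_image(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed, non-runnable PE header carrying the given DllCharacteristics:
    just enough of the headers for the parser above, with zero sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224  # standard optional header sizes
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 3)  # Subsystem: Windows CUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                                | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_test_image(0, pe32plus=False)
    print("hardened:", mitigation_flags(hardened))
    print("legacy:  ", mitigation_flags(legacy))
```

To inspect a real executable, pass the contents of the file on disk (for example the path shown in the Image Path column) to mitigation_flags. Only struct from the standard library is used, so the check works on any platform; a 32-bit image with neither flag set is the case where Process Explorer can legitimately show a blank DEP column and “ASLR Enabled” unset.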

 

Process Performance Tab

The Process Performance tab (shown in Figure 3-8) contains attributes relating to CPU usage as well as the number of threads and open handles in the process. Some of the attributes report cumulative data, while others show the delta (the difference) since the previous update.

CPU History : A graphical representation of the recent CPU usage charged to each process. Kernel-mode time is shown in red and user-mode time in green.

CPU Time : The total amount of kernel-mode and user-mode CPU time charged to the process (or pseudo-process), shown as hours:minutes:seconds.milliseconds.

Start Time : The time and date that the process was started.

Base Priority : The scheduling priority for the process. A value of 8 is normal priority; numbers above 8 indicate a higher priority, and those below 8 indicate a lower priority.

Threads : The number of threads in the process.

Handle Count : The number of handles to kernel objects currently opened by the process.

CPU Cycles : On Windows Vista and newer, the total number of kernel-mode and user-mode CPU cycles consumed by the process since it started. (On Windows Vista, this number is not tracked for the Interrupts pseudo-process.)

CPU Cycles Delta : On Windows Vista and newer, the number of CPU cycles consumed by the process since the previous update. (On Windows Vista, this number is not tracked for the Interrupts pseudo-process.)

Process Memory Tab

The Process Memory tab (shown in Figure 3-9) contains attributes relating to memory usage, including virtual memory management metrics around working set and page faults, as well as counts of the windowing system’s GDI and USER objects.

Page Faults : The total number of times that the process accessed an invalid memory page, causing the memory manager fault handler to be invoked. Some reasons for pages being invalid are these: the page is on disk in a page file or a mapped file, first access requires copying or zeroing, and there was illegal access resulting in an access violation. Note that this total includes soft page faults (that is, faults resolved by referencing information not in the working set but already in physical memory).

Page Fault Delta : The number of page faults that occurred since the previous display refresh. Note that the column header is labeled “PF Delta.”

Private Bytes : The number of bytes allocated and committed by the process for its own use and not shareable with other processes. Per-process private bytes include heap and stack memory. A continual rise in this value can indicate a memory leak.

Private Delta Bytes : The amount of change—positive or negative—in the number of private bytes since the previous refresh.

Peak Private Bytes : The largest number of private bytes the process had committed at any one time since the process started.

Private Bytes History : A graphical representation of the process’ private byte commit history. The wider you make this column, the longer the timeframe it shows. Note that the graph scale is the same for all processes and is based on the maximum number of private bytes currently committed by any process.

Virtual Size : The amount of the process’ virtual memory that has been reserved or committed.

Memory Priority : In Windows Vista and newer, the default memory priority that is assigned to physical memory pages used by the process. Pages that are cached in RAM and not part of any working set get repurposed starting with the lowest priority.

Minimum Working Set : The amount of physical memory reserved for the process; the operating system guarantees that the process’ working set can always be assigned at least this amount. The process can also lock pages in the working set up to that amount minus eight pages. This minimum does not guarantee that the process’ working set will always be at least that large, unless a hard limit has been set by a resource management application.

Maximum Working Set : Indicates the maximum amount of working set assigned to the process. However, this number is ignored by Windows unless a hard limit has been configured for the process by a resource management application.

Working Set Size : The amount of physical memory assigned to the process by the memory manager.

Peak Working Set Size : The largest working set size the process has had since its start.

WS Shareable Bytes : The portion of the process’ working set that contains memory that can be shared with other processes, such as mapped executable images.

WS Shared Bytes : The portion of the process’ working set that contains memory that is currently shared with other processes.

WS Private Bytes : The portion of the process’ working set that contains private bytes that cannot be shared with other processes.

GDI Objects : The number of Graphics Device Interface (GDI) objects—such as brushes, fonts, and bitmaps—owned by the process.

USER Objects : The number of USER objects—such as windows and menus—owned by the process.

.NET Tab

The .NET tab contains performance counters that measure behaviors of processes that use the .NET Framework version 1.1 or higher.

These numbers are all dynamic. Administrative rights are required to observe them in a process running in a different security context:

Methods Jitted : Displays the total number of methods just-in-time (JIT) compiled since the application started.

% Time in JIT : Displays the percentage of elapsed time spent in JIT compilation since the last JIT compilation phase.

AppDomains  : Displays the current number of application domains loaded in this application.

Total AppDomains :  Displays the peak number of application domains loaded since the application started.

Classes Loaded : Displays the current number of classes loaded in all assemblies.

Total Classes Loaded : Displays the cumulative number of classes loaded in all assemblies since the application started.

Assemblies : Displays the current number of assemblies loaded across all application domains in the currently running application. If this keeps increasing, it could indicate an assembly leak.

Total Assemblies : Displays the total number of assemblies loaded since the application started.

Gen 0, 1, 2 Collections : Displays the number of times that generation 0, 1, or 2 objects have been garbage collected since the application began. Generation 0 objects are the newest, most recently allocated objects, while Gen 2 collections are also called full garbage collections. Higher generation garbage collections include all lower generation collections.

% Time in GC : Displays the percentage of elapsed time that was spent performing a garbage collection since the last garbage collection cycle.

Allocated Bytes/s : Displays the number of bytes per second allocated on the garbage collection heap.

Heap Bytes : Displays the number of bytes allocated in all heaps in the process.

Runtime Checks : Displays the total number of runtime code access security checks performed since the application started.

Contentions : Displays the total number of times that threads in the runtime have attempted to acquire a managed lock unsuccessfully.

Process I/O Tab

The Process I/O tab  contains attributes relating to file and device I/O, including file I/O

I/O operations : There are four metrics each for I/O Read, Write, and Other operations: the total number of operations performed by the process since it started (Reads), the total number of bytes involved in those operations (Read Bytes), the number of operations performed since the last update (Delta Reads), and the number of bytes since the last update (Delta Read Bytes).

Delta Total Bytes : Represents the number of bytes involved in I/O operations since the previous update.

I/O History : A graphical representation of the process’ recent I/O throughput. The blue line represents the total throughput, while the pink line shows write traffic.

I/O Priority : On Windows Vista and newer, shows the I/O priority for the process. I/O prioritization allows the I/O subsystem to distinguish between foreground processes and lower-priority background processes. Most processes have a priority of Normal, while others can be Low or Very Low. Only the memory manager has Critical I/O priority. A fifth level, High, is not used in current versions of Windows.

Process Network Tab

The Process Network tab lets you configure Procexp to show the numbers of TCP connect, send, receive, and disconnect operations; the number of bytes in those operations; and the deltas since the previous refresh.

Receive Bytes : Number of data bytes received by the process from the network adapter.

Delta Receive Bytes : Number of bytes received by the process from the network adapter since the previous refresh.

Send Bytes : Number of data bytes sent by the process through the network adapter.

Delta Send Bytes : Number of bytes sent by the process through the network adapter since the previous refresh.

Process Disk Tab

Enabling column displays of the attributes on the Process Disk tab shows I/O to local disks (not including CD/DVD drives).

Read Bytes : The number of bytes read from the storage device (hard disk) by the process.

Delta Read Bytes : The number of bytes read from the storage device (hard disk) by the process since the previous refresh.

Write Bytes : The number of bytes written to the storage device (hard disk) by the process.

Delta Write Bytes : The number of bytes written to the storage device (hard disk) by the process since the previous refresh.