Process Explorer Tutorial Handout
14
Using Process Explorer Process Explorer Tutorial This information was adapted from the help file for the program. Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command‐ line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded. The Process Explorer display consists of two sub‐windows. The top always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window, which you can close, depends on the mode that Process Explorer is in: if it is in handle mode you will see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you will see the DLLs and memory‐mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL‐version problems or handle leaks, and provide insight into the way Windows and applications work. You can obtain equivalent command‐line tools, Handle and ListDLLs, at the Sysinternals Web site. Process Explorer does not require administrative privileges to run and works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, Windows Vista, Windows Server 2008 and on the x64 version of 64‐bit Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.
Transcript of Process Explorer Tutorial Handout
-
UsingProcessExplorerProcessExplorerTutorialThisinformationwasadaptedfromthehelpfilefortheprogram.
ProcessExplorerisanadvancedprocessmanagementutilitythatpicksupwhereTaskManagerleavesoff.Itwillshowyoudetailedinformationaboutaprocessincludingitsicon,commandline,fullimagepath,memorystatistics,useraccount,securityattributes,andmore.WhenyouzoominonaparticularprocessyoucanlisttheDLLsithasloadedortheoperatingsystemresourcehandlesithasopen.Asearchcapabilityenablesyoutotrackdownaprocessthathasaresourceopened,suchasafile,directoryorRegistrykey,ortoviewthelistofprocessesthathaveaDLLloaded.
TheProcessExplorerdisplayconsistsoftwosubwindows.Thetopalwaysshowsalistofthecurrentlyactiveprocesses,includingthenamesoftheirowningaccounts,whereastheinformationdisplayedinthebottomwindow,whichyoucanclose,dependsonthemodethatProcessExplorerisin:ifitisinhandlemodeyouwillseethehandlesthattheprocessselectedinthetopwindowhasopened;ifProcessExplorerisinDLLmodeyouwillseetheDLLsandmemorymappedfilesthattheprocesshasloaded.ProcessExploreralsohasapowerfulsearchcapabilitythatwillquicklyshowyouwhichprocesseshaveparticularhandlesopenedorDLLsloaded.TheuniquecapabilitiesofProcessExplorermakeitusefulfortrackingdownDLLversionproblemsorhandleleaks,andprovideinsightintothewayWindowsandapplicationswork.Youcanobtainequivalentcommandlinetools,HandleandListDLLs,attheSysinternalsWebsite.ProcessExplorerdoesnotrequireadministrativeprivilegestorunandworksonWindows9x/Me,WindowsNT4.0,Windows2000,WindowsXP,Server2003,WindowsVista,WindowsServer2008andonthex64versionof64bitWindowsXP,WindowsVista,WindowsServer2003,andWindowsServer2008.
-
TheMainWindow
Views
TheProcessExplorerwindowshowsbydefaulttwopanes:theupperpaneisalwaysaprocesslistandthebottomeithershowsthelistofDLLsloadedintotheprocessselectedintheupperpane,orthelistofoperatingsystemresourcehandles(files,Registrykeys,synchronizationobjects)theprocesshasopen;theviewmodedetermineswhichinformationisshowninthebottompane.Toswitchtheview,usetheView|LowerPaneViewmenuitem,thecorrespondingtoolbarbutton(whichtoggles),ortheCtrl+D(DLLview)andCtrlH(handleview)acceleratorkeys.IfyouareonlyinterestedinseeingtheprocessesrunningonyoursystemYoucanhidethelowerpanebyselectingView|HideLowerPane,thecorrespondingtoolbarbutton,theCtrl+Laccelerator,orbydraggingthepanedividertothebottomoftheProcessExplorerwindow.YoucanbringbackthelowerpanebyselectingView|ShowLowerPane,typingCtrl+Lorselectingthetoolbarbuttonagain.
MiniGraphs
ProcessExplorerincludesatoolbarandminigraphsforCPU,memory,andifonWindows2000orhigher,I/Ohistory,atthetopofthemainwindow.Theycanberesizedwithrespecttooneanotherordraggedsuchthateachisonaseparaterow.Theminigraphsshowhistoryof
-
systemactivityandhoveringthemouseoverapointonagraphdisplaysinatooltiptheassociatedtimeandtheprocessinformationforpointintime.Forexample,thetooltipfortheminiCPUgraphshowstheprocessthatwasthelargestconsumerofCPU.ClickingonanyoftheminigraphsopenstheSystemInformationdialog.
RefreshRateandDifferenceHighlighting
ConfiguretherateatwhichProcessExplorerrefreshesitswindowbyusingtheView|UpdateSpeedmenuitem.YoucanrefreshtheviewmanuallyatanytimewithView|Refresh,therefreshtoolbarbutton,orbypressingF5.Somechecks,suchaswhetheraprocessispartofaJobobjectorusesthe.NETruntime,onlyoccurduringprocessstartup.PressF5tohaveProcessExplorerrecheckthestatusofallprocesses.ProcessExplorerusesdifferencehighlightingtohelpyouseewhatitemschangebetweenrefreshes.Items,includingprocesses,DLLs,andhandles,thatexitorareclosedshowinredandnewitemsshowingreen.IftherefreshrateisnotpausedthehighlightingremainsineffectfortheintervalspecifiedbytheOptions|DifferenceHighlightDurationdialog,whichhasadefaultvalueof1second.Ifyoupausethedisplaythedifferencehighlightingisineffectonlyuntilthenexttimeyoumanuallyrefresh.
Opacity
YoucanmaketheProcessExplorerwindowpartiallytransparentsothatwindowsbeneathitshowthroughonsystemsthatsupportitbymakingaselectionundertheView|Opacitymenuitem.
Saving
WhenyouchooseFile|SaveProcessExplorersavesthecontentsoftheProcessandlowerpane,ifitisshowing,asatabdelimitedtextfile.ShuttingDownorLoggingOffUsetheFile|Shutdownmenuitemstoshutdown,reboot,lockorlogoffthesystem.Whenavailable,themenualsooffersoptionsforhibernatingandsuspendingthesystem.
RunUsethisoptiontorunotherapplicationsfromProcessExplorerusingthestandardWindowsRundialog.RunasThisvariantontheRuncommandallowsyoutoenteralternatecredentialsforthelaunchingapplication.ProcessExplorerleveragesthesameWindowsfunctionalityastheRunasWindowscommandtoprovidethissupport.TheRunasmenuitemisnotpresentonWindows9x.
-
RunasLimitedUserThisvariantontheRuncommandrunstheapplicationyouspecifyinthesameaccountasthatofProcessExplorer,butwithoutadministrativeprivilegesormembershipinthelocaladministratorsgroup.Thisoptionrestrictstheexposureofyoursystemfromapplications,suchasInternetExplorer,thatmightbecompromisedthroughaccessofuntrusteddata.
ColumnsandColumnSets
ColumnSelection
TheinformationProcessExplorerdisplaysinitsmainwindowisfullyconfigurable.Youcanreordercolumnsbydraggingthemtotheirnewposition.Toselectwhichcolumnsofdatayouwantvisibleineachoftheviewsandthestatusbar,chooseView|SelectColumnsorrightclickonacolumnheaderanduseSelectColumnsfromtheresultingcontextmenu.AcolumnselectioneditoropensthatletsyoupickthecolumnsyouwanttoenablefortheProcess,DLL,handlepanes,andstatusbar.ColumnSetsYoucansaveacolumnconfigurationanditsassociatedsortsettingsbychoosingView|SaveColumnSet.ProcessExplorerwillpromptyoutonamethecolumnset.YoucanloadasavedcolumnsetbyselectingitintheView|LoadColumnSetmenuorbyenteringitsassociatedacceleratorkeys.ToreorderorrenameexistingcolumnsetsgotoView|OrganizeColumnSetstoopenthecolumnsetorganizer.
GeneralOptions
CommandLineUsage:ProcessExplorertakestwooptionsthatmodifyitsbehavior: /e PromptforUACelevationtorestartwithadministrativerightsiflaunched
withoutadministrativerights. /s: SelecttheprocesshavingthespecifiedprocessIDafterstarting. /t StartProcessExplorerminimizedinthetray. /p:[r|h|n|l] SetProcessExplorer'sprioritytorealtime(r),high(h),normal(n),orlow(l).
AlwaysonTop:ChoosethisoptiontohaveProcessExplorer'swindowremainaboveotherwindows.ReplaceTaskManager:SelecttheReplaceTaskManagerentryundertheOptionsmenutohaveProcessExplorerexecuteinsteadofTaskManagerwhenyoulaunchTaskManager.NotethatthisisaglobalsettingthataffectsallusersregardlessofhowtheystartTaskManager.AfterreplacingTaskManagerthemenuitemrenamestoRestoreTaskManagerandselectingitremovesProcessExplorer'sassociation.
-
HideWhenMinimized:checkthisitemintheOptionsmenutohaveProcessExplorerruninthetrayasasmallgraphreflectingcurrentCPUusagewhenyouminimizeit.IfCPUusageisunder70%themetershowsingreen;ifitsbetween70%and90%itshowsinyellow;ifitsabove90%itshowsinred.TheCPUusagegraphupdatesatthecurrentlydefinedrefreshinterval.IfyouwantProcessExplorertostartinthetraythenspecifythe/toptionasitscommandlineargument.SingleclickingonProcessExplorer'strayiconrestoresthewindowandbringsittotheforeground,regardlessofwhetheritsminimizedinthetrayornot.
AllowOnlyOneInstance:checkthistopreventmultipleinstancesofProcessExplorertorunsimultaneously.ConfirmKill:uncheckthisifyoudonotwantProcessExplorertopromptyouforconfirmationbeforeterminatingaprocessyou'vedirectedittokill.CPUHistoryinTray:thisoptiontogglesProcessExplorer'strayiconbetweenastandardchartrepresentationofthecurrentCPUusageandaminiatureversionoftheCPUhistorygraph.
VerifyImageSignatures:ifthisischeckedthenimagescorrespondingtoprocessesarecheckedfortrustedsignaturesautomaticallywhenyouviewaprocesspropertiesandtheresultisshownnexttothecompanyfieldintheprocesspropertiesdialog."(Verified)"nextacompanynamemeansthefileissignedbyatrustedrootcertificateauthorityand"(UnabletoVerify)"meansthefileiseitherunsignedorsignedbyanuntrustedauthority.Uncheckthisoptiontospeedperformancewhenviewingprocessimageproperties.
ConfigureSymbols:onWindowsNTandhigher,ifyouwantProcessExplorertoresolveaddressesforthreadstartaddressesinthethreadstaboftheprocesspropertiesdialogandthethreadstackwindowthenconfiguresymbolsbyfirstdownloadingtheDebuggingToolsforWindowspackagefromMicrosoft'swebsiteandinstallingitinitsdefaultdirectory.OpentheConfigureSymbolsdialogandspecifythepathtothedbghelp.dllthat'sintheDebuggingToolsdirectoryandhavethesymbolenginedownloadsymbolsondemandfromMicrosofttoadirectoryonyourdiskbyenteringasymbolserverstringforthesymbolpath.Forexample,tohavesymbolsdownloadtothec:\symbolsdirectoryyouwouldenterthisstring:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
DifferenceHighlightDuration:thisdialogallowsyoutoconfigurethedurationoftimethatnewprocessesshowingreenandonesthathaveexitedshowinred.Thedefaultisonesecond.YoucanchangethehighlightingcolorsbyeditingthemintheConfigureHighlightingdialogthatyouopenintheOptionsmenu.
-
SystemInformation
OnWindowsNTandhighertheSystemInformationentryintheViewmenuandtypingCtrl+IopensadialogboxthatshowsglobalsystemperformancemetricslikethoseshowninTaskManager.Theinformationincludestheamountofcommittedandavailablevirtualandphysicalmemoryaswellaspagedandnonpagedkernelbufferusage.GraphsshowtheCPUusagehistoryofthesystemaswellasthecommittedvirtualmemoryusage,andonWindows2000orhighersystemsanI/OgraphshowsI/Othroughputhistory.RedintheCPUusagegraphindicatesCPUusageinkernelmodewhereasgreenisthesumofkernelmodeandusermodeexecution.Whencommittedvirtualmemory,whichTaskManagerlabelsinitsgraphsonWindows2000andhigheras"PFUsage"andonNT4as"MemUsage",reachesthesystemCommitLimit,applicationsandthesystembecomeunstable.TheCommitLimitisthesumofmostofphysicalmemoryandthesizesofanypagingfiles.IntheI/OgraphthebluelineindicatestotalI/Otraffic,whichisthesumofallprocessI/Oreadsandwrites,betweenrefreshesandthepinklineshowswritetraffic.WhenyoumovethemouseovertheCPUgraphapopupdisplayseitheronthefarleftorrightofthegraphthatshowstheCPUusageandnameoftheprocessthathadthelargestcontributiontoCPUusageatthecorrespondingpointintime,aswellasthetimeofthepoint.Similarly,timestampinformationforapointisshownintheCommitgraph.Finally,ontheI/OgraphthetooltipshowstheprocessperformingthemostI/Oatthetimeofthepoint,including
-
theamountofdataitreadandwrote.Thepopupsupdateasdatamovesunderthemouse,butyoucanfreezeapopupbyrightclickingandthemovethemousetounfreezethepopup.OnsystemswithmultipleCPUstheSystemInformationdialogincludesaShowonegraphperCPUcheckbox.Checkingitswitchesthedisplayintoaperprocessorview.Hyperthreaded(SMT)processorssharingthesamecoreandNUMAprocessorssharingthesamenodearegroupedtogetherandthemousetooltipshownwhenhoveringoveragraphdisplaystheprocessorandcoreornodenumbers.NotethatthemousetooltipsforaprocessorgraphshowthenameoftheprocessthatconsumedthemostCPUontheentiresystemattheassociatedtime,nottheprocessthatconsumedthemostCPUontheparticularCPU.
TheProcessView
SortingandtheProcessTree
BydefaultProcessExplorersortsprocessesintothesystemprocesstree.Theprocesstreereflectstheparentchildrelationshipbetweenprocesseswherechildprocessesareshowndirectlybeneaththeirparentandrightindented.Processesthatareleftjustifiedareorphans;theirparenthasexited.Tochangethesortordersimplyclickonathecolumnbywhichyouwishtosort.ToreturnthesorttotheprocesstreeselectView|ShowProcessTree,clicktheprocesstreetoolbarbutton,ortypeCtrl+T.
InterruptsandDPCs
OnWindowsNTbasedsystemsProcessExplorershowstwoartificialprocesses:InterruptsandDPCs.TheseprocessesreflecttheamountoftimethesystemspendsservicinghardwareinterruptsandDeferredProcedureCalls(DPCs),respectively.HighCPUconsumptionbytheseactivitiescanindicateahardwareproblemordevicedriverbug.ToseethetotalnumberofinterruptsandDPCsexecutedsincethesystembootedaddtheContextSwitchcolumn.AnothersometimesusefulmetricisthenumberofinterruptsandDPCsgeneratedperrefreshinterval,whichyouseewhenyouaddtheCSwitchesDeltacolumn.
FindWindow'sProcess
Youcanhighlighttheprocessthatownsawindowvisibleonthedesktopbydraggingthetargetliketoolbarbuttonoverthewindowinquestion.ProcessExplorerwillselecttheowningprocessentryintheprocessview.
ProcessViewOptions
SeveralitemsintheOptionsandViewmenusaffectthewayprocessesdisplay:ConfigureHighlighting:selectthismenuitemundertheOptionsmenutoopenadialogboxthatallowsyoutoconfigurehighlightcolorsusedintheProcessViewandtheDLLview.
-
HighlightServices:onWindowsNTandhigherthisoptionhasProcessExplorershowprocessesthatarerunningWin32servicesintheserviceprocesshighlightcolor.TheServicestaboftheprocesspropertiesdialogshowsthelistofservicesrunningwithinaprocess.HighlightJobs:onWindows2000andhigherchoosethisoptiontohaveProcessExplorershowprocessesthatarepartofaWin32JobintheJobobjecthighlightcolor.JobsgroupprocessestogethersothattheycanbemanagedasasingleitemandareusedbytheRunascommand,forexample.UsetheJobtaboftheprocesspropertiesdialogtoseethelistofprocessesrunninginthesamejobastheselectedprocessandtoseejoblimitsthathavebeenappliedtothejob.Highlight.NETProcesses:thisoptionappearsonWindowsNTbasedsystemsthathavethe.NETFrameworkinstalled.Whentheoptionischeckedmanagedapplications(thosethatusethe.NETFramework)arehighlightedinthe.NETprocesshighlightcolor.HighlightOwnProcesses:onWindowsNTandhighercheckingthisoptionresultsinProcessExplorershowingintheownprocesshighlightcolortheprocessesthatarerunninginthesameuseraccountasProcessExplorer.HighlightPackedImages:malware,includingviruses,spyware,andadwareisoftenstoredinapackedencryptedformondiskinordertoattempttohidethecodeitcontainsfromantispywareandantivirus.
ShowFractionalCPU:whenthisoptionisselectedProcessExplorershowsCPUusagetotwodecimalplaces.Thiscanbeusefultoidentifyprocessesthatwouldotherwiseappearidle,butthatareperformingbackgroundprocessing.ShowNewProcesses:whenenabledProcessExplorerscrollstheProcessviewtobringintoviewnewprocesses.
TheProcessContextMenu
WhenyouhaveaprocessselectedtheitemsintheProcessmenubecomeactive.Youcanaccessthesamemenuitemsbyrightclickingonaprocess.Theitemsenableyoutodothefollowing:
BringtoFront:selectthisoptiontobringanywindowsownedbytheselectedprocesstotheforeground.
SetPriority:youcanchangethebasepriorityofaprocesswiththissubmenu.Whenyouchangethebasepriorityofaprocessthesystemadjuststheprioritiesofthreadswithintheprocesssothattheyremainatthesamerelativeprioritywithrespecttothenewbasepriority.
-
SetAffinity:onsystemswithmultipleCPUsthismenuitemletsyoubindthethreadsofaprocesstoparticularCPUs.Debug:choosingthismenuitemlaunchesthedebuggerregisteredinHKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\AeDebugwiththeselectedprocessasthecommandlineargument.LaunchDepends:ifProcessExplorerfindstheDependencyWalkertool(seehttp://www.dependencywalker.com)withtheselectedprocessastheargument.TheDependencyWalkertoolshowsstaticDLLdependencies.Kill:thisitemterminatesaprocesswiththeTerminateProcessAPI.Notethataprocessterminatedinthiswayisnotwarnedofitsterminationandthereforedoesnotwriteunsaveddataitmayhave.KillProcessTree:iftheprocesspaneisintheprocesstreesortingmodethismenuitemisavailableandallowsyoutokillaprocessandallofitsdescendants.Suspend:ifyouwantaprocesstobecometemporarilyinactive,sothatasystemresourcesuchasnetwork,CPUordisk,becomesavailableforotherprocesses,youcansuspendtheprocess.Suspendedprocessesshowinadarkgreycolor.ToresumeasuspendedprocesschosetheResumeitemfromtheprocesscontextmenu.Restart:whenyouselectthisitemProcessExplorerterminatesthehighlightedprocessandstartsthesameimageusingthesamecommandlinearguments.Notethatthenewinstancemayfailtorunorbehavedifferentlyiftheoriginalprocessraninadifferentuseraccountorhadadifferentenvironment.Properties:thisselectionopensapropertydialogthatshowsyoumoreinformationaboutaprocess.SearchOnline:selectingthisentrywillresultinProcessExplorerlaunchingthesystem'sconfiguredInternetbrowserandinitiatinganInternetsearchfortheselectedprocess'name.
ProcessProperties
Youcanviewadditionaldetailsforaprocessbydoubleclickingonit,orbyselectingitandusingtheProcess|Propertiesmenuitemorthepropertiestoolbarbutton.OnWindows9xsystemsthedialogshowsversioninformationfortheprocessimage,thefullpathoftheprocessimagefile,andthecommandlineusedtolaunchtheprocess.OnWindowsNTandhigherthereareseveraltabsinthedialog,describedbelow.Anydynamicdata,suchasperformanceinformation,updatesattherefreshdatecurrentlyselectedforProcessExplorer.YoucanmanuallyrefreshdynamicinformationbytypingF5inapage.
-
Image:
Thispageshowsversioninformationextractedfromtheprocess'imagefile,thefullpathoftheimagefileandthecommandlinethatlaunchedtheprocess.Italsoshowsthecurrentdirectoryoftheprocess,theuseraccountinwhichtheprocessisrunning,thenameoftheprocess'parentprocess,andthetimeatwhichtheprocessstartedexecution.ProcessExplorerchecksforwhetherornotanimagehasbeendigitallysignedbyacertificaterootauthoritytrustedbythecomputeranddisplaysthestatusofthecheck,whichiseither"Trusted"(signed),"Unsigned",or"NotVerified"(signaturehasnotbeenchecked).YoucanpresstheVerifybuttontohaveProcessExplorercheckthesignatureofanimagethathasnotbeenverified.NotethattheverificationoperationcanresultinProcessExplorercontactingwebsitestocheckforcertificatevalidity.SeetheVerifyImageSignaturesoption.EnteracommentforaprocessintheCommentfield.CommentsarevisibleintheprocessviewintheCommentcolumn,orifyoudonothavethecommentcolumnselected,inthetooltipthatdisplayswhenyouhoverthemouseoveraprocess.Commentsapplytoallprocesseswiththesamepathandarerememberedfromexecutiontoexecution.OnsystemsthatsupportDataExecutionProtection(DEP),ProcessExplorershowstheDEPstatusoftheselectedprocessaseither"on"or"off".SoftwareDEPiscurrentlysupportedbyWindowsXPSP2andhigheron32bitx86systemswhereashardwareDEPisavailableonlyon64bitversionsofWindows.YoucanalsoviewDEPstatusbyaddingthecorrespondingDEPStatuscolumntotheprocessview.Malware,includingviruses,spyware,andadwareisoftenstoredinapackedencryptedformondiskinordertoattempttohidethecodeitcontainsfromantispywareandantivirus.ProcessExplorerusesaheuristictodetermineifanimageispackedandifitischangesthetextabovethefullpathdisplayfieldtoinclude"(Imageisprobablypacked)".
Performance:
MemoryandCPUperformancedatadisplaysonthispage,includingphysicalandvirtualmemory,andCPUusage.Thedatarefreshesatthesameintervalthatthemaindisplaydoes.
PerformanceGraph:
Ahistoryofaprocess'CPUusageanditsprivatebytesallocationshowsasinTaskManagerlikegraphsonthispage.RedintheCPUusagegraphindicatesCPUusageinkernelmodewhereasgreenisthesumofkernelmodeandusermodeexecution.PrivateBytesrepresentsthe
-
amountofprivatevirtualmemoryaprocesshasallocatedandisthevaluethatwillriseofaprocessexhibitingamemoryleakbug.NotethatwhiletheSystemInformationperformancegraphsupdatewhileProcessExplorerisminimizedtothetray,thesegraphsdonot.Theprivatebytesusagegraphsarescaledagainstthepeakamountofprivatebytestheprocesshasallocated;ifthepeakgrowsthegraphsrecalculatetheirscales.IntheI/OgraphthebluelineindicatestotalI/Otraffic,whichisthesumofallprocessI/Oreadsandwrites,betweenrefreshesandthepinklineshowswritetraffic.TheI/OgraphisscaledagainstthepeakI/Otraffictheprocesshasgeneratedsincethestartofmonitoring.Movingthemouseoverpartofagraphresultsinthetimeofthecorrespondingdatapointbeingshowninthegraphasapopupeitheronthefarleftorright.
Threads:
Thelistofthethreadsrunningintheprocessshowsonthistab.Thethreadlistshowsstartaddressinformationthat'sprovidedbytheWindowssymbolengine.Ifyouwanttoseeaccuratenamesforstartaddressesthenfollowthedirectionsforconfiguringsymbols.TheModulebuttononthethreadspagelaunchesExplorer'sfilepropertiesdialogboxfortheimagefilethatcontainsthestartaddressofthecurrentlyselectedthread.TheStackbuttonshowsthecurrentstackoftheselectedthread.StackinformationisunreliableunlesssymbolfilesareavailableforprocessandDLLsreferencedinthestack.UsetheKillbuttontoterminateathread.Notethatterminatingathreadmayleadtoacrashorerraticbehavioroftheprocess.UsetheSuspendbuttontosuspendathread.Notethatsuspendingthreadsmaycauseitsprocesstostopexecuting.
TCP/IP:
AnyactiveTCPandUDPendpointsownedbytheprocessareshownonthispage.OnWindowsXPSP2andhigherthispageincludesaStackbuttonthatopensadialogthatshowsthestackofthethreadthatopenedtheselectedendpointatthetimeoftheopen.ThisisusefulforidentifyingthepurposeofendpointsintheSystemprocessandSvchostprocessesbecausethestackwillincludethenameofthedriverorservicethatisresponsiblefortheendpoint.
Security:
ProcessExplorerreportsthelistofgroupsandprivilegeslistedinthesecuritytokenoftheprocessonthispage.Privilegesshowningreyaredisabled.Thepermissionsbuttonopensapermissionseditorthatshowstheaccesspermissionsassignedtotheprocess.
Job:
-
ThistabispresentonlyforprocessesthatarepartofaWin32Job.TheJobpageshowsthelistofprocessesthatarepartofthesamejobandthelimitsthatareappliedtothejob.
.NET:
Thistabispresentonlyformanagedprocesses,whicharethosethatusethe.NETFramework.TheAppDomainspresentintheprocessshow,aswelltheavailable.NETperformancecounterobjects.Selecta.NETperformanceobjecttoseethevaluesoftheobject'scounters.ThecountersupdateatthecurrentlyselectedrefreshintervalandyoucantypeF5tomanuallyrefresh.
Services:
ThistabispresentonlyforprocessesthatareexecutingWin32services,andliststheservicesrunningwithintheprocess.ProcessExplorershowsaservice'snameanddisplayname,andonWindows2000andhigher,ifavailable,theservice'sdescription.Thepermissionsbuttonopensapermissionseditorthatshowstheaccesspermissionsassignedtotheservice.
Environment:
Theenvironmentvariablesassociatedwiththeprocessshowonthispage.
Strings:
Allprintablestringsofatleast3charactersinlengthdisplayonthispage.ImagestringsarereadfromtheprocessimagefileondiskwhereasMemorystringsarereadfromtheimage'sinmemorystorage.Memorystringsmaybedifferentthanondiskstringswhenanimageusesadecompressesordecryptswhenitloadsintomemory.
TheDLLView
TheDLLContextMenu
TheDLLviewshowstheimagefile,DLLs,anddatafilesmappedintotheaddressspaceoftheselectedprocess.WhenyouclickthepropertiestoolbarbuttonorselectPropertiesfromtheDLLmenuProcessExploreropensapropertiesdialogfortheDLLormappedfilethatcontainstwotabs:
Image:
Thispageshowsversioninformationextractedfromtheimagefileandthefullpathoftheimagefile.
-
ProcessExplorerchecksforwhetherornotanimagehasbeendigitallysignedbyacertificaterootauthoritytrustedbythecomputeranddisplaysthestatusofthecheck,whichiseither"Trusted"(signed),"Unsigned",or"NotVerified"(signaturehasnotbeenchecked).YoucanpresstheVerifybuttontohaveProcessExplorercheckthesignatureofanimagethathasnotbeenverified.NotethattheverificationoperationcanresultinProcessExplorercontactingwebsitestocheckforcertificatevalidity.SeetheVerifyImageSignaturesoption.Malware,includingviruses,spyware,andadwareisoftenstoredinapackedencryptedformondiskinordertoattempttohidethecodeitcontainsfromantispywareandantivirus.ProcessExplorerusesaheuristictodetermineifanimageispackedandifitischangesthetextabovethefullpathdisplayfieldtoinclude"(Imageisprobablypacked)".
Strings:
Allprintablestringsofatleast3charactersinlengthdisplayonthispage.ImagestringsarereadfromtheprocessimagefileondiskwhereasMemorystringsarereadfromtheimage'sinmemorystorage.Memorystringsmaybedifferentthanondiskstringswhenanimageusesadecompressesordecryptswhenitloadsintomemory.
HighlightRelocatedDLLs
WhenyouselecttheRelocatedDLLsentryintheOptions|ConfigureHighlightingdialoganyDLLsthatarenotloadedattheirprogrammedbaseaddressshowinyellow.DLLsthatcannotloadattheirbaseaddressbecauseotherfilesarealreadymappedtherearerelocatedbytheloader,whichconsumesCPUandmakespartsoftheDLLthataremodifiedaspartoftherelocationunsharable.
SearchOnlineSelectingthisentrywillresultinProcessExplorerlaunchingthesystem'sconfiguredInternetbrowserandinitiatinganInternetsearchfortheselectedDLL'sname.
TheHandleView
TheHandleContextMenu
TwoitemsappearundertheHandlemenuorwhenyourightclicktoshowtheHandlecontextmenu:CloseHandle:choosethisitemtoforceclosedahandle.Usethisatyourownrisk:becausetheprocessthatownsthehandleisnotawarethatitshandlehasbeenclosed,usingthisfeaturecanleadtoacrashoftheapplicationordatacorruption;closingahandleintheSystemprocesscanleadtoasystemcrash.
-
Properties:whenyouselectthisitemProcessExploreropensahandlepropertiesdialogthatshowsyouthetotalnumberofhandlesopentotheobject,aswellaskernelreferencestotheobject.Italsoshowsinformationspecifictothetypeofobjectyouareviewing.Forexample,whenyouviewthepropertiesofamutantobjectProcessExplorerreportswhetherornotthemutantisheld,andifso,bywhichthread.TheSecuritytabonthehandlepropertiesdialogshowsthesecuritythat'sappliedtotheobjectthehandlereferences.
ShowUnnamedHandles
Bydefault,ProcessExplorershowsonlyhandlestoobjectthathavenames.SelecttheShowUnnamedHandlesitemundertheViewmenutohaveProcessExplorerlistallthehandlesopenedbyaselectedprocess,eventhosetoobjectsthatarenameless.NotethatProcessExplorerconsumessignificantlymoreCPUresourcewhenthisoptionisselected.
TheUsersMenu
OnsystemsthatincludeTerminalServicesProcessExplorerdisplaysaUsersmenuthatliststhecurrentlyconnectedsessions.ProcessExplorercreatesamenuentryforeachsessionthat'snameincludesthesession'ssessionIDandtheuserloggedintothesession.Eachentryopensasubmenuthathasoptionsfordisconnecting,loggingoff,andsendingamessagetothesession'suser.Inaddition,aPropertiesmenuforeachsessionentryopensadialogboxthatlistsdetailedinformationaboutthesession,includingtheIPaddressandnameoftheclientconnectedtothesession.ThecontentsoftheUsersmenuareupdatedeachtimeyouopenthemenutoreflectcurrentsessioninformation.
Searching
OneofthecommonproblemsProcessExplorersolveswitheaseisthequestion:whatprocesshasthisfileordirectoryopen,orwhichprocesseshaveaparticularDLLloaded?YoucanperformahandleandDLLsearchbyselectingFind|FindHandleorDLLorbytypingCtrl+F.SearchesarecaseinsensitivesubstringsearchesofallofthehandlesopenedandDLLsloadedonthesystemwiththetextyouenter.Thus,tosearchfortheprocessorprocessesthathavec:\directory\somefile.txtopenenterenoughtexttomakethesearchfindonlytheresultsyouareinterestedine.g."somefile".Thesearchdialogpopulateswiththelistofresultsindexedbyprocess.SelectlinesintheresultstohaveProcessExplorerselectthereportedprocessandDLLorhandle,anddoubleclickonalinetohaveitdothesameanddismisstheSearchdialog.
