Four ways to put Sysinternals Process Explorer to work
IT admins can use Process Explorer in Sysinternals to find suspicious software, inspect process and object privileges, and more.
You can use Sysinternals Process Explorer to check locked files and folders, identify suspect software, uncover process affiliations and more.
Process Explorer is part of the Sysinternals suite. The first time you open the Threads tab in the Properties window of a running process, you'll probably get an error message saying that your version of Dbghelp.dll does not support the Microsoft Symbol Server. To fix this, click the Microsoft Debugging Tools link in that message, then download and install the right version. Scroll down the page until you see the Debugging Tools for whichever version of Windows you run. To install only the debugging tools, uncheck every feature in the installer except Debugging Tools for Windows. Once the debugging tools are installed, the Threads tab displays information about all the threads associated with the process you're viewing.
When Process Explorer opens for the first time in Windows 10, many entries in the listing are highlighted in color. To see the color key, click the Options menu, then Configure Highlighting.
In the screenshot below, most of what's running on the machine is categorized as Jobs, which represent background and OS processes. Items in purple are Packed Images, which contain compressed code; here that is iexplore.exe, the Internet Explorer process. The blue item (csrss.exe) is the selected item in the display pane. Yellow indicates a relocated DLL or a .NET process; sidebar.exe is the latter.
Process Explorer's default display is the tree view, which shows all the processes currently running in Windows on the target machine, organized by overall priority. One option that's not turned on by default is Verify Image Signatures. It's worth enabling so that Process Explorer checks the digital signature of every executable it detects, which helps you spot malware, adware and other uninvited software running on your PC when it causes problems.
Right-clicking a process inside the program gives you options such as killing the process or the parent process tree it belongs to, or suspending or restarting the process. You can also bring the window associated with the process to the front, set its affinity (other processes it should run alongside) and its priority (how often it gets a slice of CPU time), and even look up the process by name on the Internet.
Checking locked files or folders
If you get an error message from File Explorer that says, "This action can't be completed because the folder or a file in it is open in another program," the file or folder is probably locked.
You can search for the file or folder name in Process Explorer to identify the process locking it. Click the search icon (the binoculars on the toolbar at the top of the program window) or press Ctrl+F to open the search box, then type the name of the file or folder into the search textbox. Process Explorer shows which process has the file or folder in its grip. You can either close that process, or right-click the handle entry the file or folder belongs to and pick Close Handle from the resulting pop-up menu. Either way, you may lose any unsaved changes to that object.
Process Explorer is available as a free download from TechNet, or you can run the tool directly from the Internet if you don't want to download and unpack a .zip file.
Sniffing out suspect software
If you right-click any process entry in the main Process Explorer listing pane, you can select Properties from the resulting pop-up menu. By default, that window opens with the Image tab selected. One important entry on that tab is Current directory. Many malware processes masquerade as the Service Host process, svchost.exe, a generic process that usually runs in multiple instances on any Windows system. For example, my Surface Pro 3 has nine instances of svchost.exe running, and my desktop has 16.
Svchost.exe should only run from the protected \Windows\System32 directory. If you find an instance of the process running from another directory, especially one outside the Windows folder hierarchy, it's a sure sign of malware or something else you don't want pretending to be a legitimate Windows process.
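The three checks described above (finding which process holds a handle to a file, flagging svchost.exe instances that run from outside System32, and noticing images whose signature could not be verified) are things Process Explorer does interactively. As an added example that is not part of the article and not Sysinternals code, the script below applies the same logic to a small constructed process listing so the rules can be read and tested offline. The `ProcessRecord` fields, the sample processes and the `SVCHOST_ALLOWED_DIRS` allowlist are all assumptions made here for illustration; on 64-bit Windows a legitimate 32-bit copy also lives in SysWOW64, so extend the allowlist if your environment runs one.

```python
"""Constructed model of a Process Explorer listing with the article's three
manual checks expressed as functions. Example code, not Sysinternals code."""
import ntpath  # Windows path semantics regardless of the host OS
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: the article names only System32 as a legitimate home for svchost.exe.
SVCHOST_ALLOWED_DIRS = {r"c:\windows\system32"}


@dataclass
class ProcessRecord:
    """One row of the listing, reduced to the fields the checks need."""
    pid: int
    name: str
    image_path: str
    # None models the "unable to verify" state shown by Verify Image Signatures
    verified_signer: Optional[str]
    handles: List[str] = field(default_factory=list)


# Constructed sample data; paths, PIDs and signers are illustrative only.
PROCESSES = [
    ProcessRecord(812, "svchost.exe", r"C:\Windows\System32\svchost.exe",
                  "Microsoft Windows", [r"C:\Windows\System32\config\SOFTWARE"]),
    ProcessRecord(1504, "svchost.exe", r"C:\Users\Public\svchost.exe", None,
                  [r"C:\Users\Public\drop.dat"]),
    ProcessRecord(2260, "WINWORD.EXE",
                  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  "Microsoft Corporation", [r"C:\Users\alice\Documents\budget.docx"]),
    ProcessRecord(3120, "svchost.exe", r"C:\Windows\Temp\svchost.exe",
                  "Microsoft Windows", []),
]


def find_handle_owners(processes: List[ProcessRecord],
                       needle: str) -> List[Tuple[int, str, str]]:
    """The Ctrl+F search: every (pid, process name, handle) whose handle path
    contains the searched name, case-insensitively as Windows paths are."""
    needle = needle.lower()
    return [(p.pid, p.name, h)
            for p in processes for h in p.handles if needle in h.lower()]


def suspicious_svchost(processes: List[ProcessRecord]) -> List[int]:
    """PIDs of svchost.exe instances whose image directory is not allowlisted.
    Signature status is deliberately ignored: a validly signed copy in the
    wrong directory is still not the Service Host the system started."""
    out = []
    for p in processes:
        if p.name.lower() != "svchost.exe":
            continue
        if ntpath.dirname(p.image_path).lower() not in SVCHOST_ALLOWED_DIRS:
            out.append(p.pid)
    return out


def unverified_images(processes: List[ProcessRecord]) -> List[int]:
    """PIDs whose image signature could not be verified (the Verify Image
    Signatures column showing no signer)."""
    return [p.pid for p in processes if p.verified_signer is None]


if __name__ == "__main__":
    print("holders of budget.docx:", find_handle_owners(PROCESSES, "budget.docx"))
    print("svchost outside System32:", suspicious_svchost(PROCESSES))
    print("unverified images:", unverified_images(PROCESSES))
```

The path comparison uses `ntpath` rather than `os.path` so the rule behaves the same whether the listing is reviewed on Windows or exported and examined elsewhere; `suspicious_svchost` keys on the image directory alone, which is exactly the test the paragraph above describes.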
Discovering process affiliations
If you use Sysinternals Process Explorer and come across an unfamiliar process, you'll want to know where in your runtime environment that process is being used. Open the search box and type the name of the process. If you click a dasHost.exe entry in the search results (the process that checks your inbox and posts an onscreen notification when you get a new email), the main Process Explorer window highlights the processes in which that instance is referenced. This helps you explore the often complex relationships between processes in the Windows runtime environment.
Inspecting process and object privileges
Right-click a process or handle in Process Explorer to open the Properties window, then click the Security tab to inspect the security groups the object belongs to, along with its security privileges and their settings. This doesn't work for every handle, but it does for many of them, and it can be extremely helpful when you're troubleshooting privilege or access issues and tracking down Group Policy problems.