Windows provides different tools to list and get information about processes. The task manager can be used to list and manage process. But task manager have limited capabilities. So if we are a pentester or system administrator who lives in deep water we can use process explorer for more functionality.
Process explorer is provided as Sysinternal utilities and downloaded from following link as zipped file.
In order to run process explorer we just need to select the architecture and click executable. There is no need to install.
As we can see in the previous screenshot process explorer comes with a help file in chm format. We can get detailed help about the process explorer from this help document.
We can get process list and their detailed information just clicking to the process explorer file.
Process are listed according to their parent and child relationship. Process listed as a sub row are child of the upper process. Following information about processes can be seen from this page.
CPUcolumns shows generall CPU usage percentage of this process.
Private Bytescolumns show the size of memory only used by this process and not shared with other processes and DLL’s.
PIDcolumn shows process identifier given by operating system and used to easily identify the process.
Descriptioncolumns shows the process information.
Company Namecolumns shows the executable file and application vendor company.
Detailed Process Information
More detailed process information can be shown with the properties of the the selected process. Just right click on the process and select
Properties . This will open a window like below.
We can see that there are a lot of tabs those provides related information. By default threads tab is opened and list existing threads of the current process which their Thread ID.
Following information can be get with other tabs.
TCP/IPtab provides the network ports and remote connections about this process.
Securitytab provides owner, group and other related security information
Environmenttab provides information about the process environment variables like OS, PATH, HOMEPATH etc.
Stringstab provides the identified strings in this process memory area.
Imagetab provides executable file path related information
Performancetab provides CPU, I/O, Memory related statistics and information
Performance Graphtab shows simple CPU, Memory and I/O graphs about process
Threadstab shows related threads and their thread ID’s
Another useful feature of the process explorer is killing selected process. This can be done right click to the related process and select
Kill Process from the menu. We can also select process and use
DELETE key to do same operation.
Kill Process Tree
In previous step we just killed a single process. We can also kill the process tree. Process tree is the parent process and its child process. This will also kill the child processes too.
Check Process and Executable In Virus Total
There is very useful feature which is security related. We can check the executable file and running processes against Virus Total. Virtual Total is a services provides more than 50 antivirus applications to check uploaded executable files. This virus check will made us more secure. We can apply this check to suspicious process easily like below.