
Using Process Explorer

Process Explorer Tutorial

This information was adapted from the help file for the program.

Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded.

The Process Explorer display consists of two sub-windows. The top always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window, which you can close, depends on the mode that Process Explorer is in: if it is in handle mode you will see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you will see the DLLs and memory-mapped files that the process has loaded.

Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

You can obtain equivalent command-line tools, Handle and ListDLLs, at the Sysinternals Web site.

Process Explorer does not require administrative privileges to run and works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, Windows Vista, Windows Server 2008 and on the x64 version of 64-bit Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.

The Main Window

Views

The Process Explorer window shows by default two panes: the upper pane is always a process list and the bottom either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open; the view mode determines which information is shown in the bottom pane. To switch the view, use the View | Lower Pane View menu item, the corresponding toolbar button (which toggles), or the Ctrl+D (DLL view) and Ctrl+H (handle view) accelerator keys.

If you are only interested in seeing the processes running on your system you can hide the lower pane by selecting View | Hide Lower Pane, the corresponding toolbar button, the Ctrl+L accelerator, or by dragging the pane divider to the bottom of the Process Explorer window. You can bring back the lower pane by selecting View | Show Lower Pane, typing Ctrl+L or selecting the toolbar button again.

Mini Graphs

Process Explorer includes a toolbar and mini graphs for CPU, memory, and if on Windows 2000 or higher, I/O history, at the top of the main window. They can be resized with respect to one another or dragged such that each is on a separate row. The mini graphs show history of system activity and hovering the mouse over a point on a graph displays in a tooltip the associated time and the process information for that point in time. For example, the tooltip for the mini CPU graph shows the process that was the largest consumer of CPU. Clicking on any of the mini graphs opens the System Information dialog.

Refresh Rate and Difference Highlighting

Configure the rate at which Process Explorer refreshes its window by using the View | Update Speed menu item. You can refresh the view manually at any time with View | Refresh, the refresh toolbar button, or by pressing F5. Some checks, such as whether a process is part of a Job object or uses the .NET runtime, only occur during process startup. Press F5 to have Process Explorer recheck the status of all processes.

Process Explorer uses difference highlighting to help you see what items change between refreshes. Items, including processes, DLLs, and handles, that exit or are closed show in red and new items show in green. If the refresh rate is not paused the highlighting remains in effect for the interval specified by the Options | Difference Highlight Duration dialog, which has a default value of 1 second. If you pause the display the difference highlighting is in effect only until the next time you manually refresh.

Opacity

You can make the Process Explorer window partially transparent so that windows beneath it show through, on systems that support it, by making a selection under the View | Opacity menu item.

Saving

When you choose File | Save, Process Explorer saves the contents of the Process and lower pane, if it is showing, as a tab-delimited text file.

Shutting Down or Logging Off

Use the File | Shutdown menu items to shut down, reboot, lock or log off the system. When available, the menu also offers options for hibernating and suspending the system.

Run

Use this option to run other applications from Process Explorer using the standard Windows Run dialog.

Run as

This variant on the Run command allows you to enter alternate credentials for the launching application. Process Explorer leverages the same Windows functionality as the Runas Windows command to provide this support. The Run as menu item is not present on Windows 9x.

Run as Limited User

This variant on the Run command runs the application you specify in the same account as that of Process Explorer, but without administrative privileges or membership in the local administrators group. This option restricts the exposure of your system to applications, such as Internet Explorer, that might be compromised through access of untrusted data.

Columns and Column Sets

Column Selection

The information Process Explorer displays in its main window is fully configurable. You can reorder columns by dragging them to their new position. To select which columns of data you want visible in each of the views and the status bar, choose View | Select Columns or right-click on a column header and use Select Columns from the resulting context menu. A column selection editor opens that lets you pick the columns you want to enable for the Process, DLL, handle panes, and status bar.

Column Sets

You can save a column configuration and its associated sort settings by choosing View | Save Column Set. Process Explorer will prompt you to name the column set. You can load a saved column set by selecting it in the View | Load Column Set menu or by entering its associated accelerator keys. To reorder or rename existing column sets go to View | Organize Column Sets to open the column set organizer.

General Options

Command Line Usage: Process Explorer takes the following options that modify its behavior:

/e            Prompt for UAC elevation to restart with administrative rights if launched without administrative rights.
/s:<pid>      Select the process having the specified process ID after starting.
/t            Start Process Explorer minimized in the tray.
/p:[r|h|n|l]  Set Process Explorer's priority to realtime (r), high (h), normal (n), or low (l).

Always on Top: Choose this option to have Process Explorer's window remain above other windows.

Replace Task Manager: Select the Replace Task Manager entry under the Options menu to have Process Explorer execute instead of Task Manager when you launch Task Manager. Note that this is a global setting that affects all users regardless of how they start Task Manager. After replacing Task Manager the menu item renames to Restore Task Manager and selecting it removes Process Explorer's association.

Hide When Minimized: check this item in the Options menu to have Process Explorer run in the tray as a small graph reflecting current CPU usage when you minimize it. If CPU usage is under 70% the meter shows in green; if it's between 70% and 90% it shows in yellow; if it's above 90% it shows in red. The CPU usage graph updates at the currently defined refresh interval. If you want Process Explorer to start in the tray then specify the /t option as its command line argument. Single-clicking on Process Explorer's tray icon restores the window and brings it to the foreground, regardless of whether it's minimized in the tray or not.

Allow Only One Instance: check this to prevent multiple instances of Process Explorer from running simultaneously.

Confirm Kill: uncheck this if you do not want Process Explorer to prompt you for confirmation before terminating a process you've directed it to kill.

CPU History in Tray: this option toggles Process Explorer's tray icon between a standard chart representation of the current CPU usage and a miniature version of the CPU history graph.

Verify Image Signatures: if this is checked then images corresponding to processes are checked for trusted signatures automatically when you view a process's properties and the result is shown next to the company field in the process properties dialog. "(Verified)" next to a company name means the file is signed by a trusted root certificate authority and "(Unable to Verify)" means the file is either unsigned or signed by an untrusted authority. Uncheck this option to speed performance when viewing process image properties.

Configure Symbols: on Windows NT and higher, if you want Process Explorer to resolve addresses for thread start addresses in the threads tab of the process properties dialog and the thread stack window then configure symbols by first downloading the Debugging Tools for Windows package from Microsoft's web site and installing it in its default directory. Open the Configure Symbols dialog and specify the path to the dbghelp.dll that's in the Debugging Tools directory and have the symbol engine download symbols on demand from Microsoft to a directory on your disk by entering a symbol server string for the symbol path. For example, to have symbols download to the c:\symbols directory you would enter this string:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Difference Highlight Duration: this dialog allows you to configure the duration of time that new processes show in green and ones that have exited show in red. The default is one second. You can change the highlighting colors by editing them in the Configure Highlighting dialog that you open in the Options menu.
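The trust decision behind the Verify Image Signatures option (signed by a root authority the computer trusts, or not) can be applied to every running process at once with PowerShell's Get-AuthenticodeSignature. This is an added example, not code from the Process Explorer help or from Sysinternals; it assumes Windows PowerShell 5.1 or later and the function name is my own.

```powershell
# Added example (not part of the Process Explorer help): report the signature
# status of every distinct image backing a running process, using the same
# trust decision the "Verify Image Signatures" option makes (trusted root CA).
# Assumes Windows PowerShell 5.1 or later; run elevated to see other users' processes.

function Get-ProcessSignatureReport {
    [CmdletBinding()]
    param(
        # Return only images that are unsigned, untrusted or tampered with.
        [switch]$ProblemsOnly
    )
    $seen = @{}   # de-duplicate by image path: many processes share one image
    foreach ($p in Get-Process) {
        $path = $p.Path
        # Path is empty for protected or System processes we cannot open.
        if (-not $path -or $seen.ContainsKey($path)) { continue }
        $seen[$path] = $true

        $sig = Get-AuthenticodeSignature -FilePath $path
        # Map the cmdlet's status onto the two labels Process Explorer shows.
        $label = if ($sig.Status -eq 'Valid') { '(Verified)' } else { '(Unable to Verify)' }
        if ($ProblemsOnly -and $sig.Status -eq 'Valid') { continue }

        [pscustomobject]@{
            Process = $p.ProcessName
            Status  = $sig.Status          # precise reason: NotSigned, NotTrusted, HashMismatch, ...
            Label   = $label
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path    = $path
        }
    }
}

# Typical use: list everything Process Explorer would flag as "(Unable to Verify)".
Get-ProcessSignatureReport -ProblemsOnly | Format-Table Process, Status, Signer, Path -AutoSize
```

Get-AuthenticodeSignature also honours catalog signatures on Windows 8 and later, which covers the many Windows binaries that carry no embedded signature; a 32-bit PowerShell cannot read the paths of 64-bit processes, so run the matching bitness.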

System Information

On Windows NT and higher the System Information entry in the View menu and typing Ctrl+I opens a dialog box that shows global system performance metrics like those shown in Task Manager. The information includes the amount of committed and available virtual and physical memory as well as paged and nonpaged kernel buffer usage.

Graphs show the CPU usage history of the system as well as the committed virtual memory usage, and on Windows 2000 or higher systems an I/O graph shows I/O throughput history. Red in the CPU usage graph indicates CPU usage in kernel mode whereas green is the sum of kernel mode and user mode execution. When committed virtual memory, which Task Manager labels in its graphs on Windows 2000 and higher as "PF Usage" and on NT 4 as "Mem Usage", reaches the system Commit Limit, applications and the system become unstable. The Commit Limit is the sum of most of physical memory and the sizes of any paging files. In the I/O graph the blue line indicates total I/O traffic, which is the sum of all process I/O reads and writes, between refreshes and the pink line shows write traffic.

When you move the mouse over the CPU graph a popup displays either on the far left or right of the graph that shows the CPU usage and name of the process that had the largest contribution to CPU usage at the corresponding point in time, as well as the time of the point. Similarly, timestamp information for a point is shown in the Commit graph. Finally, on the I/O graph the tooltip shows the process performing the most I/O at the time of the point, including the amount of data it read and wrote. The popups update as data moves under the mouse, but you can freeze a popup by right-clicking and then move the mouse to unfreeze the popup.

On systems with multiple CPUs the System Information dialog includes a Show one graph per CPU checkbox. Checking it switches the display into a per-processor view. Hyperthreaded (SMT) processors sharing the same core and NUMA processors sharing the same node are grouped together and the mouse tooltip shown when hovering over a graph displays the processor and core or node numbers. Note that the mouse tooltips for a processor graph show the name of the process that consumed the most CPU on the entire system at the associated time, not the process that consumed the most CPU on the particular CPU.

The Process View

Sorting and the Process Tree

By default Process Explorer sorts processes into the system process tree. The process tree reflects the parent-child relationship between processes where child processes are shown directly beneath their parent and right-indented. Processes that are left-justified are orphans; their parent has exited. To change the sort order simply click on the column by which you wish to sort. To return the sort to the process tree select View | Show Process Tree, click the process tree toolbar button, or type Ctrl+T.

Interrupts and DPCs

On Windows NT-based systems Process Explorer shows two artificial processes: Interrupts and DPCs. These processes reflect the amount of time the system spends servicing hardware interrupts and Deferred Procedure Calls (DPCs), respectively. High CPU consumption by these activities can indicate a hardware problem or device driver bug. To see the total number of interrupts and DPCs executed since the system booted add the Context Switch column. Another sometimes useful metric is the number of interrupts and DPCs generated per refresh interval, which you see when you add the CSwitches Delta column.

Find Window's Process

You can highlight the process that owns a window visible on the desktop by dragging the target-like toolbar button over the window in question. Process Explorer will select the owning process entry in the process view.

Process View Options

Several items in the Options and View menus affect the way processes display:

Configure Highlighting: select this menu item under the Options menu to open a dialog box that allows you to configure highlight colors used in the Process View and the DLL view.

Highlight Services: on Windows NT and higher this option has Process Explorer show processes that are running Win32 services in the service process highlight color. The Services tab of the process properties dialog shows the list of services running within a process.

Highlight Jobs: on Windows 2000 and higher choose this option to have Process Explorer show processes that are part of a Win32 Job in the Job object highlight color. Jobs group processes together so that they can be managed as a single item and are used by the Runas command, for example. Use the Job tab of the process properties dialog to see the list of processes running in the same job as the selected process and to see job limits that have been applied to the job.

Highlight .NET Processes: this option appears on Windows NT-based systems that have the .NET Framework installed. When the option is checked managed applications (those that use the .NET Framework) are highlighted in the .NET process highlight color.

Highlight Own Processes: on Windows NT and higher checking this option results in Process Explorer showing in the own process highlight color the processes that are running in the same user account as Process Explorer.

Highlight Packed Images: malware, including viruses, spyware, and adware is often stored in a packed, encrypted form on disk in order to attempt to hide the code it contains from antispyware and antivirus. When this option is checked, processes whose images Process Explorer's packing heuristic identifies as probably packed are highlighted.

Show Fractional CPU: when this option is selected Process Explorer shows CPU usage to two decimal places. This can be useful to identify processes that would otherwise appear idle, but that are performing background processing.

Show New Processes: when enabled Process Explorer scrolls the Process view to bring new processes into view.

The Process Context Menu

When you have a process selected the items in the Process menu become active. You can access the same menu items by right-clicking on a process. The items enable you to do the following:

Bring to Front: select this option to bring any windows owned by the selected process to the foreground.

Set Priority: you can change the base priority of a process with this submenu. When you change the base priority of a process the system adjusts the priorities of threads within the process so that they remain at the same relative priority with respect to the new base priority.

Set Affinity: on systems with multiple CPUs this menu item lets you bind the threads of a process to particular CPUs.

Debug: choosing this menu item launches the debugger registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug with the selected process as the command line argument.

Launch Depends: if Process Explorer finds the Dependency Walker tool (see http://www.dependencywalker.com) it launches it with the selected process as the argument. The Dependency Walker tool shows static DLL dependencies.

Kill: this item terminates a process with the TerminateProcess API. Note that a process terminated in this way is not warned of its termination and therefore does not write unsaved data it may have.

Kill Process Tree: if the process pane is in the process tree sorting mode this menu item is available and allows you to kill a process and all of its descendants.

Suspend: if you want a process to become temporarily inactive, so that a system resource such as network, CPU or disk becomes available for other processes, you can suspend the process. Suspended processes show in a dark grey color. To resume a suspended process choose the Resume item from the process context menu.

Restart: when you select this item Process Explorer terminates the highlighted process and starts the same image using the same command line arguments. Note that the new instance may fail to run or behave differently if the original process ran in a different user account or had a different environment.

Properties: this selection opens a property dialog that shows you more information about a process.

Search Online: selecting this entry will result in Process Explorer launching the system's configured Internet browser and initiating an Internet search for the selected process's name.

Process Properties

You can view additional details for a process by double-clicking on it, or by selecting it and using the Process | Properties menu item or the properties toolbar button. On Windows 9x systems the dialog shows version information for the process image, the full path of the process image file, and the command line used to launch the process. On Windows NT and higher there are several tabs in the dialog, described below. Any dynamic data, such as performance information, updates at the refresh rate currently selected for Process Explorer. You can manually refresh dynamic information by typing F5 in a page.

Image:

This page shows version information extracted from the process's image file, the full path of the image file and the command line that launched the process. It also shows the current directory of the process, the user account in which the process is running, the name of the process's parent process, and the time at which the process started execution.

Process Explorer checks whether or not an image has been digitally signed by a certificate root authority trusted by the computer and displays the status of the check, which is either "Trusted" (signed), "Unsigned", or "Not Verified" (signature has not been checked). You can press the Verify button to have Process Explorer check the signature of an image that has not been verified. Note that the verification operation can result in Process Explorer contacting web sites to check for certificate validity. See the Verify Image Signatures option.

Enter a comment for a process in the Comment field. Comments are visible in the process view in the Comment column, or if you do not have the comment column selected, in the tooltip that displays when you hover the mouse over a process. Comments apply to all processes with the same path and are remembered from execution to execution.

On systems that support Data Execution Protection (DEP), Process Explorer shows the DEP status of the selected process as either "on" or "off". Software DEP is currently supported by Windows XP SP2 and higher on 32-bit x86 systems whereas hardware DEP is available only on 64-bit versions of Windows. You can also view DEP status by adding the corresponding DEP Status column to the process view.

Malware, including viruses, spyware, and adware is often stored in a packed, encrypted form on disk in order to attempt to hide the code it contains from antispyware and antivirus. Process Explorer uses a heuristic to determine if an image is packed and if it is changes the text above the full path display field to include "(Image is probably packed)".

Performance:

Memory and CPU performance data displays on this page, including physical and virtual memory, and CPU usage. The data refreshes at the same interval that the main display does.

Performance Graph:

A history of a process's CPU usage and its private bytes allocation shows in Task Manager-like graphs on this page. Red in the CPU usage graph indicates CPU usage in kernel mode whereas green is the sum of kernel mode and user mode execution. Private Bytes represents the amount of private virtual memory a process has allocated and is the value that will rise for a process exhibiting a memory leak bug. Note that while the System Information performance graphs update while Process Explorer is minimized to the tray, these graphs do not. The private bytes usage graphs are scaled against the peak amount of private bytes the process has allocated; if the peak grows the graphs recalculate their scales. In the I/O graph the blue line indicates total I/O traffic, which is the sum of all process I/O reads and writes, between refreshes and the pink line shows write traffic. The I/O graph is scaled against the peak I/O traffic the process has generated since the start of monitoring.

Moving the mouse over part of a graph results in the time of the corresponding data point being shown in the graph as a popup either on the far left or right.

Threads:

The list of the threads running in the process shows on this tab. The thread list shows start address information that's provided by the Windows symbol engine. If you want to see accurate names for start addresses then follow the directions for configuring symbols.

The Module button on the threads page launches Explorer's file properties dialog box for the image file that contains the start address of the currently selected thread. The Stack button shows the current stack of the selected thread. Stack information is unreliable unless symbol files are available for the process and DLLs referenced in the stack.

Use the Kill button to terminate a thread. Note that terminating a thread may lead to a crash or erratic behavior of the process.

Use the Suspend button to suspend a thread. Note that suspending threads may cause its process to stop executing.

TCP/IP:

Any active TCP and UDP endpoints owned by the process are shown on this page.

On Windows XP SP2 and higher this page includes a Stack button that opens a dialog that shows the stack of the thread that opened the selected endpoint at the time of the open. This is useful for identifying the purpose of endpoints in the System process and Svchost processes because the stack will include the name of the driver or service that is responsible for the endpoint.

Security:

Process Explorer reports the list of groups and privileges listed in the security token of the process on this page. Privileges shown in grey are disabled. The Permissions button opens a permissions editor that shows the access permissions assigned to the process.

Job:

This tab is present only for processes that are part of a Win32 Job. The Job page shows the list of processes that are part of the same job and the limits that are applied to the job.

.NET:

This tab is present only for managed processes, which are those that use the .NET Framework. The AppDomains present in the process show, as well as the available .NET performance counter objects. Select a .NET performance object to see the values of the object's counters. The counters update at the currently selected refresh interval and you can type F5 to manually refresh.

Services:

This tab is present only for processes that are executing Win32 services, and lists the services running within the process. Process Explorer shows a service's name and display name, and on Windows 2000 and higher, if available, the service's description. The Permissions button opens a permissions editor that shows the access permissions assigned to the service.

Environment:

The environment variables associated with the process show on this page.

Strings:

All printable strings of at least 3 characters in length display on this page. Image strings are read from the process image file on disk whereas Memory strings are read from the image's in-memory storage. Memory strings may be different from on-disk strings when an image decompresses or decrypts itself as it loads into memory.

The DLL View

The DLL Context Menu

The DLL view shows the image file, DLLs, and data files mapped into the address space of the selected process. When you click the properties toolbar button or select Properties from the DLL menu Process Explorer opens a properties dialog for the DLL or mapped file that contains two tabs:

Image:

This page shows version information extracted from the image file and the full path of the image file.

Process Explorer checks whether or not an image has been digitally signed by a certificate root authority trusted by the computer and displays the status of the check, which is either "Trusted" (signed), "Unsigned", or "Not Verified" (signature has not been checked). You can press the Verify button to have Process Explorer check the signature of an image that has not been verified. Note that the verification operation can result in Process Explorer contacting web sites to check for certificate validity. See the Verify Image Signatures option.

Malware, including viruses, spyware, and adware is often stored in a packed, encrypted form on disk in order to attempt to hide the code it contains from antispyware and antivirus. Process Explorer uses a heuristic to determine if an image is packed and if it is changes the text above the full path display field to include "(Image is probably packed)".

Strings:

All printable strings of at least 3 characters in length display on this page. Image strings are read from the process image file on disk whereas Memory strings are read from the image's in-memory storage. Memory strings may be different from on-disk strings when an image decompresses or decrypts itself as it loads into memory.

Highlight Relocated DLLs

When you select the Relocated DLLs entry in the Options | Configure Highlighting dialog any DLLs that are not loaded at their programmed base address show in yellow. DLLs that cannot load at their base address because other files are already mapped there are relocated by the loader, which consumes CPU and makes parts of the DLL that are modified as part of the relocation unsharable.

Search Online

Selecting this entry will result in Process Explorer launching the system's configured Internet browser and initiating an Internet search for the selected DLL's name.

The Handle View

The Handle Context Menu

Two items appear under the Handle menu or when you right-click to show the Handle context menu:

Close Handle: choose this item to force closed a handle. Use this at your own risk: because the process that owns the handle is not aware that its handle has been closed, using this feature can lead to a crash of the application or data corruption; closing a handle in the System process can lead to a system crash.
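The Relocated DLLs check described above (a module loaded somewhere other than its programmed base address) can be reproduced in PowerShell by reading each module's ImageBase from the PE optional header on disk and comparing it with the load address. This is an added example, not Sysinternals code; it assumes a PowerShell whose bitness matches the target process, and the function names are my own.

```powershell
# Added example (not from the Process Explorer help): list the modules a process
# has loaded away from their programmed base, which is what the Relocated DLLs
# highlight shows in yellow.  Helper names are my own; run with the same bitness
# as the target process so its module list can be read.

function Get-PreferredImageBase {
    # Read ImageBase from the PE optional header of an image file on disk.
    param([Parameter(Mandatory)][string]$Path)
    # Share ReadWrite so a DLL that is currently mapped can still be opened.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Position = 0x3C                               # IMAGE_DOS_HEADER.e_lfanew
        $peOffset = $br.ReadUInt32()
        $fs.Position = $peOffset
        if ($br.ReadUInt32() -ne 0x00004550) { throw "Not a PE image: $Path" }   # "PE\0\0"
        $optHeader = $peOffset + 4 + 20                   # skip signature and IMAGE_FILE_HEADER
        $fs.Position = $optHeader
        $magic = $br.ReadUInt16()                         # optional header Magic
        if ($magic -eq 0x10B) {                           # PE32: 4-byte ImageBase at offset 28
            $fs.Position = $optHeader + 28
            return [uint64]($br.ReadUInt32())
        }
        if ($magic -eq 0x20B) {                           # PE32+: 8-byte ImageBase at offset 24
            $fs.Position = $optHeader + 24
            return $br.ReadUInt64()
        }
        throw "Unknown optional header magic 0x$($magic.ToString('X')) in $Path"
    } finally { $fs.Dispose() }
}

function Get-RelocatedModule {
    # Emit one record per module whose actual base differs from its preferred base.
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId
    foreach ($m in $proc.Modules) {
        # Skip files we cannot open or that are not PE images (e.g. mapped data files).
        try { $preferred = Get-PreferredImageBase -Path $m.FileName } catch { continue }
        $actual = [uint64]($m.BaseAddress.ToInt64())
        if ($actual -ne $preferred) {
            [pscustomobject]@{
                Module        = $m.ModuleName
                PreferredBase = '0x{0:X}' -f $preferred
                ActualBase    = '0x{0:X}' -f $actual
                Path          = $m.FileName
            }
        }
    }
}

# Example: inspect the PowerShell host itself.
Get-RelocatedModule -ProcessId $PID | Format-Table -AutoSize
```

On Windows Vista and later ASLR assigns most system DLLs a randomised base once per boot, so nearly all of them report as relocated; the comparison is most telling for third-party DLLs, and on older systems for the base-address collisions the highlight was designed to expose.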

Properties: when you select this item Process Explorer opens a handle properties dialog that shows you the total number of handles open to the object, as well as kernel references to the object. It also shows information specific to the type of object you are viewing. For example, when you view the properties of a mutant object Process Explorer reports whether or not the mutant is held, and if so, by which thread.

The Security tab on the handle properties dialog shows the security that's applied to the object the handle references.

Show Unnamed Handles

By default, Process Explorer shows only handles to objects that have names. Select the Show Unnamed Handles item under the View menu to have Process Explorer list all the handles opened by a selected process, even those to objects that are nameless. Note that Process Explorer consumes significantly more CPU resource when this option is selected.

The Users Menu

On systems that include Terminal Services Process Explorer displays a Users menu that lists the currently connected sessions. Process Explorer creates a menu entry for each session whose name includes the session's session ID and the user logged into the session. Each entry opens a submenu that has options for disconnecting, logging off, and sending a message to the session's user. In addition, a Properties menu for each session entry opens a dialog box that lists detailed information about the session, including the IP address and name of the client connected to the session.

The contents of the Users menu are updated each time you open the menu to reflect current session information.

Searching

One of the common problems Process Explorer solves with ease is the question: what process has this file or directory open, or which processes have a particular DLL loaded?

You can perform a handle and DLL search by selecting Find | Find Handle or DLL or by typing Ctrl+F. Searches are case-insensitive substring searches of all of the handles opened and DLLs loaded on the system with the text you enter. Thus, to search for the process or processes that have c:\directory\somefile.txt open, enter enough text to make the search find only the results you are interested in, e.g. "somefile".

The search dialog populates with the list of results indexed by process. Select lines in the results to have Process Explorer select the reported process and DLL or handle, and double-click on a line to have it do the same and dismiss the Search dialog.
