Windows Server

Process Explorer (Replace built-in Task Manager)

This tool is similar to Task Manager, the tool built into Windows, but it offers more advanced functionality than the traditional Task Manager.

– It helps detect viruses and processes running in the background.

“Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.” (Microsoft)

The tool can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer. Extract the archive and run procexp.exe as shown below.

Accept the license agreement.

After clicking on Agree, this will launch the process explorer window.

When you click on options, you will find a list of functions that can be performed.

  • Verify image signature
  • Command kill
  • Replace built-in Task Manager etc.

Everything that can be done via Task Manager can be done here as well. You can click on a process as shown below and perform any of the following.

This can also be achieved by selecting a process, then:

  • On the top menu, click on Process and
  • Perform any desired task as shown in the image below

This can also be achieved by selecting the process itself and right clicking on it as shown below.

When you click on Properties for an application, a lot can be identified, as shown below, from tabs such as the following:

  • GPU Graph,
  • Threads,
  • TCP/IP,
  • Security,
  • Environment,
  • Strings,
  • Image,
  • Performance,
  • Performance graph and
  • Disk and network.

Under Image, you will find the process (program) path, the command line, the current directory and the associated registry key (location), as well as:

  • When the program started
  • The user that started the program, etc.

Here you can also use the embedded VirusTotal check, as shown below, by clicking on Submit. Sysinternals supports VirusTotal, which allows users to query VirusTotal for the files running on their PCs. For more information, see https://blog.malwarebytes.com/cybercrime/2014/01/process-explorer-now-including-virustotal-support/
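The two checks described above (the "Verify image signature" option and the VirusTotal hash lookup) can also be scripted for triage across a whole server. The following PowerShell is an added example, not code from the original post or from Sysinternals; it assumes Windows PowerShell 5.1 or later, and that you run it elevated so the image paths of processes owned by other accounts are readable.

```powershell
# Added example (not from the original post): a scripted equivalent of Process Explorer's
# "Verify Image Signatures" option and its VirusTotal hash check, for triaging the
# images behind running processes. Run elevated to see other users' process paths.

function Get-ProcessImageReport {
    [CmdletBinding()]
    param(
        # Signature statuses that count as trustworthy; everything else is flagged.
        [string[]]$TrustedStatus = @('Valid')
    )

    # One entry per distinct image path: many processes share the same binary.
    $images = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Group-Object -Property Path

    foreach ($group in $images) {
        $path = $group.Name

        # Authenticode check, the same kind of verification Process Explorer performs
        # when "Verify Image Signatures" is enabled.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        # SHA-256 of the image (assumption: chosen here because VirusTotal accepts
        # SHA-256 lookups; paste it into the VirusTotal search box to check the file).
        $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash

        [pscustomobject]@{
            Image     = Split-Path -Leaf $path
            Path      = $path
            PIDs      = ($group.Group.Id | Sort-Object) -join ','
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SigStatus = "$($sig.Status)"
            Flagged   = -not ($TrustedStatus -contains "$($sig.Status)")
            SHA256    = $hash
        }
    }
}

# Usage: show only images that are unsigned or fail verification, with the hash to look up.
Get-ProcessImageReport |
    Where-Object Flagged |
    Sort-Object Image |
    Format-Table Image, SigStatus, Signer, PIDs, SHA256 -AutoSize
```

Images reported as NotSigned or with a status other than Valid are the same ones Process Explorer would highlight, and the SHA256 column gives you the value to check on VirusTotal without submitting the file.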

Under Security, you will find a list of the GPOs applied to the user account, and its privileges.

Under Disk and Network, you can view the network I/O and disk I/O, etc., as shown below.

Under View, select Columns, as shown below, to choose which columns appear in the Process Explorer process view.

Now, on the Process Image tab, tick any of the columns you wish to appear in Process Explorer.

Note: the same can be done on the other tabs listed here, such as:

  • Process Disk
  • Process Network
  • Process GPU
  • DLL
  • .NET
  • Status Bar
  • Process I/O

For more on Process explorer, see https://techdirectarchive.com/2020/03/07/process-explorer/

For other SysInternal tool tours, see https://techdirectarchive.com/2020/01/25/windows-sysinternals-tools-psexec-and-auto-logon/
