If you’ve been using Windows for a while, there’s a good chance you’ve had to use the built-in Task Manager at some point or another. Whether it’s to kill a frozen process, track down some nasty malware, or figure out what’s eating up all that memory, the Task Manager is an invaluable tool for any intermediate or advanced user. But for enthusiasts that want extra control, more information, and a host of extra features, there’s a more powerful alternative available: Microsoft’s free Process Explorer tool.
Process Explorer isn’t just a supercharged version of Task Manager with more insight and control over your system’s processes. It also includes the ability to sniff out viruses and identify when programs are clinging to software you want to delete.
Part of the Sysinternals suite of Windows tools (formerly “Winternals”), Process Explorer can be downloaded from TechNet a la carte or as part of the entire suite. If you plan on completely replacing the Task Manager with Process Explorer—and eventually you probably will—you should get the whole suite. More on that later. Here are just a few of the things you can do with Process Explorer.
When you first open Process Explorer, there’s a lot of information there and it can look overwhelming. Don’t panic! Here’s what everything is.
In the top half of the main window, you’ll see a list of processes. This shouldn’t be completely unfamiliar if you’ve used the Details tab in Task Manager (aka the Processes tab in Windows XP and earlier). It lists the process name, the process description, CPU and memory usage, and the company name of the software’s creator—something that’s very useful when you’re malware hunting. (Pro tip: Micronsoft is not a legitimate software manufacturer.) You can customize your columns to include more or less information by right-clicking on the column heading, just like any other program with sortable columns.
The processes are presented hierarchically, which means if a process spawns another process, the child process will be listed nested underneath the parent. If you’d prefer an alphabetical listing instead, just click the “process name” column heading. This list is constantly updating, but if you want to freeze it in time—say, to examine a process that appears and disappears quicker than you can click on it—you can hit the space bar to pause the updates.
There’s a lot more information here—the scrolling line charts at the top of the window, the color codes, the lower pane showing DLLs and handles—but for now let’s focus on the process list.
Killing a process tree
Many people have used Task Manager to end a misbehaving process at some time or another. This functionality exists in Process Explorer as well, where it’s called Kill Process when you right-click a process. Process Explorer does one better than the stock Windows Task Manager by giving you the option to kill the entire process tree. Right-click a process, then click Kill Process Tree; or select Process > Kill Process Tree; or just highlight your process and hit Shift-Del.
Why would you want to kill a whole process tree? Sometimes when a process stalls out, it’s not the real culprit. Instead, one of the child processes it has spawned is the actual bad seed (we’re looking at you, Chrome). Even when the original process is the true villain of the story, killing it can sometimes leave orphan processes behind that can’t do anything without their parent, but which suck up resources anyway. Killing the process tree solves both problems at once.
Finding out which process has a file locked
One of the most frustrating things that Windows users run into on a regular basis is trying to edit or delete a file only to get some variation of the old “This file is open in another program” or “This file is locked for editing” message. If you’re a multitasker and you have a dozen windows open, figuring out which one is locking down your target can be an exercise in wasting time. Process Explorer offers a solution.
Open Process Explorer, select a process, and hit Ctrl+H. That changes the lower pane to “Handle View.” This will show you every file, folder, subprocess and thread that the process has open. If you suspect you know what process is locking your file and want to confirm, this is where you do it.
But what if you don’t know which process is holding your file hostage? Are you supposed to go through every process in the list hunting for your file? You could, but there’s a much easier way: Click Find > Find Handle or DLL, or use the Ctrl+F keyboard shortcut. Just type your filename, and it’ll tell you which process is locking that file.
Is this a virus?
Process Explorer is especially useful if you’re hunting malware. For some really in-depth examples, you can always check out Mark Russinovich’s world-class “The Case Of…” series of blog posts and videos. But you don’t need to be a malware-busting pro like Russinovich to figure out whether a suspicious-looking process is a virus. Process Explorer uses VirusTotal, a Google project that checks questionable processes against the databases of all the major antivirus companies.
First, click the suspicious process, then go to Options > VirusTotal.com > Check VirusTotal.com. (The same path’s also available via the right-click menu.) If this is the very first time you’ve scanned a process, it will take you to the VirusTotal Terms of Service. Otherwise, it adds a VirusTotal column to Process Explorer.
This column shows the number of antivirus services that have flagged that particular process as a potential virus. For example, “7/59” means that 7 out of 59 total antivirus providers think that the process is potentially hazardous. The higher the number, the more likely it is that the process is actually malware. For more information, just click the numbers to open the VirusTotal website, where you can learn more.
Obviously, like any other antivirus measure, this isn’t foolproof, and you can get false positives. For example, Process Explorer itself is occasionally flagged as hazardous. Also, viruses may be too new to have been widely flagged, or they could be deploying any number of anti-antimalware techniques. Nevertheless, Process Explorer’s VirusTotal integration is a very good start.
Replacing Task Manager entirely
Once you get comfortable with it, you’ll discover that Process Explorer is better at managing tasks than Task Manager in almost every way, and you’ll never want to open Task Manager again. Process Explorer can help you out with that.
In the Options menu, you’ll see an item labelled Replace Task Manager. Select that, and every action that would normally have triggered Task Manager, whether you invoke it from the command prompt or select it from the Ctrl+Alt+Delete menu, launches Process Explorer instead. In Windows XP and earlier, that’s all you need to do—but in Windows 8 and 10, there’s a twist.
The Windows 8 and 10 versions of Task Manager don’t just manage processes. They also now handle startup items and service management, which were located in MSConfig in earlier versions of Windows. If you replace that version of Task Manager with Process Explorer, will you lose functionality? When it comes to services, no. The default Services app built into Windows (just type Services into your Start menu and you’ll find it) handles managing your services just fine.
But when it comes to startup items, yes—you will lose functionality. Process Explorer doesn’t handle those at all, so you’ll need another tool for that.
That’s why we recommend that you download the entire Sysinternals suite if you want to replace Task Manager altogether. There’s a utility in there called Autoruns that absolutely blows Task Manager’s startup-item functionality out of the water. How to use Autoruns is a subject for a different article, but you’ll want to extract that and keep it somewhere handy for when you want to give your startup a tune-up.
Most people will use Process Explorer for the features we’ve outlined here, but dig deeper and you’ll find even more power-user tools in its nooks and crannies. If you really want to get nitty-gritty, you can find more details in Process Explorer’s amazingly deep Help files.
Source: pcworld, Microsoft