When Microsoft acquired Sysinternals in 2006, one of the most famous tools it gained was Process Explorer. For Windows operating systems (OS), especially those up to and including Windows 7, Process Explorer is an excellent replacement for Task Manager. It offers a much clearer view of what is going on and has a lot more options. Besides the options the regular Task Manager has to offer, there are a few extra ones that are particularly interesting when you suspect your machine to be infected. We will discuss a few of these below.
Replace Task Manager
If you would like to replace Task Manager with Process Explorer, it offers an easy way to do this. On the Process Explorer window, under “Options” menu, you will find “Replace Task Manager”, which requires Administrator privileges. Using this will open Process Explorer with every call to taskmgr.exe, including the key combination “Ctrl-Alt-Del”.
Note: Some security programs may flag the intercepted calls done by Image File Execution Options (IFEO) as potentially unwanted.
Loaded DLLs and Handles
Another feature that often comes in handy when you are trying to figure out what’s going on is the option to check the DLLs and handles that are in use by a certain process. To use this option, you have to click the “View” menu and enable the “Show Lower Pane” first. Then you can chose between DLLs and handles.
You can also export the list for a process by selecting the process you are interested in, in the Upper Pane (processes) and clicking on the “Save” symbol in the upper left corner (or use Ctrl+S). A “Save As” dialog box will open and allow you to save the details as a text file. If you want a second opinion this can be very convenient. You can send the text file to the person helping you.
Note: The resulting text file will start with a list of the running processes followed by the list shown in the lower pane.
Identifying the process behind a window
Have you ever looked at an advertisement or Tech Support Scam (TSS) popup and wanted to know which process was responsible for it? Sometimes, these pop up as windows without title bars (if they do, they’re misleading). In a case like this, you can use the cross-hairs in the Process Explorer menu, as shown below:
Drag and drop the cross-hairs on the window you are curious about and in the Process Explorer list of running processes the process responsible for the window will be selected (showing in blue). You now have the name of the process and, in case there are more instances of that process, the Process Identification (PID) associated with it.
VirusTotal
VirusTotal is an online malware repository that allows the general public to analyze files (and URLs) and check if they are found to be malicious by contributing vendors. This is relevant because Process Explorer allows you to check your running processes and loaded DLLs on VirusTotal. To enable this option, click Options > VirusTotal.com > Check VirusTotal.com.
After you agree to the Terms of Service for VirusTotal, you should see a tick mark before that option and a new column showing the number of malware detections for each line, as shown below:
Where the 0 shows the number of detections and the number behind the backslash is how many scanners where queried.
Sometimes, you will see a detection like this:
By clicking the underlined VirusTotal score, you will be taken to the analysis page for that file. In this case, the page will show a false positive, which we have reported to the vendor.
If some processes are showing as “Unknown” in the VirusTotal column, it means that the file associated with the said process hasn’t been uploaded to VirusTotal yet. If you would like the unknown files to be submitted automatically you can enable this under Options > VirusTotal.com > Submit Unknown Executables.
Note: if Process Explorer is not running with Administrator privileges you will not get results on files that are run “as System”.
Summary
We gave you a short introduction to Process Explorer and showed you a few ways to use it when you are trying to identify a possible malware problem with your Windows system.
Links
Download site for latest version and some additional information: Sysinternals Process Explorer
List of Sysinternals Process Utilities
Pieter Arntz
