They are created and destroyed regularly and return the information from the execution back to the main thread (the persistent one). Note: Threads are the “sub-processes” of the process, each dedicated to the execution of a specific action. The Strings (Printable strings found in the process image/executable or memory):Īnd the list of threads for that process: One that shows the environmental variables used by the process: There is also a tab that shows the current Network Connections: If you’re troubleshooting performance issues, the Performance To see detailed information about a specific process double-click it (or right-click -> properties) and the following window will appear: Take the time to familiarize yourself with the different options, it will pay off in spades afterwards! You can also create a dump of a process for later analysis with tools like WinDBG: These allow you to configure Process Explorer to Run at Logon, Send the executable hashes to VirusTotal for verification (if you’re suspecting malware infection on the machine), Replacing Task Manager with Process Explorer (though I’ve had less than stellar success with that option on particularly problematic machines) and configure Symbols, which we’re going to look at further down in the article. On the top of the bar there is a menu with many different options, but the really interesting ones are these: You can get additional information about the process by putting the mouse cursor on top of it, and it even shows the services running within a svchost.exe instance: All of these columns are fully customizable to fit your needs: NET processes, “Immersive” processes, suspended processes, processes running as the same user as Process Explorer, processes that are part of a job, and packed images. Additionally, you can see the path to the executable and color coding that identifies the process type and state, such as services. More on that later) and much more.Īs you can see Process Explorer presents columns detailing running processes on your system, including the parent/child relationships, CPU usage, memory data, PID, description, company name, certificate signature, and verification status. It shows detailed information about all the running processes on the system, including resource utilisation (GPU, CPU, Memory, ecc…), Path, Signature, Threads and Stacks (though for a clear view of the stacks Symbols have to be configured and WinDBG installed. Process Explorer is, as Mark Russinovich calls it, “Task Manager on Steroids”. Let’s start with a short instruction about these tools. In this blog post we’ll focus on Process Monitor and Process Explorer while Autoruns and Procdump will be covered in the next one. The Sysinternals suite of tools is a collection of over 70 utilities that can be used to troubleshoot and diagnose a wide range of issues on a Windows system. Now that we’ve gotten the Russinovich mantra out of the way, let’s delve in! And here we are on the 2nd post: Introduction to Process Explorer and Process Monitor.īefore we start, repeat after me “When in doubt, run Procmon!”
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |