Using Process Explorer

Process Explorer Tutorial

This information was adapted from the help file for the program.

Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded.

The Process Explorer display consists of two sub-windows. The top always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window, which you can close, depends on the mode that Process Explorer is in: if it is in handle mode you will see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you will see the DLLs and memory-mapped files that the process has loaded.

Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL version problems or handle leaks, and provide insight into the way Windows and applications work.

You can obtain equivalent command-line tools, Handle and ListDLLs, at the Sysinternals Web site.

Process Explorer does not require administrative privileges to run and works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, Windows Vista, Windows Server 2008 and on the x64 version of 64-bit Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. Running without administrative rights does limit what it can see, however: the handles, DLLs and thread details of processes running in other accounts (services and other users' sessions) are only available to an elevated Process Explorer, so for incident response start it with administrative rights (see the /e command-line option under General Options).
The Main Window

Views
The Process Explorer window shows by default two panes: the upper pane is always a process list and the bottom either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open; the view mode determines which information is shown in the bottom pane. To switch the view, use the View | Lower Pane View menu item, the corresponding toolbar button (which toggles), or the Ctrl+D (DLL view) and Ctrl+H (handle view) accelerator keys.

If you are only interested in seeing the processes running on your system you can hide the lower pane by selecting View | Hide Lower Pane, the corresponding toolbar button, the Ctrl+L accelerator, or by dragging the pane divider to the bottom of the Process Explorer window. You can bring back the lower pane by selecting View | Show Lower Pane, typing Ctrl+L or selecting the toolbar button again.

Mini Graphs
Process Explorer includes a toolbar and mini graphs for CPU, memory, and, if on Windows 2000 or higher, I/O history, at the top of the main window. They can be resized with respect to one another or dragged such that each is on a separate row. The mini graphs show the history of system activity, and hovering the mouse over a point on a graph displays in a tooltip the associated time and the process information for that point in time. For example, the tooltip for the mini CPU graph shows the process that was the largest consumer of CPU. Clicking on any of the mini graphs opens the System Information dialog.
Refresh Rate and Difference Highlighting
Configure the rate at which Process Explorer refreshes its window by using the View | Update Speed menu item. You can refresh the view manually at any time with View | Refresh, the refresh toolbar button, or by pressing F5. Some checks, such as whether a process is part of a Job object or uses the .NET runtime, only occur during process startup. Press F5 to have Process Explorer recheck the status of all processes.

Process Explorer uses difference highlighting to help you see what items change between refreshes. Items, including processes, DLLs, and handles, that exit or are closed show in red and new items show in green. If the refresh rate is not paused the highlighting remains in effect for the interval specified by the Options | Difference Highlight Duration dialog, which has a default value of 1 second. If you pause the display the difference highlighting is in effect only until the next time you manually refresh. Note that a process which starts and exits between two refreshes is never displayed at all, so when hunting for short-lived processes (a dropper that spawns and exits, a scheduled task firing) use the fastest update speed or pause the display and step through refreshes with F5.
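The comparison behind difference highlighting, as an added example that is not Process Explorer's own code. The two process snapshots are constructed by hand; on a live system they would come from a process enumeration that records each process's start time. The point the example makes is that a process must be identified by (PID, start time), not by PID alone, because Windows reuses process IDs: a naive PID-only diff misses a new process that reused the PID of one that exited between refreshes.

```python
"""Difference highlighting between two refreshes.

Added example, not Process Explorer's code. Snapshots are constructed here.
Keying on (pid, start_time) is what makes PID reuse visible: pid 4120 below
belonged to notepad.exe in the first snapshot and to powershell.exe in the
second, which a pid-only comparison reports as "nothing changed".
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid start_time name")


def diff_snapshots(before, after):
    """Return (new, exited) processes, keyed on (pid, start_time)."""
    before_keys = {(p.pid, p.start_time): p for p in before}
    after_keys = {(p.pid, p.start_time): p for p in after}
    new = [after_keys[k] for k in after_keys if k not in before_keys]
    exited = [before_keys[k] for k in before_keys if k not in after_keys]
    return new, exited


def diff_by_pid(before, after):
    """The naive comparison, for contrast: it cannot see a reused pid."""
    b = {p.pid for p in before}
    a = {p.pid for p in after}
    return sorted(a - b), sorted(b - a)


def highlight(before, after):
    """Map each (pid, start_time) to the colour Process Explorer would use."""
    new, exited = diff_snapshots(before, after)
    colours = {}
    for p in after:
        colours[(p.pid, p.start_time)] = "green" if p in new else None
    for p in exited:
        colours[(p.pid, p.start_time)] = "red"   # shown once more, then dropped
    return colours


# Constructed sample snapshots (start_time is an opaque monotonic counter).
SNAPSHOT_1 = [
    Proc(4, 0, "System"),
    Proc(1234, 1000, "explorer.exe"),
    Proc(4120, 1500, "notepad.exe"),
]
SNAPSHOT_2 = [
    Proc(4, 0, "System"),
    Proc(1234, 1000, "explorer.exe"),
    Proc(4120, 1700, "powershell.exe"),   # same pid, new start time: a new process
    Proc(5000, 1710, "cmd.exe"),
]

if __name__ == "__main__":
    new, exited = diff_snapshots(SNAPSHOT_1, SNAPSHOT_2)
    print("new (green):", [p.name for p in new])
    print("exited (red):", [p.name for p in exited])
    print("pid-only diff sees:", diff_by_pid(SNAPSHOT_1, SNAPSHOT_2))
```

The same key is what the Image tab's parent/start-time information lets you verify by hand when a PID in a log no longer matches the process you expect.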
Opacity
You can make the Process Explorer window partially transparent so that windows beneath it show through, on systems that support it, by making a selection under the View | Opacity menu item.

Saving
When you choose File | Save, Process Explorer saves the contents of the Process pane and the lower pane, if it is showing, as a tab-delimited text file.

Shutting Down or Logging Off
Use the File | Shutdown menu items to shut down, reboot, lock or log off the system. When available, the menu also offers options for hibernating and suspending the system.

Run
Use this option to run other applications from Process Explorer using the standard Windows Run dialog.

Run as
This variant on the Run command allows you to enter alternate credentials for the launching application. Process Explorer leverages the same Windows functionality as the Windows Runas command to provide this support. The Run as menu item is not present on Windows 9x.

Run as Limited User
This variant on the Run command runs the application you specify in the same account as that of Process Explorer, but without administrative privileges or membership in the local Administrators group. This option restricts the exposure of your system to applications, such as Internet Explorer, that might be compromised through access of untrusted data. The application still runs as you and keeps your account's access to your own files and Registry hives; the option removes privilege rather than sandboxing the program.
Columns and Column Sets

Column Selection
The information Process Explorer displays in its main window is fully configurable. You can reorder columns by dragging them to their new position. To select which columns of data you want visible in each of the views and the status bar, choose View | Select Columns or right-click on a column header and use Select Columns from the resulting context menu. A column selection editor opens that lets you pick the columns you want to enable for the Process, DLL and handle panes, and the status bar.

Column Sets
You can save a column configuration and its associated sort settings by choosing View | Save Column Set. Process Explorer will prompt you to name the column set. You can load a saved column set by selecting it in the View | Load Column Set menu or by entering its associated accelerator keys. To reorder or rename existing column sets go to View | Organize Column Sets to open the column set organizer.

General Options

Command Line Usage: Process Explorer takes the following options that modify its behavior:

/e            Prompt for UAC elevation to restart with administrative rights if launched without administrative rights.
/s:<pid>      Select the process having the specified process ID after starting.
/t            Start Process Explorer minimized in the tray.
/p:[r|h|n|l]  Set Process Explorer's priority to realtime (r), high (h), normal (n), or low (l).

Always on Top: choose this option to have Process Explorer's window remain above other windows.

Replace Task Manager: select the Replace Task Manager entry under the Options menu to have Process Explorer execute instead of Task Manager when you launch Task Manager. Note that this is a global setting that affects all users regardless of how they start Task Manager. After replacing Task Manager the menu item renames to Restore Task Manager and selecting it removes Process Explorer's association. The association is recorded in the Registry under the Image File Execution Options key for taskmgr.exe (its Debugger value), the same mechanism attackers abuse to hijack executables, so expect it to be reported by integrity and persistence checks, and restore Task Manager before removing Process Explorer from the system.

Hide When Minimized: check this item in the Options menu to have Process Explorer run in the tray as a small graph reflecting current CPU usage when you minimize it. If CPU usage is under 70% the meter shows in green; if it is between 70% and 90% it shows in yellow; if it is above 90% it shows in red. The CPU usage graph updates at the currently defined refresh interval. If you want Process Explorer to start in the tray then specify the /t option as its command-line argument. Single-clicking on Process Explorer's tray icon restores the window and brings it to the foreground, regardless of whether it is minimized in the tray or not.

Allow Only One Instance: check this to prevent multiple instances of Process Explorer from running simultaneously.

Confirm Kill: uncheck this if you do not want Process Explorer to prompt you for confirmation before terminating a process you've directed it to kill.

CPU History in Tray: this option toggles Process Explorer's tray icon between a standard chart representation of the current CPU usage and a miniature version of the CPU history graph.

Verify Image Signatures: if this is checked then the images corresponding to processes are checked for trusted signatures automatically when you view a process's properties, and the result is shown next to the Company field in the process properties dialog. "(Verified)" next to a company name means the file is signed with a certificate that chains to a root certificate authority trusted by the computer, and "(Unable to Verify)" means the file is either unsigned or signed by an untrusted authority. Uncheck this option to speed performance when viewing process image properties. Keep in mind what the check proves: a verified signature establishes who published the file and that the file on disk has not been modified since it was signed, not that it is benign (signed malware and signed tools with exploitable bugs both exist), and it says nothing about code injected into the process after it started.

Configure Symbols: on Windows NT and higher, if you want Process Explorer to resolve addresses for thread start addresses in the Threads tab of the process properties dialog and the thread stack window, then configure symbols by first downloading the Debugging Tools for Windows package from Microsoft's web site and installing it in its default directory. Open the Configure Symbols dialog and specify the path to the dbghelp.dll that's in the Debugging Tools directory, and have the symbol engine download symbols on demand from Microsoft to a directory on your disk by entering a symbol server string for the symbol path. For example, to have symbols download to the c:\symbols directory you would enter this string:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Difference Highlight Duration: this dialog allows you to configure the duration of time that new processes show in green and ones that have exited show in red. The default is one second. You can change the highlighting colors by editing them in the Configure Highlighting dialog that you open in the Options menu.
System Information

On Windows NT and higher the System Information entry in the View menu and typing Ctrl+I opens a dialog box that shows global system performance metrics like those shown in Task Manager. The information includes the amount of committed and available virtual and physical memory as well as paged and nonpaged kernel buffer usage.

Graphs show the CPU usage history of the system as well as the committed virtual memory usage, and on Windows 2000 or higher systems an I/O graph shows I/O throughput history. Red in the CPU usage graph indicates CPU usage in kernel mode whereas green is the sum of kernel-mode and user-mode execution. When committed virtual memory, which Task Manager labels in its graphs on Windows 2000 and higher as "PF Usage" and on NT 4 as "Mem Usage", reaches the system Commit Limit, applications and the system become unstable. The Commit Limit is the sum of most of physical memory and the sizes of any paging files. In the I/O graph the blue line indicates total I/O traffic, which is the sum of all process I/O reads and writes, between refreshes and the pink line shows write traffic.

When you move the mouse over the CPU graph a popup displays either on the far left or right of the graph that shows the CPU usage and name of the process that had the largest contribution to CPU usage at the corresponding point in time, as well as the time of the point. Similarly, timestamp information for a point is shown in the Commit graph. Finally, on the I/O graph the tooltip shows the process performing the most I/O at the time of the point, including the amount of data it read and wrote. The popups update as data moves under the mouse, but you can freeze a popup by right-clicking and then move the mouse to unfreeze the popup.

On systems with multiple CPUs the System Information dialog includes a Show one graph per CPU checkbox. Checking it switches the display into a per-processor view. Hyperthreaded (SMT) processors sharing the same core and NUMA processors sharing the same node are grouped together, and the mouse tooltip shown when hovering over a graph displays the processor and core or node numbers. Note that the mouse tooltips for a processor graph show the name of the process that consumed the most CPU on the entire system at the associated time, not the process that consumed the most CPU on the particular CPU.
The Process View

Sorting and the Process Tree
By default Process Explorer sorts processes into the system process tree. The process tree reflects the parent-child relationship between processes, where child processes are shown directly beneath their parent and right-indented. Processes that are left-justified are orphans; their parent has exited. Because Windows records only the parent's process ID, and process IDs are reused, Process Explorer also compares start times: a process whose recorded parent ID now belongs to a process that started after it is treated as an orphan too. To change the sort order simply click on the column by which you wish to sort. To return the sort to the process tree select View | Show Process Tree, click the process tree toolbar button, or type Ctrl+T.
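Building that tree from a snapshot, as an added example rather than Process Explorer's own code. The snapshot is constructed inline; on a live system each entry would come from a process enumeration that records the PID, parent PID and start time. A parent link is accepted only when a process with that PID exists and started before the child; everything else becomes an orphan (left-justified), which is also how a parent-child anomaly such as a process launched by a long-gone PID shows up.

```python
"""Process tree with parent validation, in the style of the tree view.

Added example, not Process Explorer's code. Windows stores only the parent's
pid with each process, and pids are reused, so a parent is trusted only if it
exists and started before its child. Snapshot is constructed below.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid start_time name")


def real_parent(proc, by_pid):
    """Return the parent Proc, or None if it exited or its pid was reused."""
    parent = by_pid.get(proc.ppid)
    if parent is None or parent.start_time > proc.start_time:
        return None
    return parent


def build_tree(snapshot):
    """Return ({pid: [child Procs]}, [orphan Procs]) for the snapshot."""
    by_pid = {p.pid: p for p in snapshot}
    children = {p.pid: [] for p in snapshot}
    orphans = []
    for p in snapshot:
        parent = real_parent(p, by_pid)
        if parent is None:
            orphans.append(p)
        else:
            children[parent.pid].append(p)
    return children, orphans


def render(snapshot):
    """Indented listing: orphans at the left margin, children indented."""
    children, orphans = build_tree(snapshot)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p.name} ({p.pid})")
        for c in sorted(children[p.pid], key=lambda c: c.start_time):
            walk(c, depth + 1)

    for p in sorted(orphans, key=lambda p: p.start_time):
        walk(p, 0)
    return lines


# Constructed sample. A process with pid 2200 launched cmd.exe and exited;
# pid 2200 was later reused by notepad.exe, which started after cmd.exe.
SNAPSHOT = [
    Proc(4,    0,    0,   "System"),
    Proc(600,  4,    50,  "wininit.exe"),
    Proc(1000, 600,  100, "services.exe"),
    Proc(1400, 1000, 120, "svchost.exe"),
    Proc(1234, 900,  300, "explorer.exe"),   # parent pid 900 has exited
    Proc(3000, 1234, 400, "calc.exe"),
    Proc(3100, 2200, 500, "cmd.exe"),        # parent pid 2200 was reused
    Proc(2200, 1234, 900, "notepad.exe"),    # the reuser: started later
]

if __name__ == "__main__":
    print("\n".join(render(SNAPSHOT)))
```

In the rendered tree cmd.exe sits at the left margin rather than under notepad.exe, exactly the case where trusting the parent PID alone would draw a misleading tree.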
Interrupts and DPCs
On Windows NT-based systems Process Explorer shows two artificial processes: Interrupts and DPCs. These processes reflect the amount of time the system spends servicing hardware interrupts and Deferred Procedure Calls (DPCs), respectively. High CPU consumption by these activities can indicate a hardware problem or device driver bug. To see the total number of interrupts and DPCs executed since the system booted, add the Context Switch column. Another sometimes useful metric is the number of interrupts and DPCs generated per refresh interval, which you see when you add the CSwitches Delta column.

Find Window's Process
You can highlight the process that owns a window visible on the desktop by dragging the target-like toolbar button over the window in question. Process Explorer will select the owning process entry in the process view.

Process View Options
Several items in the Options and View menus affect the way processes display:

Configure Highlighting: select this menu item under the Options menu to open a dialog box that allows you to configure the highlight colors used in the Process view and the DLL view.

Highlight Services: on Windows NT and higher this option has Process Explorer show processes that are running Win32 services in the service process highlight color. The Services tab of the process properties dialog shows the list of services running within a process.

Highlight Jobs: on Windows 2000 and higher choose this option to have Process Explorer show processes that are part of a Win32 Job in the Job object highlight color. Jobs group processes together so that they can be managed as a single item and are used by the Runas command, for example. Use the Job tab of the process properties dialog to see the list of processes running in the same job as the selected process and to see job limits that have been applied to the job.

Highlight .NET Processes: this option appears on Windows NT-based systems that have the .NET Framework installed. When the option is checked managed applications (those that use the .NET Framework) are highlighted in the .NET process highlight color.

Highlight Own Processes: on Windows NT and higher checking this option results in Process Explorer showing in the own process highlight color the processes that are running in the same user account as Process Explorer.

Highlight Packed Images: malware, including viruses, spyware, and adware, is often stored in a packed, encrypted form on disk in order to hide the code it contains from anti-spyware and antivirus. When this option is checked, processes whose image Process Explorer's packing heuristic judges to be probably packed are shown in the packed image highlight color. Treat the color as a prompt to look closer rather than a verdict: legitimate software that is compressed or copy-protected trips the heuristic as well, and malware that is not packed is not highlighted.

Show Fractional CPU: when this option is selected Process Explorer shows CPU usage to two decimal places. This can be useful to identify processes that would otherwise appear idle, but that are performing background processing.

Show New Processes: when enabled Process Explorer scrolls the Process view to bring new processes into view.
The Process Context Menu
When you have a process selected the items in the Process menu become active. You can access the same menu items by right-clicking on a process. The items enable you to do the following:

Bring to Front: select this option to bring any windows owned by the selected process to the foreground.

Set Priority: you can change the base priority of a process with this submenu. When you change the base priority of a process the system adjusts the priorities of threads within the process so that they remain at the same relative priority with respect to the new base priority.

Set Affinity: on systems with multiple CPUs this menu item lets you bind the threads of a process to particular CPUs.

Debug: choosing this menu item launches the debugger registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug with the selected process as the command-line argument.

Launch Depends: if Process Explorer finds the Dependency Walker tool (see http://www.dependencywalker.com), this item launches it with the selected process's image as the argument. The Dependency Walker tool shows static DLL dependencies.

Kill: this item terminates a process with the TerminateProcess API. Note that a process terminated in this way is not warned of its termination and therefore does not write unsaved data it may have.

Kill Process Tree: if the process pane is in the process tree sorting mode this menu item is available and allows you to kill a process and all of its descendants.

Suspend: if you want a process to become temporarily inactive, so that a system resource such as network, CPU or disk becomes available for other processes, you can suspend the process. Suspended processes show in a dark grey color. To resume a suspended process choose the Resume item from the process context menu. Suspend is also the right first move on a suspicious process during incident response: it stops the process from acting further while its memory, handles, strings and TCP/IP endpoints stay available for inspection, whereas Kill destroys that evidence.

Restart: when you select this item Process Explorer terminates the highlighted process and starts the same image using the same command-line arguments. Note that the new instance may fail to run or behave differently if the original process ran in a different user account or had a different environment.

Properties: this selection opens a property dialog that shows you more information about a process.

Search Online: selecting this entry will result in Process Explorer launching the system's configured Internet browser and initiating an Internet search for the selected process's name.
Process Properties
You can view additional details for a process by double-clicking on it, or by selecting it and using the Process | Properties menu item or the properties toolbar button. On Windows 9x systems the dialog shows version information for the process image, the full path of the process image file, and the command line used to launch the process. On Windows NT and higher there are several tabs in the dialog, described below. Any dynamic data, such as performance information, updates at the refresh rate currently selected for Process Explorer. You can manually refresh dynamic information by typing F5 in a page.

Image:
This page shows version information extracted from the process's image file, the full path of the image file and the command line that launched the process. It also shows the current directory of the process, the user account in which the process is running, the name of the process's parent process, and the time at which the process started execution.

Process Explorer checks whether or not an image has been digitally signed with a certificate chaining to a root authority trusted by the computer and displays the status of the check, which is either "Trusted" (signed), "Unsigned", or "Not Verified" (signature has not been checked). You can press the Verify button to have Process Explorer check the signature of an image that has not been verified. Note that the verification operation can result in Process Explorer contacting web sites to check for certificate validity, which you may not want on an isolated analysis system. See the Verify Image Signatures option.

Enter a comment for a process in the Comment field. Comments are visible in the process view in the Comment column, or if you do not have the Comment column selected, in the tooltip that displays when you hover the mouse over a process. Comments apply to all processes with the same path and are remembered from execution to execution.

On systems that support Data Execution Prevention (DEP), Process Explorer shows the DEP status of the selected process as either "on" or "off". Hardware-enforced DEP, which lets the processor refuse to execute code from pages marked as data, requires an NX-capable processor; on 32-bit x86 systems it also requires the PAE kernel, while 64-bit versions of Windows always have it available. Software-enforced DEP, available from Windows XP SP2 onward, only validates exception-handler dispatching and does not stop execution from data pages. A process showing DEP "off" while it parses untrusted input (a browser, a document viewer) is worth noting, since a stack or heap overflow in it can run injected shellcode directly. You can also view DEP status by adding the corresponding DEP Status column to the process view.

Malware, including viruses, spyware, and adware, is often stored in a packed, encrypted form on disk in order to hide the code it contains from anti-spyware and antivirus. Process Explorer uses a heuristic to determine if an image is packed and, if it is, changes the text above the full path display field to include "(Image is probably packed)".
Performance:
Memory and CPU performance data displays on this page, including physical and virtual memory, and CPU usage. The data refreshes at the same interval that the main display does.

Performance Graph:
A history of a process's CPU usage and its private bytes allocation shows as Task Manager-like graphs on this page. Red in the CPU usage graph indicates CPU usage in kernel mode whereas green is the sum of kernel-mode and user-mode execution. Private Bytes represents the amount of private virtual memory a process has allocated and is the value that will rise for a process exhibiting a memory leak bug. Note that while the System Information performance graphs update while Process Explorer is minimized to the tray, these graphs do not. The private bytes usage graphs are scaled against the peak amount of private bytes the process has allocated; if the peak grows the graphs recalculate their scales. In the I/O graph the blue line indicates total I/O traffic, which is the sum of all process I/O reads and writes, between refreshes and the pink line shows write traffic. The I/O graph is scaled against the peak I/O traffic the process has generated since the start of monitoring.

Moving the mouse over part of a graph results in the time of the corresponding data point being shown in the graph as a popup either on the far left or right.

Threads:
The list of the threads running in the process shows on this tab. The thread list shows start address information that's provided by the Windows symbol engine. If you want to see accurate names for start addresses then follow the directions for configuring symbols. A thread whose start address does not resolve to a loaded module (it shows as a bare address instead of module!function) is a common sign of code injected into the process and deserves a look at its stack.

The Module button on the Threads page launches Explorer's file properties dialog box for the image file that contains the start address of the currently selected thread. The Stack button shows the current stack of the selected thread. Stack information is unreliable unless symbol files are available for the process and the DLLs referenced in the stack.

Use the Kill button to terminate a thread. Note that terminating a thread may lead to a crash or erratic behavior of the process.

Use the Suspend button to suspend a thread. Note that suspending a thread may cause its process to stop responding.

TCP/IP:
Any active TCP and UDP endpoints owned by the process are shown on this page. On Windows XP SP2 and higher this page includes a Stack button that opens a dialog that shows the stack of the thread that opened the selected endpoint at the time of the open. This is useful for identifying the purpose of endpoints in the System process and Svchost processes, because the stack will include the name of the driver or service that is responsible for the endpoint.

Security:
Process Explorer reports the list of groups and privileges listed in the security token of the process on this page. Privileges shown in grey are disabled. A disabled privilege is still present in the token, and the process can enable it at any time with AdjustTokenPrivileges, so when judging what a process could do look at which privileges are listed, not only at which are enabled; SeDebugPrivilege, SeTcbPrivilege, SeImpersonatePrivilege, SeLoadDriverPrivilege and SeBackupPrivilege are the ones that most often matter. The Permissions button opens a permissions editor that shows the access permissions assigned to the process object.

Job:
This tab is present only for processes that are part of a Win32 Job. The Job page shows the list of processes that are part of the same job and the limits that are applied to the job.

.NET:
This tab is present only for managed processes, which are those that use the .NET Framework. The AppDomains present in the process show, as well as the available .NET performance counter objects. Select a .NET performance object to see the values of the object's counters. The counters update at the currently selected refresh interval and you can type F5 to manually refresh.

Services:
This tab is present only for processes that are executing Win32 services, and lists the services running within the process. Process Explorer shows a service's name and display name, and on Windows 2000 and higher, if available, the service's description. The Permissions button opens a permissions editor that shows the access permissions assigned to the service.

Environment:
The environment variables associated with the process show on this page.

Strings:
All printable strings of at least 3 characters in length display on this page. Image strings are read from the process image file on disk whereas Memory strings are read from the image's in-memory storage. Memory strings may differ from on-disk strings when an image decompresses or decrypts itself as it loads into memory; comparing the two views is the quickest way to see what a packed image really contains (command lines, URLs, host names, file paths).
The DLL View

The DLL Context Menu
The DLL view shows the image file, DLLs, and data files mapped into the address space of the selected process. When you click the properties toolbar button or select Properties from the DLL menu, Process Explorer opens a properties dialog for the DLL or mapped file that contains two tabs:

Image:
This page shows version information extracted from the image file and the full path of the image file.

Process Explorer checks whether or not an image has been digitally signed with a certificate chaining to a root authority trusted by the computer and displays the status of the check, which is either "Trusted" (signed), "Unsigned", or "Not Verified" (signature has not been checked). You can press the Verify button to have Process Explorer check the signature of an image that has not been verified. Note that the verification operation can result in Process Explorer contacting web sites to check for certificate validity. See the Verify Image Signatures option.

Malware, including viruses, spyware, and adware, is often stored in a packed, encrypted form on disk in order to hide the code it contains from anti-spyware and antivirus. Process Explorer uses a heuristic to determine if an image is packed and, if it is, changes the text above the full path display field to include "(Image is probably packed)".
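The page does not describe the heuristic Process Explorer uses, so the following is an added example of the common entropy-based approach rather than Process Explorer's own code; it applies equally to the process Image tab and to this DLL Image tab. Packed or encrypted code is statistically close to random, so its Shannon entropy approaches 8 bits per byte, while ordinary machine code and text sit well below that. The sample buffers are constructed inline and stand in for PE sections; the 7.0 bits/byte threshold is a rule of thumb, not a Process Explorer setting.

```python
"""Entropy-based "image is probably packed" heuristic.

Added example, not Process Explorer's heuristic. Score each PE section (the
code section in particular) rather than the whole file, because headers,
resources and relocations dilute the result. Samples are constructed below.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def probably_packed(data: bytes, threshold: float = 7.0) -> bool:
    """True when entropy reaches the threshold (7.0 is a widely used rule of thumb).

    Heuristic, not proof: compressed resources or embedded certificates in a
    clean binary raise entropy too, and a packer that pads its output with
    low-entropy filler can stay under the line.
    """
    return shannon_entropy(data) >= threshold


def score_sections(sections: dict) -> dict:
    """Score several named sections at once: name -> (bits per byte, flagged)."""
    return {name: (round(shannon_entropy(blob), 2), probably_packed(blob))
            for name, blob in sections.items()}


def pseudo_random(n: int, seed: bytes = b"packed-section") -> bytes:
    """Deterministic stand-in for encrypted code: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples: a plain code section made of repetitive x86 function
# prologues plus a string table, and an encrypted section of the same size.
PLAIN_TEXT = bytes.fromhex("5589e583ec10c745fc00000000") * 200 + b"Hello, world!\0" * 100
PACKED_TEXT = pseudo_random(len(PLAIN_TEXT))

if __name__ == "__main__":
    scores = score_sections({".text": PLAIN_TEXT, "UPX1": PACKED_TEXT})
    for name, (bits, flagged) in scores.items():
        note = "(Image is probably packed)" if flagged else ""
        print(f"{name:6s} {bits:.2f} bits/byte {note}")
```

Real packers also leave other marks worth checking alongside entropy: section names such as UPX0/UPX1, a tiny import table, and a code section that is writable as well as executable.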
Strings:
All printable strings of at least 3 characters in length display on this page. Image strings are read from the image file on disk whereas Memory strings are read from the image's in-memory storage. Memory strings may differ from on-disk strings when an image decompresses or decrypts itself as it loads into memory.
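How the Strings tab's two views come to differ, as an added example that is not Process Explorer's code and serves both the process and the DLL properties dialogs. It reports every printable run of at least 3 characters, looking for ASCII and for UTF-16LE (the encoding Windows uses internally, which a plain byte scan misses). The "on disk" and "in memory" buffers are constructed inline: a stub whose payload is XOR-obfuscated in the file and decoded in place at load time, so its command line and URL appear only in the Memory view.

```python
"""Printable-string extraction, ASCII and UTF-16LE, minimum 3 characters.

Added example, not Process Explorer's code. The XOR key 0xAA is chosen so
that every obfuscated byte falls outside the printable range; a key with the
high bit clear would leave printable garbage on disk, which is itself a
tell-tale sign of weak obfuscation. Sample buffers are constructed below.
"""
import re

MIN_LEN = 3


def strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for each printable run, ordered by offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def only_in_memory(disk: bytes, memory: bytes):
    """Strings present in the in-memory image but absent from the file on disk."""
    on_disk = {s for _, _, s in strings(disk)}
    return [s for _, _, s in strings(memory) if s not in on_disk]


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed sample image. The "\0\0" after the ASCII string keeps the
# UTF-16 scanner from gluing its last byte onto the wide string that follows.
PAYLOAD = (b"cmd.exe /c whoami\0\0"
           + "http://example.invalid/c2".encode("utf-16le") + b"\0\0")
STUB = b"MZ\x90\x00" + b"UnpackStub v1.0\0"
ON_DISK = STUB + xor(PAYLOAD, 0xAA)     # what the Image strings view sees
IN_MEMORY = STUB + PAYLOAD              # what the Memory strings view sees

if __name__ == "__main__":
    for off, enc, s in strings(ON_DISK):
        print(f"disk   {off:5d} {enc:8s} {s}")
    for off, enc, s in strings(IN_MEMORY):
        print(f"memory {off:5d} {enc:8s} {s}")
    print("memory only:", only_in_memory(ON_DISK, IN_MEMORY))
```

The minimum length of 3 matches the page; raising it to 6 or more cuts the noise from random byte runs that happen to be printable, at the cost of short tokens such as "cmd".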
Highlight Relocated DLLs
When you select the Relocated DLLs entry in the Options | Configure Highlighting dialog, any DLLs that are not loaded at their programmed base address show in yellow. DLLs that cannot load at their base address because other files are already mapped there are relocated by the loader, which consumes CPU and makes the parts of the DLL that are modified as part of the relocation unsharable.

Search Online
Selecting this entry will result in Process Explorer launching the system's configured Internet browser and initiating an Internet search for the selected DLL's name.

The Handle View

The Handle Context Menu
Two items appear under the Handle menu or when you right-click to show the Handle context menu:

Close Handle: choose this item to force a handle closed. Use this at your own risk: because the process that owns the handle is not aware that its handle has been closed, using this feature can lead to a crash of the application or data corruption, and closing a handle in the System process can lead to a system crash. Its legitimate uses are narrow, for example releasing a file that a hung process holds open.

Properties: when you select this item Process Explorer opens a handle properties dialog that shows you the total number of handles open to the object, as well as kernel references to the object. It also shows information specific to the type of object you are viewing. For example, when you view the properties of a mutant object Process Explorer reports whether or not the mutant is held, and if so, by which thread.

The Security tab on the handle properties dialog shows the security that's applied to the object the handle references.

Show Unnamed Handles
By default, Process Explorer shows only handles to objects that have names. Select the Show Unnamed Handles item under the View menu to have Process Explorer list all the handles opened by a selected process, even those to objects that are nameless. Note that Process Explorer consumes significantly more CPU resource when this option is selected.

The Users Menu
On systems that include Terminal Services, Process Explorer displays a Users menu that lists the currently connected sessions. Process Explorer creates a menu entry for each session whose name includes the session's session ID and the user logged into the session. Each entry opens a submenu that has options for disconnecting, logging off, and sending a message to the session's user. In addition, a Properties menu for each session entry opens a dialog box that lists detailed information about the session, including the IP address and name of the client connected to the session.

The contents of the Users menu are updated each time you open the menu to reflect current session information.
Searching
One of the common problems Process Explorer solves with ease is the question: what process has this file or directory open, or which processes have a particular DLL loaded?

You can perform a handle and DLL search by selecting Find | Find Handle or DLL or by typing Ctrl+F. Searches are case-insensitive substring searches of all of the handles opened and DLLs loaded on the system with the text you enter. Thus, to search for the process or processes that have c:\directory\somefile.txt open, enter enough text to make the search find only the results you are interested in, e.g. "somefile".

The search dialog populates with the list of results indexed by process. Select lines in the results to have Process Explorer select the reported process and DLL or handle, and double-click on a line to have it do the same and dismiss the Search dialog.
