Windows Troubleshooting Series – Part 2 – Process Explorer & Process Monitor

And here we are on the 2nd post: Introduction to Process Explorer and Process Monitor.

Before we start, repeat after me “When in doubt, run Procmon!”

Now that we’ve gotten the Russinovich mantra out of the way, let’s delve in!

The Sysinternals suite of tools is a collection of over 70 utilities that can be used to troubleshoot and diagnose a wide range of issues on a Windows system. In this blog post we’ll focus on Process Monitor and Process Explorer while Autoruns and Procdump will be covered in the next one.

Let’s start with a short instruction about these tools.

Process Explorer

Process Explorer is, as Mark Russinovich calls it, “Task Manager on Steroids”. It shows detailed information about all the running processes on the system, including resource utilisation (GPU, CPU, Memory, ecc…), Path, Signature, Threads and Stacks (though for a clear view of the stacks Symbols have to be configured and WinDBG installed. More on that later) and much more.

Let’s start with the main window:

As you can see Process Explorer presents columns detailing running processes on your system, including the parent/child relationships, CPU usage, memory data, PID, description, company name, certificate signature, and verification status. Additionally, you can see the path to the executable and color coding that identifies the process type and state, such as services, .NET processes, “Immersive” processes, suspended processes, processes running as the same user as Process Explorer, processes that are part of a job, and packed images. All of these columns are fully customizable to fit your needs:

You can get additional information about the process by putting the mouse cursor on top of it, and it even shows the services running within a svchost.exe instance:

On the top of the bar there is a menu with many different options, but the really interesting ones are these:

These allow you to configure Process Explorer to Run at Logon, Send the executable hashes to VirusTotal for verification (if you’re suspecting malware infection on the machine), Replacing Task Manager with Process Explorer (though I’ve had less than stellar success with that option on particularly problematic machines) and configure Symbols, which we’re going to look at further down in the article. You can also create a dump of a process for later analysis with tools like WinDBG:

Take the time to familiarize yourself with the different options, it will pay off in spades afterwards!

To see detailed information about a specific process double-click it (or right-click -> properties) and the following window will appear:

If you’re troubleshooting performance issues, the Performance

Performance Graph

Disk and Network