How Process Explorer Can Help IT Professionals Find Malware and Viruses

Process Explorer (originally a Winternals/Sysinternals tool, later acquired by Microsoft and published under the Windows Sysinternals name) is a free Windows task manager that shows far more detail than the built-in tool. It can quickly help diagnose malware-related problems or excessive CPU utilization.

The top window displays a real-time list of processes with their characteristics, such as description, the company that published the software, and memory usage data. The lower pane shows the handles and DLLs opened by the selected process.

Searching for a Process

Microsoft's built-in Task Manager is an essential part of Windows for basic tasks, like killing frozen processes or finding out what is eating up all the memory. For power users or tech enthusiasts who want more advanced features to detect malware or decipher mysterious processes, Microsoft's free Process Explorer offers a much richer set of tools for hunting them down.

The tool provides a real-time view of processes and their modules, showing what each is up to at any moment. The display also includes live CPU and memory usage charts as well as the software company names; IT professionals can choose which information to display and sort the data by any column.

Double-clicking a process opens a "Process Properties" window with more detailed information, including its command line arguments and security attributes. If you need to track down an individual handle or module, choose "Find Handle or DLL" from the Find menu and enter its name in the search box; the result is a list of every process that has that handle open or that DLL loaded.

Process Explorer also lets you change the priority the system assigns to a process, which is extremely valuable for troubleshooting and performance monitoring. Keep in mind that such changes may take some time to take effect: if you set an application to low priority, the system may still be executing its code even though its priority has changed, which can lead to errors or instability along its execution path.

Process Explorer stands out as an invaluable resource for IT pros because it can identify suspicious processes as malware by comparing them against antivirus databases. Its integration with VirusTotal, the Google-owned service that checks files against the databases of the major antivirus companies, makes this identification even simpler: you can add a column to the Process Explorer view that shows how many antivirus engines have flagged each process as potentially malicious.

Customizing the Display

Process Explorer may seem intimidating at first, but IT professionals can adapt its display to their needs. The top window lists processes in real time with their descriptions, CPU and memory usage statistics, software company names and other useful details, organized hierarchically with parent processes above their children; you can select which columns are displayed and sort the list by any of them.

The bottom window of Process Explorer shows a detailed view of the selected process that changes with the mode Process Explorer is in; for instance, it can show which handles and DLLs a process has opened or loaded, an invaluable resource when diagnosing a problem such as a DLL version conflict.

Bottom Window Performance Graphs

Additionally, Process Explorer includes performance graphs that display both CPU usage and private bytes allocation for the selected process. Because they are scaled against the peak private virtual memory the process has allocated, they help identify processor bottlenecks and memory leaks, and they climb visibly when an application uses more memory than anticipated. These graphs do not update while the Process Explorer window is minimized to the tray.

IT professionals investigating a malware infestation can also use the bottom window as a useful resource. If the selected process is a service, its Services tab shows the service name and description reported by the Win32 service (on Windows 2000 or later); clicking Permissions opens a dialog for reviewing which permissions have been granted to it.

For those not concerned with malware detection, the bottom window can be used to quickly find the processes consuming the most resources or to check which applications are running on a computer. If an application crashes or slows down unexpectedly, use the right-click menu to kill that process, but be careful: killing the wrong process can lead to system instability or crash the system altogether.

Identifying a Locked File

When trying to delete, rename, or move a file on Windows, a message may appear stating that the action cannot be completed because the file is "busy", "locked", or "in use by another program". Most often the problem is quickly resolved by finding out which application is holding the file and closing it; sometimes, however, the lock is held by a system process, which makes freeing the file much harder.

Process Explorer can help identify the locking process through its search icon (the binoculars at the top of the program window). Enter all or part of the name of the file you suspect is locked and press Enter; Process Explorer lists every process holding an open handle to a matching file, along with details such as the process name, its PID, and where it resides on your computer.

Once you know which process has your file locked, use Process Explorer to kill it or to shut down its entire process tree. You can also bring its associated window to the front, set its CPU affinity or priority relative to the other processes it runs alongside, and look up its name online.

Process Explorer is a free task manager and system monitor with more features than the built-in Microsoft Task Manager. Part of the Sysinternals tools for Windows (now rebranded as Windows Sysinternals), Process Explorer can be downloaded from Microsoft's TechNet website either individually or as part of the full suite.

Process Explorer can enable an optional VirusTotal check that submits the hashes of running files to VirusTotal's antivirus engines and reports which of them flag the file as malware. The feature is entirely discretionary, but enabling it in a corporate environment can prove useful when working with potentially dangerous programs. An optional lower pane listing the handles and DLLs associated with each process can also be activated: select a process, then choose View > Show Lower Pane in Process Explorer.

Identifying a Virus

Viruses come in a wide variety of shapes, sizes and life cycles. (The biological viruses the term is borrowed from consist of an outer protein shell called a capsid around a nucleic acid genome.) Their behaviors also vary widely, but they typically use similar tactics to infiltrate computers and do their damage.

Though not meant as a replacement for anti-virus software, the Windows Sysinternals suite can aid administrators and malware analysts in their search for any sign of suspicious activity. With more than 70 tools that expose the specific behaviors indicating the presence of viruses or malware, most notably Process Explorer, Process Monitor (ProcMon) and Autoruns, Windows Sysinternals gives administrators and analysts a way to discover an infection faster than traditional anti-virus solutions alone.

Process Explorer stands out among malware analysis tools by showing the hexadecimal representation of every executable running on your computer, letting you quickly spot suspicious code in a file running in memory. Its ability to generate hashes for all processes (including system processes) makes it an indispensable part of the analyst's toolkit.

Process Explorer is also an invaluable source of data about file and Registry activity on a running system, providing a wealth of insight into an application in use. IT professionals can use it to quickly identify potential trouble spots, such as DLL version mismatches or leaks, that need attention.

Process Explorer also integrates with VirusTotal, allowing IT professionals to quickly check running files against that huge database without uploading the files for analysis. Process Explorer then displays a VirusTotal ratio for each process indicating how many antivirus engines flagged its executable as potentially malicious.
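The VirusTotal column described here and in the earlier section works on file hashes rather than file contents. The following example, added here and not code from Process Explorer or VirusTotal, reproduces that workflow: it hashes an executable locally, and derives a "flagged/total" ratio from a VirusTotal v3 file report. The report shape follows the public v3 API; the sample report is constructed, and counting "suspicious" verdicts as flagged is an assumption of this example.

```python
"""Hash a file locally and turn a VirusTotal v3 /files/{sha256} report into
the "flagged/total" ratio a Process Explorer user sees. Only the hash leaves
the machine; the file itself is never uploaded."""
import hashlib
import json
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_file(path):
    """Stream the file in 1 MiB chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """Live lookup by hash (not exercised offline). Requires a VirusTotal API key."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detection_ratio(report):
    """Return (flagged, total) from a v3 report, or None if VirusTotal has
    never seen the hash (v3 answers such lookups with an 'error' object).
    Assumption: 'suspicious' verdicts count as flagged, like 'malicious'."""
    if "error" in report:
        return None
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("harmless", 0) + stats.get("undetected", 0)
    return flagged, total


def format_ratio(report):
    """Render the ratio the way the column reads, e.g. '3/72', or 'Unknown'."""
    ratio = detection_ratio(report)
    return "Unknown" if ratio is None else f"{ratio[0]}/{ratio[1]}"


# Constructed sample report, shaped like a v3 response (not real scan data).
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 2, "suspicious": 1, "harmless": 4, "undetected": 65,
    "timeout": 0, "type-unsupported": 3}}}}
SAMPLE_NOT_FOUND = {"error": {"code": "NotFoundError", "message": "File not found"}}
```

Engines that timed out or do not support the file type are excluded from the total, so the ratio reflects only engines that actually returned a verdict.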

IT professionals using Process Explorer should keep in mind that malware can hide from detection by manipulating the operating system at the kernel level, making detection impossible. Mark Russinovich, the creator of Process Explorer, recommends first suspending any suspicious process (a right-click option) before killing it, so that the malware cannot restart itself after you kill it.
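The suspend-first advice above, combined with the earlier point about shutting down a whole process tree, amounts to a two-phase procedure: freeze every member of the tree so no surviving parent or child can respawn what you terminate, then terminate them all. The example below is added here and is not Process Explorer's code; the tree walk runs on a plain (pid, ppid) snapshot so it can be tested offline, and the live adapter assumes the third-party psutil package is installed.

```python
"""Suspend-then-kill for a suspicious process tree. Phase 1 suspends every
member (parents before children); phase 2 kills them (children first)."""


def descendants(snapshot, root):
    """Return root plus all transitive children, each parent listed before
    its children. snapshot is an iterable of (pid, ppid). The 'seen' set
    guards against loops that PID reuse can produce in a stale snapshot."""
    children = {}
    for pid, ppid in snapshot:
        children.setdefault(ppid, []).append(pid)
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(children.get(pid, []))
    return order


def neutralize_tree(snapshot, root, suspend, kill):
    """Suspend the whole tree first, then kill it. suspend/kill are callables
    taking a pid, so the same logic runs against fakes or a live system.
    Returns the (action, pid) sequence performed, suitable for an audit log."""
    members = descendants(snapshot, root)
    log = []
    for pid in members:               # nothing in the tree may run again
        suspend(pid)
        log.append(("suspend", pid))
    for pid in reversed(members):     # children first, root last
        kill(pid)
        log.append(("kill", pid))
    return log


def live_snapshot():
    """(pid, ppid) pairs for every process, via psutil (assumed installed)."""
    import psutil
    return [(p.pid, p.ppid()) for p in psutil.process_iter()]


def live_actions():
    """psutil adapters: suspend() maps to NtSuspendProcess on Windows,
    SIGSTOP elsewhere; kill() is TerminateProcess / SIGKILL."""
    import psutil
    return (lambda pid: psutil.Process(pid).suspend(),
            lambda pid: psutil.Process(pid).kill())
```

A dry run is `neutralize_tree(live_snapshot(), pid, print, print)`; only when the printed list looks right would you pass `*live_actions()` instead.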
