Process Explorer tool from SysInternals, will give you a complete overview on what processes are currently running in your PC along with the details on who invoked it and how much system resources it is consuming. This tool will be very essential, if you want to identify which file or directory has a particular program opened. In this article, you will learn 10 best practices and tips which will help to use this tool better.
A process is a container for a set of resources, including one or more threads. A process never consumes a CPU. Its the thread inside the process which consumes the system resources like CPU, Memory etc. Each process at-least has one Thread. Using this tool, you can also determine which thread of a process is consuming CPU.
Some of the benefits, this Tool gives you are..
- Displays the Parent/Child Relationships of the Processes
- Highlighting of different process based on their source and states.
- Customize Columns to suit specific needs to analyze CPU performance, Threads, etc
- Tons of Options to play around with..!
Tip 1:Process Explorer Parameters – Create a Startup Shortcut / Desktop Shortcut to this executable (procexp.exe) and add a parameter /t /e to it.
/t makes this executable run minimized and /e will make it run elevated. As most of the times, you want the system processes also.. it makes sense to run the tool elevated.
When you invoke this shortcut, the Process Explorer will run in the System Tray as shown below. You can just double click to invoke them.
Tip 2: Configuring the Options – Goto Options Menu Item and Select Hide When Minimized and Allow only one instance. This will help you to just minimize the program, even when you click on the X close button. Sometimes, you tend to invoke the shortcut more than once, thinking that the Process Explorer is not running, selecting the Allow only one instance will help you not have multiple entries of Procexp inside the process explorer window.
Tip 3: Configure Symbols – When you invoke any process and go-to the Threads Tab, you will observe a hexadecimal weird address in the Start Address Tab. These will not be helpful for you while troubleshooting. You will need to convert it to a meaninful message and thats where configuring the symbols will be useful.
Goto Options Tab, and click on Configure Symbols item.
You will need to install the Windows Debugging Toolkit, so that you can configure the path of the dbghelp.dll file. Also, configure the Symbols path as both local and internet. For more information read here – http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx
Once you do this, the hexa-decimal code will be converted to more meaningful message for effective understanding and troubleshooting. You can see in the Start Address column now.
Tip 4: Highlighting Colors – Goto Options Menu Item and Select, Configure highlighting. Using this option, you can customize the colors which you would like to assign for certain roles of processes. By default Pink color is associated for processes with one or more – win32 services, Yellow color for processes which uses .NET Framework, Light blue color for processes which are running with the same user account as the process explorer.
Tip 5: Configure Difference highlighting Duration: Set the Duration to 5 or more seconds. This is an important tip, which will help you distinguish in the difference of the events. The color associations and the process will exist and run for 5 seconds. For example, every process which starts new is associated a green color and every process that stops gets a red. the processes will exist in the Process Explorer for at-least 5 seconds with the same color code, so that you can see them and diagnose the same.
Tip 6: Verifying Processes – When you double-click on any process it opens the properties dialog; this will give you the complete information of that particular process. Its Parent process, Who invoked it, At what time, What OS version is it (32/64 bit) etc. Just observe that, this executable is not verified no matter it comes from Microsoft Corporation. Verifying the processes will help you to determine whether this process is signed to run on this particular edition of the OS. For example, if your machine performance is sluggish, you might run the verify process and see if any of the executables like antivirus are not suited for your PC.
Goto Options Tab and select on Verify Image Signatures. This will start the verification process. Now you click on any column and add a new column for Verified Signer. You will start seeing all the process along with the verified status.
Tip 7: Process Identification – Sometimes, there could be many processes running on your PC (for example, many instances of a same application), In this case it would be difficult to identify the associated process entry in Process Explorer. Thats where exactly, this magnifier comes to your help. Hold the magnifier button, and that will show you all the other windows executing on your PC. Just drop the magnifier on a window which you wanted to identify and that appropriate process would get high-lighted in the Process Explorer.
Tip 8: DLL/Header View – Selecting a Process, and pressing Cntl+D will show the DLL view in the hidden tab. Cntl + H will show the headers which are currently accessed by the process. This will be helpful to understand the components used by a process. You can also choose to search a dll or a Header using the Search option. For eg: If you ever encountered a failed delete action by your process, searching for ‘delete’ will give you more information on what gets called and which file did your process try to delete. You can hover over any process in Process explorer, this will get you all the win32 services running in it.
Cntl+D for DLL View –
Cntl+H for Header View –
Tip 9: Performance Graphs – Double-clicking the graph in the icon bar, will open the performance graph. The red color showcases the kernel mode and the green signifies the transition of Kernel and User mode. If you are running a multi-core PC, choose to ‘show One Graph per CPU’. This will help you manage tasks and also enables you to take a decision to set affinity for a process to a single CPU. (You can right click on a process, Set Affinity to just any of the CPU)
Tip 10: Configure Columns – In the explorer window, Right click on a column header and add new columns. To identify an executable or a process performance, you need to add Threads, CPU Usage, Context Switch Delta and CPU Cycles Delta. This will help you identify which process has more threads and is consuming high CPU usage. Based upon your analysis, you can choose to terminate it for system performance.
Are you aware of any other worthwhile tip on this tool? If yes, drop in as a comment here and I shall feature it in this article appropriately!
Also read about the other SysInternals Tools here –
This will list all the available softwares/programs for this program. You can choose a program here and click on OK button. Ensure that, you select the Check box “Always use the selected Program to open this kind of file”.
For windows administrators who are new to PowerShell, 
