First I would like to thank Mark Russinovich for taking the time to make Process Explorer and for keeping the program free so everyone can use it.
After being busy with some other stuff, I figured it was time to get back to doing some reviews on the web site. Today I take a look at a utility that I have been meaning to look at for quite some time now. I have to say I wish I had known about this utility a long time ago, because it certainly makes life easier when you are trying to figure out what all those running processes do on your Windows machine.
Process Explorer will run on pretty much any version of Windows, from Windows 98 all the way up to Vista. When you download the zip file from the Microsoft site you get a zip file with 3 files in it; just make a folder, dump the 3 files in there, and you're done with the install. Don't forget to make a shortcut to the Process Explorer .exe file.
When you load Process Explorer up you see the interface that I have a screen shot of below. Do note that my screen shot may look a bit different from the one you're seeing, because I have mine customized, and you can do that in the settings for the program.
Once you get the program up and running you will want to right click on the word Process at the top of the screen; this gives you an option to select columns. When you click on Select Columns you will see more options that you can turn on and off for the program. The one thing you want to enable with a check mark is the Verified Signer option. When you have this option enabled it adds a new column to your display that shows you which files are signed and which ones are not. Also, at the very top of the program you will see an Options menu, and in there you can check off an option to "Verify Image Signatures"; make sure you enable this. When you do enable "Verify Image Signatures", each time you load the program up it will go and verify all the image signatures.
The reason it's important to have the Verified Signer option on is that it will tell you whether the Microsoft files you're seeing are in fact legitimate Microsoft files. Some Trojans and viruses that exist today like to give themselves the same process names as the legitimate Microsoft processes. If you see a Microsoft process and it's signed, then you can be fairly certain it's legit.
While investigating the whole signed files thing, I decided to contact Mark Russinovich and ask him directly how easy it would be to fake one of these signed files, and I got the following response from him.
“For a signature check to pass the image must have a valid digital signature that roots to a trusted system certificate authority. Malware without such a signature could inject code into Process Explorer, intercept Process Explorer’s call to the verification function, and change an invalid result into a valid one.”
So take what you see in Process Explorer with a grain of salt when it comes to the verified signer. Chances are if it says the file is legit it will be, but you never really know.
As for companies other than Microsoft, you can't always depend on them to use signed files. I have several legit processes running that are not signed at all. It would be nice if all software makers used signed files; however, a lot of them don't.
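As an added example (my own, not from this review and not from Sysinternals), here is a PowerShell script that does the same kind of signature check that the Verified Signer column does, but from a separate process. It lists every running process image, asks Windows for its Authenticode signature status, and flags any process whose name matches a well-known Microsoft system process but whose image is not validly signed by Microsoft. It assumes Windows PowerShell 5.1 or later, run from an elevated prompt so that the image paths of system processes are readable; the list of system process names is a constructed illustration, not an official list.

```powershell
# Added example, not from the review or from Sysinternals.
# Independent Authenticode check of every running process image, run in its
# own PowerShell session rather than inside Process Explorer.
# Assumes Windows PowerShell 5.1 or later on an elevated prompt so that the
# image paths of system processes are readable.

# Constructed list of Microsoft system process names that malware likes to borrow.
$systemNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
                 'services.exe', 'explorer.exe', 'smss.exe', 'wininit.exe')

function Get-SignedProcessReport {
    foreach ($p in Get-Process) {
        $path = $p.Path
        if (-not $path) { continue }   # path unreadable (protected or kernel process)

        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $status = if ($sig) { $sig.Status } else { 'Unknown' }

        # The case the review warns about: a system-looking name whose image is
        # not validly signed by Microsoft. Unsigned third-party software is common
        # and is not flagged by itself.
        $looksSystem = $systemNames -contains ($p.ProcessName + '.exe')
        $msSigned    = ($status -eq 'Valid') -and ($signer -like '*Microsoft*')

        [pscustomobject]@{
            PID        = $p.Id
            Name       = $p.ProcessName
            Path       = $path
            Status     = $status
            Signer     = $signer
            Suspicious = $looksSystem -and -not $msSigned
        }
    }
}

# Usage: suspicious rows first, as a second opinion next to the Verified Signer column.
Get-SignedProcessReport | Sort-Object Suspicious, Status -Descending | Format-Table -AutoSize
```

Because this runs in its own process it is a cheap cross-check against what Process Explorer shows, but on an already compromised machine it shares the weakness Mark describes, so a disagreement between the two, or an unsigned image with a system process name, is a reason to hash the file and compare it against a clean machine rather than proof either way. Two caveats: the signer test is a loose match on the certificate subject, and on older Windows versions files that are signed through a catalog rather than an embedded signature can show as NotSigned here even though Process Explorer reports them as verified.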
Next up is the lower half of the main interface, and this shows you a bunch of info about the process you currently have selected, such as what files that process is loading up or writing to, and it can also show you what registry keys are being accessed as well.
The fact that you can see what files a process is accessing is truly amazing; once again this can help you find out more information about a running process. This feature alone makes this program very powerful.
In the image below you will see the screen that pops up when you double click on any of the processes that you see in the main window.
The cool part of this screen is that here, without doing any searching at all, you can see where the process is sitting on the hard drive in terms of where that file is. One of the first things I do when I see an unknown process is to go and find the file on the hard drive, and that involves checking all drives and looking for the file with that file name. Once I find that file I will look at its date and time and see if, for example, it's part of a game I installed. This helps me find out what software package that process belongs to.
In the screen shot above is the Strings tab, and with that you can see any readable text that might be inside a process. This again can help you identify what that process is or what it belongs to.
The screen shot above shows you how much RAM is in use by a process and also shows any I/O a process might be doing.
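An added example, written for this review rather than taken from it or from Sysinternals: a PowerShell function that pulls together the same information I read off the Image and Strings tabs for a named process. It reports the image path, the file's timestamps and version information, its signature status, and the printable ASCII and UTF-16 strings found in the file on disk. It assumes Windows PowerShell 5.1 or later; 'notepad' in the usage call is only a constructed example name, and the function reads the image file rather than process memory, so it will not show strings that only exist at run time.

```powershell
# Added example, not from the review or from Sysinternals.
# Reports where a named process's image lives on disk, its timestamps,
# version info and signature status, and extracts printable strings from
# the file (ASCII and UTF-16LE), similar to the Image and Strings tabs.
function Get-ProcessImageInfo {
    param(
        [Parameter(Mandatory)][string]$ProcName,  # process name without .exe
        [int]$MinLength = 6,                      # shortest string to report
        [int]$Show = 40                           # how many strings to list
    )

    foreach ($p in Get-Process -Name $ProcName) {
        $path = $p.Path
        if (-not $path) {
            Write-Warning "PID $($p.Id): image path not readable (try an elevated prompt)"
            continue
        }

        $file = Get-Item -LiteralPath $path
        # Timestamps and version info help tie the file to whatever installed it.
        [pscustomobject]@{
            PID         = $p.Id
            Path        = $path
            Created     = $file.CreationTime
            LastWritten = $file.LastWriteTime
            SizeKB      = [math]::Round($file.Length / 1KB)
            Signature   = (Get-AuthenticodeSignature -FilePath $path).Status
            Company     = $file.VersionInfo.CompanyName
            Description = $file.VersionInfo.FileDescription
        } | Format-List

        # Decode bytes 1:1 (Latin-1) so that only real 0x20-0x7E bytes match the pattern;
        # an ASCII decode would turn high bytes into '?' and create false strings.
        $bytes = [IO.File]::ReadAllBytes($path)
        $text  = [Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)

        $ascii = [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") |
                 ForEach-Object { $_.Value }
        # UTF-16LE strings appear as printable byte, NUL, printable byte, NUL, ...
        $wide  = [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}") |
                 ForEach-Object { $_.Value -replace "`0", '' }

        "{0} ASCII and {1} UTF-16 strings of length >= {2} in {3}; first {4} of each:" -f `
            @($ascii).Count, @($wide).Count, $MinLength, $path, $Show
        $ascii | Select-Object -First $Show
        $wide  | Select-Object -First $Show
    }
}

# Usage (constructed example name; substitute the unknown process you are looking at):
Get-ProcessImageInfo -ProcName 'notepad'
```

Reading the file in Latin-1 is the detail that matters for the strings part: each byte maps to exactly one character, so the regex only matches bytes that really are printable, and the UTF-16 pattern can look for the interleaved NUL bytes directly.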
One thing I have done for years is, if I didn't know what a process was, I would fire up Google, type the name of that process into Google, and see what it comes back with. Often doing this Google search can tell you what the process is for. With Process Explorer you right click on the process and select the "Search Online" function, and that will load up your browser, go to Google, and do the search for you on that process name.
This program has so many things to it that I can't even cover most of them or the review would be 100 pages long. One thing is for sure, and that is this program is WAY better than the stock Windows Task Manager.
The only problem I have seen, and this wasn't the fault of Process Explorer, is that the makers of SecuROM decided to blacklist Process Explorer. What this means for the average person is that if you have any games at all that use SecuROM, the game will NOT load if you have Process Explorer running.
I tried to run Frontlines: Fuel of War tonight, which has SecuROM protection, and as soon as I started the game up a message came up with an error and a link. I clicked on the link and got the screen shot shown below.
This type of thing really gets under my skin. First of all, I normally wouldn't run Process Explorer while I was playing a game, so for me this isn't really an issue; however, what I don't like is a company like SecuROM thinking it can control what I have loaded up on my machine. I remember seeing something like this before with the Alcohol 120% program, where I had that on my machine and I went out and PURCHASED a game, and the game would not install as long as Alcohol 120% was on my computer.
Now in the case of my game test tonight the only thing I had to do was exit Process Explorer, and the game then loaded up fine. It should be noted that SecuROM also doesn't like the programs Filemon or Regmon, and from what I understand they are blacklisted as well. Those programs are also free from Microsoft's web site and are also by Mark Russinovich and Bryce Cogswell.
What kills me about SecuROM is that these guys are going out of their way to blacklist Process Explorer, and yet you can still easily go out and find ways to bypass SecuROM for every game that comes out with SecuROM protection. Seems to me the SecuROM folks have blacklisted the wrong utilities...
I have sent the folks at SecuROM an e-mail asking if they would talk to me about why this program and other programs have been blacklisted by SecuROM, and so far they have not responded to my request. If they do respond I will update this review with any information they give me.
In conclusion, Process Explorer is what should have come with all versions of Windows as the default Windows Task Manager. When you look at what Process Explorer can do you soon realize how much more powerful it is than the standard Windows Task Manager. I still can't believe that a program this well done and this powerful can be downloaded and used for free.