Thursday, 2 February 2017

Forensically examine your PC’s processes

Take a peek at the inner workings of Windows with Task Manager

Ever wondered what goes on under the hood of Windows? If your PC is running smoothly and doing its job, then probably not. It’s when things start to go wrong — your PC slows to a crawl, or “not responding” application errors keep popping up — that you suddenly take a keen interest. There are plenty of tools out there that promise to speed up your computer, fix errors, and make things as good as new again (whatever that means), but there’s always an element of risk involved in trusting your PC to a program that doesn’t really explain what it’s doing. Such tools rarely point out that cleaning out the Registry doesn’t — on its own, at any rate — speed things up, and, more often than not, introduces problems you later can’t unpick without a refresh or, worse still, a full-blown reinstall.


We may live in a post-truth world, but your PC doesn’t care about any of that. Knowledge is power, and understanding how Windows works arms you with the insights you need to make more informed choices about what to do the next time your PC decides to slow to a crawl. In this feature, we’re going to take a close look at the programs, processes, handles, and threads that make up the bulk of what your PC does. And if all that sounds like gobbledegook, don’t worry, because we’ll also explain how everything fits together to help you understand exactly what’s going on.

We kick things off by having a look at Windows 10’s powerful Task Manager tool to take a closer peek — you’ll even learn a clever trick that can sometimes help bring frozen applications back to life. And if you want to go deeper, we’ll take you on a tour of Process Explorer, which offers a forensic look at exactly what’s going on — both in the foreground and behind the scenes. You’ll discover how to free up system resources, track down troublesome processes, and generally keep your PC running a bit more smoothly.

We’ll also take a brief look at some other tools that can help you monitor your PC and track down fixes to your problems. But enough natter — it’s time to arm yourself with the tools and techniques you need to better understand your PC.

The main focus of our feature is the programs and processes that are running whenever you’re using Windows. These include apps, games, and other programs you launch yourself, as well as background processes, such as Windows Services, your security software’s auto-protect features, and Windows Explorer itself. Windows ships with its own built-in tool for monitoring and — to some degree — managing all of these in the form of Task Manager.

Task Manager has evolved into quite a powerful tool in recent versions of Windows — launch it by right-clicking the Taskbar and choosing “Task Manager.” The default basic view merely shows running programs — right-click one to close it or switch to it (handy if it’s hidden from view). Note that the “Always on top” option simply ensures that the Task Manager window can’t be hidden by other windows.

To tap into Task Manager’s full range of features, click “More details,” which splits things into a multi-tabbed view. The main tab is “Processes,” an expanded view of all the processes running on your PC. By default, these are split into three groups: “Apps” are programs you launch yourself from Windows Explorer; “Background processes” are third-party programs running in the background; and “Windows processes” are the core processes that belong to Windows itself.

You’ll see four additional columns of information, labeled “CPU,” “Memory,” “Disk,” and “Network.” Each shows how much of that resource a process is consuming (for CPU, as a percentage). You can quickly see which processes are hogging system resources by clicking any of the columns to sort the list accordingly. Once identified, you can decide whether or not to close the program or process in question — if you don’t recognize its name, right-click it, and choose “Properties > Details” for a more verbose description, or choose “Search online” to search Bing for both the process name and its underlying filename.

Tip: Cloud storage apps often hog all available network resources, which in turn can result in sluggish performance. Once verified as the culprit in Task Manager, open their settings, and look for a section where you can apply limits to their upload and download speeds — OneDrive users should go to “Settings > Network tab,” for example.

Recover Frozen Apps


If a program is not responding, its process should be highlighted — from here, you can attempt to close it by selecting the process and clicking the “End task” button. If that’s too drastic a step, you may be able to recover it by right-clicking and choosing “Go to details.” This takes you to the “Details” tab, where processes are listed with more information — their status (running or suspended), the user who launched them (typically you, SYSTEM, or a SERVICE account), and a PID (Process ID).

To try to free up a non-responding process from here, right-click it again, and choose “Analyze wait chain.” This lists any threads that are using, or waiting to use, resources held elsewhere. Ending the blocking thread may be enough to free up the original process — we’ve done this a few times in Firefox when an individual tab has become non-responsive, for example.

There are some other handy options under the “Details” tab — you can alter process priorities here, which in turn can stop particular processes from taking over your PC and slowing everything else down. Simply right-click the offending process, and choose “Set priority > Below normal” to see whether it helps. You can also give a process more priority if you feel it needs extra attention, but avoid giving anything “Realtime” priority, because it brings Windows grinding to a halt.

Another option is “Set affinity.” This determines which processor cores a program or service can use — if you have a dual-core CPU or better, you might find older applications designed in the era of single-core processing run better if you limit their access to a specific core, rather than allowing them to use all available cores. In most cases, you’ll find Windows is perfectly capable of assigning resources efficiently, so it’s of largely academic interest only.
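The same priority and affinity changes can be scripted, which saves repeating them by hand for a process that misbehaves every session. This is an added PowerShell example, not from the article; the parameters $TargetPid, $Priority and $Cores are assumptions, and the script refuses “RealTime” for the reason given above.

```powershell
# Added example, not part of the article: mirror Task Manager's "Set priority"
# and "Set affinity" options from PowerShell. Run from an elevated session for
# processes that belong to another user. Parameters are assumptions:
#   -TargetPid  PID from the Details tab (defaults to this shell, safe to test)
#   -Priority   Idle, BelowNormal, Normal, AboveNormal, High (RealTime refused)
#   -Cores      zero-based core indexes the process may run on
param(
    [int]$TargetPid = $PID,
    [string]$Priority = 'BelowNormal',
    [int[]]$Cores = @(0)
)

$proc = Get-Process -Id $TargetPid -ErrorAction Stop

# Report the facts the Details tab shows before changing anything.
[pscustomobject]@{
    Name       = $proc.ProcessName
    PID        = $proc.Id
    Responding = $proc.Responding
    Priority   = $proc.PriorityClass
    Threads    = $proc.Threads.Count
    Affinity   = '0x{0:X}' -f $proc.ProcessorAffinity.ToInt64()
} | Format-List

# Refuse RealTime: it starves the rest of Windows, including the input you
# would need to recover the machine.
if ($Priority -eq 'RealTime') { throw 'RealTime priority is not applied by this script.' }
$proc.PriorityClass = [System.Diagnostics.ProcessPriorityClass]$Priority

# Affinity is a bitmask: bit n set means the process may be scheduled on core n.
$coreCount = [Environment]::ProcessorCount
$mask = [int64]0
foreach ($c in $Cores) {
    if ($c -lt 0 -or $c -ge $coreCount) {
        throw "Core $c does not exist on this machine (valid: 0..$($coreCount - 1))"
    }
    $mask = $mask -bor ([int64]1 -shl $c)
}
$proc.ProcessorAffinity = [IntPtr]$mask

'Applied priority {0} and affinity mask 0x{1:X} to PID {2}' -f $Priority, $mask, $TargetPid
```

Both settings are per-process and revert when the process restarts, just as they do when set from Task Manager.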

Trim Startup


One other Task Manager tab is worthy of attention: “Start-up.” This doesn’t just list which programs are set to start with Windows — it provides a “Start-up impact” rating for each app’s resource usage of “High,” “Medium,” or “Low.” Keep an eye on those rated “High” — if start-up times and overall performance suffer, preventing these from starting with Windows (right-click the program and choose “Disable”) may help improve matters.

Task Manager’s other tabs enable you to monitor performance over time via a series of graphs (“Performance”), plus keep an eye on apps you’ve installed through the Microsoft Store by measuring their resource usage over time (“App history”). The “Users” tab is handy when two or more users are logged on at once, providing a list of user-generated running processes. Finally, “Services” provides a cut-down version of which low-level processes are running (or not). You can manually start, stop, and restart services from here, but for more granular control (such as setting a Service’s start-up setting), right-click the service, and choose “Open Services.”

Process Explorer


The Windows 10 Task Manager tool goes a long way to giving you a peek inside your system, as well as the tools for dealing with runaway and non-responding programs, processes, and threads. But you can delve even deeper into your system with the help of Process Explorer, a free tool developed by Microsoft’s Sysinternals team. Find out more and download it from https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx — it’s completely portable, and can be run directly from your web browser (go to https://live.sysinternals.com/procexp.exe to do so).

We’ll assume you’re downloading it: once done, right-click “ProcessExplorer.zip,” choose “Properties,” check “Unblock,” and click “OK.” Now extract its contents, then right-click either “procexp.exe” or “procexp64.exe” (depending on your Windows system type), and choose “Run as administrator.” Process Explorer doesn’t require elevated access, but if you want a complete look at your system, you should run it elevated so that it can peer wherever it needs to.

Process Explorer opens to a single-pane window. Expand the “Options” menu, and check “Hide When Minimized” and “Allow Only One Instance.” The former option ensures that when you close or hide Process Explorer, it minimizes to the Taskbar Notification area, where a real-time graph lets you keep an eye on CPU usage (roll your mouse over it, and a pop-up window reveals overall CPU usage, as well as that of the most demanding app running). Go to “Options > Tray Icons” to measure additional metrics via their own system tray icons, with seven choices on offer, including “GPU memory” and “Commit” (the total memory the system has promised to processes based on current usage).

Dig Deeper


But we digress. Return to the main Process Explorer window, which lists all running processes. You’ll see some processes are nested inside others in a tree-like structure. This makes it clear which process spawned a particular process or program (for example, if you open a program in the usual way, it appears nested underneath explorer.exe; however, if you open your web browser by clicking a link in another program — Word, say — it appears underneath that parent program instead).

Processes are also color-coded to help you identify what’s going on with each — to see what the colors represent, from recently launched processes (green) to processes ending (red), choose “Options > Configure Colors.”

Note this view is lost if you click any of the other column headings — such as “CPU” — to determine resource hogs. But if you double-click the process to open its Properties dialog, you can see the name of its parent process underneath the “Image” tab with other useful information (such as which user the process is running under).

As an aside, look carefully at the System process. You’ll see an entry marked “Interrupts.” This is an artificial process: rather than running code of its own, it accounts for the time the CPU spends servicing your hardware. If you spot high CPU consumption for this entry, it indicates a potential problem with your hardware or — more likely — a driver bug. Don’t bother clicking it for further information, though — there’s nothing to see, literally.

Microscopic Examination


One of the many ways in which Process Explorer enables you to see what’s really happening under the hood is through its support for showing detailed information about a process’s threads. Switch to the “Threads” tab — ignoring the warning about missing symbol files (not needed unless you’ve got the chops to go the extra mile, or you’re a developer) — and you’ll see a list of all threads associated with that process. You get to see the CPU usage for individual threads, as well as the module (file) each thread started in, which helps pinpoint where a resource leak may be occurring. You can kill or suspend individual threads from this dialog box, but save any work before doing so — you could easily bring down the parent process from here, or even Windows itself if you don’t know what you’re doing.

A process’s “Properties” dialog contains a wealth of potentially helpful information. Use the “Performance” and “Performance Graph” tabs to measure its impact over time, for example. Switch to the “Services” tab to list which services it hosts, or select “Environment” to view any environment variables used by the program. The “Strings” tab lists the printable strings found in the process’s executable — these can help identify a process if you’re struggling to work out what it relates to.

Handles and DLL Files


Process Explorer also enables you to take a close look at a process’s handles and DLL files (the library files that can be shared between multiple programs). Select a process and press Ctrl-H — a new pane appears listing its handles. From here, double-click a handle to get more information about it (most specifically, a description of the handle type, such as “Section” or “WindowStation”). It’s possible to close individual handles by right-clicking and choosing the “Close” option — but, as with threads, if you don’t know what you’re doing, it’s likely you’ll bring the whole process crashing down.

Press Ctrl-D, and this lower pane switches to DLL view, listing all the DLL files that the process in question is accessing. Double-click a DLL file to access its properties — switch to the “Strings” tab and you’re shown a list of string values it contains. Press Ctrl-H to switch back to Handles view, or Ctrl-L to toggle the lower pane on and off.

What does this information tell you? It gives you detailed insights into what makes up a process — how it’s composed of multiple threads, and what resources it utilizes in the form of handles and DLL files. Not only does it enable you to see exactly what’s happening with individual processes, but it also helps you to learn exactly how programs and processes run.

Get More Help


Process Explorer is a powerful tool, and it can take a while to get your head around it. The Help file is a good place to start — press F1 to access it — but you’ll find some handy online resources, too. There’s a PDF handout from Kansas State University (http://bit.ly/procexplhandout) that provides a good introduction — it was written back in 2009, but is still relevant. And don’t forget the official Process Explorer forum (http://forum.sysinternals.com), which contains an FAQ, among other handy resources.

It’s also worth taking a look at some of Sysinternals’ other tools as well — Autoruns (http://bit.ly/autoruns) gives you a similarly detailed view of the start-up process, split across major tabs. It’s easier to grasp than Process Explorer, and provides you with all the tools you need to streamline your startup. If you want to monitor file system, Registry, process, thread, and DLL activity in real time, then Process Monitor (http://bit.ly/processmonitor) is the tool to go for — this is particularly handy if a program is crashing, because it provides you with more detail as to where in the process things might be going wrong. Finally, RAMMap (http://bit.ly/ram-map) lets you take a peek into how your system RAM is managed.


Understand Process Terminology


Programs, processes, handles, and threads — what are they, and how do they link together? It can get confusing, particularly given the way that both Task Manager and Process Explorer present running programs, processes, and threads.

Programs are a collection of files that combine to provide the tools and functionality you use on a daily basis, from a web browser or office package to your game collection. They also include underlying Windows programs (such as File Explorer) and lower-level Services, which work in the background to provide features such as networking and automatic updates.

Processes provide the resources needed to run a program, which live in the process’s “virtual address space,” a private range of addresses that Windows maps on to physical memory as needed. A process comprises the program code, open “handles” to system objects (the resources it is using, such as files, Registry keys, and DLL files), and its environment variables. Each process is assigned a security context, which determines its level of access to the system, plus a unique process identifier (PID). It’s also assigned a priority class, which determines how much CPU time it gets in relation to other processes. Minimum and maximum “working set sizes” are also applied, to set limits on how much physical memory the process may hold.

Each process consists of one or more threads, which are the units to which Windows allocates CPU time. Each thread can execute any part of the process’s code, and shares the process’s virtual address space and resources. Threads have their own properties, such as unique identifiers and exception handlers, and the scheduler stops and starts them in turn, so they don’t all run at once.
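The parent/child tree from the “Dig Deeper” section and the properties just listed (PID, security context, priority class, threads) can be pulled together with built-in cmdlets. This is an added PowerShell example, not from the article or Sysinternals; because Windows recycles PIDs, it checks start times before trusting a parent link and shows orphaned processes at the root, which is an assumption about how you would want them displayed.

```powershell
# Added example, not part of the article: rebuild a Process Explorer-style
# tree from PowerShell and annotate each node with the process properties
# described above. Built-in cmdlets only; run elevated to see every owner.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

function Get-RealParent($p) {
    $parent = $byPid[[uint32]$p.ParentProcessId]
    if (-not $parent -or $parent.ProcessId -eq $p.ProcessId) { return $null }
    # PIDs are recycled: a "parent" that started after its child is an unrelated
    # process that inherited the PID, so the child is really an orphan (root).
    $parentStart = if ($parent.CreationDate) { $parent.CreationDate } else { [datetime]::MinValue }
    $childStart  = if ($p.CreationDate) { $p.CreationDate } else { [datetime]::MinValue }
    if ($parentStart -le $childStart) { return $parent }
    return $null
}

# Index children by their real parent PID so the tree walk is linear.
$children = @{}
$roots = New-Object System.Collections.Generic.List[object]
foreach ($p in $procs) {
    $parent = Get-RealParent $p
    if ($parent) {
        $key = [uint32]$parent.ProcessId
        if (-not $children.ContainsKey($key)) { $children[$key] = New-Object System.Collections.Generic.List[object] }
        $children[$key].Add($p)
    } else {
        $roots.Add($p)
    }
}

function Show-Tree($p, [int]$depth) {
    # Security context: GetOwner is denied for some system processes unless we
    # are elevated, which is why the article suggests "Run as administrator".
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $user  = if ($owner -and $owner.User) { '{0}\{1}' -f $owner.Domain, $owner.User } else { '?' }
    # Priority class comes from the .NET Process object; protected processes deny it.
    $prio = 'n/a'
    $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($gp) { try { $prio = $gp.PriorityClass.ToString() } catch { } }
    '{0}{1} [PID {2}] user={3} priority={4} threads={5}' -f ('  ' * $depth), $p.Name, $p.ProcessId, $user, $prio, $p.ThreadCount
    $key = [uint32]$p.ProcessId
    if ($children.ContainsKey($key)) {
        foreach ($child in ($children[$key] | Sort-Object CreationDate)) { Show-Tree $child ($depth + 1) }
    }
}

foreach ($root in ($roots | Sort-Object ProcessId)) { Show-Tree $root 0 }
```

A process that appears at the root with a non-zero parent PID is one whose parent has exited, the same situation in which Process Explorer stops nesting it.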


Check for Malware


Process Explorer can also help track down potential security risks that are running, by checking the hash of a process’s image file against the VirusTotal online database, which scans files with dozens of reputable antivirus engines. Switch the feature on by choosing “Options > VirusTotal.com > Check VirusTotal.com.” Click “Yes” to agree to the VirusTotal terms of service (these are displayed in your browser), and Process Explorer then submits the hash of every running process’s image file to the VirusTotal website. It also adds a new VirusTotal column to the main view. You’ll see a list of clickable links reading “0/56” or “3/57.” Each one links to the antivirus scan results for that individual file.

Any files listed as “0/57” or similar have been rated safe by all the antivirus engines used; focus your efforts on those marked in red, where the score is 1 or higher. Click the link and you’re taken to a web page of results, with the suspected infections placed prominently at the top, along with the antivirus engine that flagged the file and the name it gave the suspected infection. Google the result, together with the filename, to see what’s out there, but unless several engines agree, it’s likely to be a false positive.

If your file isn’t listed there, that means it hasn’t yet been scanned by VirusTotal’s engines — right-click the file and choose “Submit to VirusTotal” to upload it, then wait for it to be scanned. The results appear in due course.

You can also check files for their digital signatures — double-click the process and switch to the “Image” tab, then click the “Verify” button. Look for “(Verified),” followed by the name of the signer, under “Image File.” This, on its own, is no guarantee that a file is safe, but it is an extra layer of assurance.
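The hash lookup and signature check described in this section can be reproduced for every running process at once. This is an added PowerShell example, not from the article; it computes each image’s SHA-256 for a manual VirusTotal lookup and verifies its Authenticode signature, and the CSV output path is an assumption.

```powershell
# Added example, not part of the article: for each running process, hash the
# image file and verify its Authenticode signature, approximating what Process
# Explorer's VirusTotal column and "Verify" button show. Run elevated so that
# the paths of system processes are readable. The CSV path is an assumption.
$csvPath = Join-Path $env:TEMP 'process-images.csv'

$records = foreach ($p in Get-Process) {
    $path = $p.Path   # $null when we cannot open the process (protected/system)
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        PID       = $p.Id
        Name      = $p.ProcessName
        Signature = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = $hash
        Path      = $path
    }
}

# One image can back many processes (svchost.exe, browser tabs): report it once.
$unique = $records | Sort-Object Path -Unique

# As with red VirusTotal scores, anything not validly signed deserves a closer
# look; a valid signature is still no guarantee that a file is safe.
$suspect = $unique | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object Signature, Name
$suspect | Format-Table PID, Name, Signature, SHA256, Path -AutoSize

# Keep every record: the SHA256 column is what you paste into VirusTotal's
# search box to see an existing report without uploading the file.
$unique | Export-Csv -NoTypeInformation -LiteralPath $csvPath
'{0} unique images, {1} not validly signed; full list in {2}' -f @($unique).Count, @($suspect).Count, $csvPath
```

Many Windows components are signed through a catalog rather than an embedded signature; recent PowerShell versions consult the catalog, while older ones report such files as “NotSigned,” so check the Windows version before treating a system file as suspect.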


Process Explorer Tips and Tricks


Struggling to identify which process owns a window? Open Process Explorer, then drag the target-like icon next to the binoculars icon on to the window in question, and its owning process is highlighted.

Click the binoculars icon or press Ctrl-F to open the search tool — this enables you to search by handle or DLL substring to see which processes are using (and possibly holding on to) resources. If you can’t access a file because “it’s open in another program,” this can find what’s locking it.

Choose “View > Select Columns,” and you’ll see you can view pretty much any kind of data about a process or thread that you want. The most useful options can be found on the “Process Image” (for additional info about the process) and “Process Performance” tabs (check “CPU History,” for example, to track a process’s resource consumption over time on a graph). Many of these options are overkill, but Google any terms to find out more about them. Also take the time to look at the “Handle” and “DLL” tabs — you can add extra columns to both lower panes from there.

We like running Task Manager and Process Explorer together, but if Process Explorer offers all the functionality you need, you can make it your default task manager — choose “Options > Replace Task Manager.” Now, pressing Ctrl-Alt-Del or right-clicking the Taskbar and choosing “Task Manager” launches Process Explorer.

Should you wish to reset Process Explorer to its defaults, right-click its system tray icon, and choose “Close Process Explorer.” Press Win-R, type “regedit,” and hit Enter. Navigate to “HKEY_CURRENT_USER\SOFTWARE\Sysinternals.” Right-click the “Process Explorer” subkey, choose “Delete,” then close Registry Editor.