Process Explorer

Process Explorer

Process Explorer v11.33 running in Windows Vista
Developer(s)	Sysinternals, Microsoft
Stable release	11.33 / February 4, 2009; 16 years ago (2009-02-04)
Operating system	Windows 2000 (SP4), XP, 2003, Vista and x64 versions
License	Proprietary
Website	Process Explorer Homepage

Process Explorer is a freeware computer program for Microsoft Windows created by Sysinternals, which was acquired by Microsoft Corporation.

Process Explorer is a system monitoring and examination utility and can be used as the first step in debugging software or system problems.

Process Explorer can be used to track down problems. For example, it provides a means to list or search for named resources that are held by a process or all processes. This can be used to track down what is holding a file open and preventing its use by another program. Or as another example, it can show the command lines used to start a program, allowing otherwise identical processes to be distinguished. Or like Task Manager, it can show a process that is maxing out the CPU, but unlike Task Manager it can show which thread (with the callstack) is using the CPU – information that is not even available under a debugger.

Process Explorer is one of a set of administration and monitoring utilities available from the Microsoft Sysinternals website.

Until 2008 Process Explorer worked on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista including 64-bit versions. The current (Aug 2008) Process Explorer Homepage states that it works on Windows 2000 with Service Pack 4 and upwards.

Recent versions downloaded with the Sysinternals Suite is supposed to support 64 bit versions of Vista and Windows 7 x64 with a second binary, procexp64.exe. However, procexp64.exe has problems on Windows 7 boxes because in needs to be in an editable folder so that it can extract the file from procexp.exe.

• Hierarchical view of processes.
• Ability to display an icon and company name next to each process.
• Live CPU activity graph in the task bar.
• Ability to suspend selected process.
• Ability to raise the window attached to a process, thus "unhiding" it.
• Complete process tree can be killed.
• Interactively alter a service process' access security
• Interactively set the priority of a process
• Disambiguates service executables which perform multiple service functions. For example, when the pointer is placed over a svchost.exe, it will tell if it is the one performing automatic updates/secondary logon/etc., or the one providing RPC, or the one performing terminal services, and so on.

This article may contain unverified or indiscriminate information in embedded lists. Please help clean up the lists by removing items or incorporating them into the text of the article. (November 2009)

5 February 2009 Version 11.33

• This update fixes a bug where the history graph tooltips could display the wrong data point and reduces the memory footprint of the structures that store graph history

12 January 2009 Version 11.32

• This update fixes a bug in the process security page's name resolution and uses history graph tooltips that track the mouse

11 December 2008 Version 11.31

• This update works around a bug in the latest Debugging Tools for Windows debug engine DLL and fixes a bug that could cause objects to show up as <unknown type> when Process Explorer was run without administrative rights

19 November 2008 Version 11.3

• This update to Process Explorer includes numerous enhancements and bug fixes, including a physical memory history graph, options to configure memory tray icons, asyncronous thread symbol resolution and security ID lookup, dynamic recognition of new volume drive letters, multiple character matching in the process view, and a smaller memory footprint

8 June 2008 Version 11.21

• This update fixes a race condition bug in the Process Explorer device driver

28 May 2008 Version 11.20

• Process Explorer now shows thread permissions, adds process working set minimum and maximum columns, and fixes a bug that allows it to run from read-only locations on 64-bit Windows

15 April 2008 Version 11.13

• This includes bug fixes for viewing thread stacks of system threads and 64-bit thread stacks. It also fixes compatibility with Windows 9x and NT 4

7 April 2008 Version 11.12

• This update includes a number of minor enhancements and bug fixes, including support for tracking commit and non-paged pool limits

28 February 2008 Version 11.11

• Fixes a bug in the driver that could cause a crash when viewing the handle table of a process that exits

26 February 2008 Version 11.10

• Support for high DPI
• Display of paging and standby list sizes on Vista, and display of cycles consumed on threads tab on Vista
• Reports the COM object running inside of Dllhost processes and the tasks running inside of Vista Taskeng host processes in the process view hover tooltip

5 November 2007 Version 11.04

• This update fixes a memory leak in the threads tab

26 October 2007 Version 11.03

• This update to Process Explorer, an advanced process information utility, has a number of miscellaneous improvements. For example, the thread support in the process properties dialog is enhanced with Wow64 thread stacks on 64-bit Windows and kernel stacks on Windows Vista and Server 2008. In addition, tooltips on the service hosting processes now show service names, the user SID is displayed on the security properties page, and column headers have tooltips when they’re too small to display their text

14 September 2007 Version 11.02

• This update fixes bugs in column set and NT 4 TCP/IP tab functionality

11 September 2007 Version 11.01

• Fixes a bug in file save and idle thread display

4 September 2007 Version 11.0

• New treelist control for better UI responsiveness
• Asynchronous thread symbol resolution on threads tab of process properties
• More flags on groups in security tab and SID display
• Thread IDs on threads tab
• On-line search uses default web browser and search engine
• Vista ASLR column for processes and DLLs
• Vista Process and thread I/O and memory priorities in process and thread properties
• Vista Process and thread I/O and memory columns
• PROCESS_QUERY_LIMITED_INFORMATION support on process permissions on Vista
• Run as limited user runs with low IL on Vista
• Reports information for all object types on Vista
• Show details for all processes elevation menu item on Vista
• Supports replacement of task manager on Vista
• /e to launch elevated
• /s switch to select a process at startup
• Compiled w/ASLR, DEP
• Faster startup
• Miscellaneous bug fixes and minor improvements

6 November 2006 Version 10.21

• This Process Explorer release fixes a bug in 32-bit path resolution on 64-bit systems and changes the threads tab to asynchronously populate its thread list

10 July 2006 Version 10.2

• Vista integrity level and virtualized columns and process properties
• Signed driver for 64-bit Vista for x64 processors

10 May 2006 Version 10.11

• Vista process cycle counters in process properties and as column
• Service permissions viewing and editing
• Workaround for .NET runtime handle leak
• Many new I/O columns and process properties
• System and per-process I/O bytes history graphs
• I/O history minigraph
• Memory commit history minigraph
• Optional I/O history tray icon
• Windows 64-bit for Itanium support

22 February 2006 Version 10.06
7 February 2006 Version 10.0

• The process column is locked on the left side so that it doesn't scroll horizontally out of view
• You can configure custom column selections and save them as easy-to-access column sets
• Image verification option now verifies images in the background
• More refresh intervals
• Runas menu entry in the File menu
• Run as Limited User menu entry in the File menu to run a process without administrative privileges and group membership
• Process menu includes Restart item to kill and then restart a selected process
• Can suspend individual threads on Threads page of Process Properties dialog
• The Find Window target moves Process Explorer's main window to the back to get it out of the way
• Close Window command uses same End Task functionality as Task Manager
• Show New Processes option scrolls display to make new processes visible
• Heuristics to detect more image packers
• User name of account in which Process Explorer is running is shown in the title bar
• Services can be stopped, resumed, and paused from the Services tab of the Process Properties dialog
• The DLLs that host SvcHost processes are listed in the Services tab of the Process Properties dialog
• Services running within a process display on the process' tooltip
• As a parallel to the CPU Usage History column there's now a Private Bytes Usage History column
• The Process view includes columns that show the working set breakdown of the process in shared, shareable and private pages
• New delta private-bytes column to show changes in private virtual memory usage
• Can copy lines from the Process, DLL and Handle views to the clipboard
• Option to show pagefile-backed (unnamed) sections in DLL view
• DLL and handle searching consolidated
• The DLL view includes columns that show the working set contributions in shared, shareable, and private pages
• The DLL a Rundll32 process hosts is shown in its process tooltip
• Packed DLL highlighting in DLL view
• Image signing verification available for DLLs
• Better DLL properties dialog
• Object address shown in Object Properties dialog
• File object share flags column for Handle view

22 August 2005 Version 9.25

• CPU history in tray icon
• CPU history column
• I/O delta column
• Process security editing
• Reports loaded 32-bit DLLs on Windows 64-bit
• Support for Windows Vista
• Buffer overflow bugfix in v9.25 and higher

26 May 2005 Version 9.11
25 May 2005 Version 9.1

• x64 and x86 executables are in a single binary
• x64 kernel and user-mode stack support
• New Verified Company column shows image signer information
• Strings tab in process properties dialog has in-memory image scan option
• Highlighting for images that are packed (have compressed or encrypted code, which is common in malware)
• Window menu on process context menu allows for minmizing, maximizing, and restoring windows

5 April 2005 Version 9.03
8 February 2005 Version 9.0

• System information dialog has per-CPU graph option with hyperthreaded and NUMA processor information
• A Users menu duplicates the functionality of Task Manager's Users tab, showing Terminal Services session information and supporting logoff, disconnect, and sending messages
• On XP SP2 and higher the TCP/IP tab displays the thread stack at the time an endpoint was opened
• The tray icon context menu includes the shutdown menu
• Search engine option to use Google or MSN Search
• Object address column is available for the handle view
• Image signatures can be checked on-demand in the process properties dialog
• Process explorer is digitally signed with Sysinternals' Verisign Class 3 signing certificate

20 December 2004 Version 8.61

• This minor Version adds a Data Excecution Protection (DEP) status column to the process view on Windows XP and higher and allows copying to the clipboard from the strings and environment variable dialogs

3 December 2004 Version 8.60

• Data Execution Protection (DEP) status on process image tab and as column
• Copy-to-clipboard from process environment variable and strings dialogs
• Can select and copy text strings of process image properties page
• Multi-row tabs on process properties dialog
• Image signing verification on process image properties dialog
• Mini-CPU usage graph on toolbar
• Command-line option for specifying Process Explorer priority
• Manual refresh (F5) forces recheck of job and .NET process status
• Single-clicking on tray icon minimizes and restores main window

4 October 2004 Version 8.52

• Finder tool for identifying the process that owns a selected window
• Strings listings for process and DLL images
• Google menu item for searching process and DLL information
• Tray tooltip shows highest-CPU consuming process
• Window status column (like Task Manager's Status column on the Applications tab)
• DLL view for System process shows list of loaded device drivers

27 June 2004 Version 8.41

• This Process Explorer update includes bug fixes and display of memory tooltips on system and per-process memory usage history graphs

25 May 2004 Version 8.40

• TCP/IP process properties page shows active TCP and UDP endpoints
• Display updating code eliminates all flicker
• 64-bit Version shows which processes are 64-bit on process properties and adds 64-bit process column
• Additional opacity settings
• Improved symbol support

5 April 2004 Version 8.35

• Process Explorer is now available for Windows XP and Server 2003 64-bit Edition for x64

18 March 2004 Version 8.34

• Process Explorer now allows you to set process CPU affinity masks on multiprocessor and hyperthreaded systems

8 March 2004 Version 8.33

• This minor update includes bug fixes and now shows kernel-mode stacks in addition to user mode stacks for user-mode threads.

23 February 2004 Version 8.32

• Runs in non-admin account
• Treeview functionality to collapse and expand process subtrees
• Can bring process-owned window to the foreground
• System CPU graph shows timestamps and most-active process for any given point
• Per-process graph data tracked even when main window is minimized to tray
• Per-process graph data displays timestamps
• Tray icon has black background
• Can set process CPU affinity
• Process tooltip no longer between mouse pointer and process name
• Ability to add a comment to processes and new comment column
• More system information, including I/O deltas and paging data
• New process columns for I/O delta and page-fault delta
• More process performance information in process properties dialog
• Improved performance

9 January 2004 Version 8.20

• Can open multiple process properties dialogs simultaneously
• Process properties and thread stack dialogs are resizable
• System information dialog CPU and memory usage graphs like Task Manager
• More performance data on the System Information dialog
• Per-process CPU and memory graph tab in process properties
• Opacity settings
• New tray window context menu options
• More performance information on process properties dialog
• Lock option in shutdown menu
• Reconfigured menu items and highlighting configuration
• New status bar column options

18 November 2003 Version 8.10

• Status bar information is configurable to show CPU usage, commit charge, # of processes, and more
• Can terminate individual threads
• New Shutdown menu for logging off and shutting down the system
• Only allow one instance option
• Auto-open of lower pane when a find result is clicked

31 October 2003 Version 8.02

• .NET tab for .NET processes that shows AppDomains and .NET performance counters
• When the .NET Framework is detected a .NET tab on the column selection dialog for adding .NET performance counters
• Option to show only .NET processes
• Option to only show your own processes
• System Information dialog showing the same memory counters as Task Manager (when symbols are configured, also shows maximum paged and nonpaged pool values)
• Better symbol configuration guidance
• Difference highlight duration is configurable
• Tray icon for CPU usage that's yellow when usage is > 70% and red when > 90%
• Minimize-to-tray option
• Highlight color configuration dialog
• Context switch and context-switch delta columns
• Run processes using the system Run dialog from the File menu
• Replace task manager option so that when you run Task Manager Process Explorer runs instead
• Only non-zero CPU usage, .NET counters and context-switch values are displayed to clearly highlight process activity
• Search for DLLs or handles regardless of what mode the lower pane is in
• Correct icons for MMC windows
• Mouse hover over process names and DLL names shows full path of executable or DLL

17 September 2003 Version 7.02

• Process suspend/resume
• Thread details including stacks
• Fractional CPU usage
• Job object information
• Right-justified numeric columns with numeric formatting
• Mutex properties shows owning thread if mutex is owned
• More information in process properties
• Start time and CPU time process columns
• Option to hide the lower pane
• Kill process tree
• More accurate Registry key names for profile unload debugging
• New help file

23 May 2003 Version 6.02

• Moveable columns
• Column selection and a wide variety of configurable process, DLL and handle columns
• Asynchronous updates all views
• Refresh highlighting effects last several seconds
• Save function saves process view and current bottom view (handle or DLL)
• Minimize-to-tray option
• Service descriptions on services tab of service process properties dialog

13 November 2001 Version 5.2

• CPU usage column on Win9x
• GDI and USER handle display in process properties (Win2K/XP)
• Find dialog supports handle-type searching

30 July 2001 Version 5.1

• CPU usage column
• Session IDs on systems that have Terminal Services
• Process environment tab in process properties dialog
• Display of process tree (parent/child relationships)
• More efficient refresh
• Debug process menu item that launches registered Win32 debugger

16 June 2001 Version 5.0

• HandleEx has been renamed to Process Explorer
• Autorefresh
• Service process highlighting
• Highlight processes running in your account
• Change process priority
• Launch Depends if its on your PATH
• Displays process group membership and privilege usage
• Shows process start directory
• Improved UI and performance

17 April 2001 Version 4.0

• Support for full handle viewing on Win9x/Me (with the exception of Registry key handles)

15 January 2001 Version 3.1

• Highlights relocated DLLs
• Runs on Windows 9x/Me

26 December 2000 Version 3.0

• Process icons
• Refresh highlighting: new entries in the process, handle and DLL views are green, and deleted ones red
• Listview tooltips
• DLL descriptions in the DLL view
• Jump-to-entry in the find dialog
• Efficient refresh

14 September 2000 Version 2.26

• Close any open handle
• See the user associated with every process (previous Versions only showed the user for certain ones)

24 February 2000 Version 2.21

• HandleEx now shows memory-mapped files as modules in the DLL view
• The driver is integrated with the GUI, making a one-file image
• HandleEx uses the Win2K security editors when running on Win2K
• You can Tab between the top and bottom windows

22 October 1999 Version 2.1

• It properly handles the System Idle process in Win2K
• You can view properties and security attributes of objects, including the signal states of mutexes, events, and semaphores.
• A number of minor user-interface enhancements

8 September 1999 Version 2.01

• A number of user-interface enhancements, including full-row selection and a right-click context-menu
• A 'kill' command for terminating processes
• A 'properties' command for viewing additional information about a process or DLL
• Display of process name for process handles, and process name and thread ID for thread handles
• Parent processes are reported
• Window titles for visible windows are shown with their owning process

26 March 1998 Version 1.2

• NTHandleEx has been renamed to HandleEx
• Improved user-interface, displays DLL file time-stamps, and has a save-to-file capability

26 January 1998 Version 1.0 NTHandeleEx

Process Lasso

Cited References

• Process Explorer Official Webpage Microsoft Retrieved on December 29, 2008
• Using Process Explorer to tame svchost.exe - Advanced topics February 9, 2008
• Process Explorer Part 2 February 10, 2008
• Process Explorer Guide for Newbies February 27, 2009
• Process Explorer v11.33 page at Microsoft Technet February 4, 2009
• Sysinternals Suite at Microsoft Technet Updated continuously as of August 2009