lookimediagroup.blogg.se

Process explorer application
Process Explorer is a SysInternals utility that is pretty much an advanced version of the built-in Task Manager. It can be downloaded from the Microsoft TechNet website. This article is aimed to cover the main features of this powerful tool in detail.

The main window of Process Explorer looks like this:

The very first thing to notice about this process tree is that it looks somewhat similar to Task Manager’s Details tab, but much more colourful. The Process column of the window lists all the running processes in a tree structure demonstrating the parent-child relationship of the processes. Parent-child relationship: if a process a.exe starts b.exe, then a.exe is the parent of b.exe. For example, if you open Notepad from the Start menu (which is Windows Explorer), then explorer.exe is the parent of notepad.exe. Likewise, all the svchost.exe processes are children of services.exe. It also shows the icons of all the running processes. If you want to sort the list in alphabetical order of process names (like in Task Manager), simply click on the Process column title. Click again to reset the tree structure back.

Many processes are highlighted in different colours:
Blue: the process is running in the same security context as Process Explorer is.
Green: a new process shows up in green for a second.
Red: a process that ends shows up in red for a second, then it disappears from the tree.
White: the process meets none of the criteria mentioned above.
The default colours can be changed from Options –> Configure Colours.

The tooltip that comes up on hovering over a process name contains a lot of information about the process. The above example shows the tooltip of an svchost.exe process. The tooltip contains the command line used to start the process and the path to the image. It also shows some other process-specific details, like the services hosted by the process, the package name for Store apps, or the WMI providers for the WMI process.

Process Explorer can display so many details in this list of processes that all the columns were divided into groups. The columns to be displayed can be selected by right-clicking on any column title and selecting ‘Select Columns’. A dialog box looking like this will appear. Select the columns to be displayed and click OK.

One of the very powerful features of Process Explorer is its Lower Pane. The Lower Pane can be used to view the Handles and DLLs linked to a process. To view the Lower Pane, go to the View menu and select the ‘Show Lower Pane’ option. Right below it, there is an option for selecting whether the Lower Pane will show Handles or DLLs.

The Properties window of a process in Process Explorer contains very rich information about the process. This includes basic information like name, version, path, autostart location and DEP/ASLR status, but also some pretty cool stuff like open threads (with thread stacks), security context, strings for both the image and memory, environment variables and a lot more.

You can verify image signatures automatically when Process Explorer starts. To do this, go to Options –> Verify Image Signatures. This option comes in handy when you have to quickly analyse whether the running processes are legitimate or not. Also, Process Explorer now comes with the option to automatically scan images with VirusTotal too. Go to Options –> –> Check to submit the hash of all the running executables to VirusTotal’s engine and fetch the results. You can click on Submit Unknown Executables in the same sub-menu to upload and scan the image if its hash is not already available in VirusTotal’s database.
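The parent-child tree and the Verify Image Signatures check described above can be reproduced from PowerShell, which is useful when Process Explorer cannot be run on a host. This is an added example, not code from the original article or from SysInternals; it assumes Windows PowerShell 5.1 or later, run elevated so that ExecutablePath is populated for system processes.

```powershell
# Added example (not from the original article). Rebuilds Process Explorer's
# parent-child tree from Win32_Process and labels each image the way
# Options -> Verify Image Signatures does, via Get-AuthenticodeSignature.
# Read-only: it changes nothing on the host.

$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath

# Children indexed by parent PID, plus the set of live PIDs for root detection.
$children = @{}
$live = @{}
foreach ($p in $procs) {
    $live[$p.ProcessId] = $true
    if (-not $children.ContainsKey($p.ParentProcessId)) { $children[$p.ParentProcessId] = @() }
    $children[$p.ParentProcessId] += $p
}

# Signature result cached per path: many svchost.exe instances share one image.
$sigCache = @{}
function Get-SignatureLabel([string]$path) {
    if (-not $path) { return 'no image path (kernel or protected process)' }
    if (-not $sigCache.ContainsKey($path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $sigCache[$path] = if ($sig.Status -eq 'Valid') {
            'signed: ' + $sig.SignerCertificate.Subject
        } else {
            'UNVERIFIED: ' + $sig.Status   # NotSigned, HashMismatch, ... deserve a closer look
        }
    }
    return $sigCache[$path]
}

function Show-Tree([uint32]$parentId, [int]$depth) {
    foreach ($c in ($children[$parentId] | Sort-Object Name)) {
        '{0}{1} [{2}] {3}' -f ('  ' * $depth), $c.Name, $c.ProcessId, (Get-SignatureLabel $c.ExecutablePath)
        Show-Tree $c.ProcessId ($depth + 1)
    }
}

# Roots: processes whose parent PID is not a live process (System, or orphans
# whose parent exited); Process Explorer also shows these at top level.
# Caveat: PIDs are reused, so a stale ParentProcessId can attach an orphan
# under an unrelated process; Process Explorer compares start times to avoid this.
foreach ($p in $procs) {
    if (-not $live.ContainsKey($p.ParentProcessId) -or $p.ParentProcessId -eq $p.ProcessId) {
        '{0} [{1}] {2}' -f $p.Name, $p.ProcessId, (Get-SignatureLabel $p.ExecutablePath)
        Show-Tree $p.ProcessId 1
    }
}
```

Any line marked UNVERIFIED is the same thing Process Explorer flags in its Verified Signer column; an unsigned or hash-mismatched image running under services.exe or explorer.exe is what an analyst would look at first.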