Process Explorer - Taking a Screenshot of Process Explorer.
Table of Contents
- Introduction to Process Explorer
- Getting and Running Process Explorer
- Taking screenshots of Process Explorer, with some example screenshots
1) Introduction to Process Explorer
Process Explorer is a lot like Task Manager, the program you reach by pressing CTRL+ALT+DELETE. Task Manager displays process information such as the process name, memory usage and other application details, but what it shows is rather limited compared to what Process Explorer can show you. With Process Explorer you can see the entire process tree for a particular application, which consists of every process that was started by the original process, or parent, in the tree.
Process Explorer has many different uses, such as examining which processes are active and which processes are making connections to outside computers. In this guide I will demonstrate the kinds of information you can glean from Process Explorer as opposed to Task Manager.
2) Getting and Running Process Explorer
Getting Process Explorer is easy; just use the link below:
Download Process Explorer
This is a completely free tool that is easy to run. You do not have to install anything, as it is just an executable program that runs on various Windows operating systems. Process Explorer is only available for Windows XP, Windows Vista, Windows 7, Windows 2003 and Windows 2008 (including their IA 64-bit counterparts).
Opening and running Process Explorer is quite easy:
After downloading the zipped file you will need to unzip it before you can use it, so remember where you downloaded the file and where it was saved. For example, I have a folder called Downloads on my other drive, and I have Firefox and Internet Explorer set to save files to that location. Consult the following images to find the download folder for Firefox and Internet Explorer.
1) Firefox Default Download Location:
You can get to that window via Tools then Options, and you will want to look at the General Tab.
2) Internet Explorer will use the last location that you saved a file to. For me it is on my other drive, as seen in my screenshot. You can choose Open, Save or Cancel: Open opens the file automatically after it is downloaded, Save saves the file to a location of your choice so you can use it again later, and Cancel stops the download. I would recommend that you save it for future use, as it is a very useful tool.
Now that we have noted where we saved it after downloading, we need to extract it. You can use your favorite unzipping tool such as WinRAR, WinZip or 7-Zip, or you can use the Compressed Folders feature that comes with Windows XP and later.
After locating the file ProcessExplorer.zip, you will want to do the following:
The easiest way is to double-click it and read the on-screen instructions for how to extract/unzip it. I am going to use Windows Compressed Folders for ease of use, since everyone has that already.
1) Right click the file.
2) Select Extract All and the following Window will come up:
At this point you can extract the needed files anywhere on your computer, but I am going to pick D:\downloads\ProcessExplorer for the destination. Just hit , and we are almost done. Upon successful extraction the following image will be seen.
3) Final Process of extracting Process Explorer from the Zipped file.
Now all you need to do to run Process Explorer is double-click the file called procexp.exe, and you are ready to use Process Explorer.
3) Taking screenshots of Process Explorer, with some example screenshots
When asked to take a screenshot, press Alt+Prt Scn (the Print Screen key sits above the Home, End, Page Up, Page Down and Delete keys), then open your favorite image editor: The GIMP, which is a free image editing program; MSPaint, which is installed by default on most systems; Paint.NET, which is also free; or any of the many others available. Go to Edit and hit Paste, then go to File and Save As, naming the file filename.jpg or something easy to remember. After that, head over to a free image hosting website such as ImageShack.us or Photobucket.com (there are many others; those are just the most popular). If you run a custom site of your own, you can use that storage and web space to host your images (keep in mind your bandwidth limits).
Now that you have taken the screenshots and hosted them on your web space, you can post them to a new topic, or to a current one you have started, by doing the following:
Some of the images that may be of use are as follows:
1) Process Explorer Main
Along the top you will notice various column headers such as Process, PID, CPU, Company Name, User Name, Path and Image Type. These are all used to verify what a process is doing, how much CPU time it is taking up, which user the process is running as, and the process path (which can be used to determine whether a process is legitimate).
2) Here is a graphical representation of the colors that you will see in the main window. As you can see, you can also change the colors used in the main window.
3) The image below is what you get when you mouse over a particular process: you can see what is running under that process or service. This is extremely useful for seeing what the svchost processes are actually doing:
4) The image below shows a particular process's properties, which tell us what is running under that process. You will notice the various tabs in the screenshot. Each tab tells you something that the process is doing, such as which ports the process is using to communicate with the computer and with other processes. You can open this by right-clicking on a process and selecting Properties.
Why would you want to take a screenshot of Process Explorer?
The output below is very disorganized; it is what you get when you save a text-based representation of Process Explorer. A graphical representation of Process Explorer and the active processes shows more accurately what is running, without spending a lot of time analyzing a file that is barely readable by a human.
Process PID CPU Description Company Name User Name Path Image Type
aim.exe 4412 AOL Instant Messenger America Online, Inc. alphacentari\cryptodan C:\Program Files (x86)\AIM\aim.exe 32-bit
AOLacsd.exe 1396 AOL Connectivity Service AOL LLC NT AUTHORITY\SYSTEM C:\Program Files (x86)\Common Files\aol\acs\AOLacsd.exe 32-bit
audiodg.exe 1208 0.39 Windows Audio Device Graph Isolation Microsoft Corporation NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\audiodg.exe n/a
csrss.exe 648 Client Server Runtime Process Microsoft Corporation NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe 64-bit
csrss.exe 716 Client Server Runtime Process Microsoft Corporation NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe 64-bit
dllhost.exe 1508 COM Surrogate Microsoft Corporation NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe 64-bit
DPCs n/a 1.16 Deferred Procedure Calls 64-bit
As you can see, a screenshot of Process Explorer is much easier to read than the text-based output that File and Save As produces.
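If you do end up with only the text-based file, it can still be made readable. The Python script below is an added example, not part of this tutorial: it reads the saved text back into one record per process, lays the columns out the way the main window does, and applies the User Name and Path check from section 3 to each row. It assumes the saved file is tab-separated with the column header on the first line; the sample rows are constructed from the output above.

```python
"""Read the text that Process Explorer's File > Save As writes back into
records and lay them out readably.  Added example, not from the tutorial;
assumes a tab-separated file with the column header on the first line.
ROWS is constructed from the rows quoted on the page."""

ROWS = [  # constructed sample; a blank CPU means the column was empty
    ["Process", "PID", "CPU", "Description", "Company Name", "User Name", "Path", "Image Type"],
    ["aim.exe", "4412", "", "AOL Instant Messenger", "America Online, Inc.", r"alphacentari\cryptodan", r"C:\Program Files (x86)\AIM\aim.exe", "32-bit"],
    ["AOLacsd.exe", "1396", "", "AOL Connectivity Service", "AOL LLC", r"NT AUTHORITY\SYSTEM", r"C:\Program Files (x86)\Common Files\aol\acs\AOLacsd.exe", "32-bit"],
    ["audiodg.exe", "1208", "0.39", "Windows Audio Device Graph Isolation", "Microsoft Corporation", r"NT AUTHORITY\LOCAL SERVICE", r"C:\Windows\System32\audiodg.exe", "n/a"],
    ["csrss.exe", "648", "", "Client Server Runtime Process", "Microsoft Corporation", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\csrss.exe", "64-bit"],
    ["csrss.exe", "716", "", "Client Server Runtime Process", "Microsoft Corporation", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\csrss.exe", "64-bit"],
    ["dllhost.exe", "1508", "", "COM Surrogate", "Microsoft Corporation", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\dllhost.exe", "64-bit"],
    ["DPCs", "n/a", "1.16", "Deferred Procedure Calls", "", "", "", "64-bit"],
]
SAMPLE = "\n".join("\t".join(row) for row in ROWS) + "\n"

def parse_procexp(text):
    """One dict per process, keyed by the header names; short rows are padded."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    records = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        fields += [""] * (len(header) - len(fields))
        records.append(dict(zip(header, fields)))
    return records

def as_table(records, columns=("Process", "PID", "User Name", "Path")):
    """Aligned columns, the way the main window lays them out."""
    widths = [max(len(c), *(len(r[c]) for r in records)) for c in columns]
    rows = [columns] + [tuple(r[c] for c in columns) for r in records]
    return "\n".join("  ".join(v.ljust(w) for v, w in zip(row, widths)).rstrip() for row in rows)

def review(records, system_root="C:\\Windows\\"):
    """Rows a reader of the screenshot would stop on: a process running as
    SYSTEM whose Path lies outside the Windows directory.  Kernel pseudo-rows
    (PID n/a, such as DPCs) carry no path and are skipped."""
    notes = []
    for r in records:
        if r["PID"] == "n/a":
            continue
        if r["User Name"] == "NT AUTHORITY\\SYSTEM" and not r["Path"].lower().startswith(system_root.lower()):
            notes.append((r["Process"], r["PID"], "runs as SYSTEM outside " + system_root))
    return notes

if __name__ == "__main__":
    print(as_table(parse_procexp(SAMPLE)))
    print(review(parse_procexp(SAMPLE)))
```

A row flagged by review is not automatically bad (the AOL service above is a legitimate third-party service), it is simply the row the path and user columns tell you to look at more closely.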
If you want to see the actual file then visit the following link: Process Explorer Text Based Capture