- Difficulty
- Beginner
Process Explorer Power Guide (Perfect Step-by-Step, With Extra Explanations)
Process Explorer is the tool you open when Task Manager is not enough.Task Manager answers “what is running” and “what is using CPU.”
Process Explorer answers “what started it,” “where is it on disk,” “what is it loading,” “what is it locking,” and “is it signed by a real publisher.”
This guide is written for beginners, but it includes the advanced workflows power users rely on every day.
What Process Explorer Is
Process Explorer is a Windows utility from Microsoft Sysinternals that shows:- A live list of processes in a parent-child tree (who launched what)
- The exact file path and command line used to start each process
- Which DLLs (modules) are loaded inside a process
- Which handles a process currently holds (files, registry keys, mutexes, pipes)
- Powerful search tools to find “who has this file open?” or “who loaded this DLL?”
Safety First: What Not to Do While Learning
Process Explorer can stop or break things if you use it like a hammer.Avoid these actions until you understand the consequences:
- Do not use “Kill Process” on system processes (you can crash Windows).
- Do not use “Close Handle” as a first attempt (it can corrupt apps or break updates).
- Do not delete files from System32 just because a name looks suspicious.
Then decide what action is safe.
Download and Run Process Explorer Safely
Where to get it
Only download it from official Microsoft Sysinternals sources.The safest place is the Microsoft Learn page for Process Explorer.
Extract it properly
Process Explorer is usually provided as a ZIP.- Right-click the ZIP.
- Click Properties.
- If you see Unblock, check it and click Apply.
- Extract the ZIP to a folder you can find easily, like:
- C:\Tools\Sysinternals\ProcessExplorer
Run it as Administrator
Running as admin lets Process Explorer see more details.- Right-click procexp.exe (or procexp64.exe if present).
- Click Run as administrator.
- If you get a prompt, click Yes.
The Interface, Explained Simply
When Process Explorer opens, you are looking at two main areas:1) Top pane: the process tree
This is a list of everything running.What makes it special is the tree structure:
- Parent process (the “starter”)
- Child process (the “thing that was launched”)
If you see a suspicious process, the parent often tells you the story.
Example:
- If chrome.exe started chrome.exe children, that’s normal.
- If a random unknown process started powershell.exe, that can be a red flag.
2) Bottom pane: DLLs or Handles
The bottom pane is optional but incredibly powerful.- DLL view shows what modules are loaded inside the selected process.
- Handles view shows what files and objects the process currently has open.
First-Time Setup (Do These 5 Things)
1) Show details for all processes
This unlocks visibility into more system processes.- Click File
- Click Show Details for All Processes
2) Turn on the lower pane
- Click View
- Click Show Lower Pane
3) Choose what the lower pane shows
- Click View
- Click Lower Pane View
- Choose Handles or DLLs
- Use Handles when files are locked or you cannot delete something.
- Use DLLs when you suspect injection, weird modules, or add-ons.
4) Make the process list readable: add key columns
Columns are everything. Without them, beginners get lost.- Click View
- Click Select Columns…
Identity and trust
- Company Name
- Description
- Verified Signer (after we enable signature verification)
- User Name
- Integrity Level (helps you see privilege level)
- Image Path
- Command Line
- Parent PID (if available)
- CPU
- Private Bytes
- Working Set
- Working Set is how much physical RAM the process is using right now.
- Private Bytes is memory the process has allocated that cannot be shared with others.
- If Private Bytes steadily grows and never comes down, it can suggest a memory leak.
5) Turn on signature verification (very important)
This helps you quickly separate known publishers from unknown binaries.- Click Options
- Click Verify Image Signatures
Important explanation:
- A valid signature is a trust signal, not a guarantee.
- Malware can be signed sometimes, but most random junk is unsigned.
Unsigned plus weird folder location plus weird command line deserves attention.
Optional Advanced Feature: VirusTotal Checking (Use Carefully)
Process Explorer can optionally show a VirusTotal detection ratio for running processes.What it is good for:
- Quick reputation signal
- Identifying obvious known malware
- A final verdict
- Click Options
- Look for VirusTotal or Check VirusTotal
- Accept terms if prompted
- 0/xx does not mean safe. It means not flagged right now.
- 1 to 3/xx could be false positives. Investigate context.
- High detections plus suspicious path is a strong warning pattern.
Some options may submit hashes or unknown files. Only enable submission if you understand what it shares.
The 7 Power Workflows You Will Actually Use
Workflow 1: Find what is locking a file (the most common use)
Problem: You try to delete a file, rename it, or update it, and Windows says it is “in use.”Solution:
- Open Process Explorer as admin.
- Click Find
- Click Find Handle or DLL…
- Type part of the file name (example: report.docx or setup.msi)
- Click Search
- Double-click the result.
- The process holding it
- The exact handle entry in the lower pane
- Try closing the application normally.
- If it is hidden, close it from the system tray.
- If it is stuck, consider killing that process only if you understand what it is.
Workflow 2: Identify a suspicious process fast (triage checklist)
When something looks odd, do not guess. Follow a checklist.- Name
- Suspicious names often imitate Windows files with slight changes.
- Image Path
Right-click the process → Properties → look at the path.
- Running from AppData\Roaming, AppData\Local\Temp, random folders
- A “system” name running outside C:\Windows\System32
- Command Line
This shows how it was started.
- Long encoded strings
- Hidden flags
- URLs
- Strange parameters that do not match the app
- Parent process
Look at who launched it in the tree.
- Unknown parent launching browsers repeatedly
- Unknown parent launching PowerShell, wscript, mshta, rundll32 unexpectedly
- Verified Signer
- Verified signer from a known vendor is reassuring.
- Unsigned is not automatically malicious, but it increases risk.
- User Name and Integrity
- A process running as SYSTEM or High integrity when it should not is suspicious.
If 3 or more red flags show up, stop and collect evidence for your forum thread.
Workflow 3: “What is using my CPU right now?”
- Click the CPU column header to sort descending.
- Click the top process.
- Right-click → Properties.
- Go to Threads tab (if available).
- Sort threads by CPU.
Sometimes a process is high CPU because one thread is stuck in a loop. Threads view helps you see the hot spot.
Advanced next step:
Configure symbols so stack traces become readable. That’s optional and explained later.
Workflow 4: “What is eating my RAM?”
- Click Private Bytes column to sort.
- Observe the top consumers.
- Watch for growth over time, not one moment.
- A process whose Private Bytes climbs steadily for minutes.
- A browser with many tabs can be big. That can be normal.
- A small unknown process using huge memory is weird.
- Take notes every 30 seconds for 3 to 5 minutes.
- If the number never stabilizes, investigate that app.
Workflow 5: Inspect loaded DLLs (catch injections, shady modules, broken add-ons)
This is especially useful for:- Browser toolbars
- Injectors
- Strange overlays
- Crashes caused by third-party modules
- Click View → Show Lower Pane
- Click View → Lower Pane View → DLLs
- Click the suspicious process in the top pane.
- Review the DLL list.
- DLLs loading from Temp folders or unusual AppData locations
- DLL names that are random, or do not match the main program
- DLLs from unknown vendors that are inside a trusted process
Workflow 6: Kill a process safely (without making things worse)
Killing processes is sometimes necessary, but do it carefully.Safe sequence:
- Try to close the app normally first.
- If it is frozen, right-click the process → Kill Process.
- If there are child processes, consider Kill Process Tree only when you are sure those children belong to the same app.
Never kill system processes like winlogon.exe, csrss.exe, lsass.exe, services.exe.
If you do not recognize a process, do not kill it blindly. Check path and signer first.
Workflow 7: Confirm “what started on boot”
This is helpful when a user says: “Every restart it comes back.”Steps:
- In the process tree, look for processes with odd parents.
- Check the image path and command line.
- If it looks persistent, your next tool is usually Autoruns (another Sysinternals tool) to find startup entries.
Autoruns helps you find where it persists.
The Properties Window (The Most Important Place Beginners Miss)
When you right-click a process in Process Explorer and choose Properties, you are opening the most useful screen in the entire tool.
The main process list is great for spotting “something odd.”
The Properties window is where you prove what it is, where it lives, how it started, and what it is doing.
If you are helping someone on a forum, this is also where you get the clean, shareable facts that let other helpers make confident decisions.
How to Open It (And Why It Matters)
- In Process Explorer, find the process in the top pane.
- Right-click it.
- Click Properties.
Beginner tip: do not skim. Read the Image tab carefully first, because it usually tells the story immediately.
Image Tab (Your Main Investigation Tab)
Think of the Image tab as the process’s ID card.It tells you where the program is actually running from and exactly how it was launched. For investigation, those are the two biggest clues.
What you will see and how to interpret it
Full path to the executable (Image Path)
This is the exact file location on disk.Why it matters:
- Legit software usually runs from predictable locations.
- Unwanted software often runs from user-writable folders so it can hide and persist.
- C:\Windows\System32\... (core Windows components)
- C:\Program Files\... or C:\Program Files (x86)\... (installed applications)
- C:\Users\<name>\AppData\Local\Programs\... (some legit apps install here, but still worth checking)
- C:\Users\<name>\AppData\Local\Temp\...
- C:\Users\<name>\AppData\Roaming\... with random folder names
- A “Windows-looking” name running from a non-Windows directory
- Multiple copies of the same exe in different strange folders
If the path looks odd, take a screenshot before you do anything else.
Command Line
This is the exact command used to start the process.It often includes:
- Startup switches
- Configuration files
- URLs
- Script references
- Encoded payloads
- Very long strings that look encoded
- References to PowerShell, wscript, mshta, rundll32, regsvr32
- URLs or IP addresses in the command line
- Strange parameters for a program that should not need them
Two processes can have the same name, but the command line reveals what they are truly doing.
Example logic:
- chrome.exe with normal switches is expected.
- An unknown process launching chrome.exe with a weird URL and hidden flags is worth investigating.
Current Directory
This is the working folder the process uses by default.Why it matters:
Many droppers and adware families run from a folder and expect supporting files next to them. If the current directory is a Temp folder or a weird AppData path, it supports the suspicion raised by the image path.
User
Shows which Windows account is running the process.Why it matters:
- Normal apps usually run under your user account.
- Some processes run under SYSTEM or service accounts, which can be normal for Windows components.
- A random unknown process running as SYSTEM is worth deeper attention.
Signer / Verified Signer (sometimes shown here or via columns)
If signature verification is enabled, you may see signer details.How to interpret:
- “Verified” from a known vendor is a positive signal.
- “Unable to verify” could be a network issue, certificate issue, or truly unsigned.
- “Not signed” plus weird path is a strong red-flag combo.
What to do with the Image tab for forum evidence
If you are collecting evidence for a help thread, capture:- The full image path
- The command line
- The parent process name (you can see it in the tree or sometimes in properties)
- The signer status
Screenshot the Image tab. It saves time and avoids typos.
Performance Tab (Confirm the Problem Is Real)
The Performance tab answers: “Is this process actually causing the slowdown, or is it just present?”Beginners often panic when they see a process name they do not recognize. The Performance tab helps you separate “weird but idle” from “weird and actively harming performance.”
What you typically see
CPU time and current CPU usage
- Current CPU usage shows what it is doing right now.
- CPU time shows how much it has consumed since it started.
- A process that spikes CPU briefly can be normal.
- A process that sits at high CPU for minutes is worth investigation.
Memory metrics
You may see values like:- Working Set
- Private Bytes
- Working Set is the physical RAM in use.
- Private Bytes is memory that belongs only to that process.
Trends. If Private Bytes keeps climbing steadily, it can suggest a leak or malicious behavior. A single high number can be normal depending on the app.
I/O Activity (Disk reads/writes)
Disk activity can explain:- Constant drive usage
- Slowness even when CPU is low
- Fan noise and heat from heavy disk usage
A background process writing constantly to disk while also being unknown and unsigned.
A simple test you can do
Watch the Performance tab for 30 to 60 seconds.If CPU, memory, or I/O are clearly active and not settling down, the process is doing real work. That is when deeper investigation matters.
Threads Tab (Find the Exact “Stuck” Part)
The Threads tab is where you go when:- The process uses high CPU but you cannot tell why
- The app is frozen
- Your browser or security tool is stuck
- You want to identify one hot thread instead of blaming the whole process
What you’ll see
A list of threads inside that process, often with:- CPU usage per thread
- Start address (what started the thread)
- Module name (sometimes)
- Possibly stack information (more useful with symbols configured)
- Open Properties → Threads.
- Click the CPU column to sort highest first.
- Look at the top thread.
- If one thread is burning CPU, the problem is localized.
- If multiple threads are busy, the whole process is active.
Do not terminate threads one-by-one. That can crash the program.
Threads are mainly for diagnosis and evidence gathering.
TCP/IP Tab (If Present): What Is This Talking To?
The TCP/IP tab answers: “Is this process communicating over the network right now?”This is extremely useful when someone says:
- “Why is this connecting to the internet?”
- “Why is my firewall showing this?”
- “Why am I seeing strange domains in my logs?”
What you typically see
- Remote IP addresses and ports
- Connection states (established, listening, etc.)
- Possibly remote hostnames depending on version and resolution
- A browser connecting to many domains is normal.
- A background process with a weird name connecting to unknown IPs can be suspicious.
Do not jump to conclusions from one connection. Many legitimate apps connect to CDNs and cloud services.
Instead, combine signals:
- suspicious path + unsigned + weird connections = investigate
- signed + known vendor + normal install path = usually fine
Why the TCP/IP tab might be missing
Not all versions show it the same way, and sometimes you may need to enable certain view options or run as admin. It can also vary with Windows version and permissions.If you cannot see network connections here, a common next step is to use a dedicated network tool or Windows built-in resource monitors, but Process Explorer is still great for the rest of the triage.
Practical “Beginner Workflow” Using Properties (Do This Every Time)
If a process looks suspicious, do this in order:- Open Properties
- Read the Image tab
- Path, command line, signer, user
- Check Performance
- Is it actually doing anything heavy?
- Check Threads if CPU is high
- Which thread is hot?
- Check TCP/IP if network behavior is part of the complaint
- Screenshot the Image tab (and TCP/IP tab if relevant) for your forum thread
Configure Symbols (Advanced, Optional, Worth It)
Symbols make deep debugging readable.Without symbols:
- You see raw addresses and unclear stack info.
- You can see function names and better call stacks.
- Diagnosing repeated crashes
- High CPU thread analysis where you want deeper clues
- Click Options
- Click Configure Symbols…
- Set a local cache folder like C:\Symbols
- Use the Microsoft symbol server path (commonly used in Windows debugging)
How to Collect Perfect Evidence for a Forum Help Thread
If you want helpers to solve the issue quickly, capture consistent details.For a suspicious process, collect:
- Process name
- PID
- Full image path
- Command line
- Parent process name
- Verified signer status (and company name)
- User name and integrity level
- VirusTotal ratio (only if enabled)
- A screenshot of the Properties Image tab
- Right-click the process → Properties
- Screenshot the Image tab
- Copy the command line text if possible
Common Beginner Mistakes (And How to Avoid Them)
Mistake: “It’s signed so it’s safe”
Signed is better than unsigned, but not perfect.Use it as one data point.
Mistake: “VirusTotal says 0, so it’s clean”
A low score is not a guarantee.New threats can be undetected.
Mistake: Killing processes too early
You lose evidence and sometimes cause bigger problems.Observe first, capture details, then act.
Mistake: Closing random handles
Closing handles can break apps and corrupt files.Use handle search to identify the process, then close the program normally.
Quick Cheat Sheet
If a file is “in use”
- Find → Find Handle or DLL → search file name → jump to process → close the app
If CPU is high
- Sort by CPU → Properties → Threads → identify hot thread
If something looks suspicious
- Check path → check command line → check parent → check signer → collect screenshot
If it keeps coming back after reboot
- Identify the running process → then use Autoruns to find persistence
FAQ
Can I break Windows with Process Explorer?
Yes, if you kill critical system processes or close random handles.If you mostly observe, check properties, and collect info, it is safe.
Why do I see multiple “svchost.exe” processes?
That is normal. Windows uses service host processes to run many services.Your job is to look at path and signer and confirm it’s the real Windows one.
What is the single most important thing to check for a suspicious process?
The Image Path and Command Line in Properties.Malware often reveals itself by where it runs from and how it launches.
Why does the parent process matter so much?
Because it tells you the launch chain.A normal parent-child relationship usually looks normal. Weird chains often point to infection or unwanted software.
When should I use “Kill Process Tree”?
When you are sure the parent process and its children are part of the same unwanted program.If you do not understand the tree, use Kill Process on the specific offending process only, or ask for help.
What if I cannot find a suspicious process in Process Explorer?
It might have already exited, or it might be a scheduled task that runs briefly.In those cases, tools like Autoruns, Task Scheduler inspection, or event logs are usually the next step.
