Things to know about Process Explorer
These are the main features
Process Explorer shows dynamic information:
- Processes: threads, modules, handles, TCP connections, environment variables, etc.
- Kernel objects (through handles)
- System information (CPUs, memory, I/O, network and GPU)
- Text & graphs
- Operations on processes, threads and handles
- Search for named objects
- A few things in Process Explorer can help in identifying malware; one of them is a missing "Description" or "Company Name". Both of these are columns by default in Process Explorer.
- Determining whether a process has a verified digital signature can be done by going to "Options" and enabling "Verify Image Signatures".
- Just like the Autoruns application, Process Explorer is integrated with VirusTotal. To enable it, go to "Options", "VirusTotal.com", then select "Check VirusTotal.com". For it to work the system must be online. Once you agree to the Terms of Service, a VirusTotal column showing the submitted hashes will appear.
- Each process path can also be viewed as a command line. This is not enabled by default; to enable it, go to "View", "Select Columns", which opens a window with several column options to choose from. Here select "Command Line", then "OK".
- This column shows the process as it would appear in the Command Prompt, along with any arguments. By analyzing the arguments you may be able to determine whether an app or process is malware.
- By right-clicking on a process, opening Properties and looking at the TCP/IP tab, you can see all established connections and their remote addresses.
- To see the DLLs a process is using, select the process and press CTRL+D to open a window showing all the DLLs in use by that process.
- Pressing CTRL+H will show you all the handles the process has open through the Windows APIs.
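The same triage columns the video walks through (Description, Company Name, image signature, command line, hash for VirusTotal, established TCP connections) can be collected for every running process from PowerShell. This is an added example, not from the video or from Sysinternals; it assumes an elevated PowerShell session on Windows 8 or later (for Get-NetTCPConnection) and flags the same things the video tells you to look for.

```powershell
# Added example: rebuild Process Explorer's malware-triage columns for all processes.
# Run elevated so that the image paths of system services are readable.

# Established TCP connections grouped by owning PID (keys are strings).
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString

$report = foreach ($p in Get-CimInstance Win32_Process) {
    $path = $p.ExecutablePath
    # Kernel/protected processes expose no image path; skip them.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $info = (Get-Item -LiteralPath $path).VersionInfo   # Description / Company Name columns
    $sig  = Get-AuthenticodeSignature -FilePath $path    # "Verify Image Signatures"

    $remote = @()
    if ($connections -and $connections.ContainsKey([string]$p.ProcessId)) {
        $remote = $connections[[string]$p.ProcessId] |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Description = $info.FileDescription
        Company     = $info.CompanyName
        Signature   = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer      = $sig.SignerCertificate.Subject
        SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash  # value VirusTotal is queried with
        CommandLine = $p.CommandLine         # the "Command Line" column
        Remote      = ($remote -join ', ')   # the TCP/IP tab
    }
}

# Same heuristics as the video: empty Description or Company Name, or an image
# whose signature does not verify. These are leads for review, not verdicts.
$suspicious = $report | Where-Object {
    [string]::IsNullOrWhiteSpace($_.Description) -or
    [string]::IsNullOrWhiteSpace($_.Company) -or
    $_.Signature -ne 'Valid'
}

$suspicious | Sort-Object Signature, Name |
    Format-Table PID, Name, Company, Signature, Remote, CommandLine -AutoSize
```

Pipe `$report` to `Export-Csv` to keep the full table, including the SHA-256 values, for later hash lookups.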
Video "Things to know about Process Explorer" from the channel Jose Rodriguez
Video information
16 September 2024, 15:23:49
Duration: 00:08:25