Process Properties

Process Explorer

You can view additional details for a process by double-clicking on it, or by selecting it and using the Process|Properties menu item or the properties toolbar button. On Windows 9x systems the dialog shows version information for the process image, the full path of the process image file, and the command line used to launch the process. On Windows NT and higher there are several tabs in the dialog, described below. Any dynamic data, such as performance information, updates at the refresh rate currently selected for Process Explorer. You can manually refresh dynamic information by pressing F5 in a page.

Image:

This page shows version information extracted from the process' image file, the full path of the image file and the command-line that launched the process. It also shows the current directory of the process, the user account in which the process is running, the name of the process' parent process, and the time at which the process started execution.

Process Explorer checks whether an image has been digitally signed by a certificate root authority trusted by the computer and displays the status of the check, which is either "Trusted" (signed), "Unsigned", or "Not Verified" (signature has not been checked). You can press the Verify button to have Process Explorer check the signature of an image that has not been verified. Note that the verification operation can result in Process Explorer contacting web sites to check for certificate validity. See the Verify Image Signatures option.

Enter a comment for a process in the Comment field. Comments are visible in the process view in the Comment column, or if you do not have the comment column selected, in the tool tip that displays when you hover the mouse over a process. Comments apply to all processes with the same path and are remembered from execution to execution.

On systems that support Data Execution Protection (DEP), Process Explorer shows the DEP status of the selected process as either "on" or "off". Software DEP is currently supported by Windows XP SP2 and higher on 32-bit x86 systems whereas hardware DEP is available only on 64-bit versions of Windows. You can also view DEP status by adding the corresponding DEP Status column to the process view.

Malware, including viruses, spyware, and adware, is often stored in a packed, encrypted form on disk in an attempt to hide the code it contains from antispyware and antivirus software. Process Explorer uses a heuristic to determine if an image is packed and, if it is, changes the text above the full path display field to include "(Image is probably packed)".

Performance:

Memory and CPU performance data displays on this page, including physical and virtual memory, and CPU usage. The data refreshes at the same interval that the main display does.

Performance Graph:

A history of a process' CPU usage and its private bytes allocation is shown in Task Manager-like graphs on this page. Red in the CPU usage graph indicates CPU usage in kernel mode, whereas green is the sum of kernel-mode and user-mode execution. Private Bytes represents the amount of private virtual memory a process has allocated and is the value that will keep rising for a process with a memory leak bug. Note that while the System Information performance graphs update while Process Explorer is minimized to the tray, these graphs do not. The private bytes usage graphs are scaled against the peak amount of private bytes the process has allocated; if the peak grows, the graphs recalculate their scales. In the I/O graph the blue line indicates total I/O traffic between refreshes, which is the sum of all process I/O reads and writes, and the pink line shows write traffic. The I/O graph is scaled against the peak I/O traffic the process has generated since the start of monitoring.

Moving the mouse over part of a graph results in the time of the corresponding data point being shown in the graph as a popup either on the far left or right.

Threads:

The list of the threads running in the process is shown on this tab. The thread list shows start address information that's provided by the Windows symbol engine. If you want to see accurate names for start addresses, follow the directions for configuring symbols.

The Module button on the threads page launches Explorer's file properties dialog box for the image file that contains the start address of the currently selected thread. The Stack button shows the current stack of the selected thread. Stack information is unreliable unless symbol files are available for the process and the DLLs referenced in the stack.

Use the Kill button to terminate a thread. Note that terminating a thread may lead to a crash or erratic behavior of the process.

Use the Suspend button to suspend a thread. Note that suspending a thread may cause its process to stop executing.

TCP/IP:

Any active TCP and UDP endpoints owned by the process are shown on this page.

On Windows XP SP2 and higher this page includes a Stack button that opens a dialog that shows the stack of the thread that opened the selected endpoint at the time of the open. This is useful for identifying the purpose of endpoints in the System process and Svchost processes because the stack will include the name of the driver or service that is responsible for the endpoint.

Security:

Process Explorer reports the list of groups and privileges listed in the security token of the process on this page. Privileges shown in grey are disabled. The permissions button opens a permissions editor that shows the access permissions assigned to the process.

Job:

This tab is present only for processes that are part of a Win32 Job. The Job page shows the list of processes that are part of the same job and the limits that are applied to the job.

.NET Assemblies:

This tab is present on Windows Vista and higher when Process Explorer runs with administrative rights and only for managed processes, which are those that use the .NET Framework. AppDomains and the assemblies loaded in each are displayed in a tree view.

.NET Performance:

This tab is present only for managed processes, which are those that use the .NET Framework. The AppDomains present in the process are shown, as well as the available .NET performance counter objects. Select a .NET performance object to see the values of the object's counters. The counters update at the currently selected refresh interval, and you can press F5 to manually refresh.

Services:

This tab is present only for processes that are executing Win32 services, and lists the services running within the process. Process Explorer shows a service's name and display name, and on Windows 2000 and higher, if available, the service's description. The permissions button opens a permissions editor that shows the access permissions assigned to the service.

Environment:

The environment variables associated with the process are shown on this page.

Strings:

All printable strings of at least 3 characters in length are displayed on this page. Image strings are read from the process image file on disk, whereas Memory strings are read from the image's in-memory storage. Memory strings may differ from the on-disk strings when an image decompresses or decrypts itself as it loads into memory.
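The on-disk versus in-memory difference described above, as an added Python illustration that is not Process Explorer's own code: it applies the same "printable, at least 3 characters" rule to a constructed fake image whose payload is XOR-0xFF obfuscated on disk and in clear once "loaded", then lists the strings that exist only in memory. The sample bytes, the XOR scheme and all names are constructed for the demo.

```python
import re
from typing import List, Tuple

MIN_LEN = 3  # Process Explorer's Strings tab shows strings of at least 3 characters


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars, in offset order."""
    found: List[Tuple[int, str]] = []
    # Printable ASCII runs: space (0x20) through tilde (0x7e)
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    # UTF-16LE runs: each printable ASCII byte followed by a NUL byte
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [s for _, s in found]


def memory_only_strings(image_bytes: bytes, memory_bytes: bytes) -> List[str]:
    """Strings visible in the in-memory copy but absent from the on-disk image.

    A large set here is what a self-decrypting or unpacking image produces; a
    clean, unpacked image yields little beyond runtime-allocated data."""
    on_disk = set(extract_strings(image_bytes))
    return [s for s in extract_strings(memory_bytes) if s not in on_disk]


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample (not a real PE): a stub header followed by a payload
    that is XOR 0xFF on disk (every printable byte lands outside 0x20-0x7e)
    and in clear in the 'loaded' copy."""
    header = b"MZ\x90\x00" + b"This program cannot be run in DOS mode\r\n"
    payload = "wide-string".encode("utf-16-le") + b"secret-config-key\x00"
    on_disk = header + bytes(b ^ 0xFF for b in payload)
    in_memory = header + payload
    return on_disk, in_memory


if __name__ == "__main__":
    disk, mem = build_sample_images()
    print("Image strings: ", extract_strings(disk))
    print("Memory strings:", extract_strings(mem))
    print("Memory only:   ", memory_only_strings(disk, mem))
```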