1
00:00:02,260 --> 00:00:07,600
The Windows XP system used for illustration in these presentations has Process Explorer installed and

2
00:00:07,600 --> 00:00:14,450
ready for use. On the first launch of the program you'll be asked to accept the license.

3
00:00:14,570 --> 00:00:16,470
The programs we'll talk about now,

4
00:00:16,650 --> 00:00:19,770
Process Explorer and Process Monitor, are freeware

5
00:00:23,260 --> 00:00:26,340
that can be downloaded from Microsoft's websites.

6
00:00:28,700 --> 00:00:31,340
Let's first see how Process Explorer works.

7
00:00:34,850 --> 00:00:42,880
It's obvious at a glance that the application differs from the system tool.

8
00:00:43,040 --> 00:00:49,120
The processes shown are sorted into a hierarchical order, a process tree view that shows child and parent

9
00:00:49,120 --> 00:00:49,870
processes.

10
00:00:53,260 --> 00:01:01,030
As you can see, the Explorer process also started other processes.

11
00:01:01,140 --> 00:01:06,960
If you run a command line interface and launch a calculator in it, you'll be able to see that a command

12
00:01:06,960 --> 00:01:12,740
line interface has been started in the system environment and that it started the calculator in turn.

13
00:01:15,700 --> 00:01:19,400
The feature that allows you to view the process hierarchy is very helpful.

14
00:01:20,720 --> 00:01:25,910
You can see there that there are very many processes that are top-level.

15
00:01:26,040 --> 00:01:27,050
Let's see why.

16
00:01:29,660 --> 00:01:37,270
Right-clicking on a process displays a list of operations; you can, for example, terminate a selected process.

17
00:01:40,120 --> 00:01:42,380
After killing the command line process,

18
00:01:42,400 --> 00:01:48,710
the calculator is still running but moves to the top of the tree. Windows systems,

19
00:01:48,740 --> 00:01:54,710
unlike Linux or Unix systems, don't track or store information on child-parent relationships between processes;

20
00:01:56,740 --> 00:01:59,980
Windows can't rebuild the relationships in any way.

21
00:02:00,070 --> 00:02:05,850
The system seems to consider this redundant in the majority of cases.

22
00:02:05,850 --> 00:02:12,700
Terminating a parent process will cause its child process to move up in the process hierarchy.

23
00:02:12,890 --> 00:02:19,020
What else sets Process Explorer and Windows Task Manager apart?

24
00:02:19,230 --> 00:02:24,920
For a start, Process Explorer returns greater amounts of information.

25
00:02:24,990 --> 00:02:29,590
Let's analyze the svchost process.

26
00:02:29,600 --> 00:02:37,460
There can be several svchost.exe processes listed, as svchost runs many times, and it's actually

27
00:02:37,460 --> 00:02:40,410
not certain what processes the program has launched.

28
00:02:42,080 --> 00:02:47,120
One of the most common problems you can encounter with your computer is that svchost can use up over

29
00:02:47,120 --> 00:02:56,530
99 percent of your CPU, and we don't even know what it does or if it can be terminated. These questions

30
00:02:56,530 --> 00:03:03,160
can't be answered because svchost is simply a program that helps other processes run, and the

31
00:03:03,160 --> 00:03:06,940
problem is that Windows Task Manager doesn't display its child processes.

32
00:03:09,780 --> 00:03:15,040
Hovering the mouse over a selected process in Process Explorer is enough to discover that this instance

33
00:03:15,040 --> 00:03:17,650
of svchost launched two services.

34
00:03:21,320 --> 00:03:22,700
By right-clicking on the process,

35
00:03:22,700 --> 00:03:29,100
you can also select Properties. The properties display not only the path of the selected file and its

36
00:03:29,100 --> 00:03:32,170
configuration parameters.

37
00:03:32,220 --> 00:03:36,130
It also shows services that have been launched by it and their directories.

38
00:03:44,230 --> 00:03:49,640
Tracking individual elements is simple.

39
00:03:49,750 --> 00:03:53,930
It's also easier to notice suspicious processes.

40
00:03:53,930 --> 00:03:55,950
You can also view, in Process Explorer,

41
00:03:56,000 --> 00:04:02,310
the provider of a selected piece of software and see if the application is described.

42
00:04:02,360 --> 00:04:10,420
Also, the icon of the program is visible. All these features are missing from Windows Explorer. By clicking

43
00:04:10,420 --> 00:04:12,560
on the properties of a process,

44
00:04:12,700 --> 00:04:16,720
you can see if it establishes any network connections.

45
00:04:16,820 --> 00:04:20,120
If it does, you'll be able to see the computers to which it connects.

46
00:04:26,070 --> 00:04:30,330
You can also move to the Strings tab and see all strings that can be found in the file from which the

47
00:04:30,330 --> 00:04:33,710
process has run.

48
00:04:33,820 --> 00:04:40,550
If this file is encrypted, you can display information directly from memory.

49
00:04:40,560 --> 00:04:42,940
You can check it for any suspicious content.

50
00:04:44,440 --> 00:04:49,030
If the file is compressed, it will be highlighted in a bright color in the program's main window.

51
00:04:52,830 --> 00:04:58,670
As we mentioned, many programs can be loaded directly as system drivers.

52
00:04:58,690 --> 00:05:01,140
Let's see if there's anything that can be done with this problem.

53
00:05:02,530 --> 00:05:10,350
After highlighting the System process, you'll be able to open the program's lower pane. The pane shows

54
00:05:10,350 --> 00:05:16,680
references, for example the operations executed by a selected process or libraries loaded by the process;

55
00:05:18,280 --> 00:05:20,550
in the case of a specific process like System,

56
00:05:20,560 --> 00:05:28,080
the lower panel will contain all loaded and running drivers.

57
00:05:28,200 --> 00:05:33,930
You can display the properties of drivers in the same manner. The properties will include the directory

58
00:05:33,930 --> 00:05:40,470
in which the driver is stored and the strings that can be found in the file.

59
00:05:40,510 --> 00:05:45,250
If something seems alarming but you're not absolutely certain that it's malware, you can right-click

60
00:05:45,250 --> 00:05:51,840
on the selected process and click on Search Online.

61
00:05:51,850 --> 00:05:54,480
This will open the default web browser with search results;

62
00:05:58,140 --> 00:06:01,730
you'll be able to read the opinions and comments on the process online.

63
00:06:05,200 --> 00:06:11,920
Process Explorer shows processes and their child processes in a process tree, and overall returns much more data

64
00:06:11,920 --> 00:06:18,770
on selected processes than Windows Task Manager does, including path, description and icons.

65
00:06:18,780 --> 00:06:27,950
The tool also offers a feature for displaying operations executed by a process or the libraries it created.

66
00:06:28,050 --> 00:06:34,930
If the process is the System process, we'll see a list of drivers loaded into memory.

67
00:06:34,950 --> 00:06:40,650
The program offers detailed information on all selected objects, including strings that are contained

68
00:06:40,740 --> 00:06:49,220
inside the process or its binary image. Another edge it has over Windows Explorer is the Find option.

69
00:06:50,850 --> 00:06:51,600
After it's run,

70
00:06:51,600 --> 00:06:59,070
you can select any window. Once it's selected, the main window of Process Explorer will highlight the process

71
00:06:59,070 --> 00:07:01,560
that created the selected window on the screen.

72
00:07:04,340 --> 00:07:08,870
Often your desktop may contain elements whose origin is unknown.

73
00:07:08,900 --> 00:07:11,630
The Find feature may help us identify them. In addition,

74
00:07:14,970 --> 00:07:20,430
new processes will be highlighted in green for a moment, while processes that are terminated show in

75
00:07:20,430 --> 00:07:27,970
red. This feature is very handy, since if a process you end restarts after a while, this will be clearly

76
00:07:27,970 --> 00:07:38,680
noticeable in the main window, as rows will be highlighted in green and red.

77
00:07:38,730 --> 00:07:46,510
The last option that can help us identify unwanted software is the feature for verifying signatures.

78
00:07:46,510 --> 00:07:51,790
Let's take a look at some .exe.

79
00:07:51,870 --> 00:07:57,900
If the file was digitally signed, the Image tab would show an option for verifying the signature's correctness;

80
00:07:59,960 --> 00:08:06,020
we'd be able to see if the certificate is valid and whether or not the file had been modified. We'll

81
00:08:06,060 --> 00:08:09,730
quickly examine a process that is potentially digitally signed,

82
00:08:09,930 --> 00:08:13,050
for example procexp.exe.

83
00:08:16,180 --> 00:08:22,810
Since we've selected global verification, the Verify button is not active. At the top of the window you

84
00:08:22,810 --> 00:08:28,480
can see that the program does not simply claim to be Microsoft's, but that it has in fact been signed by

85
00:08:28,480 --> 00:08:29,800
a Microsoft certificate.

86
00:08:32,980 --> 00:08:40,420
This difference is crucial. Process Explorer will be better at detecting unwanted software than the system

87
00:08:40,420 --> 00:08:49,950
task manager and will give you the tools for investigating and looking into processes that are suspicious.

88
00:08:49,960 --> 00:08:56,950
You can see what the processes do, you can check if they have a valid signature, and also see which programs

89
00:08:56,950 --> 00:09:05,150
are network processes, and with that we've arrived at the end of the Process Explorer overview.

90
00:09:05,180 --> 00:09:06,890
We'll come back to this program in a moment,

91
00:09:06,890 --> 00:09:11,240
trying to stop sketchy processes or remove them from a system in some other way.
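As an added example, not part of the video and not Sysinternals' code, the three checks the narration performs in Process Explorer (parent/child tree, services hosted inside an svchost.exe instance, and whether an image is really signed rather than merely claiming a vendor) reproduced with built-in PowerShell cmdlets. It assumes Windows PowerShell 5.1 or later with CIM available, so it will not run on the Windows XP host shown in the video.

```powershell
# Added example, not from the video: rebuild the process tree, list the services hosted by each
# svchost.exe instance, and compare an image's claimed vendor with its Authenticode signature.
# Assumes Windows PowerShell 5.1+ with CIM available (so not the Windows XP host shown in the video).

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# 1. Parent/child tree. Windows records only the parent PID, and only while the parent lives: a child
#    whose parent has exited shows up at top level, as the video demonstrates with the calculator.
#    PIDs are reused, so a "parent" that started after its child is not treated as its parent.
function Test-IsChildOf($Child, [int]$ParentPid) {
    $parent = $byPid[$ParentPid]
    return ($null -ne $parent) -and ($Child.ProcessId -ne $ParentPid) -and
           ($parent.CreationDate -le $Child.CreationDate)
}
function Show-ProcessTree([int]$ParentPid = -1, [int]$Depth = 0) {
    $children = if ($ParentPid -lt 0) {
        $procs | Where-Object { -not (Test-IsChildOf $_ $_.ParentProcessId) }   # orphans are top-level
    } else {
        $procs | Where-Object { $_.ParentProcessId -eq $ParentPid -and (Test-IsChildOf $_ $ParentPid) }
    }
    foreach ($c in $children | Sort-Object CreationDate) {
        '{0}{1} (PID {2})' -f ('  ' * $Depth), $c.Name, $c.ProcessId
        Show-ProcessTree -ParentPid $c.ProcessId -Depth ($Depth + 1)
    }
}

# 2. Which services run inside a given svchost.exe instance (the detail Task Manager hides).
function Get-HostedServices([int]$SvcHostPid) {
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -eq $SvcHostPid } |
        Select-Object Name, DisplayName, PathName
}

# 3. Does the image merely claim a vendor in its version info, or is it actually signed?
#    Status 'Valid' means the signature chains to a trusted root and the file has not been modified.
function Get-ImageTrust([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path          = $Path
        ClaimedVendor = (Get-Item $Path).VersionInfo.CompanyName
        SigStatus     = $sig.Status
        Signer        = $sig.SignerCertificate.Subject
    }
}

Show-ProcessTree
$procs | Where-Object Name -eq 'svchost.exe' | ForEach-Object { "svchost PID $($_.ProcessId):"; Get-HostedServices $_.ProcessId }
$procs | Where-Object ExecutablePath | ForEach-Object { Get-ImageTrust $_.ExecutablePath } | Format-Table -AutoSize
```

A row whose ClaimedVendor says Microsoft but whose SigStatus is NotSigned or HashMismatch is the case the video's signature check is meant to catch.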