How many times per week do you use Task Manager? Depending on your role in IT, you could be using Task Manager anywhere from 3 to 25 times per week. Over the course of a year, an IT pro can end up spending quite a lot of time looking at Task Manager, so why settle for anything less than optimal?
In this article, I give you five good reasons for making the switch and replacing Task Manager with the free Sysinternals Process Explorer. Sysinternals co-founder Mark Russinovich has been steadily updating many of the Sysinternals utilities by adding Windows 8 support, fixing bugs, and adding new features. (Editor’s Note: Download the latest Sysinternals utilities, including Sysinternals Process Explorer, from the Microsoft Sysinternals website.)
1. Color-coded processes
You might not think at first glance that color coding your processes is much to get excited about (and believe me, I keep my excitement about color coding in check). Still, it is an understated and genuinely useful feature: not only can you see at a glance which processes are service processes and which are user processes (the picture below shows the typical color-coding separation), but the coloring also carries some important security information.
Opening Options and selecting Configure Colors shows that one of the color-coding classifications available in Process Explorer is whether the process contains packed images. A packed image is an executable or DLL whose contents have been compressed or encrypted on disk so that its code cannot be inspected directly by the operating system or by analysis tools; it is unpacked only in memory when it runs. A few legitimate software packages use packed images, but you are very likely to recognize those processes as security software that you are running. However, if you see what looks like a normal system process such as WinDebug (misspelling intentional) flagged as a packed image, regard it as a red flag and immediately zero in on that process to verify its legitimacy.
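To show what "packed" means in practice, here is an added PowerShell example (not from the article and not Process Explorer's own, undocumented heuristic) that walks the PE section table of every running process's main image and reports executable sections whose byte entropy is close to 8 bits per byte, the signature of compressed or encrypted code. The 7.0 threshold is a constructed assumption; tune it against images you know are clean.

```powershell
# Shannon entropy in bits per byte: values near 8 indicate compressed or encrypted content.
function Get-ShannonEntropy([byte[]]$Bytes) {
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $entropy -= $p * [Math]::Log($p, 2) }
    }
    return $entropy
}

# Walk the PE section table and report each section's name, entropy and executable flag.
function Get-PeSectionEntropy([string]$Path) {
    $data = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($data, 0x3C)                          # e_lfanew -> "PE\0\0"
    if ([BitConverter]::ToUInt32($data, $pe) -ne 0x4550) { return }
    $numSections = [BitConverter]::ToUInt16($data, $pe + 6)
    $optHdrSize  = [BitConverter]::ToUInt16($data, $pe + 20)
    $table = $pe + 24 + $optHdrSize                                      # first IMAGE_SECTION_HEADER
    for ($i = 0; $i -lt $numSections; $i++) {
        $hdr = $table + ($i * 40)                                        # each header is 40 bytes
        $name    = [System.Text.Encoding]::ASCII.GetString($data, $hdr, 8).TrimEnd([char]0)
        $rawSize = [int][BitConverter]::ToUInt32($data, $hdr + 16)      # SizeOfRawData
        $rawPtr  = [int][BitConverter]::ToUInt32($data, $hdr + 20)      # PointerToRawData
        $chars   = [BitConverter]::ToUInt32($data, $hdr + 36)           # Characteristics
        if ($rawSize -le 0 -or $rawPtr + $rawSize -gt $data.Length) { continue }
        $section = New-Object byte[] $rawSize
        [Array]::Copy($data, $rawPtr, $section, 0, $rawSize)
        [PSCustomObject]@{
            Section    = $name
            Entropy    = [Math]::Round((Get-ShannonEntropy $section), 2)
            Executable = (($chars -band 0x20000000) -ne 0)              # IMAGE_SCN_MEM_EXECUTE
        }
    }
}

# Constructed threshold: executable sections at or above it are reported as likely packed.
$threshold = 7.0
foreach ($proc in Get-Process | Where-Object { $_.Path }) {
    try {
        $hot = Get-PeSectionEntropy $proc.Path | Where-Object { $_.Executable -and $_.Entropy -ge $threshold }
        if ($hot) { "{0} (PID {1}): high-entropy code sections: {2}" -f $proc.Name, $proc.Id, ($hot.Section -join ', ') }
    } catch { }   # access denied on protected-process images is expected; skip them
}
```

Treat a hit the way the article suggests: as a prompt to verify the image's publisher and path, since legitimate security software and some installers also ship packed.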
2. Access to threads
Trying to get thread information out of the default Task Manager is an exercise in frustration. It isn’t shown by default, and if you already know that you can select columns to display extra information, you will be disappointed to find that the Threads column shows only the number of threads in each process.
With Process Explorer, you get detailed access to the threads. You can see all threads in a process and dial in on a specific thread to interact with it by viewing the stack or even suspending or killing the thread!
Hands down, Process Explorer is far better than Task Manager at showing the level of detail that benefits IT professionals.
3. The crosshair process picker lets you highlight the process from its UI
If you don’t know which process a window belongs to, you can use the crosshair process picker to find out. Simply drag the crosshair off the toolbar onto the application whose process information you want to view and release it when the window you want is highlighted.
It doesn’t need a lot of explanation, and it can be much easier than scrolling through the list looking for the process. It is especially helpful when the process name is not intuitive or bears no obvious relationship to the title of the application window.
4. TCP/IP connections list for each individual process
The amount of detail that is provided by Process Explorer is beyond compare. Take, for example, the inclusion of TCP/IP connection information about individual processes. This is something that Task Manager just doesn’t do. It’s something that even NBTSTAT doesn’t do.
The screenshot above shows the difference in the properties of Outlook running on my PC. On the left are the results from Process Explorer, and on the right are the results from Task Manager.
Task Manager doesn’t include any information about network connections, and if you use Task Manager to view network connectivity, you get only summary information about network usage.
Process Explorer, however, has details about every connection that a process has, its current state, the protocol being used, and even address resolution so that you can see a hostname instead of an IP address.
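The same per-process view can be reproduced from PowerShell, which is useful when you need it in a script or on a box where you cannot run Process Explorer. This is an added example, not from the article: it joins Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 and later) to the owning process and resolves remote addresses to hostnames the way Process Explorer's TCP/IP tab does. The process name outlook is just an assumed example.

```powershell
# Added example: per-process TCP connections with state and resolved remote host.
function Get-ProcessConnection {
    param([string]$ProcessName = 'outlook')   # assumed example; any process name works
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) { return }
    $ids = @($procs.Id)
    Get-NetTCPConnection | Where-Object { $ids -contains $_.OwningProcess } | ForEach-Object {
        $remote   = $_.RemoteAddress
        $hostName = $remote
        # Reverse lookup, like Process Explorer's address resolution; skip unspecified and
        # loopback addresses and fall back to the raw IP when the lookup fails.
        if ($remote -notin @('0.0.0.0', '::', '127.0.0.1', '::1')) {
            try { $hostName = [System.Net.Dns]::GetHostEntry($remote).HostName } catch { }
        }
        [PSCustomObject]@{
            Process  = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
            PID      = $_.OwningProcess
            Protocol = 'TCP'
            Local    = "$($_.LocalAddress):$($_.LocalPort)"
            Remote   = "$($hostName):$($_.RemotePort)"
            State    = $_.State
        }
    }
}

Get-ProcessConnection -ProcessName 'outlook' | Format-Table -AutoSize
```

A connection whose remote address does not resolve, or resolves to a name unrelated to the application, is exactly the kind of detail worth a second look.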
5. Search Online and Microsoft Verification utilities directly from the Process Explorer UI
I’m sure that I’m not alone in my experience of trying to determine whether a program I see running in Task Manager is a legitimate program or a malware-infected file. With Process Explorer, if you see a process listed, you can right click it and select “Search Online,” which opens a browser and performs a search for that filename. Yes, you could have done that yourself without much trouble, but now you can do it with even less trouble.
But the file verification utility goes well beyond a simple Bing search when you are unsure whether a file really is the file it claims to be. For instance, the above screenshot shows a before-and-after of the same process, svchost.exe, which is the host process in which Windows services run. Services that you see listed in PowerShell with the Get-Service command run underneath an svchost.exe process. But what if that svchost.exe is actually infected, and it’s not the svchost.exe file that you think it is?
With file verification, you can be sure. Click the “Verify” button on the process properties window, and the dialog pauses briefly to check with Microsoft whether the svchost.exe file running in that process is the genuine, signed svchost.exe that comes from Microsoft. On the right side, you can see that after verification completes, “(Verified)” is prepended to the manufacturer name.
Even some files that are not Microsoft programs can be verified. For example, I ran the verification on the Synaptics Touchpad Enhancements process.
The picture below shows the results. Even though it’s not a Microsoft program, the driver has gone through the Microsoft Windows Hardware Compatibility procedure to have it verified as compatible with my version of Windows. Before verification, the executable reports the file as being from Synaptics Incorporated. After it passed verification against the hardware compatibility information held by Microsoft, Process Explorer was able to confirm that I do have the authentic software running. (Note the “(Verified) Microsoft Windows Hardware Compatibility Publisher” text above the version number in the second screenshot below.)
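The check behind the Verify button is an Authenticode signature validation, and you can run the same check across every running process from PowerShell. This added example (not from the article) uses Get-AuthenticodeSignature and flags images that are unsigned or fail validation, plus images carrying a well-known system name such as svchost.exe that are either not signed by Microsoft or not running from System32. The name list and the rules are constructed assumptions for illustration.

```powershell
# Added example: approximate Process Explorer's "Verify" across all running processes.
$systemNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe')   # constructed list
$system32    = Join-Path $env:windir 'System32'

function Test-RunningImage {
    param([System.Diagnostics.Process]$Process)
    $path = $Process.Path
    if (-not $path) { return }                      # protected processes hide their image path
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $flags  = @()
    if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    $leaf = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
    if ($systemNames -contains $leaf) {
        # A system-named binary should be Microsoft-signed (WHQL drivers also carry
        # O=Microsoft Corporation in the subject) and should live under System32.
        if ($signer -notmatch 'O=Microsoft Corporation') { $flags += 'system name, non-Microsoft signer' }
        if (-not $path.StartsWith($system32, 'OrdinalIgnoreCase')) { $flags += "system name outside $system32" }
    }
    [PSCustomObject]@{
        Name   = $Process.Name
        PID    = $Process.Id
        Path   = $path
        Status = $sig.Status
        Signer = $signer
        Flags  = ($flags -join '; ')
    }
}

Get-Process | ForEach-Object { Test-RunningImage $_ } |
    Where-Object { $_.Flags } |
    Format-Table Name, PID, Status, Signer, Flags -AutoSize
```

Files signed only through a catalog can report NotSigned on older PowerShell versions, so treat that status as a prompt for a manual check rather than proof of tampering.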
We’ve all used Task Manager before, but if you have never used Process Explorer as a more powerful alternative, you’ve really been missing out. With Process Explorer you have access to threads, security information, and networking, and in every capacity it outperforms Task Manager.