Processes and Services Troubleshooting in Windows 11 and Windows 10
At the end of the last chapter, I teased you that we hadn’t even got started on managing and troubleshooting Windows applications, processes, and services. This is because maintaining compatibility for older (legacy) programs and software and managing the Microsoft Store and third-party store apps is just a small part of what’s on offer. Let’s face it, while there are a great many millions of people very happy to live exclusively within a web browser for banking, shopping, messaging, email, and work, there is no substitute for a full desktop PC or laptop. My main mobile device as I write this is called the Astro Slide, available from www.planetcom.co.uk. It’s a handheld device with a slide-out 6.39-inch screen and a full keyboard (see Figure 13-1).
Figure 13-1. The Astro Slide from Planet Computers
As mobile devices go, this is a fantastic device for “getting stuff done” while on the move, and it’s popular with everybody from people that need to write longer messages and emails to coders that want to work on the move. The device, and this is one of the reasons I mention it here, is also popular with IT system administrators and datacenter technicians that need access to a scripting environment (the Astro runs both Android and Linux) for server-side configuration and troubleshooting. This can happen at just about any time, and having a device on which this can be done, right in your pocket, means both that the response can be faster and that the technician doesn’t have to carry a bulky laptop with them all the time.
As great as the Astro is, however, this book is around 600 or more pages long (difficult to be precise at this point in writing it, as my last book ran over by more than 100 pages, there was so much great information to include), and I simply couldn’t write this or any other of its chapters on a handheld keyboard, no matter how good it was.
For this, I need a full PC; I don’t get on with laptops either for “real work,” much preferring the ergonomics that come with a full keyboard, mouse, and a good-sized monitor at a distance that my desktop PC provides. But this also brings me to software. I could, you might argue, write this book perfectly well in Microsoft Word online, the stripped-down version of Word that runs in a web browser.
To this, there are three answers. Firstly, the features and functionality of the web-based version of Word don’t provide all of the features and functionality I need to write, edit, and review a book with my editors. Secondly, I have purchased a Microsoft 365 subscription which comes with the full desktop version of Office anyway, and, lastly, why would I buy a powerful desktop PC and then just use stuff in a browser?
So, that’s my long-winded way of getting to the point: we all need software, be this Microsoft Office, customer relationship managers, HR, accounts, and logistics packages, custom (bespoke) packages written especially for the business, or large suites of audio, video, or photo editing software, computer-aided design (CAD), computer graphics design and rendering, programming environments, and so on. The list of tasks for which we still need a proper software package isn’t going to get shorter in the next decade or so.
However, and you could feel one of those coming, couldn’t you? The increasing use of online apps and Progressive Web Apps (PWAs), and people wanting to live in their web browsers, do mean we need to maintain compatibility, so let’s begin there.
Internet Explorer Is Dead… Long Live Internet Explorer!
Microsoft’s Internet Explorer (IE) web browser, which was first introduced in the optional “Plus!” pack for Windows 95 and not even bundled with the operating system at that time, is officially dead… sort of.
All support for the browser ended on June 15, 2022, with no more security or stability patches being issued… which again isn’t true as it’s still included with Windows 10, and Microsoft have committed to supporting it for enterprise customers only for as long as the operating system also gets support.
Internet Explorer though, you might ask, has never been included with Windows 11, so why even mention it here? Well, there are many organizations and corporations that, in the same way they have legacy programs to install, also use legacy intranet and website systems that don’t play nice with modern web browsers.
This compatibility support, provided in Microsoft’s Edge web browser, will be maintained until “at least 2029” according to Microsoft. So what is this support and how can you take advantage of it?
You can find Internet Explorer compatibility mode in Edge’s Settings, under Default browser (see Figure 13-2).
Figure 13-2. You can manage Internet Explorer compatibility in Edge
There are three options available to you. The first is to let Internet Explorer open websites and intranet sites in Edge. The choices are Never, Incompatible sites only, and Always (recommended). Below this is an option to choose whether web and intranet sites can be opened in IE compatibility mode; the options are Default, Allow, and Don’t allow.
Lastly, you can add specific websites and intranet sites to the feature using the Add button. Type or cut and paste the address from your browser to add it. One downside though is that this expires after one month and needs to be refreshed (see Figure 13-3), so it’s better to manage this feature through Group Policy or server-side configuration if you can.
Figure 13-3. You can add web and intranet sites to IE compatibility mode
To set these policies, open Group Policy by searching for gpedit in the Start Menu and navigate to Computer Configuration ➤ Administrative Templates ➤ Windows Components ➤ Microsoft Edge. Here, you will find several IE 11 policies including “Send all intranet sites to Internet Explorer 11” (see Figure 13-4).
Figure 13-4. You can manage IE compatibility in Group Policy
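Because IE mode brings the legacy rendering engine back onto the PC, it is worth being able to audit which machines have it switched on and where their site list comes from, rather than relying on the Edge settings page alone. The following script is an added example and not code from the book: it reads back the Internet Explorer mode policy values that the Edge Group Policy templates write under the Edge policy key in both HKLM and HKCU. The value names (InternetExplorerIntegrationLevel, InternetExplorerIntegrationSiteList, InternetExplorerIntegrationLocalSiteListExpiryDays) are the documented Edge policy names at the time of writing; treat them as an assumption to check against the current Edge policy reference before relying on the output.

```powershell
# Added example (not the book's code): audit the Edge IE mode policy settings on this PC.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. The policy value names below are
# the documented Microsoft Edge policy names at the time of writing; verify them against the
# current Edge policy reference (assumption).

function Get-EdgeIeModePolicy {
    # Meaning of InternetExplorerIntegrationLevel as documented: 0 = None, 1 = IEMode, 2 = NeedIE.
    $levels = @{
        0 = 'None (IE mode disabled by policy)'
        1 = 'IEMode (Edge opens listed sites in IE mode)'
        2 = 'NeedIE (listed sites are sent to Internet Explorer 11)'
    }
    foreach ($hive in 'HKLM', 'HKCU') {
        # Edge reads its policies from both the machine and the user policy key.
        $key = "$($hive):\SOFTWARE\Policies\Microsoft\Edge"
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $levelText = if ($null -ne $p.InternetExplorerIntegrationLevel) {
            $levels[[int]$p.InternetExplorerIntegrationLevel]
        } else {
            'not set by policy'
        }
        [pscustomobject]@{
            Hive                = $hive
            PolicyKeyPresent    = [bool]$p
            IntegrationLevel    = $levelText
            SiteListUrl         = $p.InternetExplorerIntegrationSiteList
            LocalListExpiryDays = $p.InternetExplorerIntegrationLocalSiteListExpiryDays
        }
    }
}

Get-EdgeIeModePolicy | Format-List
```

A machine where neither hive sets the integration level is relying purely on the per-user browser setting described above, which is exactly the situation the chapter recommends replacing with Group Policy or server-side configuration.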
Using Installed Web Apps and Edge OS?
Microsoft has been losing out to Google in the education market now for years, with the rival’s Chrome OS having made strong inroads due to being lightweight enough to run on low-end hardware and not requiring restarts for large updates. In more recent times, Google has begun making impressive inroads into the business sector, and this is a real and credible threat to Microsoft, not just for Windows but for sales of Microsoft 365, Office, and their Azure Cloud services, all of which Google has a (not as good admittedly) competitor to.
In recent months, there have been rumors circulating about Edge OS, a super-lightweight version of Windows 11 that contains only the Edge web browser (which is now based on Google’s Chromium browser engine anyway) and the Microsoft Store.
This new OS, if it even exists and is released, could compete much more readily with Chrome OS, and the addition of Android apps through the Amazon Appstore plug-in would certainly help in this regard.
In Windows 11 you can use Edge to install websites as though they were apps and manage them in the browser. These are called Progressive Web Apps (PWAs). A working group including Apple, Google, Microsoft, Sony, Samsung, and the Worldwide Web Consortium (W3C) is devising appropriate compatibility and operability standards for PWAs, which include being able to work while offline and access files that are also stored offline.
Microsoft’s Edge web browser is fully compatible with PWAs but also allows you to install any website as though it were an app, with the caveat that non-PWA sites still won’t work without an Internet connection.
You can install a website as an app from the Edge Settings menu, by clicking Apps and Install this site as an app (see Figure 13-5).
Figure 13-5. Any website can be installed as an app in Edge
With the app installed, you are asked if you want to pin its icon to the Start Menu or Taskbar or to add a link to the desktop and even start the “app” when you sign in to Windows (see Figure 13-6).
Figure 13-6. You can pin web apps to the Start Menu and Taskbar
With the app installed, you can then run it as though it were any other app (see Figure 13-7), and it will appear in its own window on the desktop.
Figure 13-7. You can run installed websites as though they were a normal app
When you need to manage or to remove a web app, you do this from within Edge. Again, from the browser Settings, click Apps and then click Manage apps. This will open a browser tab displaying all the apps you have installed (see Figure 13-8). From here, you can get Details of the app such as any permissions that are set for it.
Figure 13-8. You manage installed web apps from the browser
Also, either from the Details panel or from the three dots icon in the top-right corner of the app information, you can find an Uninstall option.
Using the Browser Task Manager
Just as Windows 11 has its own Task Manager for managing running processes and services, so too does Edge, and this is one of the reasons why some people suspect Edge OS to be a real thing. From the Edge Settings menu, click More Tools and then Browser Task Manager. This opens a fairly basic Task Manager in which you can see tabs and processes running inside the browser (see Figure 13-9).
Figure 13-9. You can manage hung processes direct from the browser
Right-clicking anywhere inside the Browser Task Manager will display a menu of available metrics, such as CPU Time, Start Time, GPU Memory, and Process Priority.
If you need to close a process that has hung or is misbehaving, you can do this by clicking the process and then clicking the End process button in the bottom-right corner of the window.
Advanced Management of Windows Processes and Services
While we’re on the subject of Task Manager, you’ll remember that in Chapter 12 I detailed how you can use the Windows 11 Task Manager to manage running processes. It’s actually more powerful still, as there are advanced controls available under the Details tab.
If you need to close any process on the PC that has hung, then just as you can with the Processes tab, you can right-click any process and select End Task from the context menu that appears to close it; sometimes, though, you need more control, especially if several dependent processes are also running that you need to shut down.
This is where the Details tab comes into its own. This is a more technical and more detailed version of the Processes tab and includes absolutely everything running on the PC, including DLL files. Here, if you need to close an app with all of its dependencies, perhaps because an open dependency is preventing you from restarting the app, you can right-click and select End Process Tree from the context menu (see Figure 13-10).
Figure 13-10. You can close a process and all its dependencies from the Details tab
It is by right-clicking a process in the Details tab that you can also choose additional options:
- Set priority allows you to set a processing priority for the process, from low to Real time. This is useful if you need or want to give the process more processing power, such as when rendering video.
- Set affinity lets you choose which physical and virtual processor cores will be used by the process.
- Analyze wait chain displays which processes are using or are waiting to use a resource that is currently in use or locked by another process.
- UAC virtualization obfuscates the path for a target folder the process needs to write to and instead presents it with a virtualized container, a sort of symbolic link to that path. This can be used when an older program needs permissions that are normally blocked by User Account Control.
- Create dump file will create a binary .DMP file with data on what the process is doing at that moment and save the file to the %LocalAppData%\Temp folder on your hard disk. This can later be read using a compatible program such as the Windows Software Development Kit to see what was going on with the app and its PC resource usage at that moment.
- Open file location will open a File Explorer window at the install location of that process executable or DLL.
- Search online will open a search window looking for details on the process.
- Properties will open a properties inspector panel for that process.
- Go to services will switch to the Services tab, and we’ll look at these later in this chapter.
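The same Details-tab actions (End process tree, Set priority, Set affinity) can be scripted, which matters when you are dealing with a remote or headless PC, or want a record of what was stopped. The block below is an added example written for this chapter and is not the book’s own code; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, uses Win32_Process for the parent/child relationship that Get-Process does not expose, and uses placeholder process IDs in the usage lines.

```powershell
# Added example (not the book's code): the Details-tab actions driven from PowerShell.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the PID 1234 below is a placeholder.

function Get-ProcessTree {
    # Return a process and all of its descendants (parents before children), using the
    # ParentProcessId that Win32_Process exposes and Get-Process does not.
    param([Parameter(Mandatory)][int]$Id)
    $all  = Get-CimInstance -ClassName Win32_Process
    $seen = @{}
    function Walk([int]$ProcId, [int]$Depth) {
        if ($seen.ContainsKey($ProcId)) { return }   # PID reuse can make the "tree" loop; stop that
        $seen[$ProcId] = $true
        $self = $all | Where-Object ProcessId -eq $ProcId
        if (-not $self) { return }
        [pscustomobject]@{
            Depth       = $Depth
            ProcessId   = $self.ProcessId
            Name        = $self.Name
            CommandLine = $self.CommandLine
        }
        foreach ($child in ($all | Where-Object { $_.ParentProcessId -eq $ProcId -and $_.ProcessId -ne $ProcId })) {
            Walk -ProcId $child.ProcessId -Depth ($Depth + 1)
        }
    }
    Walk -ProcId $Id -Depth 0
}

function Stop-ProcessTree {
    # Equivalent of Task Manager's "End process tree": children first, then the root.
    # Supports -WhatIf so you can see what would be stopped before doing it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Id)
    $nodes = @(Get-ProcessTree -Id $Id)
    [array]::Reverse($nodes)
    foreach ($n in $nodes) {
        if ($PSCmdlet.ShouldProcess("$($n.Name) (PID $($n.ProcessId))", 'Stop-Process')) {
            Stop-Process -Id $n.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }
}

function Set-ProcessResources {
    # "Set priority" and "Set affinity" from the Details tab. CoreMask is a bit mask of logical
    # processors (0x3 = cores 0 and 1). RealTime priority requires an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int]$Id,
        [System.Diagnostics.ProcessPriorityClass]$Priority,
        [Int64]$CoreMask
    )
    $p = Get-Process -Id $Id
    if ($PSBoundParameters.ContainsKey('Priority') -and $PSCmdlet.ShouldProcess($p.ProcessName, "priority $Priority")) {
        $p.PriorityClass = $Priority
    }
    if ($PSBoundParameters.ContainsKey('CoreMask') -and $PSCmdlet.ShouldProcess($p.ProcessName, ('affinity 0x{0:X}' -f $CoreMask))) {
        $p.ProcessorAffinity = [IntPtr]$CoreMask
    }
    $p | Select-Object Id, ProcessName, PriorityClass, ProcessorAffinity
}

# Usage: inspect this shell's own tree, lower its priority, and preview ending a tree (placeholder PID).
Get-ProcessTree -Id $PID | Format-Table Depth, ProcessId, Name
Set-ProcessResources -Id $PID -Priority BelowNormal
Stop-ProcessTree -Id 1234 -WhatIf
```

Walking the tree yourself, rather than calling Stop-Process on the parent alone, is what prevents the orphaned dependency the chapter mentions from keeping the app from restarting.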
Managing and Troubleshooting Services
Services are programs that run in the background on your PC and that perform specific duties, such as managing print queues, implementing security, and handling network traffic. Essentially, they’re programs that enable software to utilize hardware and features of your PC and of Windows and that are called by and shared by different apps on the PC simultaneously.
This is in stark contrast to how things were done in the early days of PCs. In my home office, I have created my own computer museum (available at https://windows.do/my-computer-museum for those who are interested). Among the many palmtop and handheld devices that I’ve always been a fan of, as I’m sure you guessed at the beginning of this chapter, are such classics as an original Apple Macintosh and a first-generation IBM 5150 PC with a copy of WordPerfect 5.1.
I loved this word processor and achieved so much with it. One of its idiosyncrasies though was that among the many 5¼-inch floppy disks it came on were disks containing drivers for the most common printers available at the time. As WordPerfect 5.1 was a DOS program, there were no such things as print services; you needed to load the correct printer driver into the program when you needed to print a document.
These days, services are just something we take for granted. They can cause problems though, especially when you have services that are shared between different running apps on the PC, and doubly so when you consider these are not just written by Microsoft but also come from third-party software companies.
Task Manager in Windows 11 contains its own Services tab from which you can manage services, but it’s only truly useful for being able to search online on a right-click for a service if you’re unsure of what it is (see Figure 13-11).
Figure 13-11. Task Manager allows you to search online for details of services
The best place to manage and troubleshoot services is directly from the Services panel. You can access this from Windows Tools or from a Start Menu search. When it opens, you will see it’s standard Microsoft Management Console (MMC) fare and contains a full list of all the installed services on the PC, along with their current status (Stopped, Running, Suspended) and their startup type (Disabled, Manual, Automatic) (see Figure 13-12).
Figure 13-12. The Services MMC is the best place to manage and troubleshoot services
Tip: One advantage Task Manager has over the Services MMC is that it lists the PID (Process Identifier) for running services. This is useful if you need to match a PID in an Event Viewer report to a service on the PC to identify it.
Clicking the column headers in Services will enable you to sort them by that column type, so you can, for example, group them by Status to make it easier to see all the running and stopped services.
If you suspect a service has crashed or is misbehaving, you can restart it, stop it, or start it from a right-click (see Figure 13-13).
Figure 13-13. You can start, stop, and restart services from a right-click
Tip: The Pause option for Services is useful when stopping a service will result in an error being generated and perhaps a program crashing. It is also useful when diagnosing malware infections, which we will look at in Chapter 18, when stopping a service may cause the malware to start a new instance of that service.
When you need finer control over a service, right-click it and select Properties from the menu that appears. This will display a dialog with four tabs (see Figure 13-14).
Figure 13-14. You can get fine control over services in Windows
The first tab, General, contains buttons to Start, Stop, Pause, and Resume the service, in addition to letting you change its “Startup type.” The way a service starts in Windows is chosen by the service’s author, who will have determined the best way to start it.
You may find though, for one example, that a service is causing a PC to start slowly or take a long while to get to the desktop after sign-in. This can happen on lower-end hardware if a lot of services are set to run when a user signs in. If you identify services that won’t be needed for the first couple of minutes, perhaps a printer service, you can set them to Delayed Start, which will start them quietly in the background after the user is already at the desktop and can start work.
Under the Log On tab, you will see that the service will almost certainly be set to sign in as the Local System Account (see Figure 13-15). This enables the system to be properly managed by Windows. You may have a custom service running in your organization however that requires specific sign-in credentials, either for security or permission reasons.
Figure 13-15. You can set sign-in credentials for a service
While this situation is rare, it can be useful. To give just one example, you might have a running security service that needs elevated privileges that the user does not have, so that it can access a secure folder store on the network. Here, you can give the service access to the secure environment without also needing to pass those permissions to the end user.
It's under the Recovery tab that you’ll find all the troubleshooting tools for services (see Figure 13-16). Here, you can tell the PC what it should do if and when a service fails or crashes.
Figure 13-16. You can troubleshoot services from the Recovery tab
The default options for a service will vary from one service to another, but they are as follows:
- Take no action so that when the service crashes, it will just stop.
- Restart the service which will start the service again or at least attempt to restart it. You can optionally specify a delay in minutes for the service to be restarted after.
- Run a program which will enable you to specify a program or script to run, with optional command line parameters. This can be used to report errors, reinstall or restart the service, or run a diagnostic tool.
- Restart the computer which is best used only for stand-alone machines that do not have a user interacting with them, as they might get upset. If you have a dedicated PC running as an ATM, a manufacturing controller, or a medical device, then having Windows automatically restart the PC can often be a good way to keep the system running.
These options are available for the first, second, and subsequent failures, and you can Reset [the] fail count after a specified number of days.
Lastly, the Dependencies tab will tell you if any other Windows services are dependent on this one (see Figure 13-17). It is most common for a service to stand entirely on its own, but you might find that some services call and require the use of others. These can also crash and be affected when a service fails, and you might need to also restart or troubleshoot them.
Figure 13-17. You can see any services that are dependent on the selected one
Managing and Troubleshooting Processes and Services with PowerShell
As you might expect, PowerShell comes with a range of commands for managing and troubleshooting processes and services. You can get information about running processes on a local or remote PC with the Get-Process command. There are also different parameters you can use with it to drill down into specific processes on the PC to get data about them, and you can read about these parameters on the Microsoft Docs website.
Windows and third-party services can be interrogated the same way with the Get-Service command. You can use this command on its own to see the status of all installed services or in one of the following formats:
- Get-Service "net*" to list services whose name begins with set characters, using a wildcard for the rest.
- Get-Service -DisplayName "*network*" to display services that have a specific word or term in their descriptive name.
- Get-Service -Name "net*" -Exclude "Netlogon" to search for services but exclude specific ones from the results.
- Get-Service | Where-Object {$_.Status -eq "Running"} to obtain a list of currently running services. The same filter can be used with the status values “Stopped” and “Suspended.”
You can read more about how to manage Services using PowerShell on the Microsoft Docs website.
Some very useful commands for managing Processes and Services on a PC include Stop-Process, Start-Process, Stop-Service, Start-Service, and perhaps one of the most useful, especially with troublesome third-party services, Suspend-Service and Restart-Service. More information on how these useful and simple commands work can be found on the Microsoft Docs website.
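Everything the Services MMC offers in its Properties dialog can also be done from a script, which is how you would apply the same recovery settings to a fleet of PCs or check a remote machine without the console. The block below is an added example written for this chapter, not the book’s own code. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows and uses sc.exe for the two settings (delayed start and the Recovery tab actions) that Set-Service in Windows PowerShell 5.1 cannot reach; “Spooler” is used simply because the print spooler exists on every Windows PC. It also pulls the Service Control Manager events that record a crashed service, which is where the PID-matching tip above comes into play.

```powershell
# Added example (not the book's code): the Services MMC tasks as PowerShell functions.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session on Windows.
# 'Spooler' stands in for any service you are troubleshooting.

function Get-ServiceReport {
    # Win32_Service carries the PID, start mode, log-on account and binary path that Get-Service
    # alone does not show; Get-Service supplies the two dependency lists from the Dependencies tab.
    param([string]$Name = '*')
    foreach ($s in (Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -like $Name })) {
        $sc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name         = $s.Name
            State        = $s.State
            StartMode    = $s.StartMode
            DelayedStart = $s.DelayedAutoStart
            PID          = $s.ProcessId
            LogOnAs      = $s.StartName
            Requires     = ($sc.ServicesDependedOn.Name) -join ', '
            RequiredBy   = ($sc.DependentServices.Name) -join ', '
            BinaryPath   = $s.PathName
        }
    }
}

function Set-ServiceRecovery {
    # Mirrors the Recovery tab: restart on the first and second failure, take no action after that,
    # and reset the failure count after ResetDays. sc.exe wants the restart delay in milliseconds
    # and the reset period in seconds, whereas the dialog shows minutes and days.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$RestartDelayMinutes = 1,
        [int]$ResetDays = 1,
        [switch]$DelayedStart
    )
    $delayMs = $RestartDelayMinutes * 60000
    $resetS  = $ResetDays * 86400
    if ($PSCmdlet.ShouldProcess($Name, 'sc.exe failure')) {
        sc.exe failure $Name reset= $resetS actions= "restart/$delayMs/restart/$delayMs//"
    }
    if ($DelayedStart -and $PSCmdlet.ShouldProcess($Name, 'sc.exe config start= delayed-auto')) {
        sc.exe config $Name start= delayed-auto
    }
    sc.exe qfailure $Name    # print the recovery configuration as it now stands
}

function Get-ServiceFailureEvents {
    # Service Control Manager events: 7034 = service terminated unexpectedly, 7031 = the same but a
    # recovery action was taken, 7024 = service stopped with a service-specific error.
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7024, 7031, 7034 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# Usage
Get-ServiceReport -Name 'Spooler' | Format-List
Set-ServiceRecovery -Name 'Spooler' -RestartDelayMinutes 1 -ResetDays 1 -WhatIf
Get-ServiceFailureEvents -Last 10 | Format-Table -AutoSize
```

Drop the -WhatIf once you are happy with the preview. The LogOnAs column is worth scanning on any PC you inherit: a service running under a custom account is exactly the rare but legitimate case the Log On tab section describes, and it should be one you can explain.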
Troubleshooting Processes and Services with Microsoft Sysinternals
Microsoft’s Sysinternals suite contains a wealth of tools and utilities for managing processes and services on a PC, both locally and for remote PCs across a network. You can download Sysinternals from https://docs.microsoft.com/sysinternals.
PsTools
PsTools isn’t a single utility, but it is a full suite of utilities for administering PC systems remotely. It includes utilities that can remotely execute apps, display information about files and users, kill processes, get detailed information about processes, and shut down and restart the PC. Full details of the tools available and their switches can be found on the Sysinternals website.
PsExec
This command is used to execute processes on a remote PC. Use this in the format PsExec \\RemotePC "C:\long app name.exe".
PsFile
PsFile, also detailed earlier in this chapter, will display a list of files that are currently open on a remote PC. Use this in the format PsFile [\\RemotePC [-u OptionalUsername [-p UserPassword]]] [[id | PathAndNameOfFile] [-c ToCloseFile]].
PsGetSid
This tool is used to display the Security Identifier (SID) of a remote computer or user. Use it in the format psgetsid [\\RemotePC[,RemotePC[,...] | @file] [-u OptionalUsername [-p UserPassword]]] [account|SID].
PsInfo
PsInfo can display information about a remote computer. You can use this with the switch \\RemotePC for a specific PC or \\* to run it on all networked PCs. You can also use it with these switches to get detailed information on [-h] installed hotfixes, [-s] installed applications, and [-d] disk information and use [-c] to export the data as a CSV file.
PsPing
PsPing does exactly what you might expect it to: it displays detailed ping information to test network connections. It is a Command Line utility that is much more configurable than Windows 10’s standard Ping command. PsPing is used with one of four main switches and then a series of subswitches to test for ICMP (the main protocol used by routers for reporting errors), TCP, latency, and bandwidth. Full details of the switches are available on the Sysinternals website.
PsKill
If you need to kill a running process on a remote PC, then PsKill is the tool to use. Use it in the format pskill [- ] [-t] [\\RemotePC [-u OptionalUsername [-p UserPassword]]] <processname | process id> where [- ] displays a list of supported options, and [-t] kills not just the process but all its dependent processes as well.
PsList
PsList will display detailed information about the processes running on a remote PC. Use it with the switches [-d] to display additional details, [-m] to show memory usage information, and [-t] to show process trees.
PsLoggedOn
This tool will display details of each user currently logged on (signed in) to a remote PC. This can be used with the switch [-l] to only show accounts logged in to the PC locally, and not across the network.
PsLogList
This is used to create a dump of event log records from a remote PC. There are quite a few switches and commands for this utility, which you can see in Table 13-1. You use it in the format psloglist [- ] [\\RemotePC[,RemotePC[,...] | @file [-u OptionalUsername [-p UserPassword]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]] [-l event log file] <eventlog>.
PsPasswd
This security tool can be used to change account passwords on a remote PC. Use it in the format pspasswd [[\\RemotePC[,RemotePC[,..] | @file [-u Username [-p Password]]] Username [NewPassword].
PsService
This lets you view and control services on a remote PC. Use it in the format psservice [\\RemotePC [-u OptionalUsername] [-p UserPassword]] <command> <options>.
PsShutdown
PsShutdown can be used to either shut down or restart a remote PC. This can be used with the following useful switches: [-f] to force all applications to close immediately rather than giving them time to close on their own; [-l] to lock the remote PC; [-m] to display a message to appear on the screen for anybody using the PC when the shutdown countdown commences, which can be set with the [-t xx] switch, the default being 20 seconds; [-r] to restart the PC; and [-c] to allow the shutdown to be aborted by somebody still using the remote PC.
PsSuspend
If you need to suspend a process on a remote PC, then this tool will do the job. Use it in the format pssuspend [- ] [-r] [\\RemotePC [-u OptionalUsername] [-p UserPassword]] <process name | process id> where [-r] resumes the suspended processes after they have been previously suspended.
AutoRuns
how to manage startup programs and apps in Windows 11, but there’s actually considerably more that starts with the operating system that you might not know about. These include audio and video codecs, dynamic link libraries (DLLs), scheduled tasks, drivers, services, and more. AutoRuns lets you examine absolutely everything that starts with the PC so that if you are getting an error on startup or when a user signs in, you can find and disable the offending item (see Figure 13-18). This can often happen when a program is uninstalled incorrectly, perhaps because of an error or perhaps because it’s an older or poorly written uninstaller.
Figure 13-18. AutoRuns lets you manage every startup item on a PC
In the Options menu, you can show or hide empty locations and also Microsoft entries, as you don’t want to be disabling a part of Windows 11 when it starts up. Additionally, some useful features sit in the File menu:
- Analyze Offline System lets you examine the Windows startup entries for an attached hard disk that’s been removed from another PC. This can be useful if you are diagnosing a PC that won’t start or that has a malware infection.
- Save/Open lets you save the startup entries as a file that can be emailed to a support person or read and examined on another PC.
- Compare is an option that allows you to compare the current startup entries on the PC with the saved entries from another PC.
- Scan Options is found under the Options menu and allows you to check the VirusTotal.com database to see if any matches with known malware are found in the startup entries.
You can disable and re-enable entries in the startup list by unchecking or checking their box in AutoRuns, and the same can be done from the Entry menu. This is preferable to deleting the entry completely, in case a startup entry later proves to be necessary to the smooth operation of Windows and your installed software. Each entry in the main list is also color-coded to help you identify them more easily:
- Yellow where a startup entry exists, but AutoRuns cannot find the installed program on your PC.
- Green where the entry was added recently since the last time you used AutoRuns.
- Pink where no known publisher information exists, either because the entry is not digitally signed or because no publisher information has been included with the process.
- Purple is the Registry address of the entry.
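The Save and Compare options become far more useful once you have a known-good baseline export for each type of PC you look after, because a startup entry that is new, or whose launch string has changed, stands out immediately. The script below is an added example written for this chapter and not the book’s or Sysinternals’ code: it compares two AutoRuns CSV exports on the entry location, entry name and image path, reports what was added, removed or changed, and flags entries with no publisher information (the ones AutoRuns colors pink). The two CSV texts are constructed sample data embedded so the script runs without the tool; the column names are those written by autorunsc -c at the time of writing and should be checked against your version (assumption).

```powershell
# Added example (not the book's code): compare two AutoRuns CSV exports and flag unsigned-looking entries.
# The CSV samples below are constructed data. Column names follow autorunsc -c output at the time of
# writing (assumption; verify against your version). To capture a real export from an elevated prompt:
#   autorunsc.exe -accepteula -nobanner -a * -c -s -m > baseline.csv
# where -a * = all entry types, -c = CSV, -s = verify signatures, -m = hide Microsoft-signed entries;
# -v (after accepting the terms with -vt) adds the VirusTotal lookup the Scan Options provide, and
# -z <systemroot> <userprofile> examines an offline system, as the Analyze Offline System menu does.

$baselineCsv = @'
"Entry Location","Entry","Enabled","Category","Profile","Description","Company","Image Path","Version","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Windows Security notification icon","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","10.0.0.0","%windir%\system32\SecurityHealthSystray.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VendorUpdater","enabled","Logon","System-wide","Example updater","Example Software Ltd","c:\program files\example\updater.exe","2.1.0.0","""C:\Program Files\Example\updater.exe"" /background"
'@

$currentCsv = @'
"Entry Location","Entry","Enabled","Category","Profile","Description","Company","Image Path","Version","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Windows Security notification icon","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","10.0.0.0","%windir%\system32\SecurityHealthSystray.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VendorUpdater","enabled","Logon","System-wide","Example updater","Example Software Ltd","c:\program files\example\updater.exe","2.1.0.0","""C:\Program Files\Example\updater.exe"" /background /silent"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","helper","enabled","Logon","CONTOSO\alice","","","c:\users\alice\appdata\roaming\helper.exe","","c:\users\alice\appdata\roaming\helper.exe"
'@

function Get-AutorunsKey($e) {
    # Location + name + image path identifies an entry across exports.
    "$($e.'Entry Location')|$($e.Entry)|$($e.'Image Path')"
}

function Compare-AutorunsExport {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    $base = @{}; foreach ($e in $Baseline) { $base[(Get-AutorunsKey $e)] = $e }
    $cur  = @{}; foreach ($e in $Current)  { $cur[(Get-AutorunsKey $e)]  = $e }

    foreach ($k in $cur.Keys) {
        $e = $cur[$k]
        $status = if (-not $base.ContainsKey($k)) { 'Added' }
                  elseif ($base[$k].'Launch String' -ne $e.'Launch String') { 'Changed' }
                  else { 'Unchanged' }
        if ($status -eq 'Unchanged') { continue }
        [pscustomobject]@{
            Status      = $status
            Entry       = $e.Entry
            Location    = $e.'Entry Location'
            Image       = $e.'Image Path'
            Launch      = $e.'Launch String'
            NoPublisher = [string]::IsNullOrWhiteSpace($e.Company)   # the "pink" condition
        }
    }
    foreach ($k in $base.Keys) {
        if ($cur.ContainsKey($k)) { continue }
        $e = $base[$k]
        [pscustomobject]@{
            Status = 'Removed'; Entry = $e.Entry; Location = $e.'Entry Location'
            Image = $e.'Image Path'; Launch = $e.'Launch String'
            NoPublisher = [string]::IsNullOrWhiteSpace($e.Company)
        }
    }
}

# Usage with the constructed samples: VendorUpdater shows as Changed, helper as Added with NoPublisher = True.
Compare-AutorunsExport -Baseline ($baselineCsv | ConvertFrom-Csv) -Current ($currentCsv | ConvertFrom-Csv) |
    Format-Table Status, Entry, Location, NoPublisher, Launch -AutoSize
```

For real exports, replace the two here-strings with Import-Csv on the saved files; the comparison logic is unchanged.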
Handle
Earlier in this chapter, I showed you some Sysinternals utilities for dealing with locked files. Handle is a Command Line utility that can provide details of which app has opened and locked a particular file or directory on your PC. Use it in the format Handle <filename>; additional switches, detailed on the Sysinternals website, are also useful, such as [-u] to show the username of the person with the open file.
ListDLLs
DLLs are files that are an essential part of Windows 10, or provided by third-party software companies, which enable apps to share functions on the PC. Back in the days of DOS, every running program had to provide its own way of managing everything, and I remember the excellent WordPerfect 5.1 word processor coming with a battery of disks that contained its own printer drivers.
DLLs took all this pain away, but knowing what’s running can be impossible without the use of a utility such as ListDLLs. This is a Command Line utility (with switches available on the Sysinternals website) that can list all the DLLs that have been loaded by an app or process or list all the processes that are accessing a particular DLL. Should you find, for example, that an app, process, or DLL is crashing, you can use this tool to see if the DLLs in use have any other dependencies which may be causing the problem. You can use it in the format ListDLLs [processname] to see what DLLs are in use by a specific process or in the format ListDLLs [-d DLLname] to see what running processes are using a specific DLL. Other useful switches, which are available on the Sysinternals website, include [-u] which will display only unsigned DLLs and [-v] which will display DLL version information.
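When ListDLLs isn’t to hand, PowerShell can answer the same two questions from the Modules collection that every Process object exposes, and it can go one step further than the [-u] switch by reporting the signature status of each loaded module. The block below is an added example written for this chapter, not the book’s or Sysinternals’ code; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and ntdll.dll is used in the usage line only because every process loads it. Note that Get-AuthenticodeSignature validates catalog-signed Windows binaries on current Windows, so a NotSigned result for a system DLL on an old PowerShell version may simply be a catalog the cmdlet could not check.

```powershell
# Added example (not the book's code): ListDLLs-style questions answered from Get-Process.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-DllUsers {
    # Which running processes have loaded the named DLL? (the ListDLLs -d view)
    param([Parameter(Mandatory)][string]$DllName)
    foreach ($p in Get-Process) {
        # Protected processes, and 64-bit processes seen from a 32-bit shell, throw here.
        try { $mods = $p.Modules } catch { continue }
        if ($mods | Where-Object { $_.ModuleName -ieq $DllName }) {
            [pscustomobject]@{ ProcessId = $p.Id; Process = $p.ProcessName }
        }
    }
}

function Get-ProcessModules {
    # Which DLLs has one process loaded (the ListDLLs <processname> view), with version and
    # signature state? -UnsignedOnly keeps just modules whose signature is missing or invalid,
    # the equivalent of ListDLLs -u.
    param([Parameter(Mandatory)][int]$Id, [switch]$UnsignedOnly)
    $p = Get-Process -Id $Id
    foreach ($m in $p.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($UnsignedOnly -and $sig.Status -eq 'Valid') { continue }
        [pscustomobject]@{
            Module    = $m.ModuleName
            Path      = $m.FileName
            Version   = $m.FileVersionInfo.FileVersion
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

# Usage: who has ntdll.dll loaded (everyone), and which of this shell's modules lack a valid signature.
Get-DllUsers -DllName 'ntdll.dll' | Select-Object -First 5
Get-ProcessModules -Id $PID -UnsignedOnly | Format-Table Module, Signature, Path -AutoSize
```

An unsigned module loaded into a process that is crashing, or that sits in a user-writable folder, is the first thing to account for before digging into the app itself.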
Portmon
If you are using a PC system to which Serial or Parallel devices are attached, and they’re still more common than you might think, then the Portmon utility can display all the activity for those ports. This includes successful and failed communications and the process using each port. This information can be useful in tracking down communication problems between the PC and attached devices.
ProcDump
ProcDump is a Command Line utility with two uses. The first of these is for monitoring an app for CPU processor spikes and reporting when a spike occurs. If you have an app that is periodically, or even regularly, using huge amounts of processor time, then ProcDump can provide valuable information about what it’s doing at the time.
The second use for ProcDump is to monitor apps when they are hung. Sometimes, you may encounter an app for which the window appears to temporarily crash. This is because the app is doing or trying to do something in the background and cannot proceed until that task is complete. In this circumstance, ProcDump can provide information on what is occurring with that app at the time. Full details of the very many switches available to use with ProcDump are available on the Sysinternals website.
In its basic format however, use it as ProcDump winword.exe (see Figure 13-19), and it will produce its output in a .DMP file. This can be read using Microsoft Visual Studio, the Windows Driver Kit (WDK), or Windows Software Development Kit (SDK), but a search online will reveal other free .dmp file readers.
Figure 13-19. ProcDump produces reports about crashed programs
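The two uses of ProcDump described above map onto a handful of its switches, and wrapping them keeps the dumps landing in the same %LocalAppData%\Temp folder that Task Manager’s Create dump file uses. The function below is an added example written for this chapter and not the book’s or Sysinternals’ code. It assumes procdump.exe from the Sysinternals suite is on the PATH (or passed in with -ProcDumpPath) and uses only these documented switches: -c (CPU threshold), -s (seconds the threshold must be sustained), -n (number of dumps to write before exiting), -h (write a dump when the process has a hung window), -ma (full memory dump) and -accepteula.

```powershell
# Added example (not the book's code): ProcDump for CPU spikes or a hung window.
# Assumes procdump.exe from Sysinternals is on the PATH or given via -ProcDumpPath.

function Invoke-ProcDump {
    [CmdletBinding(DefaultParameterSetName = 'CpuSpike')]
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [Parameter(ParameterSetName = 'CpuSpike')][int]$CpuPercent = 80,     # -c threshold
        [Parameter(ParameterSetName = 'CpuSpike')][int]$HoldSeconds = 5,     # -s sustained seconds
        [Parameter(ParameterSetName = 'Hang')][switch]$Hung,                 # -h hung window
        [int]$Dumps = 3,                                                     # -n dumps before exiting
        [string]$OutDir = "$env:LOCALAPPDATA\Temp",
        [string]$ProcDumpPath = 'procdump.exe'
    )
    $argList = @('-accepteula', '-ma', '-n', $Dumps)
    if ($Hung) { $argList += '-h' } else { $argList += @('-c', $CpuPercent, '-s', $HoldSeconds) }
    $argList += $ProcessName

    # ProcDump names its output PROCESSNAME_YYMMDD_HHMMSS.dmp in the current directory,
    # so run it from the folder we want the dumps in.
    Push-Location $OutDir
    try { & $ProcDumpPath @argList } finally { Pop-Location }
}

# Dump winword.exe up to three times when it stays above 80% CPU for 5 seconds...
Invoke-ProcDump -ProcessName 'winword.exe' -CpuPercent 80 -HoldSeconds 5
# ...or once its window stops responding.
Invoke-ProcDump -ProcessName 'winword.exe' -Hung -Dumps 1
```

The resulting .DMP files are opened with the same tools mentioned above (Visual Studio, the WDK or the Windows SDK debuggers).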
Process Explorer
The Sysinternals suite contains a few highly useful tools that should be in any IT Pro’s toolkit. One of these is AutoRuns as I detailed earlier, and another is Process Explorer.
Process Explorer will tell you absolutely everything going on with running and hung processes on the PC, including their CPU, memory, and network usage, which DLLs are being used by the apps, if it’s secure or being run in a virtualized environment, the permissions different users and user groups have with the app, and more (see Figure 13-20).
Figure 13-20. Process Explorer provides a huge amount of detail on running processes
The main view of Process Explorer lists all the running processes on the PC, along with details of any subprocesses. These items are all color-coded to make them easier to identify.
Tip: Sometimes, Process Explorer can fail to run, reporting an "Unable to extract 64-bit image. Run Process Explorer from a writeable directory" error. Should you encounter this, navigate to your AppData\Local\Temp folder by typing %tmp% into the Start Menu or the breadcrumb bar in File Explorer, right-click the procexp64 app, and run it as an Administrator from there.
- Purple processes, which in our case include the malware, are files that may be compressed (also called packed), which for legitimate applications can help them to use less memory, but in the case of malware can also help to hide the code from your anti-malware scanner. Looking at the purple-colored files should be your first step.
- Red processes are ones that are currently exiting (being stopped).
- Green processes have been freshly run (also known as spawned).
- Light blue processes are those run by the same account that started Process Explorer.
- Dark blue processes are ones you have currently selected in Process Explorer.
- Pink processes are running Services on the PC, such as the common svchost.exe, which is a Windows system process that can host one or more other services where they share a process to reduce overall resource usage on a PC.
You can perform actions on processes such as killing them; killing the process tree, which will also shut down any dependent processes; restarting the process; and suspending it. This last option is useful where you are troubleshooting a process, and shutting it down will generate an error or cause something else to stop working.
Additionally, you can set the affinity of the process, meaning you can determine what physical and virtual processor cores are available to it, and its processing priority.
Under both the Process and the Options menus, you can check processes against the database at the virustotal.com website if you suspect a running process might be malware.
You can double-click a process to open its properties panel where a great deal of information and control can be found. Under the Image tab, for example, you can see the path and, if appropriate, the autostart entry for the process, which could be a Registry entry (see Figure 13-21).
Figure 13-21. Detailed information about processes is available
Additionally, under the Security and Environment tabs, you can see technical information about the process, including which users and user groups have permissions to access and run the process.
The remaining properties tabs will provide live information about the process, such as its CPU, memory, GPU (Graphics Processor), and networking activities and usage.
Process Monitor
Another of the highly useful tools in the Sysinternals suite is Process Monitor. This utility is incredibly useful when diagnosing and troubleshooting many types of problems on a PC, including hung apps and app dependencies, malware infections, misconfigured software, deleted files and Registry keys, and more besides (see Figure 13-22).
Figure 13-22. Process Monitor is highly useful for seeing what’s happening on a PC
Process Monitor details, in real time, every running process and service on the PC, with information about every operation they are performing, every Registry key they have open or have access to, and whether the actions they are taking are successful or are reporting an error.
Perhaps you are looking for the dependencies for malware that has infected a PC. You can use Process Monitor to identify all of the Services, DLLs, and Registry keys associated with the core malware app. You can also use Process Monitor to check the dependencies for any running app on the PC, to see what files and keys are associated with it. All of this information can come in handy when diagnosing problems with apps and Windows features, because you can see at a glance what’s happening, if the tasks performed have been successful or not, or if essential Registry keys, DLLs, or Services are missing or reporting an error.
Additionally, you can filter the view to narrow the information displayed to a subset of the full available information. If a file is locked on the PC and unable to be deleted, moved, copied, or even opened, you can also see what process is currently using and has locked the file, so that the process can be closed or terminated. Perhaps most usefully, you can set Process Monitor to record every operation at boot time, and this data can then be exported to be read later in a variety of formats, including CSV and XML files.
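The missing-dependency and locked-file checks described above, applied offline to a Process Monitor CSV export. This is an added example, not code from the book or from Sysinternals; it assumes the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail), and every row in the sample is constructed.

```python
"""Triage a Process Monitor CSV export for failed operations and locked files.
Added example (not code from the book): assumes the default column set that
Process Monitor writes with File > Save... > CSV; all rows are constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample export: a missing DLL, a missing Registry key, and a
# file held open by one process while another process tries to delete it.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000000 AM","winword.exe","4120","CreateFile","C:\Program Files\Contoso\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:01:02.1000500 AM","winword.exe","4120","RegOpenKey","HKLM\SOFTWARE\Contoso\Settings","NAME NOT FOUND","Desired Access: Read"
"9:01:02.1001000 AM","winword.exe","4120","RegOpenKey","HKCU\SOFTWARE\Contoso\Settings","SUCCESS","Desired Access: Read"
"9:01:03.2000000 AM","contosoagent.exe","2288","CreateFile","C:\Users\Mike\report.docx","SUCCESS","Desired Access: Generic Read, ShareMode: None"
"9:01:05.4000000 AM","explorer.exe","1552","CreateFile","C:\Users\Mike\report.docx","SHARING VIOLATION","Desired Access: Delete"
'''

def load_events(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def failed_operations(events):
    """Group every non-SUCCESS operation by process, so missing DLLs,
    Registry keys and locked files stand out from the noise."""
    failures = defaultdict(list)
    for e in events:
        if e["Result"] != "SUCCESS":
            failures[e["Process Name"]].append((e["Operation"], e["Path"], e["Result"]))
    return dict(failures)

def lock_holders(events):
    """For each SHARING VIOLATION, list the other processes that opened the
    same path successfully earlier in the trace (the likely lock holders)."""
    holders = {}
    for i, e in enumerate(events):
        if e["Result"] != "SHARING VIOLATION":
            continue
        holders[e["Path"]] = [
            (x["PID"], x["Process Name"]) for x in events[:i]
            if x["Path"] == e["Path"] and x["Operation"] == "CreateFile"
            and x["Result"] == "SUCCESS" and x["PID"] != e["PID"]]
    return holders

if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for proc, items in failed_operations(evs).items():
        print(proc, *[f"  {op} {res}: {path}" for op, path, res in items], sep="\n")
    for path, who in lock_holders(evs).items():
        print(f"{path} is held open by {who}")
```

On a real capture, filter the trace in Process Monitor first (for example to one process) before exporting, so the CSV stays a manageable size.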
You can double-click any process or Registry key to see additional details about it including used memory addresses, called DLLs, and any command line switches it has been run with (see Figure 13-23). You can also see which user or system account on the PC has run the process.
Figure 13-23. Process Monitor provides extensive information
When you are troubleshooting and diagnosing a process activity that has failed, such as the memory buffer overflow error seen in Figure 13-24, you can get the exact time and day of the failure and see technical details about it.
Figure 13-24. You can get technical details on process failures
ShellRunas
ShellRunas is another Command Line utility, but one that allows you to launch an app or process under the sign-in credentials of a user other than the one who is already signed in to the PC. Use it in the format ShellRunAs /reg to add this functionality to the right-click context menu in File Explorer; more switches are listed on the Sysinternals website.
VMMap
PCs don’t just hold running apps and processes in memory; they also page some of that memory out to disk as virtual memory, known in Windows as the paging file.
VMMap allows you to view the physical and virtual memory usage of a specific process (see Figure 13-25). If an app or process is hogging memory, this utility can provide detailed information on how much memory and what memory types are being used.
Figure 13-25. VMMap allows you to view Page File use for a process
Summary
After two chapters about troubleshooting and diagnosing problems with processes and services, it’s fairly clear that there’s an awful lot that can be done to keep programs and software running smoothly on a PC and to keep the PC stable in the event of a program crashing or being incorrectly uninstalled.
Microsoft’s Sysinternals suite in particular is extraordinarily useful in this regard, especially AutoRuns, Process Explorer, and Process Monitor, all of which we’ll look at in more detail when we examine how to remove malware infections.
In the next chapter, we’ll look at more Sysinternals tools as part of how to configure, diagnose, and troubleshoot networking problems on a PC as, let’s face it, our PCs are pretty much a piece of junk if they can’t get access to network shares, cloud services, and the Internet.