Process Explorer

This document provides instructions for using Process Explorer to view and monitor processes running on a Windows system. It includes 52 steps where the user is asked to find specific processes and process attributes using Process Explorer and provide short answers. The key things it evaluates the user's ability to do are identifying parent/child process relationships, viewing process properties like CPU and memory usage, ending processes, and using Process Explorer's various views and features to troubleshoot and monitor the system.

Name: __________________________________

Lab#16: Process Explorer


CIT271

This lab covers Mark Russinovich & Aaron Margosis, Windows Sysinternals Administrator’s Reference,
Microsoft Press, Chapter 3. (This book is not required.)

1. Log on to your Windows 10 computer.

2. Microsoft Sysinternals is a collection of “free file, disk, process, security, and Windows
Management Tools”. Open Internet Explorer and go to http://technet.microsoft.com/en-us/sysinternals.
Click on Process Utilities. Read the description for Process Explorer. Process
Explorer is an improved Task Manager. What does the description say about Process Explorer?
Answer #A:

3. “Processes are the heart of any Microsoft Windows systems. Knowing what processes are running
at any given time can help you understand how your CPU and other resources are being used, and it
can assist you in diagnosing problems and identifying malware. … Process Explorer is the most
popular download from Sysinternals.”
4. Click on Process Explorer.
5. At the bottom of the page, click on Run Process Explorer now from Live.Sysinternals.com. Running
Process Explorer from the web site means that you will be running the latest updated version.
6. The Tree View shows parent/child process relationships.
7. Pink processes are services. Light blue processes are running in your user account. Choose Options
| Configure Colors to see the color selections. What is the color red used for? This color appears for
one second.
Answer #B:
8. Find procexp.exe, which is running under your account. What are its A) PID, B) percentage of CPU
usage, C) description, and D) company name? The description and company name help in
identifying processes that are not malware.
Answer #C:

9. Choose View | Update Speed. How often is Process Explorer updated?


Answer #D:

10. Give the process tree (great-grandparent, grandparent, parent, etc.) leading to procexp.exe.
Answer #E:

11. Open Notepad. Hover over Notepad.exe in Process Explorer. What is its path?
Answer #F:
12. The System Idle Process is used to account for when Windows is running no program code. What is
the percent of CPU time used by the System Idle Process? This will vary with each update so pick
one.
Answer #G:

13. Open WordPad. A) What is its parent process? B) What is its “Description”? C) What is its
“Company Name”?
Answer #H:

14. Service processes found under services.exe are descendants of what process?
Answer #I:
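The parent chain that Process Explorer's tree view draws (steps 10, 13 and 14), together with the Description, Company Name and path that steps 8, 11 and 13 ask for, can also be pulled from the command line. The PowerShell below is an added example, not part of the lab or of Sysinternals; it assumes Windows PowerShell 5.1 or later and reads Win32_Process, which is where ParentProcessId lives. The function name Get-ProcessAncestry is invented here. It also guards against PID reuse: a parent PID whose process started after the child belongs to an unrelated, newer process, which is why Process Explorer compares start times before drawing the link.

```powershell
# Added example (not part of the lab): walk the parent chain of a process the way
# Process Explorer's tree view shows it, and attach the Description / Company Name
# fields (from the executable's version resource) that help confirm a process is
# what it claims to be. Assumes Windows PowerShell 5.1 or later.
function Get-ProcessAncestry {
    param(
        [Parameter(Mandatory)] [int] $ProcessId
    )
    # Win32_Process carries ParentProcessId and CreationDate; Get-Process does not.
    $byId = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $byId[[int]$p.ProcessId] = $p
    }

    $chain   = @()
    $seen    = @{}
    $current = $byId[$ProcessId]
    while ($null -ne $current -and -not $seen.ContainsKey([int]$current.ProcessId)) {
        $seen[[int]$current.ProcessId] = $true

        $info = $null
        if ($current.ExecutablePath) {
            # "Description" and "Company Name" in Process Explorer come from here.
            $item = Get-Item -LiteralPath $current.ExecutablePath -ErrorAction SilentlyContinue
            if ($item) { $info = $item.VersionInfo }
        }

        $chain += [pscustomobject]@{
            PID         = $current.ProcessId
            ParentPID   = $current.ParentProcessId
            Name        = $current.Name
            Path        = $current.ExecutablePath
            Description = $info.FileDescription
            Company     = $info.CompanyName
            Priority    = $current.Priority      # base priority, as in step 46
            Started     = $current.CreationDate
        }

        # PIDs are reused. If the recorded parent started AFTER this process,
        # the real parent has exited and the PID now belongs to something else.
        $parent = $byId[[int]$current.ParentProcessId]
        if ($parent -and $parent.CreationDate -and $current.CreationDate -and
            $parent.CreationDate -gt $current.CreationDate) {
            $parent = $null
        }
        $current = $parent
    }

    # Oldest ancestor (great-grandparent) first, like reading the tree top-down.
    [array]::Reverse($chain)
    return $chain
}

# Usage: open Notepad first (step 11), then print its ancestry.
$np = Get-Process -Name notepad -ErrorAction SilentlyContinue | Select-Object -First 1
if ($np) { Get-ProcessAncestry -ProcessId $np.Id | Format-Table -AutoSize }
```

A chain that ends early, before reaching a well-known root such as wininit.exe or explorer.exe, usually means an ancestor has exited; Process Explorer shows the same thing by promoting the orphan to the top level of the tree.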

15. Right click on wordpad.exe. Choose “Kill Process”. What did Procexp ask you?
Answer #J:
16. Right click on the column header row and choose “Select Columns”. Procexp offers over 100
process attributes that can be displayed.
17. Choose “Window Status” and “Integrity Level”.
18. “Window Status” indicates whether a process responds in a timely fashion to window messages.
(Running or Not Responding).
19. A) At what integrity level does procexp run? B) List any Low integrity level processes.
Answer #K:
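The Integrity Level column from steps 17 to 19 is the token's mandatory label, and a process can read its own label without Process Explorer. The snippet below is an added example, not part of the lab; it assumes Windows PowerShell 5.1 or later and that the mandatory-label SID (authority S-1-16) is present in the token's group list, which is what the lookup relies on. The function name Get-CurrentIntegrityLevel is invented here.

```powershell
# Added example (not part of the lab): report the integrity level of the
# current PowerShell process from its own token. The level is carried as a
# SID under the S-1-16 authority; the RID encodes the level.
# Assumes Windows PowerShell 5.1 or later.
function Get-CurrentIntegrityLevel {
    $levels = @{
        'S-1-16-0'     = 'Untrusted'
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-8448'  = 'Medium Plus'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
        'S-1-16-20480' = 'Protected Process'
    }
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $label = $identity.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    if ($null -eq $label) { return 'Unknown (no mandatory label in token groups)' }
    $name = $levels[$label.Value]
    if (-not $name) { $name = "Unknown ($($label.Value))" }
    return $name
}

# Compare with what Process Explorer shows for this powershell.exe / pwsh.exe.
Get-CurrentIntegrityLevel
```

Running the same command from an elevated console should report High, and from a normal console Medium, which is the difference you see between procexp started with and without "Run as administrator".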

20. Right click on the column header row and choose “Select Columns”.
21. Remove “Window Status” and “Integrity Level”.
22. Click on the Process Memory tab and choose “Page Fault Delta”. Processes often run without all of
their pages of code in memory. When the CPU accesses code that is not in memory, a page fault occurs and
a disk I/O operation is scheduled to bring that page into memory. A lot of page faults will cause a
process to run slowly.
23. The “Page Fault Delta” is the number of page faults since the last Procexp refresh.
24. What processes are experiencing page faults?
Answer #L:

25. Make sure that WordPad is open.


26. Right click on the column header row and choose “Select Columns”. Choose the Process Memory
tab.
27. Remove “Page Fault Delta”.
28. Choose the Process I/O tab. Choose “Read Bytes”, “Write Bytes”, “Delta Read Bytes”, and “Delta
Write Bytes”. Delta is any change since the last Procexp refresh.
29. What are the I/O Read Bytes for wordpad.exe?
Answer #M:
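Every "Delta" column in Process Explorer (Page Fault Delta in steps 22 to 24, Delta Read Bytes and Delta Write Bytes in steps 28 and 29) is just the difference between two refreshes of a cumulative counter. The PowerShell below is an added example, not part of the lab; it assumes Windows PowerShell 5.1 or later and uses the cumulative PageFaults, ReadTransferCount and WriteTransferCount properties of Win32_Process. The function name Get-ProcessDeltas is invented here. It handles the case a naive subtraction gets wrong: a PID that exits and is reused between the two snapshots produces a negative delta and is dropped.

```powershell
# Added example (not part of the lab): compute Process Explorer-style delta
# columns by taking two snapshots of Win32_Process and subtracting the
# cumulative counters. Assumes Windows PowerShell 5.1 or later.
function Get-ProcessDeltas {
    param(
        [int] $IntervalSeconds = 2,   # plays the role of View | Update Speed
        [int] $Top = 10
    )
    $props = 'ProcessId', 'Name', 'PageFaults', 'ReadTransferCount', 'WriteTransferCount'

    $first = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process -Property $props) {
        $first[[int]$p.ProcessId] = $p
    }

    Start-Sleep -Seconds $IntervalSeconds

    $rows = foreach ($p in Get-CimInstance -ClassName Win32_Process -Property $props) {
        $prev = $first[[int]$p.ProcessId]
        if ($null -eq $prev) { continue }   # started after the first snapshot

        $pf = $p.PageFaults         - $prev.PageFaults
        $rd = $p.ReadTransferCount  - $prev.ReadTransferCount
        $wr = $p.WriteTransferCount - $prev.WriteTransferCount

        # Counters only grow for a live process; a negative delta means the
        # PID was reused by a different process between the two snapshots.
        if ($pf -lt 0 -or $rd -lt 0 -or $wr -lt 0) { continue }

        [pscustomobject]@{
            PID             = $p.ProcessId
            Name            = $p.Name
            PageFaultDelta  = $pf
            ReadBytes       = $p.ReadTransferCount
            WriteBytes      = $p.WriteTransferCount
            DeltaReadBytes  = $rd
            DeltaWriteBytes = $wr
        }
    }

    $rows |
        Where-Object { $_.PageFaultDelta -gt 0 -or $_.DeltaReadBytes -gt 0 -or $_.DeltaWriteBytes -gt 0 } |
        Sort-Object -Property PageFaultDelta -Descending |
        Select-Object -First $Top
}

# Usage: with WordPad open, the busiest processes over a two-second window.
Get-ProcessDeltas | Format-Table -AutoSize
```

Processes that show up with a zero delta in every column are idle for that interval, which is exactly why Process Explorer leaves those cells blank rather than printing 0.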
30. Right click on the column header row and choose “Select Columns”. Choose the Process I/O tab.
31. Remove “Read Bytes”, “Write Bytes”, “Delta Read Bytes”, and “Delta Write Bytes”.
32. To find which process owns a window, choose the crosshair icon in the toolbar. (It looks like a bull’s eye
and is the rightmost icon.) Drag it over the WordPad window. In Process Explorer, what is the color
now of the wordpad.exe entry?
Answer #N:

33. Return to your Virtual Machine. We will now install Process Explorer and use it to replace Task
Manager.
34. Open Internet Explorer and go to http://technet.microsoft.com/en-us/sysinternals.
35. Download and unzip Process Explorer. You will need to choose a location for it.
36. Run Process Explorer to make sure it works.
37. Choose Options | Replace Task Manager.
38. Stop Process Explorer.
39. Windows+X.
40. Choose Start Task Manager. What happened?
Answer #O:
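Steps 37 to 40 replace Task Manager without touching taskmgr.exe itself: Process Explorer registers its own path as the "Debugger" value for taskmgr.exe under Image File Execution Options, so Windows starts procexp whenever Task Manager is requested. Because that same value is a well-known way for unwanted software to intercept a program launch, checking it is a useful habit. The PowerShell below is an added example, not part of the lab or of Sysinternals; it assumes Windows PowerShell 5.1 or later, that the key is readable by the current user, and that the Debugger value is either a quoted path or a path followed by arguments. The function names Get-TaskManagerReplacement and Get-IfeoDebuggers are invented here, and the second one goes beyond the lab by listing every image that has a Debugger value set, not only taskmgr.exe.

```powershell
# Added example (not part of the lab): inspect the Image File Execution Options
# "Debugger" value that Options | Replace Task Manager sets, and audit every
# image that has one. Assumes Windows PowerShell 5.1 or later.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-DebuggerExecutable {
    param([string] $Debugger)
    # Value may be "C:\path\procexp.exe" (quoted) or C:\path\procexp.exe /args.
    if ($Debugger.StartsWith('"')) { return $Debugger.Split('"')[1] }
    return $Debugger.Split(' ')[0]
}

function Get-TaskManagerReplacement {
    $key = Join-Path $IfeoRoot 'taskmgr.exe'
    $debugger = $null
    if (Test-Path -LiteralPath $key) {
        $debugger = (Get-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    }
    if (-not $debugger) {
        return [pscustomobject]@{ Replaced = $false; Debugger = $null; Executable = $null; Exists = $null; Signer = $null }
    }
    $exe = Get-DebuggerExecutable -Debugger $debugger
    $sig = Get-AuthenticodeSignature -LiteralPath $exe -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Replaced   = $true
        Debugger   = $debugger
        Executable = $exe
        Exists     = Test-Path -LiteralPath $exe
        Signer     = $sig.SignerCertificate.Subject   # expect a Microsoft subject for procexp
    }
}

function Get-IfeoDebuggers {
    # Every image with a Debugger value: after the lab, only taskmgr.exe should appear.
    Get-ChildItem -LiteralPath $IfeoRoot | ForEach-Object {
        $d = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($d) {
            $exe = Get-DebuggerExecutable -Debugger $d
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $d
                Executable = $exe
                Exists     = Test-Path -LiteralPath $exe
            }
        }
    }
}

# Usage: confirm what step 40 observed, then list all intercepted images.
Get-TaskManagerReplacement | Format-List
Get-IfeoDebuggers | Format-Table -AutoSize
```

Choosing Options | Replace Task Manager a second time in Process Explorer removes the value again; running Get-IfeoDebuggers afterwards should show taskmgr.exe gone from the list.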

41. Press Ctrl+I for System Information.


42. Click on the CPU tab.
43. What is the percentage of CPU Usage?
Answer #P:
44. Open Internet Explorer. Navigate to www.nku.edu.
45. Double click on an instance of iexplore.exe in Process Explorer. A properties dialog box should open.
Click on Performance Graph tab. Mouse over the latest I/O spike. At what time did this I/O spike
occur?
Answer #Q:

46. Click on the Performance tab. What CPU Priority is iexplore.exe running at?
Answer #R:

47. Click on the Image tab. Type in a short comment. Comments will help you keep track of what the
process is.
48. Click OK and close the dialog box. Mouse over the instance of iexplore.exe that you have been working
with. Write down all of the information that shows up as a caption.
49. Answer #S:

50. You should consider reading Chapter 3 of Windows Sysinternals Administrator’s Reference.
51. You should consider watching the video “The Case of the Unexplained” starting at minute 10 to
learn more about using Process Explorer.
