By now, most users know all about antispyware software, antivirus apps, firewalls, and other essential tools for keeping your Windows machine lean and mean. (If you don't, be sure to check out the Security section of our PC Starter Kit.)
However, when your PC slows down and the Windows Task Manager says that a process named lsass.exe or svchost.exe is using 99 percent of your system resources, how do you know whether it's a legitimate task or something more insidious? When in doubt, the best place to start is a free utility called Process Explorer, created by Mark Russinovich, whose other claim to fame is the discovery of Sony's infamous CD rootkit.
Although there is an option in Process Explorer to replace Task Manager, I don't necessarily recommend it. It depends on your own situation, but I use the two applications for different purposes. Windows Task Manager is ideal for force-quitting unstable applications or quickly checking to see which process is sucking up your CPU, while Process Explorer provides actual transparency into all of the loaded DLLs and services on your Windows machine. Also, if the Task Manager is ever targeted by malware, Process Explorer provides a more than capable backup.
By default, Process Explorer opens with your active processes displayed in a tree that shows the parent-child relationship, process ID (PID), CPU usage, description, and company name for each process. Right-clicking on the Process Explorer column header and clicking "Select Columns..." lets you choose which process attributes to display, including version, image path, verified signer, window title, window status, and other information. You can kill any process in your list easily, or, even better, suspend processes one at a time to pin down which one is the resource thief.
The real fun starts when you activate the two-pane view by selecting "Show Lower Pane" from the View menu or hitting the shortcut Ctrl+L. When you select a specific process in the window above, the pane below will display all of the associated DLLs or "handles," which include various system items like Registry keys, files, directories, and events. You can switch between DLLs and handles via the "Lower Pane View" options in the View menu or by hitting Ctrl+D or Ctrl+H, respectively.
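The same checks that Process Explorer's columns (image path, verified signer, parent process) and its lower DLL pane make visible can be scripted. The PowerShell below is an added example written for this article, not a tool from Sysinternals or the article's author: it triages a short watch list of commonly impersonated process names, flags an image path outside System32, a non-valid Authenticode status, or an unexpected parent (lsass.exe is normally started by wininit.exe, svchost.exe by services.exe), and then lists loaded modules that are unsigned or live outside the Windows directory. The watch list and the `Get-ProcessTriage` / `Get-UnverifiedModule` function names are this example's own choices; it assumes an elevated Windows PowerShell 5.1 or later session, since protected processes hide their image path and modules from a non-elevated one.

```powershell
# Added example, not part of the article or of Process Explorer.
# Assumptions: elevated Windows PowerShell 5.1+ on Windows; $WatchList is
# an illustrative list of process names that malware commonly imitates.

$WatchList = @('lsass', 'svchost', 'csrss', 'winlogon', 'explorer')
$SystemDir = [Environment]::GetFolderPath('System')   # usually C:\Windows\System32
$WinDir    = [Environment]::GetFolderPath('Windows')  # usually C:\Windows

# Expected parent image for a few well-known system processes (Vista and later).
$ExpectedParent = @{ lsass = 'wininit.exe'; svchost = 'services.exe'; csrss = 'smss.exe' }

function Get-ProcessTriage {
    param([string[]]$Names)

    # Win32_Process exposes ParentProcessId, which Get-Process does not.
    $byPid = Get-CimInstance Win32_Process | Group-Object ProcessId -AsHashTable -AsString

    foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        $info   = $byPid["$($p.Id)"]
        $parent = if ($info) { $byPid["$($info.ParentProcessId)"] } else { $null }
        $path   = $p.Path   # $null for protected processes when not elevated
        $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        # Each flag corresponds to something an analyst would eyeball in Process Explorer.
        $flags = @()
        if (-not $path) {
            $flags += 'no-image-path'
        } elseif (-not $path.StartsWith($SystemDir, 'OrdinalIgnoreCase')) {
            $flags += 'outside-System32'
        }
        # Caveat: on older Windows builds catalog-signed system files report
        # NotSigned here; treat that as "investigate", not as proof of tampering.
        if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
        $want = $ExpectedParent[$p.Name.ToLower()]
        if ($want -and $parent -and $parent.Name -ine $want) { $flags += "parent:$($parent.Name)" }

        [pscustomobject]@{
            Name   = $p.Name
            PID    = $p.Id
            Parent = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '?' }
            Path   = $path
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Flags  = ($flags -join ', ')
        }
    }
}

function Get-UnverifiedModule {
    # Script equivalent of the lower DLL pane with the "Verified Signer" column:
    # loaded modules that are not validly signed or sit outside the Windows directory.
    param([int]$ProcessId)
    try   { $modules = (Get-Process -Id $ProcessId -ErrorAction Stop).Modules }
    catch { Write-Warning "Cannot enumerate modules of PID ${ProcessId}: $_"; return }

    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid' -or -not $m.FileName.StartsWith($WinDir, 'OrdinalIgnoreCase')) {
            [pscustomobject]@{ PID = $ProcessId; Module = $m.ModuleName; Path = $m.FileName; Status = $sig.Status }
        }
    }
}

# Usage: triage the watch list, then drill into anything with a non-empty Flags column.
Get-ProcessTriage -Names $WatchList | Format-Table -AutoSize
# Get-UnverifiedModule -ProcessId <flagged PID> | Format-Table -AutoSize
```

Read the output the way you would read Process Explorer: an empty Flags column for a svchost.exe under services.exe in System32 with a valid Microsoft signature is the normal case, while a same-named image in a user-writable path, an unsigned binary, or an unexpected parent is the point where the lower pane (here, `Get-UnverifiedModule`) earns a closer look.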
These DLL and handle details help decipher what each process is actually doing, although it still requires a bit of research to learn about the Registry keys and what all of the included information about each process actually means.
Process Explorer isn't the only program to help make sense of your Windows processes. Another free application from Computer Technology called PrcView (short for Process Viewer) packs a ton of info into a very compact and efficient interface. PrcView offers all of the standard process information, like memory usage, file path, ID, and username, along with some extra features like a Process Monitor that logs all start and stop events for processes since your computer's last start-up.
One program that aims to add security features to the diagnostic features of a process manager is Security Task Manager, a shareware program from A. & M. Neuber.
Security Task Manager lists all of your active processes just like the other two apps but, in addition, offers a security rating next to every process. It does not use spyware or virus definitions to classify processes; rather, it looks for a certain set of characteristics, much as spam filters do, to identify potentially dangerous items. The interface of Security Task Manager isn't as comprehensive or intuitive as Process Explorer or PrcView, and it's not free, but you might find its quick security ratings valuable, especially when used in conjunction with a more robust diagnostic tool.