Process Explorer: A Comprehensive Guide to Analyzing Windows Processes

Introduction / Why This Is Needed

Process Explorer is an advanced tool from Sysinternals (now part of Microsoft) that provides detailed information about all running processes, threads, loaded libraries (DLLs), and handles in the system. Unlike the standard Task Manager, it shows the process tree (which process spawned another), allows you to find which specific process is locking a file or folder, and displays real-time resource usage (CPU, memory, GPU, disk) in graphical form.

After completing this guide, you will be able to:

• Find and terminate a "hung" or malicious process.
• Diagnose memory or handle leaks.
• Identify which program is using a specific file or port.
• Examine the command line and environment of any process.

Requirements / Preparation

1. Operating System: Windows 10, Windows 11, or Windows Server 2016 and newer.
2. Access Rights: Viewing information about processes of other users and system services requires administrator privileges. Always run procexp.exe via "Run as administrator".
3. Dependencies: Some features (e.g., displaying digital signatures) require .NET Framework 4.0 or higher (usually already installed on modern Windows).
4. Antivirus: Some antivirus programs may mistakenly flag Process Explorer as potentially unwanted software (PUP) because it integrates deeply into the system. Add it to your exclusions if you are confident in your download source (only from the official website).

Step 1: Download and Launch Process Explorer

1. Open your browser and go to the official Sysinternals download page:
   https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
2. In the "Download Process Explorer" section, download the ZIP archive (e.g., Procexp64.zip for 64-bit systems).
3. Extract the archive to a convenient folder, for example C:\Tools\ProcessExplorer\.
4. Locate the procexp.exe (or procexp64.exe) file. Right-click it and select "Run as administrator". This is critical for proper functionality.

# Alternative way to launch from PowerShell/CMD with admin rights:
Start-Process "C:\Tools\ProcessExplorer\procexp64.exe" -Verb RunAs

After launching, you will see the main window with the process table.

Step 2: Explore the Main Interface

The main Process Explorer window is divided into several parts:

• Toolbar: Buttons for search (Ctrl+F), filtering, refreshing, saving, etc.
• Tree View of Processes: Each process is shown as a row in a table. The "Parent" column shows the PID of the parent process, visualizing launch chains. For example, explorer.exe is often the parent of many user applications.
• Color Coding:
  • Green — Process launched by you (the current user).
  • Pink — Windows service.
  • Blue — Process running under another user's context (e.g., SYSTEM).
  • Purple — A process that has one or more Microsoft-signed DLLs loaded.
• Status Bar: At the bottom of the window, it displays the total number of processes, CPU, and memory usage in the system.

👉 Tip: Customize the displayed columns to suit your needs. Right-click any column header → "Select Columns...". For diagnostics, be sure to add these columns: Command Line (full launch command), Verified Signer (who signed the binary), GPU, and GPU Usage.

Step 3: Use Handle and DLL Search

This is the most powerful function in Process Explorer for resolving lock issues.

1. Press Ctrl+F or go to menu Find → Find Handle or DLL....
2. In the dialog that opens, enter:
   • A file or folder name (e.g., config.json or C:\Temp\) to find which process has it open.
   • A DLL name (e.g., vcruntime140.dll) to see which processes use a specific library.
   • A process name (e.g., chrome.exe) to see all its open handles.
3. Click Search. Results will appear at the bottom. Double-clicking a result will jump to the corresponding process in the main window and highlight the relevant handle in its properties.

# Example: If you cannot delete a folder because it's "in use by another program",
# search for the folder's name in Process Explorer. You will see the process locking it.
# The results will look something like:
# chrome.exe (PID 12345) - Handle: 0x1a4c - C:\MyFolder\somefile.tmp

Step 4: Analyze Process Properties for In-Depth Diagnostics

To get exhaustive information about a specific process:

1. Find the needed process in the main list (you can sort by CPU or memory).
2. Double-click it or select the process and go to Process → Properties.
3. Review the tabs:
   • Image: Path to the executable, developer company, digital signature.
   • Performance: Real-time graphs of CPU, memory, disk, and network usage. Useful for spotting "resource-hogging" processes.
   • Threads: List of all process threads. You can see thread start addresses and CPU time consumed by each. Useful for debugging multithreaded applications.
   • Handles: The key tab. List of all open system objects (files, registry keys, events, mutexes, etc.). If a process is "stuck" waiting on a resource, look here. Filter the list by type (File, Key, Event).
   • DLLs: All loaded libraries with versions and paths. Helps find version conflicts (e.g., when an old DLL is in C:\Windows\System32 but an application expects a newer one from its own folder).
   • Security: Information about the process's security token: user groups, privileges (SeDebugPrivilege, etc.).

Step 5: Practical Example — Find a Process Locking a File

Scenario: You cannot delete the file C:\Data\report.docx; the system says "The action can't be completed because the file is open in another program."

Solution with Process Explorer:

1. Launch Process Explorer as an administrator.
2. Press Ctrl+F.
3. In the search field, enter report.docx or part of the path C:\Data\.
4. Click Search.
5. In the results, you will see something like:

   WINWORD.EXE (PID 5420) - Handle: 0x1b8 - C:\Data\report.docx
   

6. Double-click this line. Process Explorer will switch to the WINWORD.EXE (PID 5420) process and open its Handles tab, highlighting the found handle.
7. Now you know the culprit. You can:
   • Close the handle manually (right-click the handle → Close Handle). Caution! This may cause data loss in the owning application (Word).
   • Politely terminate the process (WINWORD.EXE), if acceptable (via the process context menu → Kill Process). Save documents in other Word windows first.
   • Simply close the document in Word itself, if it is open.

Verification of Results

You have successfully mastered Process Explorer if you can:

• Distinguish a system process from a user process by color and tree.
• Find a process's PID by its name or part of its command line.
• Use Ctrl+F to determine which process holds a specific file, folder, or registry key.
• Open a process's properties and read the Handles and DLLs tabs for diagnostics.
• Identify a "resource-hogging" process by the graphs on the Performance tab.

Potential Issues

Bonus Tip: For continuous monitoring, you can use Process Explorer in Task Manager replacement mode. In the Options menu → Replace Task Manager, enable this feature. Now pressing Ctrl+Shift+Esc will open Process Explorer.