As of this week, Process Explorer is now at version 10.2, and I wanted to provide a quick rundown of the new features and some ways it can be used to improve security.
- Service permissions viewing and editing lets you inspect and change the security descriptor (DACL) of a running service from the Services tab of its host process's Properties dialog. Many service failures come down to unexpected permissions, so seeing the ACL in situ is another way to debug that class of problem. It is also an audit tool: you can check that no service has been silently added as part of an attack on the system, and you can check who holds write-type rights on the services that are legitimately there. An entry that grants SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER to ordinary users is a local privilege-escalation path, because whoever holds it can point the service at a binary of their choosing and have it run under the service's account.
- Show New Processes option re-centers the display on newly launched processes in the Process window, so you can watch launches in a "hands-off" fashion. If you suspect that illicit processes are being started silently behind some innocuous activity (for instance, as part of a malware attack), this is a handy way to confirm it; the process tree also shows which process did the launching, which is often the more interesting fact.
- Many other DLL options are available: pagefile-backed (unnamed) sections can be shown in the DLL view; DLL and handle searching is consolidated; the DLL Properties dialog carries more detail; packed DLLs can be highlighted; and the Services tab of a svchost.exe process lists the DLLs that implement each service it hosts, alongside the regular services. The "Verify" button in a DLL's Properties dialog checks the image's Authenticode signature: a verified result means the file has not been modified since its publisher signed it and the signing certificate chains to a trusted root, which is one way to spot a component that has been replaced with a bogus version. (Note that not all components are signed, though many crucial ones are, and a valid signature tells you the file is intact, not that its publisher is benign.)
- My personal favorite new feature: the File menu now has a Run As command to let you quickly launch a process under different credentials. For running something with reduced rights, the File menu also has Run As Limited User, which starts the program with a restricted token stripped of Administrators group membership and elevated privileges. This is quick-and-dirty "sandboxing": if you have suspicions about an application you can run it in a constrained way first. Bear in mind that a restricted token limits what the process may do, not what it can see; it still has user-level access to your files and the network, so this limits damage rather than providing a safe place to run known malware.
- Support for 64-bit Windows on both Itanium and x64 (AMD64/EM64T) processors, including a signed 64-bit driver for Windows Vista, whose x64 editions refuse to load unsigned kernel-mode code. Download the binary that matches your operating system; if you need to run PE on Windows 9x/ME, there is a version for that as well. Vista-specific data is also shown, such as each process's integrity level and whether it runs with UAC file and registry virtualization. If you're running the Vista beta, try PE on it; it is a nice way to get that much more familiar with the underpinnings of the OS.
- The I/O, memory and CPU graphs now carry more detailed I/O and memory history.
- Data from the Process, DLL and Handle views can all be copied easily to the Clipboard.
- Handle view now shows a file object's share flags (read, write, delete), which indicate what access other callers are allowed to open the same file with while this handle is open. A file opened without share-write or share-delete cannot be overwritten or removed by anyone else until the handle closes, which makes this column the quickest way to see why a file is "in use" and which process holds it.
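The service-permissions audit described in the first item above can be scripted. The following is an added example (not from the article, and not Sysinternals code) that reads each service's security descriptor with sc.exe sdshow, parses the SDDL with .NET's RawSecurityDescriptor, and reports allow-ACEs granting takeover rights to anyone other than LocalSystem and Administrators. The function names and the trusted-SID list are my own assumptions; extend the list in environments where other accounts legitimately manage services.

```powershell
# Added example (not from the article): audit service DACLs for ACEs that
# let non-privileged principals reconfigure, delete or re-ACL a service.
# Such entries are a local privilege-escalation path, because
# SERVICE_CHANGE_CONFIG lets the holder point the service at any binary.

# Service-specific and standard access rights (winsvc.h / winnt.h values).
$ServiceRights = [ordered]@{
    QUERY_CONFIG         = 0x00001
    CHANGE_CONFIG        = 0x00002
    QUERY_STATUS         = 0x00004
    ENUMERATE_DEPENDENTS = 0x00008
    START                = 0x00010
    STOP                 = 0x00020
    PAUSE_CONTINUE       = 0x00040
    INTERROGATE          = 0x00080
    USER_DEFINED_CONTROL = 0x00100
    DELETE               = 0x10000
    READ_CONTROL         = 0x20000
    WRITE_DAC            = 0x40000
    WRITE_OWNER          = 0x80000
    GENERIC_ALL          = 0x10000000
    GENERIC_WRITE        = 0x40000000
}
# Rights that let the holder take over the service or what it runs.
$DangerousMask = 0x2 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# Principals expected to hold those rights (assumption: tune for your build).
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')   # LocalSystem, BUILTIN\Administrators

function Get-ServiceDacl {
    param([string]$Name)
    # sc.exe prints a blank line followed by the SDDL string (or an error).
    $sddl = (sc.exe sdshow "$Name" | Out-String).Trim()
    if ($LASTEXITCODE -ne 0 -or $sddl -notmatch '^[DOGS]:') {
        throw "sc.exe sdshow failed for '$Name': $sddl"
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    $sd.DiscretionaryAcl
}

function Get-WeakServiceAce {
    param([string[]]$ServiceName = (Get-Service | Select-Object -ExpandProperty Name))
    foreach ($name in $ServiceName) {
        try { $dacl = Get-ServiceDacl $name } catch { Write-Warning $_; continue }
        foreach ($ace in $dacl) {
            # Only plain allow-ACEs matter here; deny and object ACEs are skipped.
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($TrustedSids -contains $sid) { continue }
            if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }
            $rights = $ServiceRights.Keys | Where-Object { ($ace.AccessMask -band $ServiceRights[$_]) -ne 0 }
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid }   # unresolvable SID: report it raw
            [pscustomobject]@{
                Service   = $name
                Principal = $who
                Mask      = ('0x{0:X}' -f $ace.AccessMask)
                Rights    = ($rights -join ',')
            }
        }
    }
}

# Usage: list every service whose DACL hands takeover rights to an unexpected principal.
Get-WeakServiceAce | Format-Table -AutoSize
```

Any row naming Everyone, Authenticated Users, Users or INTERACTIVE deserves immediate attention; a row naming a dedicated service-management group may be intended, in which case add that group's SID to the trusted list rather than ignoring the finding.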
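Show New Processes is interactive. The added example below (mine, not the article's or Sysinternals' code) logs the same information unattended through a WMI instance-creation subscription, recording each new process with its parent and command line. It assumes PowerShell 3 or later on Windows; the function names and log path are my own. WMI polls once a second here, so very short-lived processes can slip through; for complete coverage turn on process-creation auditing in the Security event log.

```powershell
# Added example (not from the article): unattended counterpart to
# "Show New Processes". Subscribes to WMI process-creation events and logs
# pid, parent and command line. Assumes PowerShell 3+ on Windows.
function Start-ProcessWatch {
    param([string]$LogPath = (Join-Path $env:TEMP 'new-processes.log'))
    # WMI polls Win32_Process once a second and raises one event per new instance.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
             "WHERE TargetInstance ISA 'Win32_Process'"
    $null = Register-CimIndicationEvent -Query $query -SourceIdentifier 'ProcWatch' `
        -MessageData $LogPath -Action {
            $p = $Event.SourceEventArgs.NewEvent.TargetInstance
            # Resolve the parent by PID; it may already have exited.
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }
            $fields = @((Get-Date), $p.ProcessId, $p.ParentProcessId, $parentName, $p.Name, $p.CommandLine)
            $line = '{0:s} pid={1} ppid={2} parent={3} exe={4} cmd={5}' -f $fields
            Add-Content -Path $Event.MessageData -Value $line
        }
    "Logging process starts to $LogPath; run Stop-ProcessWatch to end."
}

function Stop-ProcessWatch {
    Unregister-Event -SourceIdentifier 'ProcWatch' -ErrorAction SilentlyContinue
}

# Usage: Start-ProcessWatch; reproduce whatever you suspect triggers the launch;
# then Stop-ProcessWatch and review the log, e.g.
#   Get-Content (Join-Path $env:TEMP 'new-processes.log') | Where-Object { $_ -notmatch 'parent=explorer' }
```

The parent column is the one to read first: a command shell or script host whose parent is a document viewer, a browser or a service host is exactly the "innocuous behavior" the article describes.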
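The Verify button checks one DLL at a time. The added example below (mine, not the article's or Sysinternals' code) performs the equivalent Authenticode check across every module loaded in a process using Get-AuthenticodeSignature, then across the whole machine. It assumes Windows PowerShell with rights to read the target's module list (elevate for services and other users' processes); the function name is my own. Where Get-AuthenticodeSignature does not consult catalog files (older Windows versions), legitimate OS files that are catalog-signed rather than image-signed will show as NotSigned, so treat NotSigned as a prompt to look closer and HashMismatch or NotTrusted as alarms.

```powershell
# Added example (not from the article): re-check, from PowerShell, what
# Process Explorer's "Verify" button does for one DLL, but across every
# module mapped into a process.
function Get-UnverifiedModule {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        # Signature states worth reporting; Valid is normal, the rest are not.
        [string[]]$Report = @('NotSigned', 'HashMismatch', 'NotTrusted', 'UnknownError')
    )
    try {
        $proc    = Get-Process -Id $ProcessId -ErrorAction Stop
        $modules = $proc.Modules   # throws on access denied or 32/64-bit mismatch
    } catch {
        Write-Warning "PID ${ProcessId}: $($_.Exception.Message)"
        return
    }
    $seen = @{}
    foreach ($module in $modules) {
        $path = $module.FileName
        if (-not $path -or $seen.ContainsKey($path)) { continue }   # skip duplicates
        $seen[$path] = $true
        # Same check the GUI performs: Authenticode signature chaining to a trusted root.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($Report -notcontains [string]$sig.Status) { continue }
        [pscustomobject]@{
            Process   = $proc.ProcessName
            ProcessId = $proc.Id
            Module    = $path
            Status    = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Detail    = $sig.StatusMessage
        }
    }
}

# Usage: audit the current PowerShell process, then every process, summarised by status.
Get-UnverifiedModule -ProcessId $PID | Format-Table -AutoSize
Get-Process | ForEach-Object { Get-UnverifiedModule -ProcessId $_.Id } |
    Group-Object Status | Select-Object Count, Name
```

A HashMismatch on a module under the Windows directory is the case the article is warning about: the file carries a signature, but its contents no longer match it. Pair the result with Process Explorer's packed-image highlighting, since a packed, unsigned DLL in a process that should only load signed code is worth pulling off the box for analysis.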
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in August 2006