Note from the editor: Process Explorer was in version 9.25 at the time this tip was written but is now at Process Explorer Version 10.21.
- Determine which applications have open handles to devices, such as removable drives that can't be ejected or stopped. Sometimes applications create open handles on removable devices that make them impossible to eject cleanly. Process Explorer can help you get to the bottom of what's causing the problem.
For instance, if you can't eject removable drive F:, select Find | Find Handle and type F: in the Search box. On clicking Search, you'll be presented with a list of all the processes currently accessing that drive. The same goes for a file that cannot be deleted because it's "still in use." Supply the filename, and you can see which process is holding the file open.
- Add comments for a given image to prevent confusion in the future. Many application images have cryptic names, and it might not be clear what their function is. Once you find this out, you can attach a note to a given image name in Process Explorer to explain what it is. Double-click the image name, select the Image tab and under Comment, type a short explanation. These notes persist across updates of Process Explorer.
- Drag-and-drop target to find an image. If you're not sure which application corresponds to which image in Process Explorer, click and drag the little gunsight icon on the Process Explorer toolbar, and drop it on any visible window to find out what process/image it is.
- Perform contextual Google searches on image names. Right-click on the name of an image and select Google to do a Google search on the name of the image. This is a good way to sniff out a suspicious program and see if it's malware. Note: The Google search opens in whatever browser has been set as the system default.
- Identify packed images via highlighting. Another tactic used by many malware applications is to compress the application image. Compressed images now show up with a purple highlight in Process Explorer. Use this as a hint for finding what might not be a valid application after all.
- "Verify image signatures." Enable this in the program's Options menu; then, when you double-click an image name, Process Explorer checks any signed binary's signature against its signer. Malware is less likely to carry a signature that verifies. Note: An unsigned app is not always a sign of malware. For instance, the Moox community builds of Firefox show up as unsigned but are valid applications.
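The same signature check can be reproduced from the command line. The following PowerShell, added here as an example and not part of the original article, walks the images of all running processes with Get-AuthenticodeSignature and lists those whose signature does not verify. It assumes Windows PowerShell 5.1 or later in an elevated session (so that image paths are available for system processes).

```powershell
# Added example (not from the original article): check the Authenticode signature
# of every running process image, mirroring Process Explorer's
# "Verify image signatures" option.
$results = Get-Process |
    Where-Object { $_.Path } |                     # skip processes whose image path is unavailable
    Select-Object -ExpandProperty Path -Unique |   # one check per image file, not per PID
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_
        [pscustomobject]@{
            Image  = $_
            Status = $sig.Status                   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Summary: how many images fall into each signature status
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Images that are unsigned or whose signature does not verify. As the article notes,
# an unsigned image is a lead to investigate, not proof of malware.
$results |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Image |
    Format-Table Image, Status, Signer -AutoSize
```

On PowerShell versions before 5.1, catalog-signed Windows system binaries report NotSigned because only embedded signatures are checked, so review those entries before treating them as suspicious.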
About the author: Serdar Yegulalp is editor of the Windows Insight, (formerly the Windows Power Users Newsletter), a blog site devoted to hints, tips, tricks and news for users and administrators of Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Vista. He has more than 12 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.
This was first published in November 2005