Process Hacker Essentials: Empowering IT Pros for Troubleshooting

Captions
We're going to take a look at an open source tool for troubleshooting Windows. It's called Process Hacker. If you're familiar with the Sysinternals Suite and Process Explorer, you'll feel real comfortable with this open source Windows troubleshooting tool. You can get here very easily by just typing in "process hacker" and it will take you to the sourceforge.io site that hosts their code and downloads. It's written in C and there are a lot of good contributors to this open source project. Now, under the download, you can go and download the setup, or the installable version, of Process Hacker. They recommend that because it's going to load a kernel mode driver and it's going to give you more access to what's going on in user mode. You also have binaries for a 32-bit portable app and a 64-bit portable app, so you can use those also. When you download, check your downloads against the hash value that they have on the download page.

So here I've downloaded both. The installable, which is setup.exe, you can just right mouse click and install that. I've got step-by-step instructions in the video notes; if you go to the link in the video description of this video you can download those video notes, and it gives you step by step on that install if you need it. Process Hacker, this is the extractable binaries for the portable app. Double click it and you can have the 32-bit version portable app and the 64-bit. Let's open up this folder. Now to use it you just right mouse click on Process Hacker, run as administrator, and you're ready to use this as a portable app. It does have a folder called plugins, and they're just a set of DLLs that add functionality and features to this tool. I went ahead and installed it, so if you right mouse click on the Windows icon and you go to Task Manager, notice Process Hacker replaces your Task Manager. So that's automatic. I like that feature because I would rather use a tool like this than Task Manager. Now notice the tool is running under John's credentials, so let's go to the Hacker menu and come down to Show Details for All Processes. This is going to bump it up to administrative rights, and so now you can see both John's and administrator's credentials are now running this tool. That's where you want to be to see the things that we want to do for troubleshooting.

When we're using a tool like Process Hacker, we are looking at user mode and above. This is the architectural diagram of the Windows operating system. We have kernel mode, and a lot of components are in kernel mode. Typically when we are troubleshooting we're dealing with applications and services and other things, and that is found in user mode. So we have all the system processes, services, applications and environmental subsystems all tied into user mode. So this type of tool allows us to work primarily in the user mode of Windows; we don't have much view into kernel mode.

Process Hacker immediately shows you the Windows operating system in a tree mode. That means a process like services.exe, which is a critical process that is responsible for all services launched in the Windows operating system upon boot up, all services below it are child processes. There is a certain relationship between a child process and its parent. The tree view allows us to see that relationship between a parent process and a child process. Let's look at Firefox and we'll see that more clearly. So I've launched Firefox and now I'm going to minimize it, and you can see Firefox is now shown in our dashboard of Process Hacker. I'm going to come up to the search criteria and just type in firefox so that I can eliminate all the other stuff and we can just focus in on this set of processes: parent process and child processes. So here you can see Firefox PID 7348 is the parent to a series of child Firefox processes. Now we don't always understand why a developer designs an application, in the case of this Firefox browser, to take full advantage of a parent-child relationship. In the case of browsers they do it primarily for sandboxing, which provides isolation and better security. In the case of browsers they typically put every single extension that you add to your browser in a separate child process, so that, again, isolation: if an extension crashes it doesn't crash Firefox.

Back to our main dashboard. As you can see, color plays a major role in Process Hacker as well as Process Explorer. Let's go up to Options and we'll go under Highlighting, and here is the color scheme and the explanation for the color scheme for Process Hacker. They use a light, I guess a teal, for services. So any service, svchost.exe, that gives you that quick visual indicator that if it's teal color then it's going to be a service, so this is really helpful. Own processes are processes that are launched under my credentials, so when I log on to this copy of Windows 10 as John, all of the yellow-indicated processes are processes that launched under my credentials. One interesting color is called the elevated process, and that means if you elevate a process with administrative rights it's going to indicate it with a brown, or in this case I think it's an orange color. So that immediately allows you to see a process that has been elevated with administrative rights. Two colors that are very important to know when you're using Process Hacker are green and red. Green means that that process has launched or started, and red means that process has terminated. That's very important because you want to see what's going on with your operating system: what processes are being launched and what processes are being terminated. That can help a lot in troubleshooting. Highlight duration allows you to see the launch time and the termination time for a longer period of time. I would recommend bumping it up to about 5000. That way when an object starts, a process starts, it stays green for a long time; that way it doesn't get past your view, or you didn't pay attention to it and it launched and you never saw that action or that termination. So increase your highlight duration to about five thousand; that will give you at least five seconds to view a new process and a terminated process.

Now under the Advanced tab in the Options section, make sure that you enable the kernel mode driver, which is probably going to be your choice in the installed version of Process Hacker. I think you have to enable that in the portable app. Be sure to check images for digital signatures and packing. That's very important, to make sure that that image and DLLs and the associated files running in that process are signed. Under the General tab of Options you can read them all and see which ones you want. One I would definitely check is allow only one instance, so you don't want two instances of Process Hacker running. So that's a good one to check; that just eliminates a double click by accident and you've got two instances running.

Now Process Hacker allows you to look at a lot of metrics in the operating system. Let's come up to the column section, right mouse click, we're going to Choose Columns, and you can see there's just a ton of metrics that you can look at. One that's very important to understand is delta. Notice there's a lot of delta metrics: total disk, total bytes delta, context switch delta. So you're going to see a lot of metrics that are based on delta. Gotta understand that, so let's take a look at what delta means. So if I go up to Process Hacker and I click on the View menu and I come down to Refresh Interval, you can see I can choose the time that it will refresh the display: every one second, below normal, every two seconds, every five seconds and every 10 seconds. So I have control over the refresh rate of the display. That's going to impact those delta measurements. So if I have it set on one second, every one second I'm going to refresh the display, and if I'm measuring a metric that's delta, it's going to be measured in change per second. That's what delta means: change per second. If I change my refresh rate to 2 seconds then it's going to be change, or delta, per every 2 seconds. If I change my refresh rate to five seconds then every delta measurement will be whatever I'm measuring per five seconds. So that's very helpful as we investigate performance. Anytime it's a delta measurement it's based on your refresh rate, so it's very important to know what your refresh rate is.

You also have the option of disabling automatic refresh, and then anytime I hit F5 it will refresh based on my desire. Now why would I use a refresh rate based on when I decide? If I'm dealing with an incredibly slow system and I'm trying to troubleshoot the problem, Process Hacker is impacting my system. Again, it's already slow, and I'm running Process Hacker and it's already impacting the problem. In many cases, to lighten the impact of Process Hacker as I'm troubleshooting this incredibly slow system, I can actually get rid of the automatic refresh and refresh when I want. It skews my measurements a little bit, but it may be enough to where Process Hacker is not impacting the system any more than it has to.

Process Hacker's dashboard is very flexible. You can go to any column and click at the top and you can sort. So you can sort by user name, you can sort by private bytes, which is your virtual memory, or you can sort by working set, which is how much physical memory that process is using. So you can go to any column and sort just by clicking the top of the column. Now if you want to go back to where you were, the original state, just right mouse click and reset your sort and you're back to that tree view. Process Hacker has an enormous amount of metrics that you can look at. So I went up to the column, right mouse click, Choose Columns, and you can see there's just an enormous amount of metrics that you can add to your dashboard and observe.

Now the search feature up here is extremely powerful for troubleshooting. Let's say I'm troubleshooting processes that have launched after I log on and are causing me trouble, and I want to get rid of all the other processes except those that were launched upon my logon. I can come over to the username and see that John is associated with some of these processes. So I'm going to come up here and type john, and I know that every process that's left in the dashboard was launched upon John logging on, because he's the username, the credentials that actually allow that process to start. So now I can quickly find all the processes that are a part of John's logon. Now I can drill down. That helps me get rid of all the other processes and focus on those processes that were created during John's logon.

Process Hacker has a series of tabs: Processes, Services, Network and Disk. Let's take a look at Services. Now the developers added both drivers and services, so when you see a name where you have a square icon by that name, that's actually a service. If you see a name and a gear icon, that's actually a driver. Now you don't have full control over all of these drivers and services, but one thing that's really nice about them is you can right mouse click and you can open the registry where the registry keys related to that driver or service are found. That's extremely helpful.

Now if you go to the Network tab, a lot of nice things. First of all, you see a good view of anything that's connected to your processes via the network, and you can see IP addresses. If you scroll down, here's a list of IP addresses that were connected to through SearchApp.exe. It will indicate the PID if there's a PID related to that, as well as the TCP/UDP port number. But I can right mouse click on this IP address and use the tools: I can ping it, I can do a trace route, whois and a path ping. I can also copy that remote IP address and do a little research on that IP address if I feel like it's malware. You can also look at each process and come over here to see the firewall status of that process, to see are there restrictions, are there no restrictions. So that's also a very helpful feature.

Let's move on to the Disk tab. When you first click on it nothing is there, but the longer you leave it open and active the more things populate in this disk display. So just leave it here and let it go, and it will populate and show you a good view of what's going on with your disk: read, write and activity on your disk drives. So here I've let it run for a while and you can start seeing pagefile.sys, the read rate, the write rate. You can look at all the various processes and their PIDs, you can look at what they're writing to, what file. So this is very nice; you can really get a good idea of what's going on in terms of what the operating system is writing to, not only in rates but also what file is being written to.

Now under Disk there's a couple of things that we really can take advantage of with the search feature as we're looking at disk. One, if you want to take a look at Prefetch: this allows you to see your disk caching system. If you'll notice, the directory here is Prefetch; this is actually your disk caching system. So if you want to see what's going on, this is something you normally don't see, and it is not only exposed, but here's a great example of seeing your disk caching system. Another is what's going on with your registry files. So I'm going to type in config, and because I know that my registry keys are all in the config folder, you can see the path has config, and sure enough I see my SYSTEM registry hive, I see my SOFTWARE registry hive, I can come down here and see my SAM registry hive. So I can see what's going on with my registry, which we know is being read and written to at a very high rate. If you'll notice also, under the config I have config.log 2, log 1. Remember, these are transaction logs that are put in place to protect your registry hives, so should something happen it can recover pretty accurately as to the state when your system crashed or something dramatic happened, and you can recover your registry. If you'll notice, we don't have a lot of problems with registry corruption like we did in 95 and 98 and those early days of Windows; a lot of that comes from these transaction logs.

Next we'll go to System Information, and we can pull up CPU, Memory, I/O, GPU, Disk and Network. These are very helpful. This is very similar to what we see in Process Explorer. It gives us a lot of information: how many processes, how many threads, how many handles, what's our uptime, context switch delta (remember that's per second: how many times the processor executes threads per second, which would be delta), interrupts delta per second. When we hit our Memory tab we see a great deal about our commit charge, which is our virtual memory, our physical memory, paging, our page faults: how many times does the memory manager pull memory out of RAM into the virtual memory and back again. So we can see that kind of information.

Some of the true capabilities of a tool like this come when you begin to examine each process. So let's say, for example, I'm troubleshooting OpenOffice Writer. I want to really dig into the images that are running the process and the threads, what's going on with this. Say it's slow or it's freezing or locking up, any one of those things, and we want to investigate this application. One thing we're going to do is take advantage of our search. I'm going to minimize that and just put s. What I did was I just used the search criteria to isolate the processes that are related to this particular application. Now I can go to, let's say I want to start with the parent, I can right mouse click. You can see there's a lot of things I can do. I can get GDI handles, which is your graphical elements. I can inject DLLs; I'm not sure why you would want to inject a DLL into a process. If there's any developers that watch this video and you do understand, I would love you to put some comments in this video's comment section. Page priority. If I want to flush out what's in RAM that that process is using, I can say reduce working set. If you look up here in working set, watch what happens when I click on that. Let me refresh it. You can see it just blew out everything in memory, took whatever was in memory and pushed it out, and it will again come back. Now we can see that it's starting to come back; it's starting to pull things out of virtual memory back into RAM, which it should. That's the way memory manager works.

But if I want to get in here and look at this process I can go into Properties, and here's where there's tremendous power. I can see all the threads that run in that process, I can see their thread ID, I can see are they impacting the CPU, is it a particular thread that's really impacting the CPU. I can look at the performance of that process all by itself. I can look at statistics in terms of CPU, memory, I/O. So I really can delve in and see what's going on. I can see how many handles it's got, 156 handles, GDI user handles. So these are all graphical elements, registry keys, files, folders, etc. That's typically what handles are. We can look at the General tab here. I can actually see were there commands, switches, arguments added to the executable that launched this process. I can see the directory that it came from, I can see when it started, what date, I can see the base address, the parent process, which is explorer. So there's a lot of really, really cool things. I can also look at any of the security mitigation policies. If I click on Details I can see this is the address space layout randomization and your data execution protection, so those are two security measures that are being implemented with this process. I can look at memory and I can also go in and look at strings. So I could go in and look at strings, any kind of strings, and this is Unicode, and I could search for any particular type. So let me go up here and do a, if I can search that executable or that process for, say, http. Is there any? And there was none. So you can use this to start searching for strings, and you can see the various Unicode text strings that are actually embedded in memory in this executable. So it's pretty interesting.

Mr. Vanderbilt, why would I want to search Unicode strings in memory of an image? Well, if you're hunting down malware, that's one of the reasons why you would want to do that. Another powerful feature of search in Process Hacker is the ability to do what's known as regular expressions, or regex, search. This is a very powerful search methodology, and it does include regular expressions. Under Modules you can see all the DLLs that are running in this process. If I click on Handles I can actually see the directories, files, registry keys that are actually being used and sometimes locked by the process. If I feel like I'm dealing with malware, I've got a process that is suspicious, this particular process right here, and I would like to send the image to a virus scanner, an online virus scanner, I'm going to go ahead and click. It's going to upload that image and it's going to display as it runs that image that is located on our machine. It now takes it to this online virus scanner and allows us to scan it against a variety of antivirus scanners, and it gives us some information about that: is this a suspicious process? So I can do this also with this tool.

So hopefully in this quick overview of Process Hacker you've seen some of the features and functionality. You may want to take this out for a spin and just play with it. It does have some unique features that are not included in a tool like Process Explorer. It is actively updated and developed, so it's a great tool if you want to play with something besides Process Explorer. When you watch a video like we just presented on a very complex tool like Process Hacker, or in the case of what you're looking at right now, Process Explorer, there are going to be many of you who are realizing you need to know more about Windows so that you can leverage these tools. For a thorough understanding of Windows, and really how to use this kind of software utility to help you troubleshoot and solve problems better, I'm going to include four videos that I have done on the fundamentals of Windows, and I will have a list of them in the video description. I encourage you to take a look at those. Those are well worth your time looking at. They will also each include video notes.
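The four dashboard behaviours the video walks through (the parent/child tree, a search that keeps a matching process's parent chain visible, the green/red start/terminate highlighting between refreshes, and delta metrics whose per-second meaning depends on the refresh interval) worked through in Python over two constructed process snapshots. This is an added example, not code from the video or from the Process Hacker project; the PIDs, names and counters are made up (PID 7348 reuses the Firefox PID mentioned above purely for illustration), and the snapshots stand in for what the tool reads from the OS.

```python
from collections import defaultdict

# Constructed sample snapshots (not real data): (pid, ppid, name, username,
# context_switches). T1 is one refresh interval after T0; firefox child 7420
# has exited and a new child 7450 has started, which the dashboard would
# briefly colour red and green.
SNAPSHOT_T0 = [
    (4, 0, "System", "SYSTEM", 1000),
    (700, 4, "services.exe", "SYSTEM", 500),
    (900, 700, "svchost.exe", "SYSTEM", 2000),
    (2000, 4, "explorer.exe", "john", 800),
    (7348, 2000, "firefox.exe", "john", 3000),
    (7400, 7348, "firefox.exe", "john", 1500),
    (7420, 7348, "firefox.exe", "john", 1200),
]
SNAPSHOT_T1 = [
    (4, 0, "System", "SYSTEM", 1100),
    (700, 4, "services.exe", "SYSTEM", 520),
    (900, 700, "svchost.exe", "SYSTEM", 2600),
    (2000, 4, "explorer.exe", "john", 850),
    (7348, 2000, "firefox.exe", "john", 3900),
    (7400, 7348, "firefox.exe", "john", 1500),
    (7450, 7348, "firefox.exe", "john", 100),
]

def build_tree(snapshot):
    """Map each pid to its child pids: the parent/child tree view."""
    children = defaultdict(list)
    for pid, ppid, *_ in snapshot:
        children[ppid].append(pid)
    return children

def filter_with_parents(snapshot, needle):
    """Pids whose name or username contains the search text, plus their
    ancestors, so the filtered tree still shows the parent chain."""
    by_pid = {p[0]: p for p in snapshot}
    keep = set()
    for pid, _, name, user, _ in snapshot:
        if needle.lower() in name.lower() or needle.lower() in user.lower():
            while pid in by_pid and pid not in keep:
                keep.add(pid)
                pid = by_pid[pid][1]  # walk up to the parent
    return keep

def render(snapshot, keep=None, root=0, depth=0):
    """Indented tree lines, optionally limited to the pids in keep."""
    by_pid = {p[0]: p for p in snapshot}
    lines = []
    for pid in build_tree(snapshot).get(root, []):
        if keep is None or pid in keep:
            lines.append("  " * depth + f"{by_pid[pid][2]} ({pid})")
        lines.extend(render(snapshot, keep, pid, depth + 1))
    return lines

def started_and_terminated(prev, curr):
    """Green/red highlighting: pids new since the last refresh, pids gone."""
    before, now = {p[0] for p in prev}, {p[0] for p in curr}
    return now - before, before - now

def context_switch_deltas(prev, curr, refresh_seconds):
    """Delta = change since the last refresh, so the per-second rate is
    only meaningful once you know the refresh interval."""
    before = {p[0]: p[4] for p in prev}
    return {pid: (cs - before[pid], (cs - before[pid]) / refresh_seconds)
            for pid, _, _, _, cs in curr if pid in before}
```

Searching for "john" returns the same set as searching for "firefox" here because every process John started hangs under explorer.exe, which is exactly the logon view the video builds with the username filter.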
Info
Channel: TechsavvyProductions
Views: 12,337
Id: hZTN6KHnEvE
Length: 24min 40sec (1480 seconds)
Published: Thu Jul 07 2022