// OVERVIEW
Process Explorer is an advanced replacement for Windows Task Manager. It shows a full process tree with parent-child relationships, the DLLs each process has loaded, open handles to files/registry/network objects, CPU/memory heatmaps, and can verify digital signatures and submit hashes to VirusTotal.
It is the go-to first tool during live incident response — it answers "what is running, who launched it, and what is it doing?" within seconds of opening.
// KEY VIEWS & COLUMNS
| Column / View | What It Shows | Why It Matters |
|---|---|---|
| Process Tree | Parent → child relationships, indented | Reveals process injection and unexpected parents (e.g. Word spawning cmd.exe) |
| Image Path | Full path to the executable on disk | Malware masquerading as svchost.exe running from Temp instead of System32 |
| Company Name | From digital signature / file metadata | Blank or "Unknown" for unsigned malware, or a forged vendor name on malware posing as a legitimate binary |
| Description | File description from version info | Cross-check with expected description for that binary name |
| PID / PPID | Process and Parent process IDs | Verify parent is expected — powershell.exe parented to winword.exe is suspicious |
| Command Line | Full command including arguments | Encoded PowerShell, download URLs, LOLBin abuse visible here |
| Verified Signer | Publisher from code signature | Look for "(No signature)" or self-signed certs on system binaries |
| VirusTotal | Detection ratio via hash lookup | Options → VirusTotal.com → Check VirusTotal.com; any detections = investigate |
| TCP/IP tab | Active connections per process | Identify C2 connections, outbound from unexpected processes |
| Threads tab | Thread start addresses and modules | Threads starting in anonymous memory = injected shellcode |
// PROCESS INJECTION DETECTION
Process injection allows malicious code to run inside a legitimate process, inheriting its trust. Process Explorer exposes several injection indicators:
DLL Injection — Lower Pane (DLL View)
; Enable: View → Lower Pane → DLLs
; Sort by "Verified Signer" column
; Look for: unsigned DLLs in system process space (lsass, svchost, explorer)
; Look for: DLLs from Temp / AppData / unusual paths
; Look for: DLLs with no description or company name
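The three "Look for" checks above can be applied mechanically once the DLL view has been exported. The following is an added example (not code from the page or from Sysinternals) that runs those checks over rows of the form (process, DLL path, Verified Signer, Company Name); the exact signer strings it matches ("(No signature ...)", "(Not verified) ...") and the sample rows are assumptions, constructed here rather than taken from a real capture.

```python
"""Triage a Process Explorer DLL-view listing for injection indicators.

Added example, not part of the original page or of Sysinternals' own code.
It assumes the lower-pane DLL view has been exported to rows of
(process, dll_path, verified_signer, company_name); the rows below are
constructed sample data, not a real capture.
"""
from pathlib import PureWindowsPath
from typing import NamedTuple


class DllRow(NamedTuple):
    process: str          # owning process image name, e.g. "svchost.exe"
    path: str             # full path of the loaded module
    verified_signer: str  # "Verified Signer" column
    company: str          # "Company Name" column (may be blank)


# Processes whose address space should hold only signed, vendor-described modules.
SYSTEM_PROCESSES = {"lsass.exe", "svchost.exe", "explorer.exe"}

# Directory names writable by ordinary users that rarely host legitimate system
# DLLs; compared case-insensitively against every component of the path.
SUSPICIOUS_DIRS = {"temp", "tmp", "appdata", "downloads", "public"}


def is_unsigned(signer: str) -> bool:
    """Treat an empty cell, '(No signature ...)' or '(Not verified) ...' as
    unsigned (assumed column text; adjust to the strings your build shows)."""
    s = signer.strip().lower()
    return s == "" or s.startswith("(no signature") or s.startswith("(not verified)")


def path_components(path: str) -> set[str]:
    return {part.lower() for part in PureWindowsPath(path).parts}


def triage_dll(row: DllRow) -> list[str]:
    """Return the indicator names that fire for one row (empty list = clean)."""
    hits = []
    if row.process.lower() in SYSTEM_PROCESSES and is_unsigned(row.verified_signer):
        hits.append("unsigned-dll-in-system-process")
    if path_components(row.path) & SUSPICIOUS_DIRS:
        hits.append("dll-from-user-writable-path")
    if not row.company.strip():
        hits.append("dll-missing-company-name")
    return hits


def triage_dll_view(rows: list[DllRow]) -> dict[str, list[str]]:
    """Map each flagged module path to its indicators, skipping clean rows."""
    return {r.path: h for r in rows if (h := triage_dll(r))}


# Constructed sample rows (not a real capture).
SAMPLE_DLL_VIEW = [
    DllRow("svchost.exe", r"C:\Windows\System32\ntdll.dll",
           "(Verified) Microsoft Windows", "Microsoft Corporation"),
    DllRow("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\upd.dll",
           "(No signature)", ""),
    DllRow("explorer.exe", r"C:\Program Files\Vendor\shell_ext.dll",
           "(Verified) Vendor Inc", "Vendor Inc"),
    DllRow("lsass.exe", r"C:\Windows\Temp\helper.dll",
           "(Not verified) Foo", "Foo Ltd"),
]

if __name__ == "__main__":
    for module_path, hits in triage_dll_view(SAMPLE_DLL_VIEW).items():
        print(f"{module_path}: {', '.join(hits)}")
```

A module that fires on all three indicators at once (unsigned, user-writable path, no company name) is the pattern to prioritise; a single hit on its own, such as a signed third-party shell extension with a blank company field, is common and usually benign.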
Process Hollowing
A legitimate process (e.g. svchost.exe) is spawned suspended, its memory replaced with malicious code, then resumed.
Indicators in Process Explorer:
- Image path and description don't match expected binary
- Working Set much larger than legitimate instances
- Threads tab shows thread start addresses in MEM_PRIVATE regions
- No icon visible (hollowed process lost the icon from the original image)
Reflective DLL Injection / Shellcode
; Look for threads starting in:
; - Regions with no associated image (shown as "" or empty module)
; - MEM_PRIVATE memory (not backed by a file)
; In Threads tab: right-click → Module → if blank, the thread runs in anonymous memory
; Confirm with the Sysinternals Strings tool run against the process memory
Parent Process Spoofing
; Legitimate pairs:
winlogon.exe → userinit.exe → explorer.exe
services.exe → svchost.exe
lsass.exe → (no children in normal operation)
; Suspicious pairs:
winword.exe → cmd.exe, powershell.exe, wscript.exe
excel.exe → mshta.exe, rundll32.exe
msiexec.exe → powershell.exe (supply chain attacks)
explorer.exe → svchost.exe (process hollowing / masquerading)
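The legitimate and suspicious pairs above, together with the Image Path and Verified Signer checks from the columns table, can be turned into a repeatable triage pass over a process snapshot. This is an added example (not code from the page or from Sysinternals); it assumes a snapshot of (PID, PPID, image name, image path, Verified Signer) per process, which are the columns Process Explorer displays, and the rows are constructed sample data. The expected-directory and signer strings are assumptions to be adjusted for the system under review.

```python
"""Triage a process snapshot for parent/child and image-path indicators.

Added example; not code from the original page or from Sysinternals.
Assumes one row per process with (pid, ppid, name, path, signer); the sample
rows are constructed, not a real capture.
"""
from pathlib import PureWindowsPath
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str    # image name, e.g. "svchost.exe"
    path: str    # full image path on disk
    signer: str  # "Verified Signer" column


# Core processes with a fixed, documented parent (explorer.exe is left out on
# purpose: its parent userinit.exe exits normally, so it usually has no live parent).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "userinit.exe": {"winlogon.exe"},
}

# Office / installer parents that should not spawn shells or script hosts.
OFFICE_LIKE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "msiexec.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}

# Where each system binary must live (assumed default install paths, lower-case).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def is_unsigned(signer: str) -> bool:
    """Assumed column text: empty, '(No signature ...)' or '(Not verified) ...'."""
    s = signer.strip().lower()
    return s == "" or s.startswith("(no signature") or s.startswith("(not verified)")


def triage_tree(procs: list[Proc]) -> dict[int, list[str]]:
    """Return {pid: [indicator, ...]} for every process with at least one hit."""
    by_pid = {p.pid: p for p in procs}
    children: dict[int, list[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)

    findings: dict[int, list[str]] = {}
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)          # None if the parent already exited
        pname = parent.name.lower() if parent else None
        hits = []
        # 1. Core processes must have their documented parent.
        if name in EXPECTED_PARENT and pname not in EXPECTED_PARENT[name]:
            hits.append(f"unexpected-parent:{pname or 'none'}")
        # 2. Office or installer parent spawning a shell / script host.
        if pname in OFFICE_LIKE and name in SCRIPT_HOSTS:
            hits.append(f"office-spawned-interpreter:{pname}")
        # 3. lsass.exe has no children in normal operation.
        if name == "lsass.exe" and children.get(p.pid):
            hits.append("lsass-has-children")
        # 4. System binary running from the wrong directory (masquerading).
        if name in EXPECTED_DIR:
            actual_dir = str(PureWindowsPath(p.path).parent).lower()
            if actual_dir != EXPECTED_DIR[name]:
                hits.append(f"wrong-image-dir:{actual_dir}")
        # 5. System binary without a verified signature.
        if name in EXPECTED_DIR and is_unsigned(p.signer):
            hits.append("unsigned-system-binary")
        if hits:
            findings[p.pid] = hits
    return findings


# Constructed sample snapshot (not a real capture).
SAMPLE_SNAPSHOT = [
    Proc(4, 0, "System", "", "(Verified) Microsoft Windows"),
    Proc(500, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe", "(Verified) Microsoft Windows"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe", "(Verified) Microsoft Windows"),
    Proc(620, 500, "lsass.exe", r"C:\Windows\System32\lsass.exe", "(Verified) Microsoft Windows"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", "(Verified) Microsoft Windows"),
    Proc(3000, 2900, "explorer.exe", r"C:\Windows\explorer.exe", "(Verified) Microsoft Windows"),
    Proc(3100, 3000, "winword.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "(Verified) Microsoft Corporation"),
    Proc(3200, 3100, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "(Verified) Microsoft Windows"),
    Proc(3300, 3000, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "(No signature)"),
]

if __name__ == "__main__":
    for pid, hits in triage_tree(SAMPLE_SNAPSHOT).items():
        print(f"PID {pid}: {', '.join(hits)}")
```

Two caveats when reading the output: a PPID that points at a process no longer in the snapshot is reported as "none" rather than as a definite indicator, because PIDs are reused and parents legitimately exit; and the directory check is only as good as the install paths you configure, so confirm them on a known-good host before relying on it.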
// HANDLE VIEW
The lower pane in Handle mode (View → Lower Pane → Handles) shows every object a process holds open:
| Handle Type | Suspicious Indicator |
|---|---|
| File | Handles to LSASS memory dump files; handles to SAM / SYSTEM hive; handles to C2 staging files |
| Registry | Handles to Run keys, SAM, SECURITY hive from non-admin processes |
| Process | Handle to lsass.exe from unexpected process = credential dumping (Mimikatz) |
| Thread | Remote thread handle in another process = injection in progress |
| Mutant (Mutex) | Malware families use unique mutex names — known IOCs. Search VirusTotal for mutex strings. |
// RED TEAM
Masquerade as svchost.exe — run payload from System32 path, copy svchost metadata. Process Explorer cross-checks image path vs expected parent (services.exe).
Inject into trusted process — lsass, explorer, svchost. Inherits trust; evades application whitelisting.
Fileless execution — inject shellcode into running process from memory; no file on disk for AV to scan.
Unique mutex names — avoid well-known mutex IOCs published for your C2 framework. Change default beacon mutex strings.
// BLUE TEAM
Check every svchost.exe — must be parented by services.exe; any other parent is an immediate IOC.
Enable VirusTotal — Options → VirusTotal → Check. Any unsigned process with detections warrants memory dump.
Colour scheme — View → Configure Highlighting. Pink = new processes; enable highlighting to catch ephemeral executions.
Verify signatures — Options → Verify Image Signatures. Recheck all; any unsigned system binary is suspicious.
// COLOUR GUIDE
| Colour | Default Meaning |
|---|---|
| Blue (light) | New process (recently started — highlighted briefly) |
| Pink / Red | Process exiting / recently terminated |
| Green | Process running as a service |
| Purple | Packed / compressed image (PE packer detected) |
| Yellow | .NET managed process |
| Orange | Process with an associated Job object |
| Light green | Immersive process (UWP / Windows Store app) |