Wednesday, April 27, 2022

Windows Sysinternals Suite: "Process Explorer" tool

Process Explorer

(I created these notes while learning about the Process Explorer tool.)



Things to cover

  • Process List
  • Process Properties
  • Process control
  • Thread details
  • Handle view & DLL view

Introduction

Process Explorer is like a "Super Task Manager".

It has a lot of general troubleshooting capabilities:

  • DLL versioning problems
  • Handle memory leaks and locked files
  • Performance troubleshooting
  • Hung processes

What is a process?

A process is an instance of a running program.

3 main components of a process:

  • A private address space, allocated to that particular process and inaccessible to other processes (so that other processes can't alter the data in the memory belonging to this process)
  • Open handles such as files or registry keys that the process might be accessing.
  • Security token: username, the groups that the user is a member of, and the privilege list.

What is a thread?

Execution context within a process.

Threads run, not processes. A thread shares the whole address space of its process, as well as the process's handle table and privileges. Every process starts with one thread.

Microsoft Task Manager

[The following description is outdated but is still informative. Video: https://www.youtube.com/watch?v=YGtsMa9wbjw] The 'Applications' tab shows the visible windows. Windows doesn't have any inherent concept of 'applications' or 'tasks' (it has a notion of a task only in the sense of scheduled tasks that the user sets up in the scheduler); at the OS level it's all processes and threads.

The 'Status' column in the Applications tab: 'Running' means the window's thread is waiting for window messages (user clicks, keyboard input, etc.). 'Not responding' means that thread is busy doing something else in the background and is currently not waiting for, or not able to accept, window messages.

Colors

Pink processes - service hosting processes. They are background tasks that run no matter who's logged in (generally).

Blue processes - processes running as me.

Cyan processes - the process is a Windows 8 application using the new APIs.

You can go to Options > Configure Color to see all sets of colors.

Process Controls

We can do the following on the Process in Process Explorer:

  1. Set Priority
  2. Kill Process (terminates the process through the Win32 API). In the Options menu there is Confirm Kill; when it is unchecked, no dialog box asks whether we really want to kill that process.
  3. Kill Process Tree: kills the entire tree, i.e. the parent process and its children. The exception to this rule: if process A starts process B, process B starts process C, and then process B exits, Kill Process Tree on process A won't kill process C, because C is already an orphan at this point and there is no remaining link between A and C.
  4. Restart: This option will kill the process and restart the process with the same command line switches that were used to start that process in the first place!
  5. Suspend: suspends the threads in a process. It doesn't kill them but just puts them on pause and it can be resumed later.

The pink processes host services. We can see the services hosted by them in the Services tab of Process Properties that shows up after double-clicking on them.


Accounting for CPU Usage

Windows OS has an interrupt every 15 ms to check what's running on the system at that current moment. That 15ms interval might change depending on the system. There is a sysinternals tool to check that. It's called clockres.exe.

Some threads run for less than one 15 ms interval and enter the Wait state before the next clock tick fires. Because CPU time is charged to whichever thread happens to be running when the tick occurs, such threads never show up in the CPU usage numbers even though they are consuming CPU.

So sometimes, even though the CPU usage appears to be 0%, the system may be very slow, and the cause may be threads of this kind that stay below the radar.

How to catch these threads?

Windows keeps a Context Switch counter for every thread: an integer maintained by the kernel. Whenever the thread is given CPU time, the kernel increments this counter.

Process Explorer takes advantage of this by computing the difference in the context switch count between successive samples (each clock tick, ~15 ms). This is called Context Switch Delta in Process Explorer and it can be added as a column.

We can compare the Context Switch Delta column with the CPU column. If CPU is 0% but Context Switch Delta is high for a process, then that process is getting CPU time without being accounted for in the CPU usage figures!


(Source of the above explanation: https://youtu.be/YGtsMa9wbjw?t=3448 i.e., at around 57:28 timeline).

There is a pseudo-process in Process Explorer called Interrupts, added by Mark Russinovich. This is not a real process running on the OS; it is only an entry that the developer of ProcExp added to the process list. The Context Switch Delta for this "process" is actually the number of times a hardware interrupt has occurred, not the number of times a thread has run. It is there to give an idea of how often hardware interrupts are firing. By moving the mouse very quickly, we can watch the Context Switch Delta of Interrupts increase significantly.

To find out which device drivers are causing the interrupts, we need other tools; that information cannot be viewed in ProcExp. (One tool mentioned in the video is kernrate. An API added in Windows XP SP2 also helps keep track of interrupts, but turning on the tracing features slows down the PC because the kernel has to write a record of every CPU interrupt to memory. Other tools for this are tracelog.exe and tracerpt.exe.)

Multi-component Processes

Also, please note that if you want to view the parent-child tree in Process Explorer, you need to click on the 'show process tree' icon in the top toolbar.

We can view the function call stack of each thread in the Threads tab. The list is read from bottom (the thread's start routine) to top (the function currently executing). If a process has many threads doing various things, we can see what each thread is doing and how much CPU each thread is consuming, and from the call stack we can get an idea of why a given thread is consuming CPU. We can then suspend or kill that individual thread.


When we click on the 'Stack' button, we'll see the function call stack.

Hung Processes

Again, to get to know why the process has hung, we need to look at the thread call stack. We can also create a memory dump of the process by right-clicking on the process and creating the dump and opening the dump file in Windbg.

Open Files & Handles

We can view the handle table of a process by selecting the process and opening the lower pane (select the process and click on the lower pane icon in the top toolbar of ProcExp).

This lower pane shows all kinds of open objects belonging to that process: open files, open sockets, and various other Windows object types.


We can even select more columns in this lower pane!

We can also search for handles using the search option in the toolbar (the binoculars icon). Double-clicking on a handle in the search results opens the corresponding entry in the lower pane.

Why examine open handles?

  • Solve file-locked errors (for example, you want to delete a file but get an error saying a process has it open, or you want to eject a flash drive but get an error saying a process is using it). You can simply search for the drive letter in ProcExp using the binoculars icon and find out which process has which file on that flash drive open.
  • Understand app resources like files, registry keys etc.

DLL View

To get the DLL View in the lower pane, click on View -> Lower Pane View -> DLL View

It shows more than just loaded DLLs. 


It includes the .exe itself and any "memory mapped files" (i.e., files on disk that a process has opened and mapped into its address space for fast access to the file's contents).

Malware Detection

Identifying potentially malicious processes:

  1. Check for company name and description
  2. Image path
  3. Verify signature (you can do that for all processes automatically by going to Options -> Verify Image Signatures)
  4. Look at the parent process.

Investigating unknown processes:

  1. Look at the handle table for file or registry key handles
  2. Packed images (exe files that are compressed or encrypted; ProcExp shows them in purple)
  3. Strings (you can inspect strings in both the image and in memory; here "image" means the exe file on disk). The Strings tab is in Process Properties (double-click on any process to get that window).
  4. Look at the DLLs; you can also run signature verification on the DLLs
  5. Use the Autoruns sysinternals utility to find the autostart entries and check whether any malicious processes are set to run at system startup or logon.

ProcExp doesn't tell us how the images have been configured to run on a system. Malware would like to be launched every time we boot the system, log on, launch certain applications, etc. That's where the Autoruns.exe tool from sysinternals comes in.
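The four identification checks above (company name and description, image path, signature, parent process) can also be applied in bulk from PowerShell. This is an added example, not code from the notes or from Sysinternals; it assumes an elevated shell (so every process's ExecutablePath is readable) and treats "runs from TEMP or APPDATA" as a constructed, not authoritative, heuristic for a suspicious image path.

```powershell
# Added example (not from the original notes): apply the same checks Process Explorer
# shows in its columns, but for every process at once, so the result can be saved or
# compared across machines. Assumes an elevated PowerShell session.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    $sig = $null; $company = $null; $desc = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Signature check: same information as Options -> Verify Image Signatures.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        # Company name and description come from the file's version resource.
        $ver = (Get-Item -LiteralPath $path).VersionInfo
        $company = $ver.CompanyName
        $desc = $ver.FileDescription
    }
    # ParentProcessId is just a number: if the parent has exited, the PID may already
    # have been reused (the orphan situation described in the notes), so treat it as a hint.
    $parent = $byPid[[int]$p.ParentProcessId]
    [PSCustomObject]@{
        PID       = $p.ProcessId
        Name      = $p.Name
        Company   = $company
        Descr     = $desc
        Path      = $path
        Signature = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Parent    = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" }
    }
}

# Surface the cases the notes say deserve a second look: missing company/description,
# an unsigned or invalid image, or an image running from a user-writable location
# (the TEMP/APPDATA rule is a constructed heuristic, not a Process Explorer feature).
$report | Where-Object {
    -not $_.Company -or $_.Signature -ne 'Valid' -or
    $_.Path -like "$env:TEMP*" -or $_.Path -like "$env:APPDATA*"
} | Sort-Object Name | Format-Table PID, Name, Company, Signature, Parent, Path -AutoSize
```

Anything listed still needs the manual follow-up from the notes (handles, strings, DLLs, Autoruns); a missing company name or an unsigned binary is a reason to look closer, not a verdict.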

System Information

We can also view System information in ProcExp in View -> System Information option.

Image Hijack

When we select 'Replace Task Manager' in ProcExp (Options -> Replace Task Manager), ProcExp does something called Image Hijacking: it edits the registry so that whenever we launch taskmgr.exe (the Task Manager executable), the ProcExp executable is launched instead.

We can view this info in Autoruns.exe in the Image Hijack tab to see what images have been hijacked.
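The registry mechanism behind this is the Debugger value under Image File Execution Options (IFEO): any image with such a value is started through the named "debugger" instead. The following added example (not from the notes or from Sysinternals) lists every IFEO entry that carries a Debugger value, which is what the Autoruns Image Hijack tab reports; the Get-DebuggerExe helper is an assumed name introduced here.

```powershell
# Added example (not from the original notes): enumerate every Image File Execution
# Options entry that has a "Debugger" value. "Replace Task Manager" writes one of these
# for taskmgr.exe; any other image listed here is being redirected in the same way.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# The Debugger value is a command line, e.g. "C:\Tools\procexp.exe" /args, so pull out
# the executable part before checking whether it still exists on disk.
function Get-DebuggerExe([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+', 2)[0]
}

$hijacks = foreach ($key in Get-ChildItem -Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }
    $exe = Get-DebuggerExe $dbg
    [PSCustomObject]@{
        Image          = $key.PSChildName                 # e.g. taskmgr.exe
        Debugger       = $dbg
        DebuggerExists = [bool](Test-Path -LiteralPath $exe)  # if false, the image cannot start at all
        IsProcExp      = ($exe -match 'procexp(64)?\.exe$')   # the entry this section is about
    }
}

if ($hijacks) { $hijacks | Format-Table -AutoSize } else { 'No IFEO Debugger entries found.' }
```

An entry whose Debugger is neither Process Explorer nor a debugger you installed yourself is worth the same scrutiny as an unknown process, since it runs every time the named image is launched.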
