Process Explorer vs Process Hacker–Part 1 of 2

Process Explorer, the tool we’ve all come to love as “Task Manager on Steroids”, has been for many IT pros one of the essential tools in their troubleshooting toolkit. Process Explorer was originally released in 1998 under the name NTHandlEx. Here is a screenshot of version 1.22. Notice the lack of processes in Windows NT 4.0!

image

By version 2.01 it had been renamed to HandleEx, with some more process properties and a kill feature added.

image

It wasn’t until 16 June 2001, when version 5.0 came out, that it got renamed to Process Explorer. (I was hoping to have a screenshot of this version as well but couldn’t find it anywhere…) In any case, as of May 2011, with version 14.12, the tool has come a long way to be one of the most advanced “task manager” tools available:

image

However, an open source project known as “Process Hacker” has been working on a competing product since 2008. This product is now quite mature, and I thought I would cover the differences between both products. One should note that Process Hacker’s target audience is “…intended users are developers and people interested in Windows internals. This tool is NOT intended for general system optimization..” as per the FAQ: http://processhacker.sourceforge.net/faq.php

Process Explorer is available here:

http://technet.microsoft.com/en-us/sysinternals/bb896653

Process Hacker + Source Code available here:

http://processhacker.sourceforge.net/

Size & Portability

| | Process Explorer | Process Hacker |
|---|---|---|
| Single EXE for x64 & x86? | Yes | No |
| Driver Embedded in EXE | Yes | No |
| Extendable through Plugins | No | Yes |
| Requires Installation | No | No |
| Support Windows PE | Yes | Yes |
| Save Settings To USB Drive | No | Yes |
| OS Support | Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2. Supports x86, x64 and IA64 platforms. For Windows 2000 support use version 12.04 (no longer on SysInternals site). For Windows NT 4.0/Windows 9x/ME support use version 11.21 (I think, but it is also no longer on SysInternals site). | Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2. Supports x86, x64. No IA64 support. |
| Size on Disk | 3,333 KB (additional 850 KB used at runtime when used on x64) | 1,367 KB (x64), 1,158 KB (x86), 489 KB (x64 plugins), 429 KB (x86 plugins) |
| Memory (Private Working Set). This is based on my Windows 7 x64 machine. Results may vary. | ProcExp64.exe 17,304 KB plus ProcExp.exe 1,468 KB | ProcessHacker.exe 6,024 KB |

Process Explorer is a single self-contained file containing both the x86 & x64 versions, and has had IA64 support (if you care), so it is a bit more convenient.

Default View

Process Hacker

Process Hacker is made up of 3 tabs:

  • Processes
  • Services
  • Network

The Processes view defaults to a process tree displaying:

  • Name
  • PID
  • CPU
  • I/O Total
  • Private Bytes
  • User Name
  • Description

The highlighting used can be found in the Hacker | Options… menu by selecting Highlighting. The colours used by default are:

image

You can see the default view here:

image

The Services tab by default displays all services (including drivers) on the system. The following info is displayed by default:

  • Name
  • Display Name
  • Type
  • Status
  • Start Type
  • PID

image

Finally, the Network tab displays by default:

  • Process
  • Local Address
  • Local Port
  • Remote Address
  • Remote Port
  • Protocol
  • State
  • Owner

image

Process Explorer

Process Explorer by default displays fewer columns than Process Hacker. Process Explorer doesn’t display Private Bytes, I/O Total and User Name by default. However, it does display the Company Name. In addition, it has a split view which is enabled by default. This shows handles used by the process, and can be switched to a DLL view if required. Process Explorer has four little graphs in the top right corner for CPU, Memory and I/O – mouse over a section of these to see what process caused a spike.

Process Explorer uses the following highlight colours by default:

image

image

Summary of Default View

Process Hacker has two additional very convenient tabs – Services and Network. Process Explorer has the handy split view and graphs.

Both can expand the columns of info about processes. The total options for columns appear here. (Please let me know if you see an error; it was a lot of items to check.) When I refer to Task Manager, I mean Task Manager in Windows 7 SP1 x64. If you are unfortunately on Windows XP, you will have a much worse Task Manager.

The total count of available columns is:

  • Task Manager – 30
  • Process Hacker – 42
  • Process Explorer – 77

For complex performance issues or .NET performance, Process Explorer is still a must.

| Feature | Task Manager | Process Hacker | Process Explorer |
|---|---|---|---|
| .NET JIT – % Time in JIT | No | No | Yes |
| .NET JIT – Methods Jitted | No | No | Yes |
| .NET Loading – AppDomains | No | No | Yes |
| .NET Loading – Assemblies | No | No | Yes |
| .NET Loading – Classes Loaded | No | No | Yes |
| .NET Loading – Total AppDomains | No | No | Yes |
| .NET Loading – Total Assemblies | No | No | Yes |
| .NET Loading – Total Classes Loaded | No | No | Yes |
| .NET Locks – Contentions | No | No | Yes |
| .NET Memory – % Time in GC | No | No | Yes |
| .NET Memory – Allocated Bytes/s | No | No | Yes |
| .NET Memory – Gen 0 Collections | No | No | Yes |
| .NET Memory – Gen 1 Collections | No | No | Yes |
| .NET Memory – Gen 2 Collections | No | No | Yes |
| .NET Memory – Heap Bytes | No | No | Yes |
| .NET Security – Runtime Checks | No | No | Yes |
| ASLR Enabled | No | No | Yes |
| Base Priority | Yes | Yes | Yes |
| Command Line | Yes | Yes | Yes |
| Comment | No | No | Yes |
| Company Name | No | Yes | Yes |
| Context Switch Delta | No | No | Yes |
| Context Switches | No | No | Yes |
| CPU Cycles | No | Yes | Yes |
| CPU Cycles Delta | No | Yes | Yes |
| CPU History | No | Yes | Yes |
| CPU Time | Yes | Yes (Total CPU Time) | Yes |
| CPU Usage | Yes | Yes | Yes |
| DEP Status | Yes (Data Execution Prevention) | Yes | Yes |
| Description | Yes | Yes | Yes |
| Elevation | No | Yes (This translates integrity to something like ‘Limited’ or ‘Full’) | No (But you can determine via Integrity) |
| GDI Objects | Yes | Yes | Yes |
| Handle Count | Yes | Yes | Yes |
| I/O Delta Other | No | No | Yes |
| I/O Delta Other Bytes | No | No | Yes |
| I/O Delta Read Bytes | No | No | Yes |
| I/O Delta Reads | No | No | Yes |
| I/O Delta Total Bytes | No | No | Yes |
| I/O Delta Write Bytes | No | No | Yes |
| I/O Delta Writes | No | No | Yes |
| I/O History | No | Yes | Yes |
| I/O Other | Yes | No | Yes |
| I/O Other Bytes | Yes | No | Yes |
| I/O Priority | No | Yes | Yes |
| I/O Read Bytes | Yes | No | Yes |
| I/O Reads + Other | No | Yes | No |
| I/O Reads | Yes | No | Yes |
| I/O Write Bytes | Yes | No | Yes |
| I/O Writes | Yes | Yes | Yes |
| I/O Total | No | Yes | No |
| Image Path | Yes | Yes (File Name) | Yes |
| Image Type (64 vs 32-bit) | Yes (*32 appended to 32-bit process name on x64) | Yes (Bits) | Yes |
| Integrity Level | No | Yes | Yes |
| Kernel CPU Time | No | Yes | No |
| Maximum Working Set | Yes | No | Yes |
| Memory Priority | No | No | Yes |
| Minimum Working Set | No | No | Yes |
| Non-Paged Pool | Yes | No | No |
| Paged-Pool | Yes | No | No |
| Page Fault Delta | Yes | No | Yes |
| Page Faults | Yes | Yes | Yes |
| Page Priority | No | Yes | No |
| Peak Private Bytes | No | Yes | Yes |
| Peak Working Set Size | Yes | No | Yes |
| PID | Yes | Yes | Yes |
| Private Bytes | No | Yes | Yes |
| Private Bytes History | No | Yes | Yes |
| Private Delta Bytes | No | No | Yes |
| Process Name | Yes (Image Name) | Yes | Yes |
| Relative Start Time | No | Yes | No |
| Session ID | Yes | Yes | Yes |
| Start Time | No | Yes | Yes |
| Threads | Yes | Yes | Yes |
| Total CPU Time | No | Yes | No |
| Tree CPU Usage | No | No | Yes |
| User Name | Yes | Yes | Yes |
| User CPU Time | No | Yes | No |
| USER Objects | Yes | Yes (User Handles) | Yes |
| Verification Status | No | Yes, shows “Trusted” if signed by trusted publisher otherwise “Not Trusted” | No |
| Verified Signer | No | Yes | Yes |
| Version | No | Yes | Yes |
| Virtual Size | Yes (Commit Size) | Yes | Yes |
| Virtualized | Yes (User Account Control UAC Virtualization) | No | Yes |
| Window Status | Yes (via Applications Tab) | Yes | Yes |
| Window Title | Yes (via Applications Tab) | Yes | Yes |
| Working Set Size | Yes | Yes | Yes |
| WS Private Bytes | Yes (Private Working Set) | Yes (Private WS) | Yes |
| WS Shareable Bytes | No | Yes (Shareable WS) | Yes |
| WS Shared Bytes | No | Yes (Shared WS) | Yes |

In addition, in Process Explorer you can configure items for the bottom pane split view. Process Hacker can also show this information but requires you to open the properties of a process first.

For DLLs both can add the following columns:

| Feature | Process Hacker | Process Explorer |
|---|---|---|
| Description | Yes | Yes |
| Version | Yes | Yes |
| Time Stamp | No | Yes |
| Name | Yes | Yes |
| Path | Yes (File Name) | Yes |
| Company Name | Yes | Yes |
| Verified Signer | Yes | Yes |
| Verification Status | Yes | No |
| Image Base Address | No | Yes |
| Base Address | Yes | Yes |
| Mapped Size | No | Yes |
| Mapping Type | No | Yes |
| WS Total Bytes | No | Yes |
| WS Private Bytes | No | Yes |
| WS Shareable Bytes | No | Yes |
| Size | Yes | No |
| Image Type (64 vs. 32-bit) | Yes (Type) | Yes |
| Load Count | Yes | No |
| ASLR Enabled | No | Yes |

In Handle view the following columns can be added:

| Feature | Process Hacker | Process Explorer |
|---|---|---|
| Type | Yes | Yes |
| Name | Yes | Yes |
| Handle Value | Yes | Yes |
| Access Mask | No | Yes |
| File Share Flags | No | Yes |
| Object Address | No | Yes |

Process Explorer Handle View

image

Then clicking on the handle…

image

Process Hacker Handle View

Importantly Process Hacker displays EtwRegistration handles, which Process Explorer ignores.

image

Then clicking on the handle… Process Hacker adds the Granted Access with an explanation in English. (This was available in the Process Explorer column view, but just as a number.) The Properties button will take you to the file/registry key in question, depending on the handle type.

image
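What the English explanation of Granted Access amounts to, as an added example (not code from the original post or from either tool): a decoder that turns the number shown in Process Explorer's Access Mask column into right names. The bit values are the documented Windows SDK constants; the function name, the table layout and the choice to cover only File and Process handle types are this example's own assumptions.

```python
# Added example: decode a Windows access mask into right names.
# Bit values are the documented winnt.h constants; names below are this example's.

STANDARD = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE", 0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Object-specific rights live in the low 16 bits and depend on the handle type.
SPECIFIC = {
    "File": {
        0x0001: "FILE_READ_DATA", 0x0002: "FILE_WRITE_DATA",
        0x0004: "FILE_APPEND_DATA", 0x0008: "FILE_READ_EA",
        0x0010: "FILE_WRITE_EA", 0x0020: "FILE_EXECUTE",
        0x0040: "FILE_DELETE_CHILD", 0x0080: "FILE_READ_ATTRIBUTES",
        0x0100: "FILE_WRITE_ATTRIBUTES",
    },
    "Process": {
        0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
        0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
        0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
        0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
        0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
        0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
        0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    },
}

# Well-known combinations, widest first, so one name replaces many bits.
COMPOSITE = {
    "File": [
        (0x001F01FF, "FILE_ALL_ACCESS"),
        (0x00120089, "FILE_GENERIC_READ"),
        (0x00120116, "FILE_GENERIC_WRITE"),
        (0x001200A0, "FILE_GENERIC_EXECUTE"),
    ],
    "Process": [(0x001FFFFF, "PROCESS_ALL_ACCESS")],  # Vista and later value
}

def decode_access(mask, object_type):
    """Return the right names granted by `mask` for a handle of `object_type`."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("access masks are 32-bit values")
    names, remaining = [], mask
    for value, name in COMPOSITE.get(object_type, []):
        # Use a composite only if fully granted and it explains unnamed bits.
        if mask & value == value and remaining & value:
            names.append(name)
            remaining &= ~value
    bits = {**STANDARD, **SPECIFIC.get(object_type, {})}
    for bit in sorted(bits):
        if remaining & bit:
            names.append(bits[bit])
            remaining &= ~bit
    if remaining:  # bits this table has no name for (or unknown handle type)
        names.append("UNDECODED(0x%08X)" % remaining)
    return names
```

For a File handle, `decode_access(0x0012019F, "File")` yields the generic read and write rights, which is the kind of text the Process Hacker handle properties dialog shows in place of the raw number.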

Process Explorer DLL View

image

image

Clicking a DLL brings up the following:

image

image

Process Hacker DLL View

Process Hacker adds an “Unload” option. While it is almost certain to introduce instability, it is an interesting option to play with in any case, and useful in some malware scenarios. The main item missing here compared with Process Explorer is the Image & Memory string search.

image

We also have an Inspect option:

image

image

image

 image

This brings us to the end of Part 1 of Process Explorer vs Process Hacker.

To summarize:

  • Both are powerful troubleshooting tools
  • Process Explorer has the edge for performance troubleshooting and .NET performance
  • Process Explorer can display many more details about a process
  • Process Explorer’s split-view makes it easier when viewing Handles & DLL info
  • Process Hacker’s Network & Services tabs are very convenient for services, drivers and high-level network analysis.
  • Process Hacker has more process highlighting options
  • Process Hacker can unload DLLs from a running process

In other words: I still need to keep both; they don’t exactly replace each other. The biggest disadvantage for Process Hacker in corporate environments is that the name “Hacker” will probably freak out management. Just let me open “Process Hacker” to fix your issue… (manager: should I be calling the FBI???)

Stay tuned for Part 2 next week, when we will look at the more advanced options in both programs…

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

16 Responses to Process Explorer vs Process Hacker–Part 1 of 2

  1. Dan says:

    Wow! Excellent and very thorough comparison! Just what I was looking for. I’m still not sure what I/O total is a measure of. (was Googling that when I came upon your article, wondering what the differences were between PE and PH). Anyway, Thank you!!!

    • thanks. you can find description for items in performance monitor (perfmon.msc) help file:

      I/O Reads – The rate at which the process is reading bytes from I/O operations. This counter counts all I/O activity generated by the process to include file, network and device I/Os.
      I/O Writes – The rate at which the process is writing bytes to I/O operations. This counter counts all I/O activity generated by the process to include file, network and device I/Os.
      I/O Other – The rate at which the process is issuing bytes to I/O operations that do not involve data such as control operations. This counter counts all I/O activity generated by the process to include file, network and device I/Os.

      I believe I/O Total is I/O Reads+I/O Writes

  2. Young Dragon says:

    I keep hearing “.NET” is bad to have on my computer. Can you please tell me why that is so, or is it OK to have on computer. Honorable thank you… Chentiangemalc

    • There is nothing wrong with having .NET on your computer. .NET is a framework like Java that can make application development easier. You must have .NET installed to run any .NET application, which is common for Windows apps, and in Windows 7 some built in utilities require it. Do you know what reasoning is being used to recommend removal?

  3. Young Dragon says:

    Here is just one example I find on the Internet, when putting into Google “Do I really need .net framework?”

    Read this, (just one site out of thousands that came up) from people’s comments about .net. This is from the website at ask-leo.com (tell me what you think after reading)

    Leo,

    First of all, you risk nothing by removing .NET – if you find that it is needed, then re-installing it is easy and straightforward.

    It comes down to whether you know or care about what is running on your computer. If you are the sort of person who doesn’t, by all means install every version of .NET in creation and set Windows patches to “Star Trek mode” (automagically download and install patches). Or better yet, get a Mac.

    If, like me, you prefer to make the decisions about what gets to live on your Hard Disk, then .NET is a disaster. I have one program that uses .NET 2.0. I have no problems with that; but when patching 2.0 adds 3.0 and 3.5 – neither of which I need – without my permission, I take great exception to Microsoft’s Cavalier behavior.

    My problem is not about whether or not people need .NET; it is that MS is using a “patch” to install versions of .NET that I neither need nor want.
    Posted by: Wizard Prang at April 27, 2011 12:24 PM

    I still want to know how to uninstall the .NET Framework 2.0. I only installed it a couple of days ago when I was told I needed it for a program I purchased. I got rid of the program, now I want to get rid of the rest. I know I don’t need it, because everything worked just fine before I downloaded it…better actually. I’m not a techie, so I’d appreciate some clear steps as how to proceed.
    Posted by: mjg at June 7, 2011 9:07 AM

    @MJG
    To turn .NET 2.0 off, Open the Control Panel, select Programs and Features or Add/Remove Programs (depending on which version of Windows you are using). Then select features from the left hand side of the Window. Scroll down and uncheck the .NET 2.0 checkbox.
    Posted by: Mark J at June 7, 2011 11:35 AM

    at least one early version of .net was impossible to uninstall. it also corrupted my os. i tried several times to find a manual uninstall procedure and ended up reformatting my hard drive instead. ever since then i have refused to install any application that uses .net. unfortunately .net is neither secure nor is it a cross-platform development standard. my understanding is that it is mainly a set of libraries to allow programmers to more easily access the existing windows libraries. libraries to access libraries… as such there is no reason to even install the .net libraries in the client at all since an application written in .net amounts to interpreted code that could just as easily be compiled to access the non-.net libraries directly instead. could there be any clearer admission of incompetence? no wonder each version of .net is unique and not backward compatible. nobody really knows what windows bloatware even consists of let alone how to use it ‘properly’ anyway, so it is understandable that it would take multiple tries to develop a consistent ‘user interface’ for developers. all .net does is allow a programmer to use windows without having to learn about all its arcane idiosyncrasies – some of them are allegedly deliberately undocumented to discourage independently written freeware by small developers. windows is still a prime candidate for a(nother) total rewrite, similar to the introduction of nt, which we may witness before the decade is out. maybe some day someone will design a microsoft operating system from a logical specification with a consistent architecture based on standard practices rather than just hacking code until it evolves into something that sort of works well enough to be beta tested in a version 1.0 on an unwary public.
    the only good thing about windows is plug and play and as hardware standards coalesce that advantage gets smaller all the time… but if they were to start over with something that resembles the .net sdk as the primary programmers interface standard maybe it could be made compatible with cross-platform standards too such as (real) java and (real) c and (real) xml/html instead of the microsoft nonstandard version… and what is with this visual basic anyway? who programs in basic for goodness’ sake? that is like playdough
    Posted by: mimeo at June 17, 2011 2:41 AM

    • 1) You risk nothing by removing .NET

      While partially true, you also gain nothing except possibly several hundred MB of disk space by removing it. (This may be an issue for some, but should be rare with cheap disk these days) You won’t see any overall system performance improvement by removing it.
      By removing .NET any application requiring .NET will not work. In Windows 7 if you remove .NET you will actually break some internal programs such as Media Centre, Event Viewer and PowerShell. In addition Microsoft Office’s Business Contact Manager requires .NET. Not to mention my favorite twitter app http://www.metrotwit.com

      2) As for causing OS corruption I really have never seen this caused by .NET. In these cases it is probably a factor of other combined issues that the person believes is related to .NET. It would really take a specific case to analyze to see if it’s related to .NET. If you go around hacking the registry and modifying system files you could corrupt .NET. If you have clean install OS, install other applications + .NET I would think it is extremely unlikely to see such corruption.

      3) Advantage of having .NET – any application that requires it will work straight away, without having the hassle of installing it. Just having it on your disk takes up space, but doesn’t affect system performance.

      • Tim McLinn says:

        Thanks for the info. Just as an experiment, I used a utility from one of the “how do I get rid of .net?” websites. It did a thorough remove of .net from my Vista OS. So far, all is running as smooth as a cue ball. Will keep you posted…

  4. dmex says:

    We saw your blog and wj32 decided to add a .NET performance plugin for showing this data ;)

    We also didn’t like the number of red boxes in the feature comparison :P so the 2.19 release of Process Hacker should resolve most of these.

    @Tim
    Removing .NET is unnecessary, disables some important system tools (like the Windows Firewall with Advanced Configuration, backup utilities…) and is irrational… Anyone who recommends removing it has zero understanding of the run-time.

  5. potato says:

    Hi !

    The last time you made the comparison of the two excellent tools was 2 years ago.

    A lot of things have changed.

    Would you be interested in making a new feature-by-feature comparison of the two packages ?

    Yes, PH now runs on 32 and 64 bits.

  6. gmaran23 says:

    I reblogged this post. First time saw the reblog option and I was tempted to click to actually have a copy of this post in my blog. I always knew there were some subtle differences between processhacker and processexplorer. First time I had hands on process hacker it almost looked to me as a spoof of processexplorer..

    but then there was this instance where I was trying to kill a virus that had Terminate Process rights set to Deny and processexplorer failed even to display the Security Permissions for that process. But right click terminate via ProcessHacker did the job!

  7. Jim Burd says:

    Nice pair of articles. Thanks for putting it all together!
    You mentioned you didn’t have a copy of Process Explorer v5.0 to do a screenshot of it. I have a copy of v5.23, and at least one copy of versions 8 through 15. (I usually keep an archive copy of the last release of each version.) If you’re interested in getting an older version, you can contact me at chentiangemalc (at) jimburd.com.
    Cheers!

  8. Julian says:

    Thank you buddy, very useful article!

  9. Joe says:

    Hello.
    How can I know what application is locking a file or using it or writing it?

    For example sometimes you want to modify a pdf file and you can’t do it because it’s being used and locked by another program (that doesn’t allow other to do it at the same time).
    In such cases how (with process hacker or explorer) I know from the file path what process is locking it? Or what process is just using that file, reading or writing?
    Thanks
