Process Explorer — Microsoft's Official Process Management Power Tool, the Most Famous Sysinternals Utility
In one sentence: A professional process management tool from Microsoft’s Sysinternals suite that displays all processes in a tree view with parent-child relationships — supports viewing handles/DLLs/thread stacks/network connections/GPU performance for each process. Most famous feature: finding which process is using a specific file. Completely free, no installation required.
Have You Ever Been Frustrated by “File in Use — Can’t Delete”?
Scenario 1: You try to delete a folder, and the system says “The action can’t be completed because the file is open in another program.” You close everything you can — but you still can’t delete it. You don’t know which background process is holding onto the file. Task Manager doesn’t offer a “file lock query” feature.
Scenario 2: You suspect malware is running on your system — it’s disguised as a normal process name (like svchost.exe), but its actual running path is in some strange directory. You want to see each process’s “full path” to determine if it’s suspicious.
Scenario 3: You notice your system has slowed down and want to see which specific DLLs each process has loaded — whether any program has loaded unnecessary third-party DLLs or if suspicious DLLs have been injected. Task Manager can’t show this.
Process Explorer is designed for these “file lock troubleshooting” and “deep process analysis” scenarios — its most famous feature is using “Find Handle” to quickly locate “which process is locking my file,” letting you unlock it without rebooting.
What Is Process Explorer?
Process Explorer is one of the most famous tools in Microsoft’s Sysinternals toolkit, developed by Mark Russinovich (now Microsoft Azure CTO, Sysinternals founder). It is a direct competitor to Process Hacker, and the older and more established of the two.
Its core features:
- Tree View: Displays all processes in a process tree (parent-child relationships)
- Handle Search: Find which process is using a specific file — its most famous feature
- DLL/Handle Viewing: Shows each process’s loaded DLLs and open system handles
- System Performance Monitoring: Real-time CPU/memory/IO display
Process Hacker vs Process Explorer Core Differences:
| Comparison | Process Explorer | Process Hacker |
|---|---|---|
| Developer | Microsoft (Sysinternals) | Open source community |
| Signature Feature | Handle Search (Find Handle) | Force terminate, suspend process |
| Update Frequency | Slower but stable | Faster, more active |
| GPU Monitoring | ❌ No | ✅ Yes |
| Memory Editing | ❌ No | ✅ Yes |
Core Features
1. Handle Search (Find Handle) — Process Explorer’s Most Famous Exclusive Feature
This is Process Explorer’s most valuable killer feature:
Scenario: You can't delete D:\Temp\database.lock file
Action: Ctrl+F → Type "database.lock"
Result: Process Explorer tells you → "javaw.exe (PID 12345) is using this file"
Solution: Kill this process → File can now be deleted
How to use:
- Open Process Explorer (run as administrator)
- Ctrl+F to open the search box
- Type part of the file name or file path
- Instantly shows which process’s which handle is using the file
- Double-click the result to locate the process → Right-click to close handle or terminate process
Practical value: When you encounter “file in use — can’t delete,” you no longer need to restart your computer or guess which program to close. Process Explorer gives you the answer in seconds.
2. Tree View — See Process Parent-Child Relationships at a Glance
Process Explorer displays processes in a tree structure by default:
Process Tree (Example):
explorer.exe (Desktop)
├── chrome.exe (Chrome launched from desktop)
│ └── chrome.exe (Chrome child process - tab)
├── cmd.exe (Command prompt)
│ └── python.exe (Python launched from command line)
└── taskmgr.exe (Task Manager opened)
services.exe (Windows Service Manager)
├── svchost.exe (Service host)
│ ├── WSearch (Windows Search service)
│ └── BITS (Background Intelligent Transfer Service)
└── spoolsv.exe (Print Spooler)
The value of this view: You can immediately see “who started this process.” If a piece of malware is disguised as a normal process name (like svchost.exe) but its parent process is explorer.exe (desktop) instead of services.exe (service manager) — you can instantly tell it’s fake.
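The parent and path check described above can be run across every svchost.exe instance at once. This is an added PowerShell example, not part of Process Explorer or the original article; it assumes a Windows host with the built-in CIM cmdlets, and the variable names are illustrative.

```powershell
# Added example: audit every svchost.exe for an unexpected parent or image path.
$expectedPath   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$expectedParent = 'services.exe'

# Take one snapshot and index it by PID so parents can be resolved.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$findings = foreach ($svc in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent = $byPid[[int]$svc.ParentProcessId]

    # A "parent" created after its child means the real parent exited
    # and Windows reused the PID, so do not trust that name.
    $parentName = if ($parent -and $parent.CreationDate -le $svc.CreationDate) {
        $parent.Name
    } else {
        '<exited>'
    }

    $reasons = @()
    if ($parentName -ine $expectedParent) {
        $reasons += "parent is $parentName"
    }
    if (-not $svc.ExecutablePath) {
        # Path is hidden for some processes unless the session is elevated.
        $reasons += 'path unreadable (run elevated)'
    } elseif ($svc.ExecutablePath -ine $expectedPath) {
        $reasons += 'unexpected image path'
    }

    [pscustomobject]@{
        PID    = $svc.ProcessId
        Parent = $parentName
        Path   = $svc.ExecutablePath
        Flag   = $reasons -join '; '
    }
}

# Flagged rows sort to the top; a flag means "review this", not a verdict.
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session, for the same reason the article recommends running Process Explorer as administrator.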
3. DLL and Handle Inspection — Looking Inside Processes
Right-click a process → Select “Properties” → View:
DLL tab:
- List of all DLLs loaded by the process
- Full path and version of each DLL (can determine if DLL is from official directory)
- DLL memory size and load address
Handles tab:
- All system object handles opened by the process
- File handles → Know which files the process is reading/writing
- Registry handles → Know which registry keys the process is accessing
- Network handles → Know if the process has open network connections
4. Performance Monitoring — More Detailed Real-Time Data Than Task Manager
Process Explorer’s main interface displays multiple performance columns by default:
| Metric | Description |
|---|---|
| CPU Usage | Real-time CPU usage per process (can show per-core) |
| Private Bytes | Physical memory exclusively used by the process |
| Working Set | Total physical memory currently used by the process |
| Virtual Size | Process’s virtual address space size |
| Handles | Number of handles opened by the process |
| GDI Objects | Graphics Device Interface object count |
| I/O Reads/Writes | Disk read/write operations of the process |
The system tray can display CPU/memory usage history charts — double-click the tray icon to see a floating window with real-time charts.
5. Signature Verification — Determine If a Process Is From Official Sources
Right-click a process → Select “Verify Image Signature”:
- Process Explorer checks the digital signature of the .exe or DLL file
- If it shows “Verified” → The file carries a valid digital signature, meaning it comes from the signing publisher and hasn’t been tampered with
- If it shows “Unable to verify” → Could be an unsigned file or an invalid signature
This is a quick way to determine “Is this process a legitimate Windows process?”
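The DLL tab and the signature check described in sections 3 and 5 can be combined into one report for a single process. This is an added PowerShell example, not part of Process Explorer or the original article; the `$ProcessId` parameter, the list of "usual" directories and the column names are assumptions chosen for illustration.

```powershell
# Added example: list one process's loaded modules with path and signature status.
param([int]$ProcessId = $PID)   # assumption: defaults to this PowerShell session

$proc = Get-Process -Id $ProcessId -ErrorAction Stop

# Protected or higher-privileged processes may refuse module enumeration.
$modules = try { @($proc.Modules | Where-Object { $_.FileName }) } catch { @() }
if (-not $modules) {
    Write-Warning "No modules readable for PID $ProcessId (try an elevated session)."
}

# Directories where OS and installed-application DLLs normally live.
# The trailing backslash stops C:\WindowsFake from matching C:\Windows.
$usualRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

$report = foreach ($m in $modules) {
    $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName

    $inUsualRoot = $false
    foreach ($root in $usualRoots) {
        if ($m.FileName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inUsualRoot = $true
        }
    }

    [pscustomobject]@{
        Module      = $m.ModuleName
        Version     = $m.FileVersionInfo.FileVersion
        # 'Valid' only means the signature checks out; still confirm that
        # the signer is the publisher you expect for this module.
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        UnusualPath = -not $inUsualRoot
        Path        = $m.FileName
    }
}

# Modules outside the usual directories are listed first for review.
$report | Sort-Object UnusualPath -Descending | Format-Table -AutoSize -Wrap
```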
Professional Media and User Reviews
| Source | Review |
|---|---|
| TechRadar | “Process Explorer is an indispensable tool for power users — the ‘find handle’ feature alone makes it worth keeping on every Windows PC” |
| PCWorld | “The gold standard for process management on Windows — Mark Russinovich’s masterpiece remains essential after 20+ years” |
| How-To Geek | “If you’ve ever been frustrated by ‘file in use’ errors, Process Explorer is the tool that ends that frustration instantly” |
What Real Users Say
“Process Explorer’s handle search has saved me countless times. During development, I often encounter ‘file in use — can’t generate’ — Ctrl+F, search the file name, find the process, kill it, regenerate. Whole process in 10 seconds. Previously I had to restart my computer, sometimes multiple times a day.” — Backend Developer, Zhihu
“When investigating malware, Process Explorer’s tree view is especially useful. Once I saw svchost.exe with a parent process of explorer.exe — that’s wrong, normal svchost should have services.exe as its parent. Traced it and found a Trojan disguised as a system service.” — Security Researcher, V2EX
Competitor Comparison
| Dimension | Process Explorer | Process Hacker | System Task Manager |
|---|---|---|---|
| Price | Fully Free | Fully Free | Built-in Free |
| Developer | Microsoft (Sysinternals) | Open Source Community | Microsoft |
| Handle Search | ✅ Signature Feature | ❌ No | ❌ No |
| Tree Process View | ✅ Yes | ✅ Yes | ❌ Flat list |
| DLL/Handle Details | ✅ Per process | ✅ Per process | ❌ No |
| Digital Signature Verification | ✅ Exclusive | ❌ No | ❌ No |
| Force Terminate Process | ❌ No | ✅ Yes | ❌ No |
| Suspend/Resume Process | ❌ No | ✅ Yes | ❌ No |
| GPU Monitoring | ❌ No | ✅ Supported | ⚠️ Win11+ |
| Portable Version | ✅ Yes (Recommended) | ✅ Yes | N/A |
Recommendations:
- File lock investigation → Process Explorer (handle search is its unique killer feature)
- Force kill stuck processes + GPU monitoring → Process Hacker (stronger force terminate and suspend)
- Use both: Process Explorer for file locks, Process Hacker for process management/GPU
Download & Installation Guide
Official Download
Process Explorer is part of the Sysinternals suite, distributed through Microsoft’s official channels:
| Channel | Download Link | Notes |
|---|---|---|
| Microsoft Official (Recommended) | learn.microsoft.com/sysinternals/downloads/process-explorer | Direct download procexp.exe |
| Sysinternals Suite | Download entire suite | Includes Process Explorer and 60+ tools |
Safety reminder: Process Explorer is a free tool released by Microsoft. No installation required — run directly. Download a ZIP archive, extract it, and run procexp64.exe (64-bit system). A EULA will appear on first run — click “Agree.” This is a one-time prompt.
Usage Tips
- Run as administrator: Right-click → Run as administrator to see all processes (including system processes)
- Replace Task Manager: Options → Replace Task Manager → Then Ctrl+Shift+Esc opens Process Explorer
- Color coding: Process Explorer uses colors to distinguish processes (pink = Windows Update, purple = services, blue = current user processes, gray = suspended processes)
FAQ
Q: How do I use Process Explorer’s handle search?
A: Ctrl+F to open the search box → Type part of the file name → Results appear instantly. Double-click a result to jump to the process. Right-click on the process → Close Handle to release the handle (without killing the entire process).
Q: Which should I choose, Process Explorer or Process Hacker?
A: If you only install one: choose Process Explorer (Microsoft official, handle search is irreplaceable). If you install both: Process Explorer for file lock investigation, Process Hacker for forceful management. Both are free and complementary.
Q: Can Process Explorer shut down Windows Update processes?
A: Technically yes (right-click → Kill Process), but it’s not recommended. Forcefully killing system processes may cause system instability. If Windows Update is using too many resources, use the system’s “Pause updates” feature instead.
Q: Does Process Explorer need to be installed?
A: Not at all. It’s portable software — download the ZIP, extract it, and run procexp.exe (32-bit) or procexp64.exe (64-bit). To remove it, simply delete the folder. This is the consistent style of Sysinternals tools.
Process Explorer is the process tool that solves your biggest pain point — the first thing everyone thinks of when encountering a “file in use — can’t delete” error. Its handle search feature may be modestly named (“Find Handle”), but its real-world value makes it the most valuable tool for Windows system administrators.