Best Windows Process Checkers that tell you if a process is safe
When you open the Windows Task Manager using the shortcut Ctrl-Shift-Esc, a mighty list of processes running on the system is presented to you (note: in Windows 8, this is only the case if you expand the manager first).
While that is helpful in determining what is running on the system or to kill a process that is no longer required, it is often difficult to tell if a process is safe or not.
It is usually not a good idea to rely on antivirus software to make those judgement calls for you. While they may pick up many malicious processes, none is perfect and the chance of malware slipping through is always present.
That leaves manual checks, for instance on Virustotal, or third-party software that provides you with that information.
This guide looks at process managers that scan processes for you to determine whether they are safe or not.
As always, we start with the requirements first.
Requirements
- The process manager needs to be free.
- The software needs to be compatible with all recent 32-bit and 64-bit editions of the Windows operating system.
- A feature to rate or scan processes needs to be integrated.
- The task manager needs to be the main program feature.
Top Process Checkers
The guide begins with short summaries of each program that made the test. After that you will find a comparison table that highlights similarities and differences between programs. Last but not least, recommendations are added to the very end of the guide.
Note: We have always downloaded and tested the portable version of a program if provided. Since we did not test installers in this case, make sure you follow the dialog carefully as installers may contain adware offers.
Anvir Task Manager Free
Note: The installer contains adware offers. Make sure you decline and uncheck those if you don't want them installed.
The free version of the Task Manager displays security ratings for each process and startup item on start. However, it only displayed "not available" for all entries, and a check on another PC confirmed that.
This leaves the Virustotal option which you can use for individual processes running on the system. When selected, you are taken to the Virustotal website where results of the scan are displayed to you.
Process Explorer
Process Explorer is probably the most popular Task Manager alternative for Windows. It is a portable application that you can run from any location.
Recently support for Virustotal scans has been added to the program. Options to check individual processes or all running processes are available.
The program uses hashes by default for the checks but can upload files to Virustotal on your behalf if the hash is unknown on Virustotal.
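The hash-first check described above can be prepared locally before anything is looked up or uploaded. The following PowerShell is an added example, not code from Process Explorer or from this article; the function name Get-ProcessImageReport and the list of temp directories are assumptions of the example.

```powershell
# Added example: hash-first triage of running processes. Nothing is uploaded;
# the SHA256 column holds the values you would search for on Virustotal.
function Get-ProcessImageReport {
    [CmdletBinding()]
    param(
        # Directories treated as "temporary" (an assumption of this example).
        [string[]]$TempRoots = @($env:TEMP, "$env:windir\Temp")
    )

    # Many processes share one image (e.g. svchost.exe), so group by path
    # and hash each file only once. Path is empty for protected processes.
    $byPath = Get-Process |
        Where-Object { $_.Path } |
        Group-Object -Property Path

    foreach ($group in $byPath) {
        $path = $group.Name
        $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue
        $sig  = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue

        # Flag images that run from a temp directory.
        $inTemp = $false
        foreach ($root in $TempRoots) {
            if ($root -and $path.StartsWith($root.TrimEnd('\') + '\',
                    [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTemp = $true
            }
        }

        [pscustomobject]@{
            Path      = $path
            Pids      = ($group.Group.Id -join ',')
            SHA256    = $hash.Hash
            Signature = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            FromTemp  = $inTemp
        }
    }
}

# Images without a valid signature come first, then those running from temp.
Get-ProcessImageReport |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } },
                @{ Expression = 'FromTemp'; Descending = $true } |
    Format-Table Path, Signature, FromTemp, SHA256 -AutoSize
```

A valid signature or a clean hash lookup narrows the list but does not prove a process is safe, and a FromTemp flag on its own is not a verdict either, since legitimate tools also unpack helper executables there.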
Process Hacker
Process Hacker is an open source program for Windows that is provided as a portable version and installer. While it won't display security ratings of processes right in its interface, it supports a total of three online virus scanners (Virustotal, Jotti and Comodo's Camas) and online search on top of that.
At least on Virustotal, it will check the hash of the selected file before displaying the update prompt. However, all results are opened on the service's website.
Security Process Explorer
The free program displays all running processes on startup. For each program, its name, CPU and memory usage are displayed, with options to add more information to the table from the view menu.
Processes are rated by the software program using an internal rating system. Besides that, it is also possible to search for information on Google directly from within the interface.
System Explorer
When you start System Explorer on your system you are asked if you want to run a security check. Doing so will query an online security database to verify processes.
The program provides you with information about found threats, if any, after the scan. Here it is also possible to open a report on the System Explorer website, which appears to be public and only obfuscated by URL.
Security information seems to be based on an internal rating system with options to run a scan for unknown processes on Virustotal.
WinUtilities Process Security
The free task manager replacement displays security levels for each process right on start. According to the program website, the rating "is purely based on behavior and code analysis".
The main issue here is that it displays an unknown rating for many programs including popular applications such as firefox.exe, chrome.exe or excel.exe.
Comparison Table
Program Name | Security | Memory | Other |
Anvir Task Manager Free | internal rating system, individual Virustotal checks | 12.7 Megabyte | adware, Replace Task Manager, HijackThis log |
Process Explorer | Virustotal | 30.1 Megabyte | Replace Task Manager, portable |
Process Hacker | Virustotal, Jotti, Comodo Camas | 16.2 Megabyte | Replace Task Manager, portable, plugin support |
Security Process Explorer | internal rating system | 5.4 Megabyte | Replace Task Manager |
System Explorer | internal rating system | 11.1 Megabyte | Replace Task Manager, portable |
WinUtilities Process Security | internal rating system | 4.7 Megabyte |
Recommendation
It is rather surprising that only a handful of task manager alternatives offer security scans. Even more problematic than that is the fact that many rely on internal rating systems only which often fail to provide ratings for all processes running on the system.
This leaves Process Explorer as the main recommendation. While it is a bit high on the memory side of things, it is portable and its integration of Virustotal is the one that makes most sense as results are displayed internally in the program interface.
Update: Process Hacker is a close second to Process Explorer. It supports several engines and plugins, but does not offer the comfortable option to scan all processes at once right in its interface.
Now You: Have another process checker with security scan feature? Feel free to share it with everyone in the comments.
Anvir Task Manager Free is now truly free, they stopped sales in 2021. Their free software is now fully functional.
This is exactly the type of information I was looking for. Sadly it’s almost 6 years old so I’m wondering how useful it really is now.
Perhaps someone who has been using one or more of the listed programs could tell me what they think about them.
Thanks.
Nice article to read, thanks! But how to identify potential bad processes?
What about Comodo Security Essentials? Contains Comodo KillSwitch (in the tools menu). Does a cloud scan on all running tasks.
I decided not to include security suites and other programs that ship with a process manager but also many other tools.
Your definition of ‘portable’ is questionable, Process Explorer for example writes everything to the registry, that hardly seems ‘Portable’ to me.
Portable is not the same as “stealth”
Portable ( https://en.wikipedia.org/wiki/Portable_application )
Stealth: ( http://www.portablefreeware.com/faq.php#stealth )
I do agree though, that PE should/could store most of its registry entries in an ini file or something (user settings should be portable IMO). However, it is still portable (what else is it, if it’s not installed and works?) – it will run without the need for installing it, and it will work out of the box without the registry entries needing to be present (as it will use defaults). Some settings IMO should NOT be portable (such as replace task manager, or start on start up – as these should be on a system by system basis, and indeed, are more OS operational choices rather than program specific settings)
Hi admin. is there any other program like “Process Lasso” for managing and optimizing Windows processes?
I know several programs that monitor process priorities and can adjust them, but none that matches all features of Process Lasso. Check out Process Tamer: http://www.donationcoder.com/Software/Mouser/proctamer/
Process Hacker can use VirusTotal, Virusscan.jotti.org, Camas.comodo.com, custom online search provider (default google) & can replace the task manager and the ability to use external plugins. And the best thing, it’s open source.
That’s great. I have added it to the article.
I use SysInternals’Microsoft’s Process Explorer with greatest satisfaction. VirusTotal checks with latest version is welcomed.
Off-topic perhaps, sorry for that, but can someone enlighten me on this point:
No install, ok – When running procexp.exe, this exe unfolds according to the user’s system to a procexp64.exe when applicable.
This procexp64.exe is installed in the user’s Temp folder and is removed once Process Explorer application is closed.
1- Why not have the application include the 64-bit exe in the package ? On a 32-bit system it should then simply not be able to run. I don’t understand the pertinence of this process.
2- Am I OK if I copy the procexp64.exe while available in the Temp folder, move it to another folder (Process Explorer’s folder obviously) and then run that 64-bit version instead of the default all-in-one procexp.exe?
I’ve noticed another application proceeding the same way : Geek Uninstaller. Same, deploys a 64-bit exe in the temp folder then removes it. I’ve proceeded as with Process Explorer with no problem, hoping there is no “hidden” issue.
Deployment of an exe in a temp folder is not IMO a good thing, it is also characteristic of malware installation. Why do serious applications proceed this way?
Thanks!
“I don’t get your point.” – no, you don’t
“Starting an app from the temp folder is not orthodox” – rubbish! You are NOT starting it from the temp folder, it is being started by running procexp.exe (from wherever you put it). Installers, unpackers and other files use the temp directory all the time. If the 64bit process is by nature “temporary” then this is where it should be.
“Nothing elegant in having one exe deploying a 64-bit exe in a temp folder, it takes longer, it’s nonsense.” <<- what? like save yourself 0.05 of a whole second?
"Just make it two EXEs, a 32-bit and a 64-bit, both started from the same application folder : that is not elegant, it's good sense." <– clearly you missed my point. Let me be more precise – a SINGLE exe that handles both 32 + 64bit systems – a SINGLE download, a SINGLE update, a SINGLE shortcut, a SINGLE solution that eliminates end user error of the wrong version – no need for a tech to waste time and double check a client's system's architecture, or waste time selecting which of two exes .. etc etc etc. Not to mention less work (probably) by the developer (not having to maintain two exes), less hassles with bugs or dissatisfied people (because they ran or downloaded the wrong version), less downloads (saved bandwidth, as some users would have wanted both versions). And I could probably go on. The elegance lies in the simplicity of an AIO.
"Where's the problem?" – people unable to adapt, think outside the box, or understand the topic. Pretty sure Mark Russinovich knows what he's doing regards windows os vs 32/64bit.
Just gonna interject here: regardless of any problems he was trying to solve, running it from the temp folder is retarded, because if I Pin it to my taskbar I either get an extra window taking up precious task-bar real estate, or I get to delete the Pin and re-Pin it every time I open it. It’s just a hassle. It should come with an option to keep both .exes in the primary folder. For now, copying it out of the temp folder and into the primary folder seems to have solved the problem.
I understand better your point, now, Pants.
I just don’t like an executable starting from a temp folder then vanishing. As I see it a temp folder is for data. I guess you’d answer it’s for temporary data and that data includes executables.
I cannot imagine Mark Russinovich not knowing what he’s doing. I simply didn’t understand the pertinence of this way of deploying an executable. I understand better the pertinence after your explanations, but I still prefer to copy the 64-bit exe from the temp folder to the application’s folder and have it run from there, each time afterwards. Waste of time, it’s less for the 0.5s it takes than for the waste, period. As I see it anything which is a repeated waste is to be automatized, it’s more a feeling than a theory.
Anyway, I’ve learned. Thanks for your comments.
http://forum.sysinternals.com/
I would suggest, off the top of my head, so that it’s an AIO (all in one) single exe for end users and admins and tech support etc. The 32bit loads and if needed then loads the 64bit version to %appdata%/local/temp. It’s an elegant solution IMO. It cleans up after itself (and even if it didn’t, it’s not like it’s leaving user data behind). Portable is one thing, 100% “stealth” is another. PE also uses registry keys (such as HKEY_CURRENT_USER\Software\Sysinternals and RunAsAdmin flags etc)
What you are saying is what is actually done. I don’t get your point.
Starting an app from the temp folder is not orthodox.
Nothing elegant in having one exe deploying a 64-bit exe in a temp folder, it takes longer, it’s nonsense.
Just make it two EXEs, a 32-bit and a 64-bit, both started from the same application folder : that is not elegant, it’s good sense.
Where’s the problem?
Process Hacker is also an awesome choice.
http://processhacker.sourceforge.net/
Great app, but it does not support security look-ups right?