Advanced Troubleshooting with Process Explorer
Have you ever tried to troubleshoot some arcane reason for why your hard drive is spinning around wildly or your CPU is maxed out all the time? Given that the foundation of the operating system is designed to get out of the way and just work for the average person, digging down deep enough to figure out what is going on can prove to be a daunting task to say the least. Makes you want to hit the bottle, doesn't it?
Fear not my friends! With a little help, and one of the best programs available, we can dive in and figure out what is going on with our system. After all, isn't that what being a power user is all about? Mark Russinovich and the Sysinternals team (now part of Microsoft) have developed a FREE program called Process Explorer that is essentially your task manager on Barry Bonds level steroids. It examines which processes are running to determine what is eating up all of your CPU cycles, and it shows which process has which file open. It also tells you about the process chain, or which processes depend on each other to run. For example, Windows Media Player may rely on a process from Divx in order to play a particular movie file.
Process Explorer is simple, elegant, and powerful. As an advanced user, you should make sure to have this program on your system. Process Explorer is composed of two windows. The top window shows a list of the currently active processes, their dependencies, properties, your CPU history, and the system's memory usage. The bottom window contains all of the nitty gritty information about a selected process or search results. I encourage you to monkey around with it to get a handle on what it does and what you are seeing.
Once you get familiar with Process Explorer, it will be much easier to figure out what's happening on your Windows PC: whether there are handle leaks or DLL version problems, and which files are open. The application won't fix errors on its own, but it will point you in the right direction.
Tips for Using Process Explorer:
- Sort by CPU usage to identify processes that may be misbehaving. You can dig down to individual threads to try to figure out why the process has become a hog. You can also suspend, rather than outright kill, a process to judge whether it is the culprit. If it isn't, resume the process and keep looking.
- Get to know what is running on your PC. The first time you launch Process Explorer, click View, then Select Columns, and make sure that Process Name and Description are checked, then check the radio boxes to add Company Name and Command Line. Click the DLL tab next and check Path; then select the Process Memory tab and check Working Set Size before clicking OK. To configure the lower pane, click View and make sure that Show Lower Pane is checked; then mouse over Lower Pane View and select DLLs.
- The following are core Windows system processes, are not suspicious, and should be left alone (do not suspend or kill them): smss.exe, winlogon.exe, services.exe, alg.exe, and lsass.exe.
- Give the list a once-over. The following are suspicious:
  - Any process running from a temporary directory (shown in the Command Line column) such as C:\Temp or C:\Windows\Temp. Similarly, if a running process references a DLL in a temp directory, that should be a red flag for you.
  - Processes with nonsensical names. This is not always a helpful guideline, but if anything looks out of the ordinary (and only your experience can guide you), then you should look into it. For example, ubyw.exe (a Trojan downloader) seems a little nonsensical to me, as does ehcftwk.exe, which seems especially suspicious because it was spawned by kwtfche.exe, aka CommonName. (CommonName is a spyware program that assigns random names to the EXE files it deploys, which is why you won't find their names or advice for dealing with them via a Web search.)
  - Processes that are typically not bad but can be used as a launchpad by malware. For example, processes such as svchost.exe and rundll32.exe can be used to load other code. You can follow this chain by looking at the Command Line column to determine exactly which library or application they have been asked to load. Anything suspiciously named or located in a temp directory warrants further analysis.
- Look at all the other applications. Everything should have a description, a company name, and a command line entry, and all of it should make some sense. For example, Winword.exe is made by Microsoft Corp. and runs from C:\Program Files\Microsoft Office\Office 12\WINWORD.EXE.
- Right-click on any suspicious entries and choose Properties. Does anything there look familiar or provide some key to what the process does?
- If you still think it's suspicious, right-click and select Search Online. You can identify many threats directly from this search, and it's also a good way to find removal applications or information.
- You can also right-click (unless it's a system-critical process, as mentioned above) and select Suspend to see what happens. Does the process gracefully suspend? That's good. If it doesn't suspend you may be onto something. Right-click again and select Kill Process Tree and then Kill Process. Associated processes should turn red and die. You may have to repeat these steps.
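As an added example (not part of the original article, and not Process Explorer's own code), the following PowerShell script walks the same checklist over a live process list: it pulls each process's image path and command line from Win32_Process, reads the company name and description from the executable's version resource, and flags images in temp directories (the article's C:\Temp and C:\Windows\Temp, plus the current user's %TEMP%, which is an assumption), images with no version info, and the svchost.exe/rundll32.exe launchpads, showing the parent process and command line for review. It only reads; the Suspend and Kill steps stay in Process Explorer.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1
# or PowerShell 7 running with enough rights to read other processes' command lines.

# Directories the article treats as red flags for a process path. $env:TEMP is an
# assumption added here on top of the two directories the article names.
$tempDirs = @("$env:SystemRoot\Temp", 'C:\Temp', "$env:TEMP")

# Win32_Process supplies the image path and command line that Process Explorer
# shows in its Command Line column, plus the parent PID for the process chain.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    $company = $null; $desc = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Company name and description come from the file's version resource,
        # the same fields Process Explorer's Company Name / Description columns read.
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $company = $vi.CompanyName
        $desc = $vi.FileDescription
    }
    $flags = @()
    # 1. Image running from a temporary directory.
    foreach ($d in $tempDirs) {
        if ($d -and $path -and $path.StartsWith($d, 'OrdinalIgnoreCase')) { $flags += 'temp-dir'; break }
    }
    # 2. Missing description or company name; the article expects both to be present.
    if ($path -and (-not $company -or -not $desc)) { $flags += 'no-version-info' }
    # 3. Launchpad processes: surface the full command line so the loaded target is visible.
    if ($p.Name -in 'svchost.exe', 'rundll32.exe') { $flags += 'launchpad' }
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<none>' }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Parent      = $parentName
        Company     = $company
        Description = $desc
        Flags       = ($flags -join ',')
        CommandLine = $p.CommandLine
    }
}

# Show only rows that earned a flag; drop the Where-Object to review every process.
$report | Where-Object { $_.Flags } |
    Sort-Object Flags, Name |
    Format-Table PID, Name, Parent, Company, Flags, CommandLine -AutoSize -Wrap
```

A flagged row is a prompt for the Properties and Search Online steps above, not a verdict; legitimate installers and updaters also run from temp directories.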
If you find any malware you can remove it using whatever methods or programs you typically use. If you come across a particularly nasty piece of malware, simply enter the full name into Google and I am certain that someone will have posted how to remove it.