Perseus06/process-manager
Process manager:

process_manager.exe is a command-line tool for Windows that lets a user interact with the processes running on the system. Via process_manager.exe, a user can:

  • View all the currently running processes on the system (including processes running as SYSTEM or as other users).
  • Print an analysis of a single process: executable path, user running the process, memory info, loaded DLLs and more.
  • Terminate a process.

How the tool works

1. Displaying running processes:

In order to display the currently running processes of the system, process_manager.exe uses the active process links. The active process links is a linked list in the kernel that holds information about all the running processes on the system. Each node in the list represents a single process and holds information about that process (saved in an EPROCESS structure). So, in order to display all those processes, process_manager.exe iterates over the active process links and prints each process found in the list. The iteration is done from user mode by creating a snapshot with the Toolhelp (tlhelp32) API. This method of iterating the active process links is also used by the Windows Task Manager and by Process Explorer from Sysinternals.

Note that hidden processes will not be detected by process_manager.exe. Hiding a process means unlinking it from the active process links, so once a process has been removed from the list, process_manager.exe cannot find it.

2. Process analysis:

Process analysis must be called with a specific PID.

The analysis is performed by a group of functions, each responsible for a different part of the analysis. The analysis includes:

  • Process name.
  • Process ID (PID).
  • Parent process ID (PPID).
  • Priority class.
  • Thread count and the ID of each thread.
  • Working set in memory.
  • Path to the executable file of the process.
  • Username of the user who created the process.
  • DLLs loaded by the process (full path to each DLL file).

For very sensitive processes, those protected by the OS, the analysis might not contain all of this information. Running as administrator may help, but it won't necessarily work.
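The two steps above, listing every process with its owner (section 1) and building the per-PID analysis (section 2), as an added PowerShell example that is not the project's own code. It uses only built-in PowerShell, .NET and WMI calls; the function names are my own. Run it from an elevated prompt to see SYSTEM and other users' processes; an unprivileged run still lists every process but reports `<access denied>` for the fields the target does not let the caller read, which is the same limitation the README describes.

```powershell
# Added example, not the project's own code: enumerate processes with their
# owner, then build the analysis fields listed in section 2 for one PID.

function Get-ProcessList {
    # Win32_Process is built from the kernel's process list, like a tlhelp32
    # snapshot; a process unlinked from the active process links is absent from both.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<access denied>' }
        [pscustomobject]@{ PID = $_.ProcessId; PPID = $_.ParentProcessId; Name = $_.Name; User = $user }
    }
}

function Get-ProcessAnalysis {
    param([Parameter(Mandatory)][int]$ProcessId)

    $wmi = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $wmi) { throw "No process with PID $ProcessId" }
    $proc  = Get-Process -Id $ProcessId
    $owner = Invoke-CimMethod -InputObject $wmi -MethodName GetOwner
    $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<access denied>' }
    $path  = if ($wmi.ExecutablePath) { $wmi.ExecutablePath } else { '<access denied>' }

    # Priority class and the module list require opening the process with
    # query/VM-read rights; for another user's or a protected process that
    # throws unless the caller holds SeDebugPrivilege, so record the failure.
    try   { $priority = $proc.PriorityClass } catch { $priority = '<access denied>' }
    try   { $modules  = @($proc.Modules | ForEach-Object { $_.FileName }) }
    catch { $modules  = @("<access denied: $($_.Exception.Message)>") }

    [pscustomobject]@{
        Name          = $proc.ProcessName
        PID           = $ProcessId
        PPID          = $wmi.ParentProcessId
        PriorityClass = $priority
        ThreadCount   = $proc.Threads.Count
        ThreadIds     = @($proc.Threads | ForEach-Object { $_.Id })
        WorkingSetKB  = [math]::Round($proc.WorkingSet64 / 1KB)
        Path          = $path
        User          = $user
        Modules       = $modules
    }
}

# Usage: list everything, then analyze this PowerShell host ($PID is automatic).
Get-ProcessList | Sort-Object PID | Format-Table -AutoSize
Get-ProcessAnalysis -ProcessId $PID | Format-List
```

Pass any other PID to `Get-ProcessAnalysis` to compare what an elevated and an unelevated session can read from a SYSTEM-owned process such as wininit.exe.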

3. Process termination:

Process termination must be called with a specific PID.

Terminating a process is a very simple task because the termination itself is executed by calling a system API.

Important notes:

Run the tool as administrator for better results:

The Windows OS separates the memory of the system between the different users and does not allow user 1 to access the memory of user 2. Therefore, by default it is forbidden to access processes created by other users.

process_manager.exe overcomes this by using the SeDebug privilege. In short, processes have settings called privileges. Each privilege allows the process to perform a specific action that could not be done without it. The SeDebug privilege allows a process to access the memory of processes belonging to other users, including those of the SYSTEM user. So, by using the SeDebug privilege, process_manager.exe can access processes run by other users, and even processes run by SYSTEM, which are all very interesting and sensitive processes (e.g. lsass.exe, wininit.exe, winlogon.exe and more).

The thing is, to obtain the SeDebug privilege the process has to have admin privileges first. This means that without running process_manager.exe as admin you won't be able to access processes created by SYSTEM or by other users. This does not really affect the use of the tool: process_manager.exe does everything it offers with or without admin privileges. But running process_manager.exe as admin gives you further information about the system's processes.
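A quick way to see the dependency described above on your own session, as an added PowerShell example that is not the project's own code: it reports whether the current token is elevated, whether it carries SeDebugPrivilege and in what state (using the built-in whoami.exe), and then probes whether a SYSTEM process (wininit.exe, one of the processes named above) can actually be opened for module enumeration. The function names and the choice of wininit.exe as the probe target are my own.

```powershell
# Added example, not the project's own code: show the token state that decides
# whether other users' and SYSTEM processes can be opened.

function Get-DebugPrivilegeState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every privilege in the token. SeDebugPrivilege is only present
    # in an administrator's elevated token, and may still be reported as Disabled
    # until the program enables it (process_manager.exe does that for itself).
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $debug = $privs | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }
    $state = if ($debug) { $debug.State } else { 'not present in token' }

    [pscustomobject]@{
        User       = $identity.Name
        Elevated   = $elevated
        HasSeDebug = [bool]$debug
        State      = $state
    }
}

function Test-SystemProcessAccess {
    param([string]$Name = 'wininit')
    $target = Get-Process -Name $Name -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $target) { return "no process named $Name" }
    try {
        # Reading the module list opens the process with query/VM-read rights,
        # which is exactly what fails for a SYSTEM process without SeDebugPrivilege.
        $count = $target.Modules.Count
        "PID $($target.Id) ($Name): opened, $count modules readable"
    } catch {
        "PID $($target.Id) ($Name): cannot read modules - $($_.Exception.Message)"
    }
}

Get-DebugPrivilegeState | Format-List
Test-SystemProcessAccess
```

Run it once from a normal prompt and once from an elevated one: the first shows no SeDebugPrivilege and an access-denied probe, the second shows the privilege in the token and a readable module list.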

Termination of important system processes can lead to critical errors:

The fact that process_manager.exe allows you to terminate every process in the system does not mean you have to do it! You certainly can, but it may lead to critical errors. Terminating a simple process like chrome.exe is totally safe, but touching sensitive processes like lsass.exe... is a bit of a problem. Terminating system processes can cause malfunctions of the OS, or its total collapse (reboot).

You can terminate system processes and it's fine; the damage only lasts for the current OS session. Reboot the system and everything will be great again, since processes live in memory and memory is cleared on reboot. Just remember to take caution with this, that's all.
