So I’m a fan of Process Explorer. I think that fact is well known now. But what I think is not well known is the fact that you can configure Process Explorer as your task manager and also for symbol resolution.
The first one is pretty simple. Click options and then select Replace Task Manager. After this, try it out by selecting task manager either by right clicking on the task bar or by doing a Ctrl-Alt-Del and selecting it from there. If you want the old task manager back, just load up PE and then select Restore Task Manager.
The second trick is a bit more complicated, but I think way more cooler. One of the things that PE lets you do is not only take a look at individual processes in a hiarcharical tree, but also the individual threads in that process. Threads are the actual objects that do work on a processor. When a thread is instantiated, it has a specific purpose which is performed by calling a method within a module. Modules can be certain functions within an executable or a DLL. Do to the nature of how software works, we are only allowed to see certain properties of a thread without part of the source code. This changes slightly when you configure symbols!
Here we have standard Windows Notepad running. When you take a look at the thread, we have one thread but we can’t see what function that thread is currently in, all we have is a memory address. Often times when I'm troubleshooting, I have an errant process that is sucking up CPU time but I want to know what specifically its doing. With Symbols not configured, I can’t really tell. The screenshot below shows a correctly configured PE with symbol resolution. As you can see, instead of the memory address we actually get the function name that the thread is in. Very helpful when you’re dealing with uncooperative processes/applications.
So how do I configure symbols? First, you need to download the Windows Debugging Tools for your architecture (x86 or x64) which you can find here. You then need to install and configure PE to use the dbghelp.dll that is located in the folder where you installed the Debugging Tools (typically X:\Program Files\Debugging Tools for Windows\dbghelp.dll). Afterwards, you need to create a folder to where the symbols will be stored. I used C:\Debug_Symbols but you can use whatever name you want. And then comes the magic string.
What this string does is that it tells PE to check and save symbols it downloads to C:\Debug_Symbols and also to look towards Microsoft’s public symbols server for resolution if its not in cache. If you want to skip the whole resolution over the net and download the packages, you could also do so here.
There you have it! Detailed information on what your system is doing behind the curtain.