Process Explorer vs Process Hacker

Sooner or later, many people conclude that the standard Windows Task Manager is very weak in functionality. The search for alternatives begins, and it usually ends almost immediately with the discovery of Process Explorer by Mark Russinovich. Even Habr recommends this program.

What can I say? Of course, Process Explorer is a good program. However, it is not ideal. In spite of its imperfections, there is an alternative that is not only free of charge but also free software: Process Hacker. We will now examine in detail, point by point, why Process Hacker is not just “slightly better” but better by an order of magnitude, so much better that it moves from being an advanced user's program into the class of tools for a system programmer or administrator.

Terms


To save typing, I will refer to Process Explorer (from Mark Russinovich) as PE and to Process Hacker (from the community) as PH.

Open source


I am not a rabid fan of free software: if a proprietary program does what I need and a free program does not, then the former is better. However, other things being equal (and in this case PH is definitely no worse), free software gives more room for maneuver. PH lives on Sourceforge with all the attendant benefits, has a very lively forum, and has frequent releases.

Installation


Both programs are most conveniently used as portable versions.
PE requires you to read and accept the license.
PH just starts and runs.

Update


PE cannot check for updates.
PH can check for updates.


Tray icons


Both programs have them. By default, PE shows only the CPU load in User Mode there. By default, PH shows CPU utilization in both User Mode and Kernel Mode.
One can argue about the style of the color scheme, but personally I find red on a black background (PH) more noticeable than light green on white (PE).


In PE, you can enable up to 7 tray icons with different useful information.
In PH, you can enable up to 8 tray icons with different useful information.

Notifications for processes / services / drivers


An absolutely irreplaceable feature of PH is its notifications about the start / stop / installation of services and drivers. When developing such software, you go through the “install, start, check, stop, delete” cycle 20 times a day, and with PH you immediately see whether it is going well or not; there is no need to go into “Services” or “Device Manager”, click “Update” there, and wait for changes.
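The same kind of change notification can be reproduced by comparing two snapshots of the service and driver list. This is an added example, not part of the original article and not Process Hacker's code; it assumes the snapshots are text captured from `sc query type= all state= all`, and the names DemoSvc, DemoDrv and OldFilter are constructed.

```python
import re

# Constructed, trimmed snapshots shaped like `sc query type= all state= all` output.
BEFORE = """\
SERVICE_NAME: DemoSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
SERVICE_NAME: OldFilter
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
"""
AFTER = """\
SERVICE_NAME: DemoSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
SERVICE_NAME: DemoDrv
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
"""

FIELD = re.compile(r"^\s*(SERVICE_NAME|TYPE|STATE)\s*:\s*(.+?)\s*$")

# Returns {name: {"kind": "service" or "driver", "state": "RUNNING", ...}}.
def parse_sc_query(text):
    entries, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)  # other lines (flags, exit codes) are skipped
        if m and m.group(1) == "SERVICE_NAME":
            current = entries.setdefault(m.group(2), {"kind": "service", "state": "?"})
        elif m and current is not None:
            word = m.group(2).split()[1]  # "4  RUNNING" -> "RUNNING"
            if m.group(1) == "STATE":
                current["state"] = word
            elif word.endswith("_DRIVER"):  # KERNEL_DRIVER, FILE_SYSTEM_DRIVER
                current["kind"] = "driver"
    return entries

def diff_snapshots(before, after):
    events = []
    for name in sorted(before.keys() | after.keys()):
        old, new = before.get(name), after.get(name)
        if old is None:
            events.append((new["kind"], name, "installed"))
        elif new is None:
            events.append((old["kind"], name, "deleted"))
        elif old["state"] != new["state"]:
            events.append((new["kind"], name, f'{old["state"]} -> {new["state"]}'))
    return events

print(diff_snapshots(parse_sc_query(BEFORE), parse_sc_query(AFTER)))
```

An unexpected “installed” entry of kind driver is also the line worth reviewing when the same comparison is run on a machine that is not a development box.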


Context menu of tray icons


Both programs allow you to open the main window through the context menu of the tray icon, restart / shut down the computer, and open the system information window. PH additionally lets you manage the notifications described above and a dozen processes (the top ones by CPU load).


System information


The System Information windows in both programs are very similar in both functionality and design. PE splits the information into tabs; PH opens tabs when you click on the charts in the main window. PH shows a little more information (processor name, total physical memory, etc.).

Main window


The program interfaces look quite similar: both show a process tree.



Note, however, some nuances.

Coloring

  1. Both programs have coloring, but PE colors by column while PH colors by row. As a result, in PH it is convenient to scan horizontally to follow all the data of one process, and in PE to scan vertically to compare the use of a resource by different processes. (upd: commenters point out that this is configurable in PE)
  2. Both have coloring settings, but PE sets colors for 8 types of processes, while PH sets them for 16 (plus some options such as the duration of process highlighting).



Selection of process information columns

Both programs offer a roughly equal number of parameters. In PE they are grouped; in PH they are listed alphabetically. As a result, if you know the exact name of a parameter, it is faster to find it in PH; if you only know which area it concerns (memory, disk, network), it is faster in PE. In addition, we must admit that PE knows more about the internal parameters of .NET processes (PH is also moving in this direction; there is a special plug-in for .NET counters).

Filter by process name

Not available in PE.
Available in PH, which supports keywords for finding certain types of processes.



Toolbar Performance Charts

Available in PE.
Not available in PH.
This is the rare case when something is in PE and not in PH. However, let’s see how they look:
There are no labels and no axes, and at a cursory glance nothing is clear. To obtain meaningful information, you still need to open the system information window, and there PH is ahead in the amount of information shown.

"Run as ..."


PH has a very necessary menu item, "Run as ...". Since this item disappeared from the context menu of Windows Explorer, giving way to “Run as administrator”, it has been sorely missed.
PE does not have this item.


The Find Handles or DLLs Window


Note that PE has “Search” and “Cancel” buttons, while PH has only Find. This is because PE can search for a very long time, and sometimes the search really does need to be canceled. PH searches almost instantly. It does not need a Cancel button.



Window search


PE lets you click the button with the target icon to find a process by its window.
PH lets you find not only the process but also the thread responsible for processing messages for that window. In addition, the found window can be closed immediately with one button.


In fairness, I must admit that the PE icon is better (similar to the corresponding icon in Spy++).

Process context menu options





We will not dwell on the common features; we will only look at what is in PH and not in PE:
  • Opening the location of the binary with Ctrl + Enter (PE can do this too, but it is 2 clicks further away, in the process properties window)
  • Sending an executable to Virustotal
  • Detach from debugger - useful when Visual Studio, attached to the process, has “hung” and you want to kill it without closing the process
  • Process info windows: GDI Handles, Heaps, Unloaded Modules, WS Watch, Windows
  • Terminator - the ability to kill a process in 17 different ways. It is interesting to watch whether your program shuts down correctly.
  • Inject DLLs: a very useful thing when testing the injection of all kinds of hooks. In effect, it lets you do without your own injector at the testing stage and write only the injected library itself. It is extremely useful for testing theories and for research.


Services and Drivers


PE considers only ordinary processes to be its business.
PH is an extremely convenient tool for working with services and drivers.



On the dedicated Services tab of the main window, you can view the list of processes and drivers and their status; you can stop, start and delete them, and view and change their properties.
This is an extremely useful tool for a Windows system programmer (especially combined with the ability to enable tray icon notifications for changes in the list of services). And in the Tools menu, you can create a new service.

Network and disk activity of processes


PE lets you view the network and disk activity parameters of a process and see the overall performance of the disk and network subsystems.
In addition to the above, PH has two extremely useful tabs in the main window, “Network” and “Disk”, showing the overall network and disk activity of the processes.
In fairness, we must admit that in modern versions of Windows the standard Resource Monitor tool shows something similar (although not as conveniently).

Modular architecture


PE is monolithic and indivisible.
PH is modular and supports plugins (and a significant part of the functionality described here is implemented by plugins).



Process Information Window


The two programs group information into tabs slightly differently, so a head-on comparison is difficult.



In general, we can say that the amount of information provided and the ease of use are approximately the same. However, there is a crucial detail: PE sometimes lies in this window. Moreover, as I suppose, not because of bugs but for marketing reasons (and that is completely unacceptable). I examined this question in detail in this topic; anyone interested can read it.

DLL Information Window


Both programs let you view the list of DLLs in the process address space. PE shows them at the bottom of the main window (when the corresponding panel is turned on); PH shows them in a tab of the process information window. Double-clicking a library displays information about it in both programs.



And here we see again why PE is just an application utility for an advanced user, while PH is a programmer’s tool. PE shows only general information about the library and a list of the strings in it, whereas PH shows a complete list of imported and exported functions. Separate disassemblers are no longer needed for this!

A moment of healthy criticism


Let's not fall into idolatry, and see what is better in PE:
  • there is a bottom panel where DLLs or handles can be displayed; if only this information is of interest, PE is one click faster
  • you can save and load a set of columns with information about the processes, which is useful when you periodically work on different types of software. PH also allows this, but only through command-line options, which is not as convenient
  • the process information window has a Strings tab that lets you view the strings used in the process. PH also lets you get this information, but not as clearly (memory blocks on the Memory tab)


Conclusions


As you may have noticed yourself, PH is a case where a generally good program was taken and made even better, friendlier and more useful. The direction of PH's development was set by the community, teething bugs were fixed quickly, and emphasis was placed on the usefulness of the tool not only for the ordinary user but also for the programmer and the system administrator.

It is a useful utility; enjoy using it.