Skip to content
WindowsHow-To July 11, 2026 4 min read

Diagnosing Live Systems with Sysinternals: Process Explorer and Autoruns

Going beyond Task Manager's basic view to actually identify what a suspicious process is doing and what's launching automatically at startup, using two of the most useful free Sysinternals tools.

Task Manager covers routine process management adequately, but for genuinely diagnosing a suspicious process, an unexplained resource spike, or unwanted software launching automatically, Microsoft’s own Sysinternals suite — specifically Process Explorer and Autoruns — provides meaningfully deeper visibility than Task Manager exposes at all.

Getting Process Explorer

Process Explorer is a free, standalone executable requiring no installation, available directly from Microsoft’s Sysinternals site — running it directly rather than installing anything is deliberately how most Sysinternals tools are designed to work, useful specifically for running on a machine you’re diagnosing without wanting to leave installed software behind afterward.

Why Process Explorer shows meaningfully more than Task Manager

Beyond basic CPU and memory figures, Process Explorer shows a process’s full command line, loaded DLLs and handles, its actual digital signature verification status, and — critically for diagnosing suspicious software — a direct VirusTotal integration that can check a running process’s file hash against VirusTotal’s aggregated scan results directly from within the tool, without needing to separately upload the file anywhere yourself.

Checking a suspicious process’s signature and origin

Right-clicking any process and selecting Properties shows its full image path, command line, and — under the Image tab — whether it carries a valid digital signature and from whom. An unsigned executable running from an unusual location (a temp directory, rather than Program Files) combined with a suspicious or generic-sounding process name is a meaningfully stronger signal worth investigating further than either detail alone.

Using the VirusTotal integration directly

Enabling VirusTotal checking (Options > VirusTotal.com > Check VirusTotal.com) adds a column showing each running process’s scan results directly, without manually uploading anything — a process showing detections from multiple engines is worth investigating immediately, while a clean result across all engines is reasonably (though not absolutely) reassuring for a process you were otherwise uncertain about.

Understanding the process tree and parent-child relationships

Process Explorer’s tree view (its default display mode) shows exactly which process launched which other process, which is genuinely useful diagnostic information Task Manager’s flat process list doesn’t convey as directly — a legitimate-looking process that was actually launched by an unexpected, unrelated parent process is a meaningful red flag that a flat list wouldn’t surface as clearly.

Getting Autoruns for startup and persistence auditing

Autoruns is Sysinternals’ comprehensive tool for seeing everything configured to launch automatically — not just the Startup folder and Task Manager’s simplified Startup tab, but every registry-based autostart location, scheduled tasks, services set to auto-start, browser extensions, and a considerable number of additional, less commonly known autostart mechanisms that malware and legitimate software alike sometimes use.

Why Autoruns matters beyond just Task Manager’s Startup tab

Task Manager’s Startup tab shows only a specific, limited subset of autostart locations. Autoruns enumerates dozens of distinct autostart mechanisms across the registry, scheduled tasks, services, and more — this comprehensiveness matters specifically because software (legitimate or otherwise) that wants to persist reliably across reboots without being obviously visible tends to use exactly the less-commonly-checked autostart locations Task Manager doesn’t surface, which is precisely why a thorough persistence audit needs Autoruns’s fuller enumeration rather than Task Manager’s simplified view.

Filtering out known-good entries to focus on what’s actually worth reviewing

Autoruns includes an option (Options > Hide Microsoft Entries, and separately verifying code signatures) to filter out signed Microsoft components, which — for a manageable-sized system — narrows the remaining list down to third-party and potentially unwanted entries considerably faster than manually reviewing every single autostart entry including well-known, clearly legitimate Windows components.

Disabling a suspicious entry without permanently deleting it

Unchecking an entry in Autoruns disables it without deleting the underlying registry key or file outright — a meaningfully safer first step than outright deletion, since it’s trivially reversible if the disabled entry turns out to have been something legitimate and necessary after all, rather than committing to a destructive removal before you’re fully certain.

Why these specific two tools, together, cover most live-diagnosis needs

Process Explorer answers “what is currently running, and is it legitimate” while Autoruns answers “what’s configured to run automatically, and where is that configuration actually coming from” — between the two, most day-to-day live-system diagnosis needs (a suspicious running process, unexplained resource usage, unwanted software launching at startup) are covered without needing to reach for more specialized or invasive tooling, and both remain free, actively maintained, and require no installation to use directly on whatever machine actually needs diagnosing.