
Sooner or later, many people come to the conclusion that the standard Windows process manager is quite weak in terms of functionality. The search for alternatives begins, and it usually ends almost immediately, upon discovering Process Explorer from Mark Russinovich. Habr even recommends this program.
What can I say? Of course, Process Explorer is a good program. However, it is not ideal. In defiance of its imperfections, there is an alternative that is not only free of charge but also free software: Process Hacker. We will now examine in detail, point by point, why Process Hacker is not just “slightly better” but better by an order of magnitude, so much better that it moves the program from the class of utilities for advanced users into the class of tools for system programmers and administrators.
Terms
For brevity, I will call Process Explorer (from Mark Russinovich) PE, and Process Hacker (from the community) PH.
Opensource
I am not a vehement fan of free software: if a proprietary program does what I need and a free one does not, then the former is better. However, other things being equal (and in this case PH is definitely not worse), free software gives more room for maneuver.
PH lives on SourceForge with all the attendant benefits, a very lively forum and frequent releases.
Installation
Both programs are most conveniently used as portable versions.
PE requires you to read and accept the license.
PH just starts up and runs.
Update
PE cannot check for updates.
PH can check for updates.

Tray Icons
Both programs have them. By default, PE shows only User Mode CPU load there. By default, PH shows CPU utilization in both User Mode and Kernel Mode.
One can argue about the style of the color scheme, but for me personally, red on a black background (in PH) is more noticeable than light green on white (in PE).

Up to 7 tray icons with various useful information can be enabled for PE.
Up to 8 tray icons with various useful information can be enabled for PH.
Notification of processes \ services \ drivers
An absolutely indispensable feature of PH is its notifications about starting / stopping / installing services and drivers. When developing such software, the “install, run, check, stop, delete” cycle has to be done 20 times a day, and PH shows you immediately whether each step succeeded. There is no need to go into “Services” or “Device Manager”, press “Refresh” there and wait for the changes.

Context menu of tray icons
Both programs allow you to open the main window through the context menu, restart / shut down the computer, and open the system information window. In addition, PH lets you manage the above-mentioned notifications and a dozen processes (the top ones by CPU load).

System information
The System Information windows in both programs are very similar in both functionality and design.
PE splits the information into tabs;
PH opens tabs by clicking on charts in the main window.
PH shows a little more information (processor name, total physical memory, etc.).
Main window
The program interfaces look quite similar: both have a process tree.

Note, however, the nuances.
Coloring
- Both programs have coloring, but PE colors by column while PH colors by row. As a result, in PH it is convenient to follow all the data of one process horizontally at a glance, and in PE to follow the use of one resource by different processes vertically. (upd: comments suggest that this is configurable in PE)
- Both programs have coloring settings, but PE lets you configure colors for 8 types of processes, while PH does so for 16 (plus some options such as the duration of process highlighting).

Selection of process information columns
Both programs offer approximately the same number of parameters. In PE they are divided into groups; in PH they are listed alphabetically. As a result, if you know the exact name of a parameter, it is faster to find it in PH; if you know only which area it relates to (memory, disk, network), it is faster in PE. In addition, we must admit that PE knows more about the internal parameters of .NET processes (PH is also moving in this direction; there is a special plug-in for .NET counters).
Filter by process name
Not available in PE.
Available in PH; it supports keywords for searching certain types of processes.

Performance charts on the toolbar
Available in PE.
Not available in PH.
This is the rare case when there is something in PE and not in PH. Let's see, however, how they look:

No labels, no axes; at a quick glance, nothing is clear. To get meaningful information, you still need to open the system information window, and there PH is already ahead in terms of information.
"Run as ..."
PH has a much-needed menu item, "Run as ...". Since this item has disappeared from the Windows Explorer context menu, giving way to “Run as administrator”, it is sorely missed.
PE does not have this item.

Window "Find Handles or DLLs"
Please note that PE has “Search” and “Cancel” buttons, while PH has only “Find”. This is because PE can search for a very, very long time, and sometimes the search has to be canceled.
PH finds results almost instantly. It does not need a "Cancel" button.

Window search
PE allows you to click on the button with the image of the target to find the process by its window.
PH allows you to find not only the process, but also the thread that is responsible for processing messages for this window. In addition, the found window can be immediately closed with one button.

To be fair, we must admit that the PE icon is better (similar to the corresponding icon in Spy++).
Process context menu features

We will not dwell on the common features; we will look only at what is in PH and not in PE:
- Opening the location where the binary is stored by Ctrl + Enter (in PE too, but 2 clicks further in the process properties window)
- Sending an executable to VirusTotal
- Detach from debugger: useful when a Visual Studio instance that has “hung” is attached to the process and you want to kill it without closing the process.
- Process information windows: GDI Handles, Heaps, Unloaded Modules, WS Watch, Windows
- Terminator: the ability to kill a process in 17 different ways. It is interesting to observe how correctly your own program handles termination.
- Inject DLLs: very useful when testing the injection of any hooks. In fact, at the testing stage you can do without your own injector and write only the injected library itself. It is very useful for testing theories and for research.
Services and drivers
PE believes that its business is ordinary processes only.
PH is an extremely convenient tool for working with services and drivers.

On the Services tab of the main window, you can view the list of processes and drivers and their status, and you can stop, start or delete them, as well as view and change their properties.
It is an extremely useful tool for the Windows system programmer (especially with the ability to enable tray icon notifications for changes in the list of services). And in the Tools menu, you can create a new service.
Network and disk activity of processes
PE allows you to view the network and disk activity parameters of a process and to see the overall performance of the disk and network subsystems.
In addition to the above, PH has two extremely useful tabs in the main window, "Network" and "Disk", showing the total network and disk activity of processes.
To be fair, we must admit that in modern versions of Windows something similar (although not as convenient) is shown by the standard Resource Monitor tool.
Modular architecture
PE is integral and indivisible.
PH is modular: it supports plugins (and much of the functionality described here is implemented by plugins).

Process Information Window
The two programs group information on tabs slightly differently, so it is difficult to compare them head-on.

In general, we can say that the amount of information provided and the usability are about the same. However, there is a crucial detail: PE sometimes lies in this window. And, as I suppose, not because of bugs but for marketing reasons (and this is no good at all). I analyzed this question in detail in this topic; those who are interested can read it.
Dll info window
Both programs allow you to view the list of DLLs in the address space of a process.
PE shows them at the bottom of the main window (when the corresponding panel is turned on);
PH shows them in a tab in the process information window. Double-clicking a library displays information about it in both programs.

And here we again see why PE is just a utility for an advanced user, while PH is a programmer’s tool. PE shows only general information about the library and a list of the strings in it, whereas PH shows the full list of imported and exported functions. Separate disassemblers are no longer needed for this!
Minute of healthy criticism
We will not fall into idolatry; let's see what is better in PE:
- there is a lower panel where DLLs or handles can be displayed; if only this information is of interest, it is one click closer in PE
- you can save and load a set of columns with information about the processes, which is useful for occasional work on different types of software. PH also allows you to do this, but only through command line parameters, which is not so convenient.
- in the process information window there is a Strings tab that allows you to view the strings used in the process. PH also allows you to get this information, but not as clearly (memory blocks on the Memory tab)
Conclusions
As you may have noticed yourself, PH is a case where an already good program was taken and made even better, friendlier and more useful. The direction of PH's development was set by the community, teething bugs were quickly fixed, and the emphasis was placed on the usefulness of the tool not only for the ordinary user but also for the programmer and the sysadmin.
The utility is useful; use it in good health.