Checking Windows processes for viruses and threats in CrowdInspect

Many guides on removing adware, malware and other unwanted software from a computer include a step that says to check the running Windows processes for suspicious ones after the automatic removal tools have done their work. For a user without serious experience with the operating system this is not so easy: the list of executables in Task Manager tells them very little.

Checking Windows Processes in CrowdInspect

The free CrowdStrike CrowdInspect utility, designed specifically for this purpose and discussed in this review, helps check and analyze the running processes (programs) of Windows 11, 10, 8, 7 and XP. See also: How to get rid of ads (AdWare) in the browser.

Using CrowdInspect to Analyze Running Windows Processes

CrowdInspect does not require installation: it is distributed as a .zip archive containing a single executable file, crowdinspect.exe, which on 64-bit Windows may create an additional file when run. The program requires an Internet connection.

On first start you will need to accept the license agreement with the Accept button, and in the next window, if desired, configure integration with the VirusTotal online scanning service (the “Upload unknown files” check box controls whether files not yet known to VirusTotal are uploaded there; clear it if you do not want copies of such files sent to the service).

After clicking “OK”, a short-lived advertisement for the paid CrowdStrike Falcon product appears, and then the main CrowdInspect window opens with a list of the processes running in Windows and useful information about them.

CrowdInspect main window

First, the important columns in CrowdInspect:

  • Process Name – the name of the process. You can also display the full paths to the executable files by clicking the “Full Path” button in the program's main menu.
  • Inject – whether the process shows signs of code injection (antivirus products, which legitimately inject into other processes, can trigger this). If injection is suspected, a double exclamation mark and a red icon are displayed.
  • VT or HA – the result of checking the process file in VirusTotal (the percentage is the share of antivirus engines that flag the file as malicious). The latest version shows an HA column instead and checks the file with the Hybrid Analysis online service (possibly more effective than VirusTotal).
  • MHR – the result of checking the file's hash against the Team Cymru Malware Hash Repository (a database of checksums of known malware). A red icon and a double exclamation mark are shown if the hash is in the database.
  • WOT – when the process connects to sites and servers on the Internet, the result of checking those servers in the Web Of Trust reputation service.

The remaining columns contain information about the Internet connections established by the process: connection type, status, port numbers, local IP address, remote IP address, and the representation of this address in DNS.
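The columns described above (process name, full path, file hash, connection type and state, ports, remote address and its DNS name) can be reproduced with built-in cmdlets when CrowdInspect is not at hand, or when you want the same data as text for comparison. The script below is an added example written for this article, not CrowdInspect's or CrowdStrike's code; it assumes Windows 8 / Server 2012 or newer (Get-NetTCPConnection) and an elevated PowerShell prompt so that the paths of system processes can be read. The function name Get-ProcessInventory and the -ResolveDns switch are names chosen here.

```powershell
# Added example, not CrowdInspect's own code: rebuild the main CrowdInspect columns
# (process name, full path, SHA-256, TCP connections) with built-in PowerShell cmdlets.
# Assumes Windows 8 / Server 2012 or newer and an elevated prompt.
function Get-ProcessInventory {
    [CmdletBinding()]
    param(
        # Resolve remote IPs to host names, like the DNS column (slow on a busy machine).
        [switch]$ResolveDns
    )

    # Group all TCP connections by owning PID once, instead of querying per process.
    $tcpByPid = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess -AsHashTable -AsString
    if (-not $tcpByPid) { $tcpByPid = @{} }

    $hashCache = @{}   # one hash per executable, even if it runs as many processes

    foreach ($proc in Get-Process) {
        $path   = $proc.Path   # $null when the process cannot be opened (System, protected processes)
        $sha256 = $null
        if ($path) {
            if (-not $hashCache.ContainsKey($path)) {
                $h = Get-FileHash -Algorithm SHA256 -LiteralPath $path -ErrorAction SilentlyContinue
                $hashCache[$path] = if ($h) { $h.Hash } else { $null }
            }
            $sha256 = $hashCache[$path]
        }

        $key   = [string]$proc.Id
        $conns = if ($tcpByPid.ContainsKey($key)) { @($tcpByPid[$key]) } else { @() }

        if ($conns.Count -eq 0) {
            # One row for a process without TCP connections.
            [pscustomobject]@{
                Name = $proc.ProcessName; Id = $proc.Id; Path = $path; SHA256 = $sha256
                Type = $null; State = $null; LocalPort = $null
                RemoteAddress = $null; RemotePort = $null; RemoteHost = $null
            }
            continue
        }

        # Like CrowdInspect, one row per connection of the same process.
        foreach ($c in $conns) {
            $remoteHost = $null
            if ($ResolveDns -and $c.State -eq 'Established') {
                try { $remoteHost = [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName }
                catch { $remoteHost = $null }   # no reverse record is common and not suspicious by itself
            }
            [pscustomobject]@{
                Name = $proc.ProcessName; Id = $proc.Id; Path = $path; SHA256 = $sha256
                Type = 'TCP'; State = [string]$c.State; LocalPort = $c.LocalPort
                RemoteAddress = $c.RemoteAddress; RemotePort = $c.RemotePort; RemoteHost = $remoteHost
            }
        }
    }
}

# Usage: show only established connections, with loopback traffic filtered out.
Get-ProcessInventory -ResolveDns |
    Where-Object { $_.State -eq 'Established' -and $_.RemoteAddress -notlike '127.*' } |
    Sort-Object Name |
    Format-Table Name, Id, SHA256, RemoteAddress, RemotePort, RemoteHost -AutoSize
```

Pipe the result to Export-Csv to keep a baseline from a known-good state of the machine; comparing a later run against that baseline (new executable paths, new hashes for the same path, processes that never used the network before) is a more reliable check than eyeballing a long list. A missing Path or hash means the process could not be opened, which is normal for the System process and protected processes, not a finding on its own.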

Note: you may notice that a single browser tab appears as a dozen or more lines in CrowdInspect. The reason is that the program shows a separate line for each connection established by one process (and an ordinary site opened in a browser makes the browser connect to many servers on the Internet at once). You can turn this display off by toggling off the TCP and UDP buttons in the top menu bar.

Other menu and control elements:

  • Live / History – switches the display mode (real-time list, or a history list that also shows the start time of each process).
  • Pause – pauses the collection of information.
  • Kill Process – terminates the selected process.
  • Close TCP – closes the selected TCP/IP connection of the process.
  • Properties – opens the standard Windows properties window for the process's executable file.
  • VT Results – opens a window with the VirusTotal scan results and a link to the report on the site.
  • Copy All – copies all the displayed information about active processes to the clipboard.
  • A context menu with the basic actions is also available for each process by right-clicking it.

I suspect that by now more experienced users have thought “a great tool”, while beginners are not quite sure what it is for and how to use it. So, briefly and as simply as possible, for beginners:

  • If you suspect that something bad is happening on your computer, and the computer has already been scanned by an antivirus and by utilities like AdwCleaner (see Top malware removal tools), you can open CrowdInspect and check whether any suspicious background programs are running in Windows.
  • Processes with a high red percentage in the VT column and/or a red mark in the MHR column should be considered suspicious. You are unlikely to see red icons in the Inject column, but if you do, pay attention to them as well.
Threats in CrowdInspect processes
  • What to do if a process is suspicious: view its results in VirusTotal by clicking the VT Results button and then the link to the file's antivirus scan results. You can also search the Internet for the file name; common threats are usually discussed on forums and support sites.
CrowdInspect process results in VirusTotal
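The VT and MHR checks for one suspicious process can also be repeated by hand, which is useful for confirming what the program shows or for a machine where it is not installed. The script below is an added example for this article, not CrowdInspect's code. It relies on two public facts: the Team Cymru Malware Hash Registry answers DNS TXT queries for `<hash>.malware.hash.cymru.com` with "<last-seen Unix time> <detection percent>" and returns no record for hashes it does not know, and VirusTotal shows a file report at `https://www.virustotal.com/gui/file/<sha256>`. It assumes Windows 8 or newer (Resolve-DnsName); the function name Test-ProcessHash and its parameters are names chosen here.

```powershell
# Added example, not CrowdInspect's own code: check one process's executable against the
# Team Cymru MHR (DNS lookup, SHA-1 keyed) and build the VirusTotal report link for its SHA-256.
function Test-ProcessHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int]$ProcessId,
        [switch]$OpenVirusTotal   # open the VirusTotal report in the default browser
    )

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    if (-not $proc.Path) {
        throw "Cannot read the executable path of PID $ProcessId (try an elevated prompt)"
    }

    $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $proc.Path).Hash
    $sha1   = (Get-FileHash -Algorithm SHA1   -LiteralPath $proc.Path).Hash

    # MHR lookup. No record means "not known bad", which is not the same as "clean".
    $answer = Resolve-DnsName -Name "$($sha1.ToLower()).malware.hash.cymru.com" -Type TXT `
                              -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'TXT' } | Select-Object -First 1
    $mhrHit = $null
    if ($answer -and $answer.Strings) {
        # TXT payload is "<unix timestamp> <percent of AV engines detecting>"
        $lastSeen, $percent = (($answer.Strings -join ' ').Trim()) -split '\s+'
        $mhrHit = [pscustomobject]@{
            LastSeen         = [DateTimeOffset]::FromUnixTimeSeconds([long]$lastSeen).UtcDateTime
            DetectionPercent = [int]$percent
        }
    }

    $vtUrl = "https://www.virustotal.com/gui/file/$($sha256.ToLower())"
    if ($OpenVirusTotal) { Start-Process $vtUrl }

    [pscustomobject]@{
        Name          = $proc.ProcessName
        Path          = $proc.Path
        SHA256        = $sha256
        MHR           = $mhrHit        # $null when the hash is not in the registry
        VirusTotalUrl = $vtUrl
    }
}

# Usage: take the PID from CrowdInspect or Task Manager, e.g. for PID 1234:
# Test-ProcessHash -ProcessId 1234 -OpenVirusTotal
```

Only the file's hash leaves the machine in the MHR lookup, so this check is safe to run on files you would not want uploaded to a third-party sandbox; opening the VirusTotal link likewise only looks up an existing report and uploads nothing. A file that is already in the registry or has a VirusTotal report is a known, widely seen sample; a freshly built or renamed executable with no record anywhere needs the other signs from the article (unexpected path, unexpected network connections) to judge it.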

You can download CrowdInspect for free from the official website https://www.crowdstrike.com/resources/community-tools/crowdinspect-tool/ (after clicking the download button, on the next page you will need to accept the license terms by clicking Accept to start the download).
