How to Find Hidden Processes on Windows with Process Explorer

Track down suspicious background processes consuming CPU or hiding from view, and use Kudu to help review what is running.

By the Kudu Team

Fix this automatically with Kudu

Run a free system scan to detect and resolve this issue automatically — no manual steps required.

Download Kudu Free →

What Causes This?

Hidden or suspicious processes on Windows usually come from software that starts in the background without being obvious in Task Manager. This can include legitimate apps, leftover services from uninstalled programs, malware, crypto miners, or tools that inject into other processes. In some cases, the process is not truly hidden—it is just running under a different user account, inside a service host, or buried under a parent process you would not normally inspect.

Common Symptoms

  • High CPU, RAM, disk, or network usage with no clear app open
  • Fans running loudly while the PC appears idle
  • Unknown process names or duplicate system-looking processes
  • Programs reopening after you close them
  • Security warnings, pop-ups, or browser slowdowns with no obvious cause

How to Fix It Manually

  1. Download and open Process Explorer

    • Go to Microsoft Sysinternals and download Process Explorer.
    • Extract the ZIP file.
    • Right-click procexp64.exe and choose Run as administrator.
    • If prompted by User Account Control, click Yes.
  2. Enable better process visibility

    • In Process Explorer, click Options > Verify Image Signatures.
    • Then click View > Select Columns.
    • Under Process Image, enable useful fields like Company Name, Verified Signer, Command Line, and Image Path.
    • Click OK. This makes suspicious entries easier to spot.
  3. Sort by resource usage

    • Click the CPU column to sort by processor usage.
    • Check processes using unusually high CPU when you are not doing anything.
    • You can also review Private Bytes or Working Set to find memory-heavy background tasks.
    • Look for odd names, blank publisher info, or processes running from unusual folders like AppData, Temp, or Downloads.
  4. Inspect the suspicious process

    • Double-click the process to open Properties.
    • Review the Image tab for the full file path and command line.
    • Check the TCP/IP tab to see if it is making unexpected network connections.
    • Check the Strings tab for clues about what the process belongs to.
    • If the signer is missing or the path looks wrong for a Windows process, treat it as suspicious.
  5. Check the parent-child process tree

    • Process Explorer shows which process launched another one.
    • Expand the tree and see whether the suspicious process started from explorer.exe, a browser, services.exe, or something unexpected.
    • Malware often hides by launching under a legitimate parent process or using a name similar to a real Windows file.
  6. Search the process online and scan the file

    • Right-click the process and choose Search Online.
    • Note the exact filename and location before trusting any result.
    • You can also right-click the process, choose Properties, copy the file path, and scan that file with Microsoft Defender:
      1. Open Windows Security
      2. Click Virus & threat protection
      3. Run a Custom scan on the folder containing the file
  7. Suspend or kill the process carefully

    • Right-click the process and choose Suspend first if you are unsure.
    • If the system remains stable and the process is clearly unwanted, right-click it and choose Kill Process or Kill Process Tree.
    • Do not kill core Windows processes unless you are certain what they are.
  8. Stop it from coming back

    • Open Task Manager with Ctrl+Shift+Esc and go to the Startup tab.
    • Disable unknown startup entries.
    • Then press Win+R, type msconfig, and review non-Microsoft services if needed.
    • If the process keeps returning, run a full antivirus scan and uninstall the related app from Settings > Apps > Installed apps.
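The checks from steps 2 to 5 can also be run across every process at once. The PowerShell below is an added example, not part of the original guide and not code from Kudu or Sysinternals. It is read-only and uses only built-in cmdlets; the list of system process names, the folder pattern and the variable names are assumptions chosen for illustration.

```powershell
# Added example: read-only triage of running processes. Run from an elevated prompt.
# Flags the signals the manual steps look for: missing or invalid signature, image
# path under AppData/Temp/Downloads, and a system-looking name outside System32.

$userWritable = '\\AppData\\|\\Temp\\|\\Downloads\\'   # folders named in step 3 (regex)
# Assumed sample of core process names; extend to suit your environment.
$systemNames  = 'svchost.exe', 'lsass.exe', 'services.exe', 'csrss.exe', 'winlogon.exe'
$systemDirs   = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$sigCache = @{}   # one signature check per distinct image path

$report = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    # Protected and kernel processes expose no path here; inspect those in Process Explorer.
    if (-not $path) { continue }

    if (-not $sigCache.ContainsKey($path)) {
        $sigCache[$path] = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
    }
    $sig = $sigCache[$path]

    $reasons = @()
    if (-not $sig -or $sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    if ($path -match $userWritable)            { $reasons += 'runs from user-writable folder' }
    if ($systemNames -contains $p.Name -and
        $systemDirs -notcontains (Split-Path $path -Parent)) {
        $reasons += 'system-looking name outside System32'
    }
    if (-not $reasons) { continue }

    # PIDs are reused, so a parent that has already exited may resolve to an unrelated process.
    $parent = $byPid[[int]$p.ParentProcessId]
    [pscustomobject]@{
        Name        = $p.Name
        PID         = $p.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
        Path        = $path
        Signer      = $sig.SignerCertificate.Subject
        CommandLine = $p.CommandLine
        Reasons     = $reasons -join '; '
    }
}

$report | Sort-Object Name | Format-List
```

Treat each flagged entry as a lead to inspect in Process Explorer, not a verdict: many legitimate per-user applications also run from AppData.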

Fix It Automatically with Kudu

Kudu can help review what is running on your PC, flag unnecessary background activity, and make it easier to spot software that should not be there. Instead of digging through every process manually, you can use Kudu to identify problem apps and clean up startup and system clutter faster.
