UVK Help - Process manager
This module can be accessed by pressing Process manager in the Home page.
The process list shows five columns:
The Executable path column shows the full path of the process executable file.
The Publisher column contains the corresponding publisher's name. Note that the publisher has not been verified yet.
The VirusTotal column shows the result of the VirusTotal analysis of the executable file. For more info, click here.
The CPU column shows per process and global processor usage. The global CPU usage is displayed in the column header. The CPU usage of each process is displayed in the respective process line.
The RAM column shows per process and global memory usage. The global RAM usage is displayed in the column header. Each process memory usage is displayed in the respective process line. Process manager shows the real amount of memory used by the process, not including the shared memory, equivalent to the Private working set column of the Windows 7's task manager.
The PID column shows the process identifier also known as PID.
The Name column shows the process file's name. This column may be useful to sort the list's items by name.
The Parent PID column shows the PID of the process that created this one.
You can sort the processes by column. To do so, just press the desired column header. The items will be sorted alphabetically, or numerically, in ascending/descending order. For instance, if you click the Publisher column header, the list will be sorted by the publisher name; if you click the RAM column, the list will be sorted by process memory usage.
The Window catcher helps you to identify a process using its window as reference. You drag it over the window of another program, to identify the process that created that window.
Click the Window catcher to pick it up and, while keeping the mouse button pressed, drag it over the window you want to identify.
The associated process will be automatically selected in the Process manager's list. Additionally, the selected window will be framed with a red line, and information about the process path and ID will be displayed in a semi-transparent banner over the window's title.
Once the associated process is selected, you can use the other Process manager features to kill the process, delete its executable file, get the VirusTotal report, etc.
This feature was created mainly to easily identify and delete rogue malware, but it can also be useful for other tasks that need window-to-process mapping, such as identifying other malware processes through their windows.
To list all the processes, uncheck Hide critical processes. To hide the critical processes, check the same box.
Critical processes are the processes that cannot be terminated without making the computer reboot.
Click the line corresponding to the process you want to manage. Right-click it to open the menu.
Alternatively, you can just press Ctrl+Enter to open the Process Properties dialog.
You can select several lines at once by holding the Ctrl key down while clicking the lines. When several lines are selected, the action you choose will be performed on the processes in all the selected lines.
Press Process Properties in the upper pane or in the menu (Ctrl+Enter), or double click the process line to get more information about the selected process.
A small window will pop up like the picture below, with several fields containing the process ID and name, the full path of the executable file, the command line used to run it, its description, digital signature, MD5 hash and file size.
Press the Go button in the Parent process line to view information about the parent process instead.
Press the Go button in the Image path line to open the process file location.
Press the Google button to perform a Google search using the file description as the keyword. To search using the file name as the keyword, use the right-click context menu in the process list.
Press the Go to services button to jump to the Service manager. In this case, the Service manager will display a special list containing only the services running through this process. This is useful to check if a process is running as a service, or to manage the services running in one of the svchost.exe processes.
Press the Go to modules button to jump to the Memory modules manager. In this case, the Memory modules manager will select and expand the tree branch corresponding to this process.
Press the VirusTotal MD5 report button to get a VirusTotal report of the selected file's MD5 hash.
Press the Pause process button if you wish to pause the selected process.
Press the Resume process button if you wish to resume the selected process. Usually this should be used for processes you have previously paused.
Press the File properties button to display the selected file's properties dialog.
You can get more information on the running files by clicking the buttons on the context menu, which we'll explain later on this page.
To kill a process without deleting the executable file press the Kill process menu or just press Del. You can also press Kill process and uncheck Kill all with this path on the upper pane, but make sure that Delete parent file when killing is unchecked too, or the executable file will be deleted!
To kill all the processes with the same path as the selected one, click the menu Kill all processes with this path or just press Shift+Del. You can also press Kill process on the upper pane, and check Kill all processes with this path but, again, make sure that Delete parent file when killing is unchecked or the file will be deleted!
To kill a process and delete the executable file, click the Kill process and delete file menu or press Ctrl+Del. Alternatively, you can check Delete parent file when killing and press Kill process in the upper pane.
Deleted files are moved to the recycle bin, so if you make a mistake, you can always restore them from there.
If UVK doesn't manage to delete a file immediately, the access to the file will be blocked, and it will be deleted on the next system reboot. A message box will prompt you to reboot immediately or manually later.
Before deleting a file, UVK always checks its digital signature, and if you're about to delete a file digitally signed by Microsoft, a message box will pop up as shown in the image below.
This security feature is intended to prevent deleting system files by mistake, so when you get this message, you should click No, unless you know exactly what you're doing.
This software was created to delete viruses, not system files, so, in a case like this one, if you press Yes, you do so at your own risk. We won't be responsible for what may happen to your computer.
Note: This feature is provided for convenience, and should be used with caution. While it may be very useful, for instance to remove an infected folder directly from the process manager, it can also cause damage if you remove a folder essential to the system. UVK will automatically check if the selected folder is a critical system directory, and in that case it will not allow you to remove it, but it is impossible to check every directory in your hard drive. Use this feature at your own risk.
This feature will move the parent directory of the selected process(es) to the recycle bin. Any processes whose executable files reside in the same directory or sub-directories of the selected process will be closed before deleting the folder.
To use this feature, right-click the desired process in the list and select Delete parent directory. If you are sure you want to delete the parent directory of the selected process, press Yes, in the confirmation message box.
You don't know what "Parent directory" means? Well let's say you select the C:\Program data\abcde\fgh.exe process. In that case the parent directory of this process is C:\Program data\abcde. If you delete a good folder by mistake, you can restore it from the recycle bin.
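The scope of Delete parent directory can be previewed from a process list before confirming. The sketch below is an added example, not UVK's own code: `RUNNING` is a constructed PID-to-path table, and `CRITICAL_DIRS` is an assumed stand-in for UVK's critical directory check, which the page does not detail.

```python
from pathlib import PureWindowsPath

# Assumption: a short list standing in for the critical directories UVK protects.
CRITICAL_DIRS = [PureWindowsPath(p) for p in
                 (r"C:\Windows", r"C:\Windows\System32", r"C:\Program Files")]

def parent_directory(exe_path: str) -> PureWindowsPath:
    """Folder that holds the executable, e.g. ...\\abcde for ...\\abcde\\fgh.exe."""
    return PureWindowsPath(exe_path).parent

def is_within(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    """True if path is the directory or lies below it.

    Compared component by component and case-insensitively, so a sibling such
    as ...\\abcdef is not mistaken for a child of ...\\abcde.
    """
    return path == directory or directory in path.parents

def deletion_scope(selected_exe: str, running: dict):
    """Return (folder, sorted PIDs that would be closed before it is removed)."""
    folder = parent_directory(selected_exe)
    # Refuse if the folder is a critical directory or contains one (e.g. C:\).
    if any(is_within(c, folder) for c in CRITICAL_DIRS):
        raise ValueError(f"refusing to delete critical directory {folder}")
    pids = sorted(pid for pid, exe in running.items()
                  if is_within(PureWindowsPath(exe), folder))
    return folder, pids

# Constructed sample: PID -> executable path.
RUNNING = {
    1204: r"C:\Program data\abcde\fgh.exe",         # the selected process
    1310: r"C:\PROGRAM DATA\ABCDE\sub\helper.exe",  # sub-directory, different case
    1422: r"C:\Program data\abcdef\other.exe",      # sibling folder, same prefix
    880:  r"C:\Windows\System32\svchost.exe",
}

if __name__ == "__main__":
    folder, pids = deletion_scope(RUNNING[1204], RUNNING)
    print(f"{folder} would be removed; processes closed first: {pids}")
```

A plain string prefix test would wrongly include PID 1422 here, which is why the comparison is done on path components.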
UVK allows you to kill all the non critical processes, to stop the malware activity or free resources. The processes are filtered by their paths, meaning that only the real critical system processes will be ignored.
To use this feature, click Kill all in the upper pane, or in the context menu. A dialog box will be displayed, similar to the one in the screenshot below:
Select the desired option in the left pane.
If you select Kill all non trusted processes, UVK will verify the digital signatures of the executable files of the processes to kill. If the signer is part of an internal trusted signers list, the process will not be killed. The list includes some trusted publishers like Microsoft, Google, Mozilla, Opera, Hewlett Packard, Acer, etc.
If you select Kill all non signed processes, then all processes whose executable files are not digitally signed will be killed.
If you select Kill all non system processes, then all processes whose executable files are not genuine system protected files will be killed.
If you select Kill all non critical processes, then all non critical processes will be killed. Critical processes are the ones that cannot be killed without making the system automatically reboot.
If you click Close/Cancel, the operation will be canceled, and no processes will be killed.
UVK will also ignore (not kill) the process names you specify in the text box placed in the right pane of the dialog box. Add the desired process names, one per line.
If you want to add process names that are currently running, press the Add... button. The text box will be replaced with a check mark list containing all the running process names, as shown in the picture below.
Tick the check boxes next to the process names you want to ignore, and press Add/Close.
After building your ignore list, you may want to save it for the next times you use this feature. To do so, press the Save button.
Press Kill processes if you want to start terminating the processes, or Close/Cancel if you just wanted to create your ignore list.
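To compare how much each Kill all option removes, the selection rules described above can be modelled on a sample process table. This is an added example, not UVK's code: the `Proc` fields, the `TRUSTED_SIGNERS` contents and the sample processes are constructed, and it assumes critical processes and ignore-list names are skipped under every option.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical stand-in for UVK's internal trusted signers list.
TRUSTED_SIGNERS = {"microsoft", "google", "mozilla"}

@dataclass
class Proc:
    name: str
    publisher: str             # unverified name, as in the Publisher column
    signer: Optional[str]      # verified signer, None if not validly signed
    system_file: bool = False  # genuine protected system file
    critical: bool = False     # killing it forces a reboot

def survives(p: Proc, mode: str, ignore: set) -> bool:
    """True if the process is left running under the given Kill all option."""
    if p.critical or p.name.lower() in ignore:
        return True            # skipped whatever the option (assumed)
    if mode == "non_trusted":
        return p.signer is not None and p.signer.lower() in TRUSTED_SIGNERS
    if mode == "non_signed":
        return p.signer is not None
    if mode == "non_system":
        return p.system_file
    if mode == "non_critical":
        return False
    raise ValueError(f"unknown option: {mode}")

def killed(procs, mode, ignore_names=()):
    """Names of the processes the option would terminate."""
    ignore = {n.lower() for n in ignore_names}
    return [p.name for p in procs if not survives(p, mode, ignore)]

# Constructed sample processes.
SAMPLE = [
    Proc("csrss.exe", "Microsoft", "Microsoft", system_file=True, critical=True),
    Proc("explorer.exe", "Microsoft", "Microsoft", system_file=True),
    Proc("firefox.exe", "Mozilla", "Mozilla"),
    Proc("backup.exe", "Example Soft", "Example Soft"),  # signed, signer not in list
    Proc("updater.exe", "Microsoft", None),              # publisher name only, no signature
]

if __name__ == "__main__":
    for mode in ("non_trusted", "non_signed", "non_system", "non_critical"):
        print(mode, killed(SAMPLE, mode, ignore_names=["firefox.exe"]))
```

The `updater.exe` row shows why the decision rests on the verified signer rather than the unverified Publisher name: it claims a trusted publisher but is removed by both signature-based options.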
To get more information about a process executable file, right-click the corresponding line.
A menu with several options will be displayed. We have already explained the first five options.
Pause selected process (Shift + P) or
Resume selected process (Shift + R):
These two menu items let you easily pause a process or resume a previously paused one.
Google file name (Ctrl+G):
Makes a quick Google search using the process's name.
Go to modules (Alt+M):
This option will jump to the Memory modules manager. In this case, the Memory modules manager will select and expand the tree branch corresponding to the first selected process.
Verify file signature (Alt + V): This option verifies the selected processes' executable files signatures, and displays the results in a dialog box.
Open file location (Ctrl+L)
This option will open an Explorer window on the path where the file is located and select it.
File properties (Ctrl+P)
Clicking this menu item will open the file properties dialog box, allowing you to get more information about the file.
Refresh now (F5): Manually update the list of processes.
VirusTotal report (Ctrl+M):
Get the VirusTotal report of the selected file(s).
Update VirusTotal results (Ctrl+U):
Update the results in the VirusTotal column.