Can processes hide from Process Explorer?

Hi everyone.

Recently I've noticed some rather odd behavior in Process Explorer. There are times when, for some reason, the CPU consumption of all running programs is blank (zero, I assume, because they are idle), but the system idle process is only consuming 99.80% or so of the CPU. On other occasions, a few programs will be using 0.2% or so of the CPU, but the system idle process is using 100% of the CPU on these occasions. 

I can't quite figure out what's going on, but it seems to be a problem that only shows up when certain programs are running, like Opera 10. I'm currently running Windows 7 RTM, too, x64.

Is this just a glitch in PE? Or is it something more sinister, like a program hiding from PE and doing a poor job of masking its CPU usage?

Hello, Carbonyl.

To answer the question asked in your thread title, "Can processes hide from Process Explorer?": Yes, processes can do so. From a technical point of view this will be feasible. And it is imaginable that some malware pieces have been written in such a way as to fool Process Explorer.

Yet, the mathematical inaccuracies which you notice inside Process Explorer will more likely be brought about by mathematical inaccuracies in Process Explorer itself than by malware manipulation.

If the sum of all cpu usages plus the system idle (pseudo) process were always below 100%, then this might be a hint that an invisible process were running. Yet, you also get a sum of 100.19%, so above 100%, which is nonsense. So I tend to assume the values presented by Process Explorer are not 100% correct all the time, because the update speed is 0.5 seconds or 1 second or whatever you configured. So the list which you see is not realtime and it may cover the time span defined by the Process Explorer update speed. (Go to View => Update Speed)

Kind regards,
SvenBomwollen

Edited by SvenBomwollen - 03 October 2009 at 12:39am

Thank you both for your input on this matter.

SvenBomwollen, I completely agree about the idea of >100% CPU being nonsense. Turning up the update speed did not resolve this issue, however. Strangely, PE lists appropriate values for all CPU consumption when Opera is not running, I've found. With Opera running, this problem occurs.

Ivan, your assessment seems to be that each update polled from the system should reveal a total 100% CPU. In your opinion does this mean that something not on the PE list must be using that remaining 0.2%?

Originally posted by Carbonyl Ivan, your assessment seems to be that each update polled from the system should reveal a total 100% CPU. In your opinion does this mean that something not on the PE list must be using that remaining 0.2%?

Well, not really. I wanted to emphasize that the sum of all the % of CPU used should be 100% in each update "cycle" (the snapshot of the system/CPU used at a specific time), I mean I just wanted to say that different Update Speed settings have nothing to do with PE showing more/less CPU used than 100% (or in other words, if it's set to 1 sec. it should be 100% in each update "cycle" and similarly if it's set to 10 secs. it should be 100%), so again, that this particular setting doesn't matter here.

Originally posted by Carbonyl SvenBomwollen, these CPU readings are in fact the only signs of potential infection. I've conducted numerous scans with A/V and antimalware software (three kinds), and found nothing, leading me to suspect that if this is an infection, it must be a rootkit. Unfortunately, rootkit revealer does not function on x64 Windows 7, so I'm left to speculate based on the information I can gather otherwise.

Well, I wouldn't worry so much if I would be in your place. I mean, it's only 0.2% of CPU and above all, as you mentioned, only when Opera is running. I would rather further investigate in that direction (i.e. what's happening with "opera.exe" process; use Process Monitor if necessary). And finally, since as you said, numerous scans with (three kinds of) A/V and antimalware software found nothing... Really, I wouldn't worry so much, probably it's just a small discrepancy in PE showing the percentage used at a time/intervals (when "snapshot" is taken, as specified by Update Speed).