Can processes hide from Process Explorer?

Originally posted by Carbonyl Below: Note that all processes are inactive, but the system idle process reads ~99.8%. The other ~0.2% of the CPU is unaccounted for. ... Below: Process Explorer is now active, but the system idle process reads 100.00%, meaning that the total CPU pool is now greater than 100%.

Well, I don't think that you explained the issue poorly, not at all... The screenshots only confirm what you've said in the first/initial post. Anyway, I have no explanation for this.

The only thing that my eyes caught (and which seems interesting) is that in the first screenshot (the capture of one "state") it is displayed 99.81% of CPU for "System Idle Process" (and no other process consuming the remaining %), while in the second screenshot (the capture of next "state" I assume) it's displayed 0.19% of CPU used by Process Explorer (and 100% for "System Idle Process").

I mean, the interesting thing to me is that 0.19% from the second screenshot is exactly the number which you get if you subtract 99.81% from 100%. So it looks like as if the second screenshot shows the "procxp64.exe" process's CPU usage that Process Explorer should display in the previous "update".

Originally posted by Carbonyl I remember seeing links to files that seemed to be stored locally (i.e. URL contained in the link seemed to point to file://255.255.255.255/etc/ when I hovered my mouse over it - the path was nonsense, pointing toward folders that don't exist on the machine. That same path was observed even on an OSX machine, where it made even less sense).

Yeah, I remember it too, though I remember it pointing to a file on local hard-disk (e.g. "file://C:/Program Files/etc/"), so that's why the path seemed nonsense to you because it was pointing toward folders on poster's hard-disk (and not yours), so that's why they (i.e. folders from that path) don't exist on your machine.

Originally posted by Carbonyl  Off topic aside to anyone who has viewed this page: A cursory google search of some of the names spewed in roshan's post indicate a link to malware (msohtmlclip items). Clicking his links is probably a bad idea - and I'm not sure if by viewing his message and this page that infection can be transmitted. Edited because the post in question was removed. Thank you very much to the moderator who took care of that, though I'm still not sure what it was!

Well, as far as I can tell (I actually remember that post from an e-mail message from Sysinternals Forums that I am getting), it was indeed a post with/containing a link to some malware.

Cheers, Ivan

Thanks for the heads up about Process Monitor, Ivan. I'd not seen that program, and it looks like once I learn how to use it, it'll help me get to the bottom of this.

As an aside, I hope someone can make sense out roshan's bizarre and suspicious post (XSS attempt?).

Edited by Carbonyl - 05 October 2009 at 5:02pm

Originally posted by Carbonyl SvenBomwollen, these CPU readings are in fact the only signs of potential infection. I've conducted numerous scans with A/V and antimalware software (three kinds), and found nothing, leading me to suspect that if this is an infection, it must be a rootkit. Unfortunately, rootkit revealer does not function on x64 Windows 7, so I'm left to speculate based on the information I can gather otherwise.

Well, I wouldn't worry so much if I would be in your place. I mean, it's only 0.2% of CPU and above all, as you mentioned, only when Opera is running. I would rather further investigate in that direction (i.e. what's happening with "opera.exe" process; use Process Monitor if necessary). And finally, since as you said, numerous scans with (three kinds of) A/V and antimalware software found nothing... Really, I wouldn't worry so much, probably it's just a small discrepancy in PE showing the percentage used at a time/intervals (when "snapshot" is taken, as specified by Update Speed).

Originally posted by Carbonyl Ivan, your assessment seems to be that each update polled from the system should reveal a total 100% CPU. In your opinion does this mean that something not on the PE list must be using that remaining 0.2%?

Well, not really. I wanted to emphasize that the sum of all the % of CPU used should be 100% in each update "cycle" (the snapshot of the system/CPU used at a specific time), I mean I just wanted to say that different Update Speed settings have nothing to do with PE showing more/less CPU used than 100% (or in other words, if it's set to 1 sec. it should be 100% in each update "cycle" and similarly if it's set to 10 secs. it should be 100%), so again, that this particular setting doesn't matter here.