HANDS-ON LAB

Lab: Windows Task Manager

Monitor Processes, Performance & Services for Security Analysis

Duration: 30-45 min
Difficulty: Beginner
Environment: Windows 10/11

Lab Objectives

After completing this lab, you will be able to:

Task 1: Opening Task Manager

There are multiple ways to open Task Manager in Windows. Security professionals should know all methods.

Method 1: Keyboard Shortcut (Fastest)

Ctrl + Shift + Esc

Method 2: Right-click Taskbar

Right-click on the Windows taskbar → Select "Task Manager"

Method 3: Ctrl+Alt+Delete Screen

Ctrl + Alt + Delete → Click "Task Manager"

This method works even when the system is unresponsive.

Method 4: Run Command

Win + R → taskmgr → Enter

SOC Tip: If a user reports their computer is slow or behaving strangely, walking them through Ctrl+Shift+Esc is the fastest way to start triaging.

[ ] I successfully opened Task Manager using at least two different methods

Task 2: Exploring the Processes Tab

The Processes tab shows all running applications and background processes with their resource usage.

Simulated Task Manager view (tabs: Processes, Performance, App history, Startup, Users, Details, Services)

Name                     CPU   Memory     Disk       Network
Chrome (12)              15%   2,145 MB   0.1 MB/s   2.5 Mbps
System                    2%     180 MB   0 MB/s     0 Mbps
svchost.exe (netsvcs)    45%     512 MB   50 MB/s    10 Mbps
Windows Explorer          1%      85 MB   0 MB/s     0 Mbps
Antimalware Service       3%     250 MB   0.5 MB/s   0 Mbps

Suspicious Indicator: In the simulation above, notice the svchost.exe with high CPU (45%), high disk (50 MB/s), AND high network (10 Mbps). This combination could indicate malware or data exfiltration.

Column Sorting

Click on any column header (CPU, Memory, Disk, Network) to sort processes by that metric. This helps identify resource hogs quickly.

Lab Question 1

On your own system, sort by CPU usage. What is the process currently using the most CPU?

[ ] I identified and sorted processes by CPU, Memory, Disk, and Network usage

Task 3: Performance Tab Analysis

The Performance tab provides real-time graphs of system resources, which is essential for identifying performance issues and potential cryptomining.

Key Metrics to Monitor

  • CPU: Sustained 100% usage may indicate cryptominer or malware
  • Memory: High usage with few apps open is suspicious
  • Disk: Constant 100% could be ransomware encrypting files
  • Ethernet/WiFi: Unexpected high usage = possible data exfiltration
  • GPU: High GPU usage without games = potential cryptominer

Navigate to the Performance tab on your system and observe the CPU graph for 30 seconds.

Pro Tip: Click "Open Resource Monitor" at the bottom of the Performance tab for even more detailed information about which processes are using each resource.
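The same three checks from Task 2 and Task 3 (sort processes by a resource, watch total CPU for 30 seconds, and see which processes hold network connections) can be scripted so the result is logged rather than eyeballed. The following is an added example written for this lab, not code from the lab page itself; the function names are my own, and it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10/11, run from an elevated prompt so that process paths and all TCP connections are visible. Note that Get-Process reports CPU as total processor seconds consumed, not the instantaneous percentage Task Manager shows, and that per-process network throughput is not exposed by Get-Process; established connections per owning process are the closest scripted stand-in for the Network column.

```powershell
# Added example for the lab (not from the lab page). Assumes Windows
# PowerShell 5.1+ on Windows 10/11, elevated. Function names are my own.

# Processes-tab equivalent: top N processes by CPU seconds or memory, with the
# executable path the GUI hides behind "Open file location".
function Get-TopProcess {
    param(
        [ValidateSet('CPU', 'Memory')] [string] $By = 'CPU',
        [int] $Top = 10
    )
    $sortProp = if ($By -eq 'CPU') { 'CPUSeconds' } else { 'MemoryMB' }
    Get-Process -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName,
            @{ Name = 'CPUSeconds'; Expression = { [math]::Round($_.CPU, 1) } },
            @{ Name = 'MemoryMB';   Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
            Path |
        Sort-Object -Property $sortProp -Descending |
        Select-Object -First $Top
}

# Performance-tab equivalent: sample total CPU once per second for $Seconds
# seconds and report whether it never dropped below $Threshold (the
# "sustained 100%" pattern the lab associates with cryptominers).
function Watch-CpuLoad {
    param([int] $Seconds = 30, [double] $Threshold = 90)
    $sets = Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                        -SampleInterval 1 -MaxSamples $Seconds
    $samples = @($sets.CounterSamples | ForEach-Object { [math]::Round($_.CookedValue, 1) })
    $below = @($samples | Where-Object { $_ -lt $Threshold })
    [pscustomobject]@{
        Seconds        = $Seconds
        Average        = [math]::Round(($samples | Measure-Object -Average).Average, 1)
        Minimum        = ($samples | Measure-Object -Minimum).Minimum
        SustainedAbove = ($samples.Count -gt 0) -and ($below.Count -eq 0)
    }
}

# Network stand-in: established TCP connections grouped by the owning PID, so a
# process such as the svchost.exe in the simulated view can be tied to its peers.
function Get-ProcessConnection {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess |
        ForEach-Object {
            $p = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID         = [int]$_.Name
                ProcessName = $p.ProcessName
                Connections = $_.Count
                RemoteHosts = ($_.Group | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
                               Sort-Object -Unique) -join ', '
            }
        } | Sort-Object -Property Connections -Descending
}

# Usage (run interactively):
Get-TopProcess -By CPU | Format-Table -AutoSize
Watch-CpuLoad -Seconds 30
Get-ProcessConnection | Format-Table -AutoSize
```

A high-CPU, high-network svchost.exe is not proof of anything by itself, because svchost hosts many legitimate Windows services; before acting on the indicator, identify which service the instance hosts (Details tab, right-click, "Go to services", or `tasklist /svc` from a command prompt) and compare its remote hosts from Get-ProcessConnection against what that service is expected to talk to.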

Lab Question 2

In the Performance tab, how much RAM is currently "In use" vs "Available" on your system?

[ ] I reviewed CPU, Memory, Disk, and Network graphs in the Performance tab

Task 4: Startup Programs Security Audit

Malware often adds itself to startup programs to maintain persistence. Regular auditing of startup items is a key security practice.

Navigate to the Startup Tab

This tab shows all programs that run automatically when you log in to Windows.

Red Flags in Startup:
  • Unknown publisher or "(Not measured)" startup impact
  • Misspelled names of legitimate programs (e.g., "Chorme" instead of "Chrome")
  • Programs with random-looking names (e.g., "a3x7k9.exe")
  • Programs running from unusual locations (Temp, AppData, Downloads)

Right-click Options

Right-click any startup item to see:

  • Disable: Prevent it from starting (doesn't delete)
  • Open file location: See where the executable lives
  • Search online: Research if it's legitimate
  • Properties: View file details and digital signature
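The Startup tab shows the publisher and lets you open the file location one item at a time. The following added example (written for this lab, not code from the lab page; function names and flag labels are my own) scripts the same audit: it enumerates autostart entries, resolves each command to its executable, checks the Authenticode signature that the Properties dialog would show, and applies two of the lab's red flags as heuristics, an executable living under Temp, AppData or Downloads, and a random-looking name such as a3x7k9.exe. It assumes Windows PowerShell 5.1+ on Windows 10/11; the Win32_StartupCommand class covers the HKLM/HKCU Run keys and the per-user and all-users Startup folders, and an elevated prompt is needed to read every user's entries.

```powershell
# Added example for the lab (not from the lab page). Assumes Windows
# PowerShell 5.1+ on Windows 10/11. Function names and flag labels are my own.

# Pull the executable path out of a startup command line such as
#   "C:\Program Files\App\app.exe" --tray   or   C:\Tools\app.exe /minimized
# and expand %VAR% references so the path can be tested on disk.
function Get-StartupExePath {
    param([string] $Command)
    $path = $null
    if     ($Command -match '^\s*"([^"]+)"')   { $path = $matches[1] }
    elseif ($Command -match '^\s*(\S+\.exe)')  { $path = $matches[1] }
    if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
    return $null
}

# Heuristic for "random-looking" names: count letter/digit transitions in the
# base name; a3x7k9 has five, office365 or 7zip only one.
function Test-RandomLookingName {
    param([string] $BaseName)
    $parts = $BaseName -split '(?<=\d)(?=[a-z])|(?<=[a-z])(?=\d)'
    return ($BaseName -match '^[a-z0-9]{6,}$') -and ($parts.Count -ge 4)
}

function Get-StartupAudit {
    # Locations the lab calls unusual homes for an autostart program.
    $suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                     (Join-Path $env:USERPROFILE 'Downloads')) | Where-Object { $_ }

    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $exe    = Get-StartupExePath -Command $_.Command
        $exists = $exe -and (Test-Path -LiteralPath $exe)
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        $flags  = @()

        if (-not $exists)                 { $flags += 'path-not-found' }
        elseif ($sig.Status -ne 'Valid')  { $flags += "signature-$($sig.Status)" }

        if ($exists -and @($suspectDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }).Count -gt 0) {
            $flags += 'unusual-location'
        }

        $base = if ($exe) { [IO.Path]::GetFileNameWithoutExtension($exe) } else { $_.Name }
        if (Test-RandomLookingName -BaseName $base) { $flags += 'random-looking-name' }

        [pscustomobject]@{
            Name      = $_.Name
            Location  = $_.Location      # Run key or Startup folder
            User      = $_.User
            Path      = $exe
            Publisher = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned/unknown)' }
            Flags     = ($flags -join ',')
        }
    }
}

# Usage (run interactively); review flagged rows first.
Get-StartupAudit | Sort-Object -Property Flags -Descending | Format-Table -AutoSize
```

Treat the flags as prompts for the "Search online" and "Properties" steps above, not as verdicts: several legitimate updaters install under AppData, and a missing signature on an old utility is common, but an unsigned binary with a random name under Temp is exactly the combination the lab's red-flag list describes.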

Lab Question 3

List 3 programs in your Startup tab. For each, note the Publisher and Startup impact.

[ ] I reviewed all startup programs and identified their publishers

Task 5: Details Tab: Deep Process Analysis

The Details tab provides the most comprehensive view of running processes, including Process ID (PID), which is critical for incident response.

Adding Useful Columns

Right-click the column header → Select columns → Add:

  • Command line: Shows full path and arguments
  • Image path name: Where the executable lives
  • PID: Process ID for correlation with logs
  • User name: Which account runs the process

SOC Investigation Tip: When investigating an alert, note the PID from Task Manager. You can correlate this with Windows Event Logs (Event ID 4688) to see when the process started and what parent process spawned it.

Right-click Investigation Options

Right-click a suspicious process:

  • Open file location: Navigate to the executable
  • End task: Terminate the process (use with caution)
  • Create dump file: Capture memory for forensic analysis
  • Go to services: See if it's tied to a service
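The columns the lab says to add in the Details tab, plus the Event ID 4688 correlation from the SOC Investigation Tip, can be pulled together in one place. The following is an added example written for this lab, not code from the lab page; the function names are my own. It assumes Windows PowerShell 5.1+ on Windows 10/11 from an elevated prompt (needed to read the Security log and other users' processes), and that the "Audit Process Creation" policy is enabled, since without it no 4688 events are written; the CommandLine field in the event is only populated when command-line auditing is also turned on.

```powershell
# Added example for the lab (not from the lab page). Assumes Windows
# PowerShell 5.1+ on Windows 10/11, elevated, with process-creation auditing
# enabled for the 4688 lookup. Function names are my own.

# Details-tab equivalent: PID, parent PID, user, image path and command line,
# one row per process. $Name accepts wildcards, e.g. explorer.exe or svchost*.
function Get-ProcessDetail {
    param([string] $Name = '*')
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -like $Name } |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                PID         = $_.ProcessId
                ParentPID   = $_.ParentProcessId
                Name        = $_.Name
                UserName    = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '(n/a)' }
                ImagePath   = $_.ExecutablePath
                CommandLine = $_.CommandLine
                Started     = $_.CreationDate
            }
        }
}

# Security-log correlation: find the 4688 event that recorded the creation of
# a given PID. The event stores NewProcessId as a hex string (e.g. 0x1a2c), so
# the PID from Task Manager is converted before comparing. Newest match first.
function Find-ProcessCreationEvent {
    param([Parameter(Mandatory)] [int] $ProcessId, [int] $MaxEvents = 5000)
    $hexPid = '0x{0:x}' -f $ProcessId
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            if ($fields['NewProcessId'] -eq $hexPid) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    NewProcessId  = $ProcessId
                    NewProcess    = $fields['NewProcessName']
                    ParentProcess = $fields['ParentProcessName']   # populated on Windows 10/11
                    CreatorPID    = [Convert]::ToInt32($fields['CreatorProcessId'], 16)
                    CommandLine   = $fields['CommandLine']          # empty unless command-line auditing is on
                    SubjectUser   = "$($fields['SubjectDomainName'])\$($fields['SubjectUserName'])"
                }
            }
        } | Select-Object -First 1
}

# Usage (run interactively): answers Lab Question 4, then looks up the same PID.
$explorer = Get-ProcessDetail -Name 'explorer.exe' | Select-Object -First 1
$explorer | Format-List
Find-ProcessCreationEvent -ProcessId $explorer.PID | Format-List
```

PIDs are reused after a process exits, so confirm that the TimeCreated of the 4688 event matches the Started value from Get-ProcessDetail before treating the event's parent and command line as belonging to the process you are looking at; with only the default log size, an event for a long-running process such as explorer.exe may already have rolled out of the Security log, in which case the function returns nothing.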

Lab Question 4

Find the "explorer.exe" process in the Details tab. What is its PID and User name?

[ ] I added Command line and Image path columns to the Details tab
[ ] I understand how to correlate PIDs with event logs for investigation