Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What Program Is this Window From?

Targeting the obscure.

Sonar
(Image: askleo.com)
Use Process Explorer to identify windows or message boxes that appear without any obvious indicator of what program they're from.
There’s a window on my screen, and I can’t tell what program it’s from. Is there a way?

Yes, and it’s useful about 90% of the time.

I’ll show you how and explain why getting the answer isn’t always helpful.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Where'd this window come from?

Process Explorer, from SysInternals Tools in the Microsoft store, has a tool that will identify the specific process responsible for displaying a window. Most of the time, dragging and dropping the Process Explorer target icon onto the window in question will tell you exactly what you need to know.

Process Explorer

The utility is Microsoft’s free Process Explorer. If you haven’t already done so, install the free SysInternals Tools from the Microsoft store. After you install SysInternals Tools, Process Explorer will appear on the Start menu.

It’s a utility I use so often that I have a shortcut to it on every Windows machine I run.

Once running, what I’ll call a “sonar” or “target” icon appears in its menu bar.

Target icon
(Screenshot: askleo.com)

Right-click and hold on that icon.

Now drag and drop that “target” icon on top of the window whose owner you’re trying to identify.

Process Explorer will highlight the process that owns that window in its list of running processes.

Highlighted Process
Process Explorer highlighting the program a window belongs to. (Screenshot: askleo.com)

That’s all it takes to determine what program running on your computer is responsible for displaying the window you’re interested in. Here’s an animation of the process.

Process Explorer Target Demo
Asking Process Explorer to identify a window. Click for larger version. (Screenshot/animation: askleo.com)

Not always helpful

For many running programs, Process Explorer can tell you exactly what you need to know. Admittedly, most programs are supposed to identify themselves in their title bars, so you shouldn’t need to jump through this hoop, but not all are obvious.

The problem is when you drop the target onto a window or message box and Process Explorer highlights svchost.exe.

Service Host

As we’ve discussed before, svchost.exe, or “Service Host“, is a general-purpose program Windows uses internally to run many different (and possibly unrelated) services. Knowing that a message or window is displayed by svchost.exe is interesting, perhaps, but it doesn’t tell you which service actually caused that message to appear.

Knowing that it’s svchost and using Process Explorer to at least identify the services being provided might be enough of a clue. If not, the next step would be to search the internet for any identifying text in the message or window that you’re trying to identify, along with the keyword “svchost”.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

11 comments on “What Program Is this Window From?”

  1. Hello,I have a friend that gets a strange(to me anyway) message.when she goes to certain websites the message starts saying ” if you are hearing this message your machine has been compromised with malware and a laundry list of other things.it then says please call this number(provided) to fix the problem.we called and it is a sales pitch to drop $120 to let someone access and ”fix” the machine.I don’t think so!not on my watch anyway.question is how do I get rid of this annoyance for her?she has MSE and Malwarebytes as well as Ccleaner.I suspect it could be a startup program but I admit I could be wrong.
    is there any help out there available so when next I go there Perhaps I can rid her machine of this con?
    Thanks ahead of time.
    M

    Reply
    • That’s a very common scam. If it happens occasionally, that can simply be a deceptive add on that website. Websites often don’t have much control over who advertises on their pages. If it happens regularly, then I’d suspect “foistware”, a form of adware or other malware that usually gets onto your system when you install some other software (though it can happen in other ways as well).

      To remove it I’ll start you here: http://askleo.com/how-do-i-remove-pups-foistware-drive-bys-toolbars-and-other-annoying-things-i-never-wanted/

      Reply
      • I was by her place and computer just yesterday when it happened again,IF I knew what to look for in programs it might be helpful as stated she has both MBAM and Ccleaner.I put revo on too so if I find or know what I’m looking for I can actually remove every bit of it. been using revo for years. pup’s I’m familiar with foistware no so much.I know to uncheck things but wonder if she does since I am the only one she will let touch her machine. she just uses email and often I suspect Facebook,I told her never click anything on it and doubt she has or will. so basically back to square one unless Leo does answer and yes I have used his search in upper right but to no avail.process explorer if I could find it does not seem an option unless I know what to look for. : (

        Reply
        • You could go through the trouble of blocking the site or root of the URL but it’s going to probably be phony, come up from multiple angles and you won’t know where exactly without some hard thinking or knowledge of how it works. Sometimes you can duplicate the exploit by going through the browsing list and you’ll find the trigger, sometimes you won’t. Can you either train your virus/malware scanner to recognized this type of exploit, are there updates that might cover the problem? Do you know how to submit it to the company that made it?

          The problem is going to be that some fairly legitimate sites could be inadvertently hosting bad code and not know it and some of these exploits are stored in the cache so just clearing it regularly helps and when you see these things take over you will need to shut them down (even though it will probably mean that IE with close and restart, leaving you to reopen some sites.

          But no, you have no virus to fix, never call that number or click and they’ll practically get you to give them remote control of your computer and maybe extort you for the full use of your computer.

          The GOOD part of this is that Task Manager will open up most of the time and you can close the offenders down in your running processes. the bad part is that you may just lose valuable date you were using. You can probably live with that somewhat. They may call then DRIVE-BY exploits but you will find them saved to your cache. If you know that going to a certain site seems to trigger the attacks, let the site owner/administrator know about it. If they don’t find it on their server it could be sneaking in with ads or a specific feature.

          REPORT the issue to admin(s) and if it recurs, what triggered can help if you see the need. For now they are just messages that lock the browser up..

          Reply
          • ah ha Thanks Steve ,task manager! or better put the one that got away.I’ll check into the next time there. and look up adw cleaner too to see what’s up there.

          • Have you tried formating, reinstalling apps and restoring files?
            When i find something that even remotely smells like malware, if i can’t fix it with basic tools in a couple of hours, i’ve found that’s ussually the fastest, easyiest and most effctive solution… unless you don’t have a backup.
            And stop going to that same website… no matter what av you have

  2. The animation used in this article is very good. It clearly shows what one has to do and what should happen.
    What tool did you use to create the animation?

    Reply
    • In my case: quicktime to capture the video, and then finalcut pro to generate the gif. I believe the same can be done on Windows using Camtasia.

      Reply
  3. and for the record I have no idea if MSE has the option to scan for exploints. I wish it gave up a URL so I could hunt it down. MBAM comes up empty as well.it is just plain screwy.

    Reply
  4. Barcillo question: Have you tried formating, reinstalling apps and restoring files? in a word NO as that would mean her losing ALL her data.pictures,email, et. al and she does and has not backed anything up but will give task manager and maybe adw a shot.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.