How to find source process of unknown popup in Windows 7

40

12

A random popup appears in Windows 7 titled "Information" with a progress bar and a clock. The window sometimes says "Please wait a moment...", and the progress bar moves very slowly and disappears.


I don't know the source of this popup. I tried to search for this popup on the Internet, and some people had this problem. It also has a question on Yahoo! Answers, but everyone said to scan for malware and viruses.

Is there any way to know the source process for this window/popup?

  • The task manager shows nothing about this window
  • The only tasks that are running are Google Chrome, etc.
  • Right-click and left-click do not work on this window or its title bar.

krgaurav

Posted 2015-02-23T20:51:47.673

Reputation: 511

Question was closed 2017-01-22T19:31:47.107

Since you accepted an answer, can you tell what process it was and if it was malicious? Thanks. – None – 2015-02-24T15:24:09.263

This quickly resembles the window that showed when you were mounting a drive using Daemon tools. – Ismael Miguel – 2015-02-24T15:43:40.617

It was not any malicious software but Zemana Antilogger Free. Reinstalling the software solved the issue (for now at least). – krgaurav – 2015-02-24T17:18:50.560

That looks like it was made with Delphi, using this tool for their exceptions: http://madshi.net/madExceptDescription.htm. This is the same tool we use for our exception handling where I work. If it was popping up randomly it means the program was getting bugs. – Sentient – 2015-02-25T19:41:10.853

Answers

80

You can identify the application by getting the Process Explorer tool from Microsoft Sysinternals.

At the toolbar, locate and use the following tool:

[image]

If you drag & drop it over the unknown window, its process will become highlighted in the list.

What you can do then is to right-click that process and select Check VirusTotal to see whether the image is valid and well-known.

You can also double-click the process to learn about its EXE path, parent process or the company that created it.

miroxlav

Posted 2015-02-23T20:51:47.673

Reputation: 9 376

Works usually. I managed to get one to say csrss.exe this way. – Joshua – 2015-02-23T22:25:40.533

@Joshua That is the process that started the command. Sometimes you find things like dllhost.exe /start c:/evil/file/here.exe or similar. The example given is just an example, but it happens a lot. The /start part is a mockup. When you see it in the task manager, it is simply a dllhost.exe process running. You need to see the full command. – Ismael Miguel – 2015-02-24T15:39:48.807

I'm pretty sure the arguments to the session of csrss.exe that is running the currently logged in session aren't of much use. – Joshua – 2015-02-24T17:38:05.710

Process Hacker can do this too, and is much more actively maintained. It has every feature of Process Explorer that I know of and then some (speaking as a long term Process Explorer user frustrated with lack of progress). – RomanSt – 2015-02-25T01:59:02.907
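
A scripted version of the lookup described in the answer and comments above, added here as an example and not part of the original thread: it enumerates visible top-level windows in Windows PowerShell, matches the title from the question, and reports the owning process with its path, parent and full command line. The class name `WindowOwner` and the variable `$TitlePattern` are names chosen for this example.

```powershell
# Added example: map a visible window title to its owning process.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
public static class WindowOwner {   // hypothetical helper class for this example
    delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int max);
    [DllImport("user32.dll")]
    static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);

    // Returns "pid<TAB>title" for every visible top-level window that has a title.
    public static List<string> Visible() {
        List<string> found = new List<string>();
        EnumWindows(delegate(IntPtr h, IntPtr l) {
            StringBuilder sb = new StringBuilder(512);
            if (IsWindowVisible(h) && GetWindowText(h, sb, sb.Capacity) > 0) {
                uint pid;
                GetWindowThreadProcessId(h, out pid);
                found.Add(pid + "\t" + sb);
            }
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return found;
    }
}
'@

$TitlePattern = 'Information'   # window title from the question; adjust as needed

foreach ($entry in [WindowOwner]::Visible()) {
    $procId, $title = $entry -split "`t", 2
    if ($title -notlike "*$TitlePattern*") { continue }
    # Win32_Process supplies the full command line that Task Manager hides by default.
    $p = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
    New-Object PSObject -Property @{
        Title       = $title
        ProcessId   = $procId
        Name        = $p.Name
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        ParentPID   = $p.ParentProcessId
    } | Format-List
}
```

Run it while the popup is on screen, preferably from an elevated prompt: without elevation, Path and CommandLine can come back empty for processes owned by other accounts.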