General Process Filtering Steps:

The most common manual technique using System Informer during screenshares is searching for specific strings within the memory of key processes. The general workflow is:

  1. Locate Target Process: Identify the process you want to analyze in the main process list (e.g., explorer.exe, javaw.exe, csrss.exe, svchost.exe associated with a specific service like DPS or PcaSvc).

  2. Open Properties: Right-click on the target process and select Properties.

  3. Navigate to Memory: In the Properties window, click on the Memory tab.

  4. Initiate String Search: Click the Strings button.

  5. Configure Search Options: A configuration window will appear. Set the following:

    • Minimum length: Set this to filter out very short, usually irrelevant strings. A value of 5 or 6 is commonly recommended. Setting it too low (e.g., 3) can produce excessive noise; setting it too high might miss shorter relevant strings. (Note: Older guides might mention 4, but 5 or 6 is often better with modern systems.)

    • Memory Types: Select which types of memory to scan. It's generally recommended to select Mapped and Private. The Image checkbox scans the executable's mapped image in memory; sometimes deselecting this can reduce noise from the base executable's static strings, but including it is safer initially to ensure nothing is missed.

    • Character Encoding: Ensure Extended Unicode (or similar UTF-16/wide character option) is checked to capture strings using non-ASCII characters.

    • Click OK.

  6. Apply Filters: The Strings window will open, displaying found strings. Click the Filter button (often looks like a funnel).

    • Choose the filter type:

      • Contains (case-insensitive): For simple keyword searches (e.g., searching for "autoclicker", ".jar", a known cheat name).

      • Regex (case-insensitive): For pattern-based searches using Regular Expressions (e.g., finding file paths with ^[A-Z]:\\.+\.exe$, or matching specific command formats).

    • Enter your search term or regex pattern in the text box and click OK/Apply.
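
To show what the options in steps 5 and 6 actually change, here is an added example (not part of System Informer or of the original guide) that runs a simplified string scan over a constructed byte buffer. The function names, the buffer contents and the restriction of wide strings to ASCII-range characters are assumptions made for illustration.

```python
import re

def extract_strings(buf: bytes, min_len: int = 5, wide: bool = True) -> list[str]:
    """Return printable runs of at least min_len characters found in buf."""
    n = str(min_len).encode()
    # Narrow strings: runs of printable ASCII bytes.
    found = [m.group().decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{" + n + rb",}", buf)]
    if wide:
        # Wide strings (simplified): ASCII-range characters stored as UTF-16LE,
        # i.e. each printable byte followed by 0x00.
        found += [m.group().decode("utf-16-le")
                  for m in re.finditer(rb"(?:[\x20-\x7e]\x00){" + n + rb",}", buf)]
    return found

def filter_strings(strings, term, regex=False):
    """Case-insensitive 'Contains' or 'Regex' filter over extracted strings."""
    if regex:
        pattern = re.compile(term, re.IGNORECASE)
        return [s for s in strings if pattern.search(s)]
    return [s for s in strings if term.lower() in s.lower()]

# Constructed sample buffer (not real process memory): short junk runs, a
# 4-character narrow string, a narrow command line and a wide file path.
WIDE_PATH = "C:\\Users\\player\\Downloads\\AutoClicker.exe"
SAMPLE = (b"\x01\x02abc\x03" + b"java\x04" + b"-jar client.jar\x05"
          + WIDE_PATH.encode("utf-16-le") + b"\x06\x07" + b"xyz\x08")

if __name__ == "__main__":
    # Lower minimum lengths add noise; higher ones drop short strings like "java".
    for min_len in (3, 4, 5):
        print(min_len, extract_strings(SAMPLE, min_len))
    hits = extract_strings(SAMPLE, 5)
    print(filter_strings(hits, "autoclicker"))
    print(filter_strings(hits, r"^[A-Z]:\\.+\.exe$", regex=True))
    # Without the wide-character option the path is never extracted.
    print(filter_strings(extract_strings(SAMPLE, 5, wide=False), "autoclicker"))
```
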

Important Note on User Interference: While the string search is running (especially on large processes like explorer.exe), do not allow the player to press the Escape (Esc) key. Pressing Esc can prematurely abort the filtering process, potentially causing you to miss crucial evidence. Clicking away to another window or sometimes holding the Ctrl key while the filter dialog is active can help mitigate accidental Esc presses by the user.
