Process Hacker

Process Hacker is a feature-packed tool for manipulating processes and services on your computer.

Key features of Process Hacker:

  • A simple, customizable tree view with highlighting showing you the processes running on your computer.
  • Detailed performance graphs.
  • A complete list of services and full control over them (start, stop, pause, resume and delete).
  • A list of network connections.
  • Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, …
  • Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allow it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).
  • Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU.
  • Easy DLL injection and unloading - simply right-click a process and select “Inject DLL” to inject and right-click a module and select “Unload” to unload!
  • Many more features…

System Requirements

  • .NET Framework 2.0
  • Microsoft Windows XP SP2 or above, 32-bit

Looks like a cool tool. Especially being able to see things that get hidden by rootkits makes it very valuable.

I installed it on Win 7 beta and it blue screened when starting the application. It generated error 0x000000F7 for spsys.sys.

Windows 7 support is experimental. Did you get it to work on XP or Vista?

Do you have UAC enabled on Windows 7? If it is, did Process Hacker BSOD your machine the first time it ran under a limited user? Could you reproduce the BSOD and send me the crash dump?

What’s the difference with Process Explorer or Process Monitor from Sysinternals?

No offense but looking at the features, it looks like a clone to me (minus the portability since it needs .NET)?

Why should I use Process Hacker? Why not Process Explorer or some other program? Process Hacker offers some pretty unique features, like an awesome run-as tool and the ability to protect and unprotect processes. Process Explorer is (now) owned by Microsoft, and they obviously don't want to provide a tool which lets users bypass their own Digital Restrictions Management.

Source: FAQ - Process Hacker

Maybe if you could provide an example I could understand better. Thanks.

Process Hacker was directly inspired by Process Explorer - that’s why it looks so similar. You could say it’s a clone, except with many more features :). For example, it can find and terminate hidden processes. It can terminate all processes, including ones protected by rootkits and even CIS (someone recently posted about it here in the vulnerability research section). Maybe if you try it out you’ll find out what the features are… ?

I have just installed it on XP SP3 1 min ago.

It can terminate all processes, including ones protected by rootkits and even CIS (someone recently posted about it here in the vulnerability research section)

Right, I have read the thread. I will need a refresh since I can’t recall if it killed the GUI or the service? OOB I have noticed that when you pause a process, there is no indication (color change) that the process has been paused; otherwise, yes, the functions and the GUI experience are improved compared to Process Explorer. I will give it a deeper look. I am usually very supportive of open-source projects. What’s the schedule for Vista 32/64?

an awesome run-as tool and the ability to protect and unprotect processes. Process Explorer is (now) owned by Microsoft, and they obviously don't want to provide a tool which lets users bypass their own Digital Restrictions Management.

I still don’t understand the above quote. Could you give me an example of a process you need to run-as to bypass DRM. For me DRM is audio/video related and run-as implies non administrative rights.

PS: if you’d rather provide information directly on SourceForge, just let me know and I will log in to ask my questions. Thanks

wj32, I see that Process Hacker can also protect processes from being manipulated by other programs. But I remember, in that thread about Process Hacker in Leak Testing/Attacks/Vulnerability Research forum you said that it is next to impossible to cuff any code loaded at the kernel level from doing what it wants. Then shouldn’t Process Hacker’s protection be bypassed if a kernel level program attempts to tamper with a program protected by it?

With .NET we have strict performance limitations. Even looping through the threads of each process to find out if the process is suspended will cause the CPU usage to be unacceptably high (i.e. around 0.5% more). Process Hacker runs on Vista 32-bit. 64-bit is coming - another developer just joined who is in the process of porting it to 64-bit.

EDIT: Process Hacker kills both the GUI and the service. Contrary to what panic posted (or at least implied), they are protected in the same way and can be terminated easily (with PH).

I’ll just give a brief intro to so-called “protected processes” on Vista. Because of pressures from Hollywood and Big Content, Microsoft decided to implement a mechanism on Vista where certain processes could be marked as protected. For example, try viewing information for audiodg.exe in Process Explorer; you won’t get much. If a process is protected, other processes can only get basic information about it and terminate it. They cannot do anything else, including reading/writing memory or injecting code. This is to prevent people from hacking into audiodg.exe and “stealing” Big Content’s precious media.

Process Hacker allows you to toggle the protected status of processes. That’s it.
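As an added example (not from this thread or from Process Hacker), the access behaviour wj32 describes can be checked from PowerShell: a protected process still grants a limited query handle but refuses PROCESS_VM_READ. It assumes you run it elevated, so that an ordinary access-denied from a foreign user's process is not mistaken for protection.

```powershell
# Added example, not Process Hacker code: probe each process with two access masks
# and flag the ones that behave like Vista "protected processes".
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
Add-Type -MemberDefinition $sig -Name NativeMethods -Namespace Probe

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # allowed even on protected processes
$PROCESS_VM_READ                   = 0x0010   # refused on protected processes
$ERROR_ACCESS_DENIED               = 5

# Returns 0 when OpenProcess succeeds, otherwise the Win32 error code.
function Test-ProcessAccess {
    param([int]$ProcessId, [uint32]$Access)
    $h = [Probe.NativeMethods]::OpenProcess($Access, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        return [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    }
    [void][Probe.NativeMethods]::CloseHandle($h)
    return 0
}

Get-Process | ForEach-Object {
    $limited = Test-ProcessAccess -ProcessId $_.Id -Access $PROCESS_QUERY_LIMITED_INFORMATION
    $vmRead  = Test-ProcessAccess -ProcessId $_.Id -Access $PROCESS_VM_READ
    # Limited query succeeds but memory read is denied even to an administrator:
    # the pattern of a protected process such as audiodg.exe on Vista.
    if ($limited -eq 0 -and $vmRead -eq $ERROR_ACCESS_DENIED) {
        [pscustomobject]@{
            Pid  = $_.Id
            Name = $_.ProcessName
            Note = 'limited query ok, PROCESS_VM_READ denied (likely protected)'
        }
    }
}
```

Processes that deny both masks are usually just running under another account or are system processes whose DACL excludes you, not protected processes; only the "limited ok, VM read denied" pattern points at the Vista protection.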

Thanks to wj32 for the explanation of the protected processes

Version is available:

Changelog:
  • NEW/IMPROVED:
    • KProcessHacker can now perform process memory reading/writing by itself and does not require MmCopyVirtualMemory
    • KProcessHacker can now bypass all handle-opening protections
    • Experimental process protection feature
    • Ability to set handle flags such as protect-from-close and inherit
    • Better highlighting
    • Terminator test: TD1 (debugs a process and closes the debug object)
    • Terminator test: TT3 (TT1 is now completely user-mode)
    • Shows function file and line numbers where available
    • Icon updating is now done on the shared thread to avoid the GUI blocking when explorer.exe is suspended or is hanging
  • FIXED:
    • #2785648 - “cursor down crashes PH”
    • #2790404 - “System.InvalidOperationException”
    • Incomplete or inaccurate thread call stacks
    • Windows 7 BSOD
    • Crash upon executing terminator test M1
    • Unexpected actions being performed when a key was pressed in
      the memory and handle lists
    • Changed I/O tray icon tooltip from ROW to RWO
    • Corrupted usernames
    • .NET processes getting recognized as packed
    • Start times like “20 centuries ago”
    • Unable to change service configurations
    • “Access denied” when changing DEP status or unloading a module
      on Windows XP

I installed it on Win 7 RC (7100) and it gave a blue screen as soon as I started up the application. It was 0X50, PAGE_FAULT_IN_NONPAGED_AREA with notification of kprocesshacker.sys.

Find attached the minidump.


Hi Eric,

Windows 7 support is experimental. You could try reporting the bug here:

Click on “Add new”, fill in the form and upload the minidump. :)

Well, Windows 7 is a moving target - it hasn’t even been released yet. PH’s driver relies on so many undocumented aspects of the kernel, and it’s very hard to fix BSODs when MS keeps on changing the Windows 7 kernel. I’ll make sure PH works perfectly on Windows 7 when it comes out, though.

For the meantime, you can disable the driver by running PH as a limited user (or did you turn UAC off?) and deselecting “Enable kernel-mode driver” in Options > Advanced.

Version that should be fixed (MAY still BSOD, please give feedback):

I installed and started up the app and another BSOD here on Win 7 RC. It was 0XF7 regarding srv2.sys.

You can use the download link of the PM I sent for the previous error for the new minidump plus system files.

Thanks for all the invaluable testing - I’ve added you to the About box :) Here’s a new version:

It has the same version number? It is a different version though?

Once it won’t crash on me I will be able to check the About box to see my name… ;)

Yes, it’s a new version. It should be fixed now… have you tried it?

I just tried it and another blue screen occurred on start up. It was 0XF7 with no name or file mentioned. In the general story it started with “a driver has overrun a stack based buffer”.

You can use the same link from my PM again to download the minidump plus system files.