Process Hacker
Introduction
Process Hacker is a tool to view and manipulate processes and services. It can display process' threads,
modules, memory regions and handles, search through process memory, and read/write memory using
a built-in hex editor.
System Requirements
- Microsoft Windows XP SP2, Vista or 7 (Windows XP SP3 and Windows Vista SP1 required for certain features)
- .NET Framework 2.0
Configuration Files
On Windows Vista, the configuration files for Process Hacker are stored in AppData\Local\wj32.
On Windows XP, they are stored in Local Settings\Application Data\wj32.
Options
Process Hacker's options are accessible from the Options menu item
in the Hacker menu.
General
- Update Interval
- The amount of time in milliseconds between each update, i.e., how often
Process Hacker looks for new, modified or removed processes, services and other objects.
- Processes in icon menu
- The number of processes to display in the notification icon menu.
- Search Engine
- This is used by the Search Online... menu item in the process and module
context menus. %s is replaced by the name of the selected process or module.
- Require Signatures
- If Verify signatures and perform additional checks is enabled, this
specifies the processes that must have a valid signature. Processes whose name
is listed in this field and which do not have a valid signature will be highlighted
as a Packed/Dangerous Process (see Highlighting options).
- Max. Size Unit
- Specifies the maximum unit of size; sizes which can be displayed as 1024 or less in a
smaller unit will be displayed in that smaller unit, while sizes requiring a larger unit will
use units up to the maximum unit specified here.
- Hide when minimized
- If enabled, Process Hacker will automatically hide itself when it is minimized. You
can double-click on the notification icon to show Process Hacker.
- Hide when closed
- If enabled, Process Hacker will automatically hide itself when it is closed. You
can double-click on the notification icon to show Process Hacker.
- Start hidden
- If enabled, Process Hacker will start hidden. You can double-click on the notification
icon to show Process Hacker.
- Allow only one instance
- If enabled, Process Hacker will allow only one instance of itself. Any attempts to start
a new instance will show the existing instance.
- Float child windows
- If enabled, child windows such as process properties and the memory editor will float
above the main Process Hacker window.
- Scroll down the process tree at startup
- If enabled, Process Hacker will scroll down the process tree to the first instance of
explorer.exe running as the current user at startup.
- Show user/group domains
- If enabled, Process Hacker will show the domain of users and groups:
user would be shown as machine-name\user.
Advanced
- Enable kernel-mode driver
- Some handles cannot be displayed by a user-mode program like Process Hacker; this
option enables KProcessHacker, a kernel-mode driver which allows Process Hacker
to display all handles and bypass rootkits/security software. If enabled, the driver
is loaded the next time Process Hacker is started.
- Enable experimental features
- Enables experimental features such as process protection.
- Verify signatures and perform additional checks
- This option affects newly created processes, and controls whether Process Hacker will
attempt to verify the digital signatures of processes and detect packed images.
- Replace Task Manager with Process Hacker
- If enabled, any attempt to start Task Manager will start Process Hacker instead.
- Warn about potentially dangerous actions
- If enabled, Process Hacker will warn about certain actions to system processes.
- Hide handles with no name
- If enabled, unnamed handles will be hidden by default. This can be changed in each
process properties window.
- Hide Process Hacker network connections
- If enabled, network connections made by Process Hacker will be hidden in the network
connections list.
- Max. Sample History
- Specifies the maximum number of performance-related samples to be retained. This includes
CPU, I/O and memory usage data for the system and all processes.
Highlighting
- Highlighting Duration
- This specifies the amount of time for which new and removed objects (processes, threads and services)
are highlighted in a different color.
- New Objects
- New processes, services, threads, modules, memory regions, and handles.
- Removed Objects
- Terminated/deleted processes, services, threads, modules, memory regions and
handles.
- Own Processes
- Processes running under the same user account as Process Hacker.
- System Processes
- Processes running under the SYSTEM user account.
- Service Processes
- Processes hosting one or more services.
- Debugged Processes
- Processes currently being debugged.
- Elevated Processes
- Processes running with full privileges on a computer with
User Account Control (UAC) enabled.
- Job Processes
- Processes associated with a job object.
- .NET Processes and DLLs
- Managed (.NET) processes and DLLs/modules.
- POSIX Processes
- POSIX subsystem processes (also known as Subsystem for UNIX-based Applications).
- Packed/Dangerous Processes
- Packed images and images with invalid signatures. These processes
are often, but not always, malicious: legitimate executables are also commonly packed
to reduce their size.
- Suspended Threads
- Threads which have been suspended.
- GUI Threads
- Threads which have made at least one GUI-related system call.
- Relocated DLLs
- DLLs which were not loaded at their preferred base address.
- Protected Handles
- Handles which are protected from being closed.
- Inherit Handles
- Handles which will be inherited by child processes.
Plotting
- Use Anti-aliasing
- If enabled, Process Hacker will draw graphs with anti-aliasing. This usually
consumes considerably more system resources than normal drawing.
- Step
- This option controls the distance in pixels between each data point.
Symbols
- Dbghelp.dll path
- Select the path to the most recent version of dbghelp.dll you have
installed on your computer. If you do not have the latest version, go to
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
and
download Debugging Tools for Windows.
- Search path
- Type in a symbol server path. Most users will want to use the following:
SRV*C:\Users\USERNAME\Symbols*http://msdl.microsoft.com/download/symbols
This will have any needed symbols downloaded from Microsoft's symbol server to
the specified directory (C:\Users\USERNAME\Symbols in the example above; replace
USERNAME with your own account name).
- Undecorate symbols
- If enabled, C++ symbol names will be undecorated (unmangled). This is most
useful for methods with complex signatures.
Process Hacker supports the input of numbers in various bases (including some non-standard
extensions). This is allowed in: Get Function Address, Change Memory Protection, the Go To
box in Read/Write Memory, and the insertion of numbers through the Utilities
button.
A number is assumed to be in base 10 unless:
- It starts with 0 (zero) - octal (base 8)
- It starts with 0x - hexadecimal (base 16)
- It starts with b - binary (base 2)
- It starts with t - ternary (base 3)
- It starts with q - quaternary (base 4)
- It starts with w - base 12
- It starts with r - base 32
Process Tree
The process tree displays processes running on the system as a tree; processes started by a
particular parent process are shown indented below it. Processes whose parent no longer exists
(because it has terminated) are shown at the far left. You can manipulate processes by
right-clicking on them, and you can show detailed properties for a process by double-clicking
it or selecting the "Properties..." menu item.
You can sort by the various columns by clicking on them - the tree view will temporarily
become a flat list. You can click the same column again to sort in the reverse order, and
once more to return to the tree view.
Like Process Explorer, Process Hacker shows Deferred Procedure Calls (DPCs) and Interrupts
in the process tree. The only information these "processes" show is their CPU usage.
Context Menu
Warning: Manipulating csrss.exe, dwm.exe, lsass.exe, lsm.exe, smss.exe,
winlogon.exe or any other system processes is not recommended and may lead to system instability or
a crash.
- Terminate Process(es)
- Terminates the selected process(es). If KProcessHacker is enabled, Process Hacker
will, except under extraordinary circumstances, be able to terminate any process,
including ones protected by rootkits or security software.
- Terminate Process Tree
- Terminates the selected process and its descendants.
- Suspend Process(es)
- Suspends the selected process(es). If KProcessHacker is enabled and running on
Windows Vista, Process Hacker will be able to suspend any process, including ones
protected by rootkits or security software.
- Resume Process(es)
- Resumes the selected process(es). If KProcessHacker is enabled and running on
Windows Vista, Process Hacker will be able to resume any process, including ones
protected by rootkits or security software.
- Restart
- Restarts the selected process with the same command line arguments and working
directory.
- Reduce Working Set
- Empties the selected process(es)' working set(s).
This is a safe function; the process will eventually reclaim most of its working set.
- Virtualization
- Allows you to enable or disable virtualization for the selected process, if allowed.
- Affinity...
- Allows you to view and modify the process' CPU affinity (the CPUs on which it is allowed
to run).
- Create Dump File...
- Allows you to create a crash dump file for the process. This operation does not actually
cause the process to crash or terminate.
- Terminator...
- A tool which tries to terminate the selected process using many different techniques.
- Detach from Debugger
- Detaches the process from any debugger. This will cause any attached debuggers to stop working.
- Heaps...
- Shows the heaps created by the process. Note that this action causes a temporary thread
to be created in the process and should be used with caution.
- Inject DLL...
- Allows you to select a DLL file (or any other PE image) that will be injected into
the selected process. This option is only available for processes running in the same
session as Process Hacker (usually processes in the same user account).
- Priority
- Sets the process's priority - Real Time, High, Above Normal, Normal, Below Normal, Idle.
This option is not available when multiple processes are selected.
- Run As
- These tools require Assistant.exe (distributed with Process Hacker) to be in the same directory
as ProcessHacker.exe.
Launch As User... - This allows you to run the selected process as another user.
Launch As This User... - This allows you to run a program under the selected process' user. This
is useful when you want to start a program as another user but you do not have that user's password.
- Search Online...
- Opens the default web browser with the search engine specified in Process Hacker's options.
- Re-analyze
- Re-examines the process to determine if it is signed, packed, or a .NET process.
- Select All
- Selects all items in the list.
Terminator tests
- TP1
- Terminates the process using the NtTerminateProcess function.
- TP2
- Uses the RtlCreateUserThread function to create a thread in the process which calls
ExitProcess, terminating the process. On Vista and above, the thread calls
RtlExitUserProcess.
- TT1
- Terminates the process' threads by using the NtTerminateThread function.
- TT2
- Sets the contexts of the process' threads to point to the ExitProcess function. The
process will be terminated when one of the threads is next context-switched to.
- TP1a
- (Vista only.) Uses NtGetNextProcess to open a handle to the process and terminate it
using NtTerminateProcess.
- TT1a
- (Vista only.) Uses NtGetNextThread to open a handle to each of the process' threads and
terminates them using NtTerminateThread.
- CH1
- Uses NtDuplicateObject to close the process' handles. This method works best for
complex programs.
- TJ1
- Creates a job, assigns the process to it, and terminates the job, terminating the process.
- TD1
- Creates a debug object, assigns the process to it, and closes the debug object,
terminating the process.
- TP3
- Uses the internal kernel-mode function PsTerminateProcess to terminate the process.
- TT3
- Uses the internal kernel-mode function PspTerminateThreadByPointer to terminate the process'
threads.
- TT4
- Queues a kernel-mode special asynchronous procedure call (APC) to each of the process' threads.
This APC calls PspTerminateThreadByPointer to terminate the thread directly. This method will
terminate threads hanging due to kernel-mode code, but the system may crash or freeze because
kernel-mode code is not given the chance to release any resources. Use this option with
extreme caution.
- M1
- Uses WriteProcessMemory to write random data to the process' memory, crashing the process.
- M2
- Uses VirtualProtectEx to prevent the process' pages from being used, crashing the process.
Process Properties
- General
- Displays basic information about the process and its image file. You can also view the
process' PEB contents, view/change its DEP status (requires Windows XP SP3 or higher, and
changing DEP status uses remote thread injection), and protect/unprotect it (requires
Windows Vista).
- Statistics
- Displays statistics and performance information.
- Performance
- Displays three graphs relating to the process' performance - CPU Usage,
Memory Usage, and I/O activity. You can hover your mouse over the graphs to view details.
- Threads
- Displays the process' threads, including their symbolic start addresses. You can click on
a thread to view more information, or double-click a thread to view its call stack.
- Token
- Displays the process' primary token. On Windows Vista with UAC enabled, you can also
click on the Linked Token... button to view the token linked to the process' token (the
elevated or filtered counterpart of a UAC split token). You can also enable and disable privileges.
- Modules
- Displays the modules loaded by the process. Right-click a module for more options.
- Memory
- Displays the process' virtual memory regions. Double-click a memory region to
read/write its contents, and right-click a memory region to perform other actions. You can
also search memory using the search button (see below).
- Environment
- Displays the process' environment variables.
- Handles
- Displays the process' handles - resources it has opened. You can right-click a handle and
close it.
- Services
- Displays services that are registered in the process.
Searching Memory
Process Hacker supports searching using a literal string or regular expressions. To
perform a search, open a Properties window for a process, select the Memory
tab and select an option in the search button. A window will appear in which you can
enter the data to search for. You can also control the types of memory regions to search.
- Literal Search
- Allows you to enter a sequence of bytes to search for.
- Regex Search
- Allows you to search using regular expressions.
- String Scan
- Scans for strings inside the process' memory.
- Heap Scan
- Displays a list of heap blocks.
- Struct Search
- Allows you to search for addresses which match the selected struct.
In the Literal tab, there is a small button in the bottom-right
which allows you to insert data in various formats.
- Insert Number
- This allows you to insert numbers in various formats - 8- to 64-bit, little or big endian.
- Insert String
- Similarly, this allows you to insert strings in various encodings - ASCII, UTF-8 to UTF-32.
If a multiline item is selected, the prompt box will have a multiline textbox.
In the search results list, double-clicking an item will open the Memory Editor with
the search result highlighted.
Sample Regex Searches
All of these samples must have Ignore Case selected.
A valid filesystem character is [ a-z0-9`~';!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}]
- Email address
[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.(au|biz|ca|com|info|net|org|uk|zh)
- Path name
[A-Z]:\\([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}]*\\)*([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}]*)(\\)*
- Executable file
([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}])+\.(bat|com|dll|exe)
- URL
(file|ftp|http):///*[a-z0-9%\/ .\-_:\(\)\[\]]+
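The four sample expressions above, run over a constructed byte buffer standing in for a process memory region. This is an added Python example, not code from the Process Hacker page or project; the region contents, its base address and the `find_utf16_strings` helper are invented for illustration. The helper is included because Windows process memory holds many UTF-16LE strings, and an ASCII regex such as the ones above will not match them; the constructed region contains one such string to show this.

```python
import re

# Added example: the page's four sample regexes applied to a constructed
# memory region. Not Process Hacker's own code; the region, its base address
# and the UTF-16 helper are invented for illustration.

# The sample expressions from the page, as bytes patterns (memory is bytes).
PH_SAMPLE_REGEXES = {
    "email": rb"[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.(au|biz|ca|com|info|net|org|uk|zh)",
    "path": rb"[A-Z]:\\([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}]*\\)*([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}]*)(\\)*",
    "executable": rb"([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}])+\.(bat|com|dll|exe)",
    "url": rb"(file|ftp|http):///*[a-z0-9%\/ .\-_:\(\)\[\]]+",
}

REGION_BASE = 0x00400000  # constructed base address of the sample region
SAMPLE_REGION = (          # constructed contents; not a real memory dump
    b"\x00" * 16
    + b"C:\\Program Files\\Example App\\app.exe\x00"
    + b"\x90" * 8
    + b"http://example.com/update?v=2\x00"
    + b"admin@example.com\x00"
    + b"MALWARE.DLL\x00"
    + b"ftp://files.example.org/pub/\x00"
    + b"\xff" * 4
    + "C:\\Windows\\notepad.exe".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE string
)


def scan_region(region: bytes, base: int, patterns=PH_SAMPLE_REGEXES):
    """Run each pattern with Ignore Case, as the page requires, and return
    {name: [(address, matched_bytes), ...]} with offsets rebased to `base`."""
    hits = {}
    for name, pattern in patterns.items():
        rx = re.compile(pattern, re.IGNORECASE)
        hits[name] = [(base + m.start(), m.group(0)) for m in rx.finditer(region)]
    return hits


def find_utf16_strings(region: bytes, base: int, min_chars: int = 6):
    """Find runs of printable UTF-16LE characters, which an ASCII regex cannot see."""
    rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(base + m.start(), m.group(0).decode("utf-16-le")) for m in rx.finditer(region)]


if __name__ == "__main__":
    for name, matches in scan_region(SAMPLE_REGION, REGION_BASE).items():
        for address, data in matches:
            print(f"{name:10s} 0x{address:08x} {data!r}")
    for address, text in find_utf16_strings(SAMPLE_REGION, REGION_BASE):
        print(f"{'utf16':10s} 0x{address:08x} {text!r}")
```

Running it shows two things worth knowing before trusting a hit list: the Executable file pattern also matches admin@example.com and the example.com inside the URL, because .com is both a TLD and an extension, and the URL pattern stops at the ? because that character is not in its class. The UTF-16 path is invisible to all four expressions and is only found by the UTF-16 scan.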
Results Window
The Results Window is displayed when searching for data, scanning for strings or
scanning for heaps. There are five buttons at the top of the window:
- Refresh
- This performs the search again.
- Edit Search
- This allows you to edit the search type and data associated with the Results Window.
- Filter
- This allows you to filter the search results, creating a new Results Window containing
the matching items. To filter using a numerical relation, enter the relation (for example,
>= for greater than or equal to) followed by the number. If the filter >=10 is applied
to the Length column, all items with a length greater than or equal to 10 will be displayed.
- Intersect
- This allows you to select another Results Window. It then creates a third Results Window
in which the search results present in both Results Windows are displayed. This allows you
to filter search results.
- Save...
- This allows you to save the search results to a text file.
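The Filter and Intersect operations described above, as an added Python example (not Process Hacker's own code). The result rows, the column names, the set of relations accepted and the treatment of a non-numeric filter as a substring match are assumptions; the page only documents the relation-followed-by-number form and the Length example.

```python
import operator
import re

# Added example (not Process Hacker's own code): the Results Window filter
# syntax, "<relation><number>" applied to one column, plus Intersect, which
# keeps the results present in two windows. Rows, columns, the operator set
# and substring matching for non-numeric text are assumptions.

RELATIONS = {
    ">=": operator.ge, "<=": operator.le, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt, "=": operator.eq,
}
_FILTER_RE = re.compile(r"^\s*(>=|<=|!=|>|<|=)?\s*(.+?)\s*$")


def parse_filter(text: str):
    """Turn a filter such as ">=10" into a predicate over one cell value.
    A bare number means equality; non-numeric text is matched as a substring."""
    m = _FILTER_RE.match(text)
    if not m:
        raise ValueError(f"bad filter {text!r}")
    rel, operand = m.groups()
    try:
        number = int(operand, 0)  # base 0 accepts both 10 and 0x10
    except ValueError:
        if rel:
            raise ValueError(f"{operand!r} is not a number")
        return lambda cell: operand.lower() in str(cell).lower()
    cmp = RELATIONS[rel or "="]
    return lambda cell: cmp(cell, number)


def filter_results(rows, column, text):
    """The new Results Window: rows whose `column` satisfies the filter."""
    keep = parse_filter(text)
    return [r for r in rows if keep(r[column])]


def intersect_results(a, b):
    """Results present in both windows, keyed on address (order of `a` kept)."""
    addresses = {r["address"] for r in b}
    return [r for r in a if r["address"] in addresses]


# Constructed sample rows, as if from two searches of the same process.
STRING_SCAN = [
    {"address": 0x00401000, "length": 5,  "result": "hello"},
    {"address": 0x00401020, "length": 17, "result": "admin@example.com"},
    {"address": 0x00402000, "length": 32, "result": "C:\\Program Files\\Example\\app.exe"},
    {"address": 0x00403000, "length": 8,  "result": "password"},
]
REGEX_SEARCH = [
    {"address": 0x00401020, "length": 17, "result": "admin@example.com"},
    {"address": 0x00402000, "length": 32, "result": "C:\\Program Files\\Example\\app.exe"},
]


if __name__ == "__main__":
    for row in filter_results(STRING_SCAN, "length", ">=10"):
        print(f"0x{row['address']:08x} {row['length']:3d} {row['result']}")
    print("in both windows:", [hex(r["address"]) for r in intersect_results(STRING_SCAN, REGEX_SEARCH)])
```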
Copyright Information
Process Hacker
Process Hacker
Copyright (C) 2008-2009 various authors (see README.txt for the full list)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
HexBox
Process Hacker uses the HexBox component by Bernhard Elbl, licensed under the
Microsoft Public License:
This license governs use of the accompanying software. If you use the software, you
accept this license. If you do not accept the license, do not use the software.
1. Definitions
The terms "reproduce," "reproduction," "derivative works," and "distribution" have the
same meaning here as under U.S. copyright law.
A "contribution" is the original software, or any additions or changes to the software.
A "contributor" is any person that distributes its contribution under this license.
"Licensed patents" are a contributor's patent claims that read directly on its contribution.
2. Grant of Rights
(A) Copyright Grant- Subject to the terms of this license, including the license conditions
and limitations in section 3, each contributor grants you a non-exclusive, worldwide,
royalty-free copyright license to reproduce its contribution, prepare derivative works
of its contribution, and distribute its contribution or any derivative works that you
create.
(B) Patent Grant- Subject to the terms of this license, including the license conditions
and limitations in section 3, each contributor grants you a non-exclusive, worldwide,
royalty-free license under its licensed patents to make, have made, use, sell, offer
for sale, import, and/or otherwise dispose of its contribution in the software or
derivative works of the contribution in the software.
3. Conditions and Limitations
(A) No Trademark License- This license does not grant you rights to use any contributors'
name, logo, or trademarks.
(B) If you bring a patent claim against any contributor over patents that you claim are
infringed by the software, your patent license from such contributor to the software
ends automatically.
(C) If you distribute any portion of the software, you must retain all copyright, patent,
trademark, and attribution notices that are present in the software.
(D) If you distribute any portion of the software in source code form, you may do so only
under this license by including a complete copy of this license with your distribution.
If you distribute any portion of the software in compiled or object code form, you may
only do so under a license that complies with this license.
(E) The software is licensed "as-is." You bear the risk of using it. The contributors give
no express warranties, guarantees or conditions. You may have additional consumer rights
under your local laws which this license cannot change. To the extent permitted under your
local laws, the contributors exclude the implied warranties of merchantability, fitness for
a particular purpose and non-infringement.
VistaMenu and SplitButton
Process Hacker uses the VistaMenu and SplitButton components by Wyatt O'Day, licensed under
the following terms:
Copyright (c) 2008, wyDay
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials provided
with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.