Process Hacker
Introduction
Process Hacker is a tool to view and manipulate processes, services and network connections. It is not intended
for system optimization, and general users may find many of the concepts it refers to unfamiliar.
System Requirements
- Microsoft Windows XP SP2, Vista or 7 (Windows XP SP3 and Windows Vista SP1 required for certain features)
Configuration File
The settings file for Process Hacker is stored in: [Roaming Application Data]\Process Hacker 2.
This can be overridden using the -settings command line parameter.
Command Line Options
- -hide
- Starts Process Hacker hidden, regardless of any settings.
- -installkph
- Installs the KProcessHacker service.
- -nokph
- Disables KProcessHacker temporarily.
- -nosettings
- Uses defaults for all settings and does not attempt to load or save any settings.
- -settings filename
- Uses the specified file name as the settings file.
- -uninstallkph
- Uninstalls the KProcessHacker service.
- -v
- Starts Process Hacker visible, regardless of any settings.
Options
Process Hacker's options are accessible from the Options menu item
in the Hacker menu.
General
- Search Engine
- This is used by the Search Online... menu item in the process and module
context menus. %s is replaced by the name of the selected process or module.
- PE Viewer
- This is used by the Inspect menu item for modules. %s is replaced by the name of
the selected module.
- Max. Size Unit
- Specifies the maximum unit of size; sizes which can be displayed as 1024 or less in a
smaller unit will be displayed in that smaller unit, while sizes requiring a larger unit will
use units up to the maximum unit specified here.
- Icon Processes
- The number of processes to display in the notification icon menu.
- Allow only one instance
- If enabled, Process Hacker will allow only one instance of itself. Any attempts to start
a new instance will show the existing instance.
- Hide when closed
- If enabled, Process Hacker will automatically hide itself when it is closed. You
can double-click on the notification icon to show Process Hacker.
- Hide when minimized
- If enabled, Process Hacker will automatically hide itself when it is minimized. You
can double-click on the notification icon to show Process Hacker.
- Start hidden
- If enabled, Process Hacker will start hidden. You can double-click on the notification
icon to show Process Hacker.
- Collapse services on start
- If enabled, Process Hacker will collapse the services.exe tree, hiding all services
at startup.
- Single-click icons
- If enabled, Process Hacker will show/hide itself with only a single click on its tray
icons. Otherwise, a double-click is needed.
Advanced
- Enable warnings
- If disabled, Process Hacker will not show confirmation prompts for most actions.
- Enable kernel-mode driver
- Some handles cannot be displayed by a user-mode program like Process Hacker; this
option enables KProcessHacker which allows Process Hacker
to display all handles and bypass rootkits/security software in limited ways. If enabled, it will be
loaded the next time Process Hacker is started.
- Hide unnamed handles
- If enabled, unnamed handles will be hidden by default. This can be changed in each
process properties window.
- Check images for digital signatures and packing
- (Recommended) If enabled, Process Hacker will check process images for digital signatures
and determine whether they are packed. Note that this may cause internet access on some systems.
- Resolve addresses for network connections
- If enabled, host names for network connections will be retrieved.
- Include CPU usage of children in collapsed processes
- If enabled, processes which are collapsed will have their child processes contribute to the
CPU usage shown.
- Replace Task Manager with Process Hacker
- If enabled, any attempt to start Task Manager will start Process Hacker instead.
- History sample count
- The number of samples preserved for process and system statistics. This value must be a power of
two; otherwise, it is rounded up to the next power of two. Larger values will cause higher memory
consumption. Increase this value if graphs cut off prematurely.
Symbols
- Dbghelp.dll path
- Select the path to the most recent version of dbghelp.dll you have
installed on your computer. If you do not have the latest version, go to
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
and
download Debugging Tools for Windows.
- Search path
- Type in a symbol server path. Most users will want to use the following:
SRV*C:\Users\USERNAME\Symbols*http://msdl.microsoft.com/download/symbols
This will have any needed symbols downloaded from Microsoft's symbol server to
the specified directory (C:\Users\USERNAME\Symbols in the example above).
- Undecorate symbols
- If enabled, C++ symbol names will be undecorated (unmangled). This is most
useful for methods with complex signatures.
Highlighting
- Highlighting Duration
- This specifies the amount of time for which new and removed objects (processes, threads and services)
are highlighted in a different color.
- New Objects
- New processes, services, threads, modules, memory regions, and handles.
- Removed Objects
- Terminated/deleted processes, services, threads, modules, memory regions and
handles.
- Own Processes
- Processes running under the same user account as Process Hacker.
- System Processes
- Processes running under the SYSTEM user account.
- Service Processes
- Processes hosting one or more services.
- Job Processes
- Processes associated with a job object.
- POSIX Processes
- POSIX subsystem processes (also known as Subsystem for UNIX-based Applications).
- Debugged Processes
- Processes currently being debugged.
- Elevated Processes
- Processes running with full privileges on a computer with
User Account Control (UAC) enabled.
- Suspended Processes and Threads
- Processes and threads which have been suspended.
- .NET Processes and DLLs
- Managed (.NET) processes and DLLs/modules.
- Packed Processes
- Processes with packed images. These processes are sometimes malicious, but normal executables are
often packed to reduce their size.
- GUI Threads
- Threads which have made at least one GUI-related system call.
- Relocated DLLs
- DLLs which were not loaded at their preferred base address.
- Protected Handles
- Handles which are protected from being closed.
- Inherit Handles
- Handles which will be inherited by child processes.
Graphs
- Show Text
- If disabled, Process Hacker will not show text representing the current usage for each graph.
Process Hacker supports the input of numbers in various bases (including some non-standard
extensions).
A number is assumed to be in base 10 unless:
- It starts with 0 (zero) - octal (base 8)
- It starts with 0x - hexadecimal (base 16)
- It starts with b - binary (base 2)
- It starts with t - ternary (base 3)
- It starts with q - quaternary (base 4)
- It starts with w - base 12
- It starts with r - base 32
Process Tree
The process tree displays processes running on the system as a tree; processes started by a
particular parent process are shown indented below it. Processes with a non-existent parent
(whose parent has terminated) are shown on the far left. You can manipulate processes by
right-clicking on them, and you can show detailed properties for a process by double-clicking
it or selecting the "Properties..." menu item.
You can sort by the various columns by clicking on them - the tree view will temporarily
become a flat list. You can click the same column again to sort in the reverse order, and
once more to return to the tree view.
Like Process Explorer, Process Hacker shows Deferred Procedure Calls (DPCs) and Interrupts
in the process tree. The only information these "processes" show is their CPU usage.
Process Tooltips
If you hover the mouse over a process' name, a tooltip appears with useful information:
- Command Line
- The command line that was used to start the process.
- File Name
- The file name of the process.
- Known command line information
- This may include Service group name for svchost.exe processes,
Run DLL target file for rundll32.exe processes, and COM target
for dllhost.exe processes.
- Services
- A list of services which the process hosts.
- Notes
- Signer - The process' file is digitally signed by the indicated entity.
Image is probably packed - The process' file has been determined to be packed.
Console host (Windows 7 and above only) - This is the process which hosts the console
window of the process.
Process is managed (.NET) - The process uses the .NET Framework.
Process is elevated (Windows Vista and above only) - The process is running with UAC
elevation.
Process is in a job - The process has an associated job.
Process is POSIX - The process is running under the POSIX subsystem.
Process is 32-bit (WOW64) (64-bit systems only) - The process is 32-bit.
Context Menu
- Terminate
- Terminates the selected process(es). If KProcessHacker is enabled, Process Hacker
will, except under extraordinary circumstances, be able to terminate any process,
including ones protected by rootkits or security software.
- Terminate Tree
- Terminates the selected process and its descendants.
- Suspend
- Suspends the selected process(es). If KProcessHacker is enabled and running on
Windows Vista, Process Hacker will be able to suspend any process, including ones
protected by rootkits or security software.
- Resume
- Resumes the selected process(es). If KProcessHacker is enabled and running on
Windows Vista, Process Hacker will be able to resume any process, including ones
protected by rootkits or security software.
- Restart
- Restarts the selected process with the same command line arguments and working
directory.
- Debug
- Starts the debugger, specifying the selected process.
- Reduce Working Set
- Empties the selected process(es)' working set(s).
This is a safe function; the process will eventually reclaim most of its working set.
- Virtualization
- Allows you to enable or disable virtualization for the selected process, if allowed.
- Affinity
- Allows you to view and modify the process' CPU affinity (the CPUs on which it is allowed
to run).
- Create Dump File...
- Allows you to create a crash dump file for the process. This operation does not actually
cause the process to crash or terminate.
- Terminator
- A tool which tries to terminate the selected process using many different techniques.
- Detach from Debugger
- Detaches the process from any debugger. This will cause any attached debuggers to stop working.
- GDI Handles
- Shows the GDI objects owned by the process.
- Heaps
- Shows the heaps created by the process. Note that this action causes a temporary thread
to be created in the process and should be used with caution.
- Inject DLL...
- Allows you to select a DLL file (or any other PE image) that will be injected into
the selected process. On Windows XP, this option is only available for processes running in the same
session as Process Hacker (usually processes in the same user account). On Windows Vista and above,
there is no such restriction.
- I/O Priority
- Sets the process' I/O priority.
- Priority
- Sets the process' priority - Real Time, High, Above Normal, Normal, Below Normal, Idle.
This option is not available when multiple processes are selected.
- Window
- Allows you to manipulate the process' window, if one was found. If the process does not
have any visible windows, the menu is disabled.
- Search Online
- Opens the default web browser with the search engine specified in Process Hacker's options.
Terminator tests
- TP1
- Terminates the process using the NtTerminateProcess function.
- TP2
- Uses the RtlCreateUserThread function to create a thread in the process which calls
ExitProcess, terminating the process. On Vista and above, the thread calls
RtlExitUserProcess.
- TT1
- Terminates the process' threads by using the NtTerminateThread function.
- TT2
- Sets the contexts of the process' threads to point to the ExitProcess function. The
process will be terminated when one of the threads is context switched to.
- TP1a
- (Windows Server 2003 and above only.) Uses NtGetNextProcess to open a handle to the process and terminate it
using NtTerminateProcess.
- TT1a
- (Windows Server 2003 and above only.) Uses NtGetNextThread to open a handle to each of the process' threads and
terminates them using NtTerminateThread.
- CH1
- Uses NtDuplicateObject to close the process' handles. This method works best for
complex programs.
- W1
- Sends WM_DESTROY messages to the process' windows.
- W2
- Sends WM_QUIT messages to the process' windows.
- TJ1
- Creates a job, assigns the process to it, and terminates the job, terminating the process.
- TD1
- Creates a debug object, assigns the process to it, and closes the debug object,
terminating the process.
- TP3
- Uses the internal kernel-mode function PsTerminateProcess to terminate the process.
- TT3
- Uses the internal kernel-mode function PspTerminateThreadByPointer to terminate the process'
threads.
- TT4
- Queues a kernel-mode special asynchronous procedure call (APC) to each of the process' threads.
This APC calls PspTerminateThreadByPointer to directly terminate the threads. This method will
terminate threads hanging due to kernel-mode code, but the system may crash or freeze because
kernel-mode code is not given the chance to release any resources. Use this option with
extreme caution.
- M1
- Uses NtWriteVirtualMemory to write random data to the process' memory, crashing the process.
- M2
- Uses NtProtectVirtualMemory to prevent the process' pages from being used, crashing the process.
Process Properties
- General
- Displays basic information about the process and its image file. You can also view/change its
DEP status, and protect/unprotect it (requires Windows Vista and above).
- Statistics
- Displays statistics and performance information.
- Performance
- Displays three graphs relating to the process' performance - CPU Usage,
Private Bytes, and I/O activity. You can hover your mouse over the graphs to view details.
- Threads
- Displays the process' threads, including their symbolic start addresses. You can click on
a thread to view more information, or double-click a thread to view its call stack.
- Token
- Displays the process' primary token. You can also enable and disable privileges by
right-clicking on them.
- Modules
- Displays the modules loaded by the process. Right-click a module for more options.
- Memory
- Displays the process' virtual memory regions. Double-click a memory region to
read/write its contents, and right-click a memory region to perform other actions. You can
click the Strings... button to perform a string scan.
- Environment
- Displays the process' environment variables.
- Handles
- Displays the process' handles - resources it has opened. You can right-click a handle and
close it.
- Job
- Displays information about the process' associated job.
- Services
- Displays services that are registered in the process. You can double-click a service to
view and edit its properties.
Find Handles or DLLs
This tool allows you to find handles, DLLs and mapped files matching the specified name.
The entered string can be a substring of an object name. The search is not case-sensitive.
Note that this window only allows you to close handles. If you wish to "unlock" a file which is
loaded as a DLL or mapped, you must open the properties window for the relevant process, select
the Modules tab, right-click the relevant item, and select Unload.
Glossary
- Affinity
- The set of processors on which a thread or collection of threads (process) is allowed to
execute.
- ALPC
- Asynchronous Local inter-Process Communication. A replacement for LPC introduced in Windows
Vista.
- ALPC Port (Object)
- An ALPC object that can be opened in order to communicate with another process.
- Child Process
- A new process started by an existing one.
- Command Line
- A string describing a program to start and any parameters to pass to it. Examples:
C:\Windows\notepad.exe C:\Windows\win.ini, cmd /T:F0
- Commit
- A committed page or memory region contains actual data. Compare with reserve.
- Context Switch
- The act of switching a processor to run another thread. Since processors can only run one task
at a time, context switching gives the illusion of multi-tasking.
- Data Execution Prevention
- The Windows implementation of NX (No eXecute) technology, designed to prevent the execution of data
regions as code. This can prevent certain types of software attacks.
- Debug Object (Object)
- An object which a debugger can attach to processes to facilitate debugging.
- Directory (Object)
- A "directory" in the NT object manager. These have nothing to do with files and folders, although
through the object manager all kinds of objects are accessed, including the file system and registry.
- DLL
- An executable image which can be loaded by processes. Through this mechanism, code and resources
may be shared. Note that the file extension ".dll" is not required; processes can load images with any
extension.
- Driver
- An executable image which can be loaded into and executed in kernel-mode. This provides
drivers with low-level access to the system. This is required for hardware drivers and security software, but is
a mechanism through which most rootkits take control of a computer.
- Elevation (UAC)
- Under UAC, a process which is elevated has full administrative rights to system resources.
- Environment Variable
- A variable accessible to processes describing the operating system environment. Environment variables
are normally inherited by child processes.
- Event (Object)
- A type of object used for synchronization.
- Event Pair (Object)
- A type of object used for synchronization, containing two events, "high" and "low".
- EtwRegistration (Object)
- An object used by Event Tracing for Windows.
- File (Object)
- An object which supports common operations such as read, write and I/O control. This can refer to
a file or directory in an actual file system, and also devices.
- GDI
- Graphics Device Interface. This is a system which provides basic graphics support for programs.
- GDI Handles/Objects
- GDI allows programs to create drawing-related objects such as Bitmaps, Brushes, and Palettes.
- Handle
- A reference to a shared operating object or resource, e.g. a handle to an event, file or process.
- Handle leak
- Occurs when a program does not release its handles, leading to increased consumption of resources and
even crashes.
- Heap
- A process-managed structure from which memory can be allocated. Since pages can only be
allocated in large chunks, using a heap will reduce wastage of memory for small allocations.
- I/O completion (Object)
- An object to which packets of information about completed I/O can be queued.
- Image
- A "package" containing executable code.
- Interrupt
- An event, usually signaled by hardware, that is handled by the operating system through an
interrupt handler.
- Job (Object)
- A process group. Restrictions can be placed on processes in a job, and statistics are collected
for the group.
- Key (Object)
- A registry key.
- Kernel
- A collection of code that manages system-wide resources such as I/O, processes and threads, and
security. System calls are also handled by the kernel.
- Kernel-mode
- A processor mode in which code can access hardware directly and access all memory. For example, when
a system call is made, the processor switches to kernel-mode in order to perform an action on
the requester's behalf. When the system call finishes, it switches back to user-mode and the requester
continues normal execution.
- Kernel-mode thread
- A thread that runs solely in kernel-mode. These are usually worker threads that carry out delayed
operating system tasks. Most kernel-mode threads are contained in the System process, but csrss.exe also
runs kernel-mode threads.
- LPC
- Local inter-Process Communication (sometimes mistakenly referred to as Local Procedure Call). A Windows
NT mechanism which enables processes to communicate with each other. Primary consumers are system services
and RPC.
- LUID
- Locally Unique IDentifier. A value which is unique on the local system until it is rebooted.
- Module
- See DLL.
- Mutant (Object)
- A mutex object. Win32 calls these objects mutexes, while in the Native API they are called mutants.
- Page
- A block of memory, 4 kB in size on x86 and AMD64 processors. Every page can have its own attributes,
such as its protection (read, write, execute).
- PEB
- Process Environment Block. The PEB contains a variety of data used by the process.
- Privilege
- A privilege belonging to a process. It can be enabled or disabled, and certain system calls require
the presence of specific privileges to work.
- Process
- A collection of threads along with virtual memory, handles and other resources.
- Protection (DRM)
- Process and thread protection introduced in Windows Vista, designed to enhance support for digital
restrictions management. Examples of processes protected by this mechanism include System and audiodg.exe.
- Reserve
- A reserved page or memory region does not contain data and has not been allocated storage in physical
memory. Reserving pages is commonly done to ensure a certain amount of contiguous address space is available
without actually allocating storage. Compare with commit.
- Section (Object)
- A block of memory that can be mapped into a process' address space. The data for this block of memory can
be temporary ("backed" by the pagefile) or can come from a file ("backed" by a file, i.e. file mapping). Win32
calls these objects "file mappings".
- Semaphore (Object)
- A type of object used for synchronization.
- Service
- An operating-system-managed program which runs in the background. Services can run in shared processes
(svchost.exe instances), in separate processes, or as drivers loaded into kernel-mode space.
- SID
- Security IDentifier. A unique identifier assigned to security-related objects such as users and groups.
- String
- A sequence of characters - text.
- System Call
- A request that is made by a thread to the kernel to perform a task on the thread's behalf. This is done
because most threads run in user-mode and are unable to access hardware directly. See kernel-mode.
- System Thread
- See kernel-mode thread.
- Thread
- A unit of execution belonging to a process, running code concurrently. Most threads run in user-mode,
but some are kernel-mode threads.
- Timer (Object)
- A type of object used for synchronization.
- TmEn (Object)
- Enlistment objects (for the transaction manager).
- TmRm (Object)
- Resource Manager objects (for the transaction manager).
- TmTm (Object)
- Transaction Manager objects. These have an associated log file.
- TmTx (Object)
- Transaction objects (for the transaction manager).
- Token (Object)
- An object which describes security attributes such as the user, groups and privileges.
- User Account Control
- Refers to restrictions on normal processes preventing them from modifying system-wide files and settings.
Processes which are elevated have full administrative access to system resources.
- Virtualization (UAC)
- A technology which redirects writes to the file system and registry for processes which are not
elevated.
- Working set
- The collection of pages recently referenced by a process. These pages are in physical
memory, while other pages may be in the pagefile.
- WOW64
- A technology which enables 32-bit programs to run on 64-bit Windows systems.