Process Hacker
Introduction
Process Hacker is a tool to view and manipulate processes, services and network connections. It is not intended
for system optimization, and many of the concepts referred to may be unfamiliar to general users.
System Requirements
- Microsoft Windows XP SP2, Vista or 7 (Windows XP SP3 and Windows Vista SP1 required for certain features)
Note that some features may be unavailable on 64-bit systems. This includes:
- Bypassing rootkits and security software when accessing processes, threads and other objects.
- Viewing kernel pool limits
- Viewing hidden processes
- Changing handle attributes
- Viewing kernel-mode stack traces.
Configuration File
The settings file for Process Hacker is stored in: [Roaming Application Data]\Process Hacker 2.
Command Line Options
- -hide
- Starts Process Hacker hidden, regardless of any settings.
- -installkph
- Installs the KProcessHacker service.
- -nokph
- Disables KProcessHacker temporarily.
- -nosettings
- Uses defaults for all settings and does not attempt to load or save any settings.
- -settings filename
- Uses the specified file name as the settings file.
- -uninstallkph
- Uninstalls the KProcessHacker service.
- -v
- Starts Process Hacker visible, regardless of any settings.
Options
Process Hacker's options are accessible from the Options menu item
in the Hacker menu.
General
- Search Engine
- This is used by the Search Online... menu item in the process and module
context menus. %s is replaced by the name of the selected process or module.
- PE Viewer
- This is used by the Inspect menu item for modules. %s is replaced by the name of the selected module.
- Max. Size Unit
- Specifies the maximum unit of size; sizes which can be displayed as 1024 or less in a
smaller unit will be displayed in that smaller unit, while sizes requiring a larger unit will
use units up to the maximum unit specified here.
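The "Max. Size Unit" rule above is easy to get wrong at the boundary (1024 in a smaller unit is kept, anything larger moves up) and at the cap. The function below is an added example, not Process Hacker's own code; the unit names and the two-decimal output format are assumptions.

```python
# Added example of the Max. Size Unit rule: climb to a larger unit only while the
# value is greater than 1024, and never past the configured maximum unit.
# Unit names are assumed; the help text does not list them.
UNITS = ["B", "kB", "MB", "GB", "TB", "PB", "EB"]


def format_size(size_bytes, max_unit="TB"):
    """Return size_bytes formatted with the smallest unit that keeps the value
    at or below 1024, capped at max_unit (raises ValueError for an unknown unit)."""
    max_index = UNITS.index(max_unit)
    value = float(size_bytes)
    index = 0
    # A value of exactly 1024 stays in the smaller unit, per the help text.
    while value > 1024 and index < max_index:
        value /= 1024
        index += 1
    if index == 0:
        return f"{int(value)} B"
    return f"{value:.2f} {UNITS[index]}"


if __name__ == "__main__":
    for size, cap in [(512, "TB"), (1024, "TB"), (1536, "TB"),
                      (5 * 1024 ** 3, "TB"), (5 * 1024 ** 3, "MB")]:
        print(f"{size:>12} bytes, max {cap}: {format_size(size, cap)}")
```

With the cap set to MB, a 5 GB value is shown as 5120.00 MB rather than climbing to GB, which is exactly the behaviour the option controls.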
- Icon Processes
- The number of processes to display in the notification icon menu.
- Allow only one instance
- If enabled, Process Hacker will allow only one instance of itself. Any attempts to start
a new instance will show the existing instance.
- Hide when closed
- If enabled, Process Hacker will automatically hide itself when it is closed. You
can double-click on the notification icon to show Process Hacker.
- Hide when minimized
- If enabled, Process Hacker will automatically hide itself when it is minimized. You
can double-click on the notification icon to show Process Hacker.
- Start hidden
- If enabled, Process Hacker will start hidden. You can double-click on the notification
icon to show Process Hacker.
- Collapse services on start
- If enabled, Process Hacker will collapse the services.exe tree, hiding all services
at startup.
- Single-click icons
- If enabled, Process Hacker will show/hide itself with only a single click on its tray
icons. Otherwise, a double-click is needed.
- Enable process database
- If enabled, Process Hacker will provide additional features but will take longer to
start. Currently the only additional feature available is to mark processes as safe/unsafe.
Advanced
- Enable warnings
- If disabled, Process Hacker will not show confirmation prompts for most actions.
- Enable kernel-mode driver
- Some handles cannot be displayed by a user-mode program like Process Hacker; this
option enables KProcessHacker which allows Process Hacker
to display all handles and bypass rootkits/security software. If enabled, it will be
loaded the next time Process Hacker is started. This currently has no effect on 64-bit
systems.
- Hide unnamed handles
- If enabled, unnamed handles will be hidden by default. This can be changed in each
process properties window.
- Replace Task Manager with Process Hacker
- If enabled, any attempt to start Task Manager will start Process Hacker instead.
- Check images for digital signatures and packing
- (Recommended) If enabled, Process Hacker will check process images for digital signatures
and determine whether they are packed. Note that this may cause internet access on some systems.
Symbols
- Dbghelp.dll path
- Select the path to the most recent version of dbghelp.dll you have
installed on your computer. If you do not have the latest version, go to
http://www.microsoft.com/whdc/devtools/debugging/default.mspx and
download Debugging Tools for Windows.
- Search path
- Type in a symbol server path. Most users will want to use the following:
SRV*C:\Users\USERNAME\Symbols*http://msdl.microsoft.com/download/symbols
This will have any needed symbols downloaded from Microsoft's symbol server to
the specified directory (C:\Users\USERNAME\Symbols in the example above).
- Undecorate symbols
- If enabled, C++ symbol names will be undecorated (unmangled). This is most
useful for methods with complex signatures.
Highlighting
- Highlighting Duration
- This specifies the amount of time for which new and removed objects (processes, threads and services)
are highlighted in a different color.
- New Objects
- New processes, services, threads, modules, memory regions, and handles.
- Removed Objects
- Terminated/deleted processes, services, threads, modules, memory regions and
handles.
- Own Processes
- Processes running under the same user account as Process Hacker.
- System Processes
- Processes running under the SYSTEM user account.
- Service Processes
- Processes hosting one or more services.
- Job Processes
- Processes associated with a job object.
- POSIX Processes
- POSIX subsystem processes (also known as Subsystem for UNIX-based Applications).
- Debugged Processes
- Processes currently being debugged.
- Elevated Processes
- Processes running with full privileges on a computer with
User Account Control (UAC) enabled.
- Suspended Processes and Threads
- Processes and threads which have been suspended.
- .NET Processes and DLLs
- Managed (.NET) processes and DLLs/modules.
- Packed Processes
- Processes with packed images. These processes are sometimes malicious, but normal executables are
often packed to reduce their size.
- GUI Threads
- Threads which have made at least one GUI-related system call.
- Relocated DLLs
- DLLs which were not loaded at their preferred base address.
- Protected Handles
- Handles which are protected from being closed.
- Inherit Handles
- Handles which will be inherited by child processes.
Graphs
- Show Text
- If disabled, Process Hacker will not show text representing the current usage for each graph.
Process Hacker supports the input of numbers in various bases (including some non-standard
extensions). A number is assumed to be in base 10 unless:
- It starts with 0 (zero) - octal (base 8)
- It starts with 0x - hexadecimal (base 16)
- It starts with b - binary (base 2)
- It starts with t - ternary (base 3)
- It starts with q - quaternary (base 4)
- It starts with w - base 12
- It starts with r - base 32
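The prefix rules above are small but have an ordering subtlety: "0x" must be tested before the plain leading "0" (octal), and a lone "0" is just zero, not an empty octal number. The parser below is an added example written for this help text, not Process Hacker's own number-parsing code; it assumes case-insensitive input, no sign, and the letters a-v as digits 10-31 for base 32.

```python
# Added example: parse a number using the prefix conventions from the help text.
# Prefix order matters: "0x" is checked before the bare-"0" octal rule.
PREFIX_BASES = {
    "0x": 16,  # hexadecimal
    "b": 2,    # binary
    "t": 3,    # ternary
    "q": 4,    # quaternary
    "w": 12,   # base 12
    "r": 32,   # base 32
}

# Digit alphabet assumed for bases above 10 (a=10 ... v=31 for base 32).
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def parse_number(text):
    """Return the integer value of text, or raise ValueError on a bad digit."""
    s = text.strip().lower()
    base = 10
    for prefix, prefix_base in PREFIX_BASES.items():
        if s.startswith(prefix):
            base, s = prefix_base, s[len(prefix):]
            break
    else:
        # A leading zero followed by more digits means octal; "0" alone is zero.
        if len(s) > 1 and s.startswith("0"):
            base, s = 8, s[1:]
    if not s:
        raise ValueError(f"no digits in {text!r}")
    value = 0
    for ch in s:
        digit = DIGITS.find(ch)
        if digit < 0 or digit >= base:
            raise ValueError(f"invalid digit {ch!r} for base {base} in {text!r}")
        value = value * base + digit
    return value


if __name__ == "__main__":
    for sample in ["1024", "0x1f", "017", "0", "b1011", "t12", "q33", "w1b", "rvv"]:
        print(f"{sample:>6} -> {parse_number(sample)}")
```

Note that because "b" is a prefix, a hexadecimal value beginning with the digit b must be written with the "0x" prefix; without it, "b1" is read as binary.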
Process Tree
The process tree displays processes running on the system as a tree; processes started by a
particular parent process are shown indented below it. Processes with a non-existent parent
(whose parent has terminated) are shown on the far left. You can manipulate processes by
right-clicking on them, and you can show detailed properties for a process by double-clicking
it or selecting the "Properties..." menu item.
You can sort by the various columns by clicking on them - the tree view will temporarily
become a flat list. You can click the same column again to sort in the reverse order, and
once more to return to the tree view.
Like Process Explorer, Process Hacker shows Deferred Procedure Calls (DPCs) and Interrupts
in the process tree. The only information these "processes" show is their CPU usage.
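The tree described above is built from each process's parent PID, with processes whose parent no longer exists placed at the far left. The code below is an added example, not Process Hacker's own tree code, and it goes one step beyond the help text: because Windows reuses PIDs, a recorded parent PID can belong to a newer, unrelated process, so a parent is accepted only if it was started before the child. The snapshot it runs on is constructed sample data, not a real system.

```python
from collections import defaultdict

# Constructed sample snapshot (not real system data): pid, parent pid, name, start time.
# PID 1100 was explorer.exe's real parent, which exited; the PID was then reused by a
# svchost.exe started much later, so explorer.exe must be shown as a root.
SAMPLE_PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "start": 0},
    {"pid": 500,  "ppid": 4,    "name": "smss.exe",     "start": 1},
    {"pid": 600,  "ppid": 500,  "name": "csrss.exe",    "start": 2},
    {"pid": 700,  "ppid": 500,  "name": "wininit.exe",  "start": 2},
    {"pid": 800,  "ppid": 700,  "name": "services.exe", "start": 3},
    {"pid": 900,  "ppid": 800,  "name": "svchost.exe",  "start": 4},
    {"pid": 1200, "ppid": 1100, "name": "explorer.exe", "start": 10},
    {"pid": 1300, "ppid": 1200, "name": "notepad.exe",  "start": 11},
    {"pid": 1100, "ppid": 800,  "name": "svchost.exe",  "start": 20},
]


def build_process_tree(processes):
    """Return (roots, children) where children maps a pid to its child records."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    roots = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        # The parent is real only if it exists, is not the process itself, and
        # was started no later than the child (otherwise its PID was reused).
        if parent is None or parent is p or parent["start"] > p["start"]:
            roots.append(p)
        else:
            children[parent["pid"]].append(p)
    return roots, children


def flatten_tree(processes):
    """Depth-first rows of (depth, pid, name), siblings ordered by pid."""
    roots, children = build_process_tree(processes)
    rows = []

    def walk(p, depth):
        rows.append((depth, p["pid"], p["name"]))
        for child in sorted(children.get(p["pid"], []), key=lambda c: c["pid"]):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda r: r["pid"]):
        walk(root, 0)
    return rows


def render_tree(processes):
    """Indented text rendering of the tree, two spaces per level."""
    return "\n".join("  " * depth + f"{name} ({pid})"
                     for depth, pid, name in flatten_tree(processes))


if __name__ == "__main__":
    print(render_tree(SAMPLE_PROCESSES))
```

Without the start-time check, explorer.exe would be attached under the unrelated svchost.exe that inherited PID 1100, which is the kind of misleading parentage an analyst should be alert to when reading any process tree.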
Process Tooltips
If you hover the mouse over a process' name, a tooltip appears with useful information:
- Command Line
- The command line that was used to start the process.
- File Name
- The file name of the process.
- Known command line information
- This may include Service group name for svchost.exe processes,
Run DLL target file for rundll32.exe processes, and COM target
for dllhost.exe processes.
- Services
- A list of services which the process hosts.
- Notes
- Signer - The process' file is digitally signed by the indicated entity.
Image is probably packed - The process' file has been determined to be packed.
Console host (Windows 7 and above only) - This is the process which hosts the console
window of the process.
Process is managed (.NET) - The process uses the .NET Framework.
Process is elevated (Windows Vista and above only) - The process is running with UAC
elevation.
Process is in a job - The process has an associated job.
Process is POSIX - The process is running under the POSIX subsystem.
Process is 32-bit (WOW64) (64-bit systems only) - The process is 32-bit.
Context Menu
- Terminate
- Terminates the selected process(es). If KProcessHacker is enabled, Process Hacker
will, except under extraordinary circumstances, be able to terminate any process,
including ones protected by rootkits or security software.
- Terminate Tree
- Terminates the selected process and its descendants.
- Suspend
- Suspends the selected process(es). If KProcessHacker is enabled and running on
Windows Vista, Process Hacker will be able to suspend any process, including ones
protected by rootkits or security software.
- Resume
- Resumes the selected process(es). If KProcessHacker is enabled and running on
Windows Vista, Process Hacker will be able to resume any process, including ones
protected by rootkits or security software.
- Restart
- Restarts the selected process with the same command line arguments and working
directory.
- Debug
- Starts the debugger, specifying the selected process.
- Reduce Working Set
- Empties the selected process(es)' working set(s).
This is a safe function; the process will eventually reclaim most of its working set.
- Virtualization
- Allows you to enable or disable virtualization for the selected process, if allowed.
- Affinity
- Allows you to view and modify the process' CPU affinity (the CPUs on which it is allowed
to run).
- Create Dump File...
- Allows you to create a crash dump file for the process. This operation does not actually
cause the process to crash or terminate.
- Terminator
- A tool which tries to terminate the selected process using many different techniques.
- Detach from Debugger
- Detaches the process from any debugger. This will cause any attached debuggers to stop working.
- GDI Handles
- Shows the GDI objects owned by the process.
- Heaps
- Shows the heaps created by the process. Note that this action causes a temporary thread
to be created in the process and should be used with caution.
- Inject DLL...
- Allows you to select a DLL file (or any other PE image) that will be injected into
the selected process. This option is only available for processes running in the same
session as Process Hacker (usually processes in the same user account).
- I/O Priority
- Sets the process' I/O priority.
- Priority
- Sets the process' priority - Real Time, High, Above Normal, Normal, Below Normal, Idle.
This option is not available when multiple processes are selected.
- Window
- Allows you to manipulate the process' window, if one was found. If the process does not
have any visible windows, the menu is disabled.
- Search Online
- Opens the default web browser with the search engine specified in Process Hacker's options.
Terminator tests
- TP1
- Terminates the process using the NtTerminateProcess function.
- TP2
- Uses the RtlCreateUserThread function to create a thread in the process which calls
ExitProcess, terminating the process. On Vista and above, the thread calls
RtlExitUserProcess.
- TT1
- Terminates the process' threads by using the NtTerminateThread function.
- TT2
- Sets the contexts of the process' threads to point to the ExitProcess function. The
process will be terminated when one of the threads is context switched to.
- TP1a
- (Windows Server 2003 and above only.) Uses NtGetNextProcess to open a handle to the process and terminate it
using NtTerminateProcess.
- TT1a
- (Windows Server 2003 and above only.) Uses NtGetNextThread to open a handle to each of the process' threads and
terminates them using NtTerminateThread.
- CH1
- Uses NtDuplicateObject to close the process' handles. This method works best for
complex programs.
- W1
- Sends WM_DESTROY messages to the process' windows.
- W2
- Sends WM_QUIT messages to the process' windows.
- TJ1
- Creates a job, assigns the process to it, and terminates the job, terminating the process.
- TD1
- Creates a debug object, assigns the process to it, and closes the debug object,
terminating the process.
- TP3
- Uses the internal kernel-mode function PsTerminateProcess to terminate the process.
- TT3
- Uses the internal kernel-mode function PspTerminateThreadByPointer to terminate the process'
threads.
- TT4
- Queues a kernel-mode special asynchronous procedure call (APC) to each of the process' threads.
This APC calls PspTerminateThreadByPointer to directly terminate the threads. This method will
terminate threads hanging due to kernel-mode code, but the system may crash or freeze because
kernel-mode code is not given the chance to release any resources. Use this option with
extreme caution.
- M1
- Uses NtWriteVirtualMemory to write random data to the process' memory, crashing the process.
- M2
- Uses NtProtectVirtualMemory to prevent the process' pages from being used, crashing the process.
Process Properties
- General
- Displays basic information about the process and its image file. You can also view/change its
DEP status, and protect/unprotect it (requires Windows Vista and above).
- Statistics
- Displays statistics and performance information.
- Performance
- Displays three graphs relating to the process' performance - CPU Usage,
Private Bytes, and I/O activity. You can hover your mouse over the graphs to view details.
- Threads
- Displays the process' threads, including their symbolic start addresses. You can click on
a thread to view more information, or double-click a thread to view its call stack.
- Token
- Displays the process' primary token. You can also enable and disable privileges by
right-clicking on them.
- Modules
- Displays the modules loaded by the process. Right-click a module for more options.
- Memory
- Displays the process' virtual memory regions. Double-click a memory region to
read/write its contents, and right-click a memory region to perform other actions. You can
click the Strings... button to perform a string scan.
- Environment
- Displays the process' environment variables.
- Handles
- Displays the process' handles - resources it has opened. You can right-click a handle and
close it.
- Job
- Displays information about the process' associated job.
- Services
- Displays services that are registered in the process. You can double-click a service to
view and edit its properties.
Glossary
- Affinity
- The set of processors on which a thread or collection of threads (process) is allowed to
execute.
- ALPC
- Asynchronous Local inter-Process Communication. A replacement for LPC introduced in Windows
Vista.
- ALPC Port (Object)
- An ALPC object that can be opened in order to communicate with another process.
- Child Process
- A new process started by an existing one.
- Command Line
- A string describing a program to start and any parameters to pass to it. Examples:
C:\Windows\notepad.exe C:\Windows\win.ini, cmd /TF0
- Commit
- A committed page or memory region contains actual data. Compare with reserve.
- Context Switch
- The act of switching a processor to run another thread. Since processors can only run one task
at a time, context switching gives the illusion of multi-tasking.
- Data Execution Prevention
- The Windows implementation of NX (No eXecute) technology, designed to prevent the execution of data
regions as code. This can prevent certain types of software attacks.
- Directory (Object)
- A "directory" in the NT object manager. These have nothing to do with files and folders, although
through the object manager all kinds of objects are accessed, including the file system and registry.
- DLL
- An executable image which can be loaded by processes. Through this mechanism, code and resources
may be shared. Note that the file extension ".dll" is not required; processes can load images with any
extension.
- Driver
- An executable image which can be loaded into and executed in kernel-mode. This provides
drivers with low-level access to the system. This is required for hardware drivers and security software, but is
a mechanism through which most rootkits take control of a computer.
- Elevation (UAC)
- Under UAC, a process which is elevated has full administrative rights to system resources.
- Environment Variable
- A variable accessible to processes describing the operating system environment. Environment variables
are normally inherited by child processes.
- EtwRegistration (Object)
- An object used by Event Tracing for Windows.
- GDI
- Graphics Device Interface. This is a system which provides basic graphics support for programs.
- GDI Handles/Objects
- GDI allows programs to create drawing-related objects such as Bitmaps, Brushes, and Palettes.
- Handle
- A reference to a shared operating object or resource, e.g. a handle to an event, file or process.
- Handle leak
- Occurs when a program does not release its handles, leading to increased consumption of resources and
even crashes.
- Heap
- A process-managed structure from which memory can be allocated. Since pages can only be
allocated in large chunks, using a heap will reduce wastage of memory for small allocations.
- Image
- A "package" containing executable code.
- Interrupt
- An event, usually signaled by hardware, that is handled by the operating system through an
interrupt handler.
- Key (Object)
- A registry key.
- Kernel
- A collection of code that manages system-wide resources such as I/O, processes and threads, and
security. System calls are also handled by the kernel.
- Kernel-mode
- A processor mode in which code can access hardware directly and access all memory. For example, when
a system call is made, the processor switches to kernel-mode in order to perform an action on
the requester's behalf. When the system call finishes, it switches back to user-mode and the requester
continues normal execution.
- Kernel-mode thread
- A thread that runs solely in kernel-mode. These are usually worker threads that carry out delayed
operating system tasks. Most kernel-mode threads are contained in the System process, but csrss.exe also
runs kernel-mode threads.
- LPC
- Local inter-Process Communication (not Local Procedure Call). A Windows NT mechanism which enables
processes to communicate with each other. Primary consumers are system services and RPC.
- LUID
- Locally Unique IDentifier. A value which is unique on the local system until it is rebooted.
- Module
- See DLL.
- Mutant (Object)
- A mutex object. Win32 calls these objects mutexes, while in the Native API they are called mutants.
- Page
- A block of memory, 4 kB in size on x86 and AMD64 processors.
- PEB
- Process Environment Block. The PEB contains a variety of data used by the process.
- Privilege
- A privilege belonging to a process. It can be enabled or disabled, and certain system calls require
the presence of specific privileges to work.
- Process
- A collection of threads along with virtual memory, handles and other resources.
- Protection (DRM)
- Process and thread protection introduced in Windows Vista, designed to enhance support for digital
restrictions management. Examples of processes protected by this mechanism include System and audiodg.exe.
- Reserve
- A reserved page or memory region does not contain data and has not been allocated storage in physical
memory. Reserving pages is commonly done to ensure a certain amount of contiguous address space is available
without actually allocating storage. Compare with commit.
- Section (Object)
- A block of memory that can be mapped into a process' address space. The data for this block of memory can
be temporary ("backed" by the pagefile) or can come from a file ("backed" by a file, i.e. file mapping). Win32
calls these objects "file mappings".
- Service
- An operating-system-managed program which runs in the background. Services can run in shared processes
(in svchost.exe instances), in separate processes, or as drivers loaded into kernel-mode space.
- SID
- Security IDentifier. A unique identifier assigned to security-related objects such as users and groups.
- String
- A sequence of characters - text.
- System Call
- A request that is made by a thread to the kernel to perform a task on the thread's behalf. This is done
because most threads run in user-mode and are unable to access hardware directly. See kernel-mode.
- System Thread
- See kernel-mode thread.
- Thread
- A unit of execution belonging to a process, running code concurrently. Most threads run in user-mode,
but some are kernel-mode threads.
- TmEn (Object)
- Enlistment objects (for the transaction manager).
- TmRm (Object)
- Resource Manager objects (for the transaction manager).
- TmTm (Object)
- Transaction Manager objects. These have an associated log file.
- TmTx (Object)
- Transaction objects (for the transaction manager).
- User Account Control
- Refers to restrictions on normal processes preventing them from modifying system-wide files and settings.
Processes which are elevated have full administrative access to system resources.
- Virtualization (UAC)
- A technology which redirects writes to the file system and registry for processes which are not
elevated.
- Working set
- The collection of pages recently referenced by a process. These pages are in physical
memory, while other pages may be in the pagefile.
- WOW64
- A technology which enables 32-bit programs to run on 64-bit Windows systems.
Copyright Information
Process Hacker
Copyright (C) 2009-2010 wj32 and various authors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
MD5
Process Hacker uses a MD5 implementation licensed under the following terms:
MD5 hash implementation and interface functions
Copyright (c) 2003-2005, Jouni Malinen
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.
SHA
Process Hacker uses a SHA implementation licensed under the following terms:
Copyright 2004 Filip Navara
Based on public domain SHA code by Steve Reid
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
PCRE
Process Hacker uses Perl-Compatible Regular Expressions licensed under the
following terms:
PCRE is a library of functions to support regular expressions whose syntax
and semantics are as close as possible to those of the Perl 5 language.
Release 8 of PCRE is distributed under the terms of the "BSD" licence, as
specified below.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the name of Google
Inc. nor the names of their contributors may be used to endorse or
promote products derived from this software without specific prior
written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Mini-XML
Process Hacker uses Mini-XML licensed under the following terms:
The Mini-XML library and included programs are provided under the
terms of the GNU Library General Public License (LGPL) with the
following exceptions:
1. Static linking of applications to the Mini-XML library
does not constitute a derivative work and does not require
the author to provide source code for the application, use
the shared Mini-XML libraries, or link their applications
against a user-supplied version of Mini-XML.
If you link the application to a modified version of
Mini-XML, then the changes to Mini-XML must be provided
under the terms of the LGPL in sections 1, 2, and 4.
2. You do not have to provide a copy of the Mini-XML license
with programs that are linked to the Mini-XML library, nor
do you have to identify the Mini-XML license in your
program or documentation as required by section 6 of the
LGPL.