All times are UTC - 8 hours

 Post subject: Re: Process Hacker
PostPosted: Tue Jul 27, 2010 5:45 pm 

Joined: Sun Mar 02, 2008 1:00 am
Posts: 198
computerfreaker wrote:
is it acceptable in terms of telling users how to keep things as portable as possible

I think that's preferable. For example, look at the extraction instruction of AkelPad.
http://www.portablefreeware.com/?id=952


 Post subject: Re: Process Hacker
PostPosted: Wed Jul 28, 2010 11:01 am 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 74
infimum wrote:
computerfreaker wrote:
is it acceptable in terms of telling users how to keep things as portable as possible

I think that's preferable. For example, look at the extraction instruction of AkelPad.
http://www.portablefreeware.com/?id=952

Do you think I should edit the Process Hacker database entry again to make it look a bit nicer, like AkelPad's entry? The current PH entry gets the job done, but it's not as clear as AkelPad's entry.


 Post subject: Re: Process Hacker
PostPosted: Wed Jul 28, 2010 11:16 am 

Joined: Mon Aug 27, 2007 2:00 am
Posts: 1090
Quote:
Do you think I should edit the Process Hacker database entry again to make it look a bit nicer.


I think it makes it a lot easier for the average user to decipher.


 Post subject: Re: Process Hacker
PostPosted: Wed Jul 28, 2010 12:09 pm 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 74
guinness wrote:
Quote:
Do you think I should edit the Process Hacker database entry again to make it look a bit nicer.


I think it makes it a lot easier for the average user to decipher.

Do you think the entry looks OK now?

(I've got to be careful with all these edits or I'm going to end up getting banned; unless somebody has a major objection to the way the entry looks right now, I think I'm done.)


 Post subject: Re: Process Hacker
PostPosted: Wed Jul 28, 2010 12:28 pm 

Joined: Mon Aug 27, 2007 2:00 am
Posts: 1090
Quote:
I've got to be careful with all these edits or I'm going to end up getting banned.

Not at all! You have made great contributions to the TPFC community. It would be petty if you were banned for improving the quality of your suggested application :)


 Post subject: Re: Process Hacker
PostPosted: Wed Jul 28, 2010 2:05 pm 

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 760
Location: Texas
computerfreaker wrote:
Do you think the entry looks OK now?

I added a bit more to the description drawn from the feature list on the website. I figure it's incomplete if we describe it as "feature-packed" without listing any of those features.

computerfreaker wrote:
I've got to be careful with all these edits or I'm going to end up getting banned

Although on some servers they come up as red flags, you will not get banned for frequent edits here on PFW. I know because I've edited PicPick like 20x and there were no issues.

_________________
EFF.org | My GPG Public Key


 Post subject: Re: Process Hacker
PostPosted: Wed Jul 28, 2010 7:34 pm 

Joined: Mon Oct 06, 2008 4:32 pm
Posts: 248
I made a bat to start it with -settings settings.ini and converted it to an exe... so far it works nice and I just have it start up with Windows.

Since this doesn't use .NET I'll switch back to it from Process Explorer; I find a lot more features in Process Hacker and I like the Services tab.

Edit: found kprocess in the Services tab, stopped/removed it from there and it seems to work fine. Though it won't fix the stealth issue, I can leave the .sys in the folder and it won't use it now :D


 Post subject: Re: Process Hacker
PostPosted: Wed Jul 28, 2010 7:59 pm 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 74
webfork wrote:
computerfreaker wrote:
Do you think the entry looks OK now?

I added a bit more to the description drawn from the feature list on the website. I figure it's incomplete if we describe it as "feature-packed" without listing any of those features.

Thanks for doing that! I thought about doing a feature list, but couldn't seem to get all the features summarized into a reasonably small block of text.


webfork wrote:
computerfreaker wrote:
I've got to be careful with all these edits or I'm going to end up getting banned
Although on some servers they come up as red flags, you will not get banned for frequent edits here on PFW. I know because I've edited PicPick like 20x and there were no issues.

That's good to hear. I was basing my statement off this quote, which always comes up when I'm editing an entry:
Quote:
Note: All edits are logged. If any member is found to abuse this privilege, inappropriate changes will be reverted and the offending member may be permanently banned.

"abusing this privilege", at least to me, means excessively using the Edit feature, hence the concern.

guinness wrote:
Quote:
I've got to be careful with all these edits or I'm going to end up getting banned.

Not at all! You have made great contributions to the TPFC community. It would be petty if you were banned for improving the quality of your suggested application :)

Well, I don't really believe in giving users more leeway just because they've contributed a bit. "Rules is rules", which means I really should have done a good job the first time.

-.- wrote:
Since this doesn't use .NET I'll switch back to it from Process Explorer; I find a lot more features in Process Hacker and I like the Services tab.

Yeah, the Services tab is a nice feature. I've used it a lot over the past few days; let's just say I was surprised by how many services are on this old system.

-.- wrote:
Edit: found kprocess in the Services tab, stopped/removed it from there and it seems to work fine. Though it won't fix the stealth issue, I can leave the .sys in the folder and it won't use it now :D

I'm pretty sure it'll still leave Registry traces from where the driver was installed, though. I think the only way around that is to delete (or rename) the driver before installing it, which means deleting the driver before running Process Hacker.


Incidentally, once the PortableApps.com Launcher supports handling services & drivers, we can have a truly portable version of Process Hacker complete with its driver. I know a lot of users on here don't use (or like) things from PortableApps, but I figure it's worth mentioning for those who do.


 Post subject: Re: Process Hacker
PostPosted: Wed Jul 28, 2010 10:40 pm 

Joined: Sat Sep 05, 2009 6:35 pm
Posts: 93
OK, I voted because this app really does rock!

But please do not delete 'kprocesshacker.sys', this kernel driver is what puts the hacker in Process Hacker.

There are other apps in the database that write to the same reg key, yet no special instructions like this.

I have found a way to start the app without it creating that reg key, whether you start as Admin or not.

1. Download the ZIP package and extract to a folder of your choice.
2. Create a new file in the folder and name it 'ProcessHacker.xml' (w/o quotes)
3. Copy and Paste the code below inside this new file and run with the parameter -settings ProcessHacker.xml
Code:
<settings>
  <setting name="EnableKph">0</setting>
</settings>
Process Hacker will now read/write to this file.

Should the time come when you do need to delete/terminate some low-level process here are the ways.

If running as normal user, click Hacker > Options... > Advanced and tick 'Enable kernel-mode driver'.
Click Hacker again and click 'Show Details for All Processes' this will elevate and load the driver and you're good to go.

If running as Admin, > 'Enable kernel-mode driver', you'll need to restart PH to load the driver.

With this driver loaded I was able to shut down avast! with just a couple of clicks.

Note: You can name the xml file you create anything you want as long as you pass it after the parameter -settings.


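The extraction recipe above can be wrapped in a small launcher so a portable copy always starts with the driver disabled but still present for when it is needed. The script below is an added example, not code from the thread or from the Process Hacker project; it assumes the executable is named ProcessHacker.exe and sits in the same folder as the script, and that the only setting the file needs to carry is EnableKph (both are assumptions). It writes the settings file on first run only, checks that EnableKph is still 0 before launching, and passes the file with -settings so Process Hacker reads and writes there instead of the registry.

```powershell
# Added example (not from the thread or the Process Hacker project):
# portable launcher that keeps kprocesshacker.sys on disk but disabled.
param(
    # Folder the ZIP was extracted to (assumed: the script's own folder).
    [string]$PhDir = $PSScriptRoot,
    # Any file name works as long as it follows -settings, as the post notes.
    [string]$SettingsName = 'ProcessHacker.xml'
)

# Assumption: the executable is called ProcessHacker.exe.
$exe      = Join-Path $PhDir 'ProcessHacker.exe'
$settings = Join-Path $PhDir $SettingsName

if (-not (Test-Path $exe)) {
    throw "ProcessHacker.exe not found in $PhDir"
}

# Create the settings file only on first run, so choices later made in
# Hacker > Options (for example re-enabling the driver) are not overwritten.
if (-not (Test-Path $settings)) {
    @'
<settings>
  <setting name="EnableKph">0</setting>
</settings>
'@ | Set-Content -Path $settings -Encoding UTF8
}

# Check the file still disables the driver before launching, so an edited
# or stale file does not silently load kprocesshacker.sys on start.
[xml]$doc = Get-Content -Path $settings -Raw
$kph = $doc.settings.setting | Where-Object { $_.GetAttribute('name') -eq 'EnableKph' }
if ($null -eq $kph -or $kph.InnerText -ne '0') {
    Write-Warning "EnableKph is not 0 in $settings; the driver will be loaded on start."
}

# Launch with the settings file; quoting the path handles spaces in the folder name.
Start-Process -FilePath $exe -ArgumentList @('-settings', "`"$settings`"") -WorkingDirectory $PhDir
```

Run the script from the extracted folder; on the first run it creates the XML file, and on later runs it only validates and launches. Because the settings file travels with the folder, a copy on a flash drive keeps the driver disabled on every machine it is plugged into, while the Options dialog can still turn it on for the session that needs it.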
 Post subject: Re: Process Hacker
PostPosted: Fri Jul 30, 2010 8:23 am 

Joined: Sat Feb 13, 2010 9:46 pm
Posts: 74
Ruby wrote:
But please do not delete 'kprocesshacker.sys', this kernel driver is what puts the hacker in Process Hacker.

Yeah, I know, but that driver is also what takes the stealth out of Process Hacker.

Ruby wrote:
There are other apps in the database that write to the same reg key, yet no special instructions like this.

What apps?
AFAIK, there are very few apps that rely on drivers to do their jobs; I know disk defragmenters do, and I know rootkit detectors/unhookers do, but I can't remember any others off the top of my head.

Ruby wrote:
I have found a way to start the app without it creating that reg key, whether you start as Admin or not.

1. Download the ZIP package and extract to a folder of your choice.
2. Create a new file in the folder and name it 'ProcessHacker.xml' (w/o quotes)
3. Copy and Paste the code below inside this new file and run with the parameter -settings ProcessHacker.xml
Code:
<settings>
  <setting name="EnableKph">0</setting>
</settings>
Process Hacker will now read/write to this file.

Should the time come when you do need to delete/terminate some low-level process here are the ways.

If running as normal user, click Hacker > Options... > Advanced and tick 'Enable kernel-mode driver'.
Click Hacker again and click 'Show Details for All Processes' this will elevate and load the driver and you're good to go.

If running as Admin, > 'Enable kernel-mode driver', you'll need to restart PH to load the driver.

With this driver loaded I was able to shut down avast! with just a couple of clicks.

Note: You can name the xml file you create anything you want as long as you pass it after the parameter -settings.

Nice! That disables the driver but doesn't delete it, so it can be re-enabled if necessary. That's much cleaner than my suggestion.
I'll have to see if I can summarize that so it can fit into the extraction instructions space...


 Post subject: Re: Process Hacker
PostPosted: Mon Aug 09, 2010 11:22 am 

Joined: Sat Sep 05, 2009 6:35 pm
Posts: 93
In the Synopsis of ProcessHacker here at TPFC it states:
Quote:
Full control over processes, rootkit termination, and DLL controls.

How to extract:
Quote:
Delete kprocesshacker.sys

And at the Homepage of ProcessHacker:
Quote:
Full control over all processes, even processes protected by rootkits or security software.
Its kernel-mode driver has unique abilities which allows it to terminate, suspend and resume all processes and threads,
including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).

I don't think that for the sake of a 'stealth application' this program should be crippled of its full capabilities.
I think the extraction method I put together (here) is a better option for people to run this application
without deleting the driver and retaining ProcessHacker's full capabilities should they be needed.


 Post subject: Re: Process Hacker
PostPosted: Mon Aug 09, 2010 11:52 am 

Joined: Sat Jul 31, 2010 1:19 am
Posts: 48
Location: Helsinki, Finland
BTW, the kernel-mode driver can also be disabled by using the command line switch -nokph.

Personally I keep the driver enabled. I find features more important than stealthability.

_________________
In my pocket:
    50 portable programs :)
    GNU/Linux operating system :P
    640 gigabytes of storage :D

Note: I don't test the updates I submit for portability.


 Post subject: Re: Process Hacker
PostPosted: Mon Aug 09, 2010 12:15 pm 

Joined: Sat Sep 05, 2009 6:35 pm
Posts: 93
SYSTEM wrote:
BTW, the kernel-mode driver can also be disabled by using the command line switch -nokph.

That's good to know.
Can it be re-enabled live when running with that switch?
SYSTEM wrote:
Personally I keep the driver enabled.

Yeah, I keep it disabled (on flash drive) but it's there and ready to go!
SYSTEM wrote:
I find features more important than stealthability.

I'm with you on this one.


 Post subject: Re: Process Hacker
PostPosted: Mon Aug 09, 2010 12:26 pm 

Joined: Sat Jul 31, 2010 1:19 am
Posts: 48
Location: Helsinki, Finland
Ruby wrote:
SYSTEM wrote:
BTW, the kernel-mode driver can also be disabled by using the command line switch -nokph.

That's good to know.
Can it be re-enabled live when running with that switch?

I haven't tested.

_________________
In my pocket:
    50 portable programs :)
    GNU/Linux operating system :P
    640 gigabytes of storage :D

Note: I don't test the updates I submit for portability.


 Post subject: Re: Process Hacker
PostPosted: Tue Aug 10, 2010 4:14 am 

Joined: Sat Jul 31, 2010 1:19 am
Posts: 48
Location: Helsinki, Finland
SYSTEM wrote:
Ruby wrote:
SYSTEM wrote:
BTW, the kernel-mode driver can also be disabled by using the command line switch -nokph.

That's good to know.
Can it be re-enabled live when running with that switch?

I haven't tested.


Well, now I have tested. At least under Windows XP SP3 re-enabling the driver requires restarting Process Hacker without the switch.

_________________
In my pocket:
    50 portable programs :)
    GNU/Linux operating system :P
    640 gigabytes of storage :D

Note: I don't test the updates I submit for portability.

