Process Hacker

Submit portable freeware that you find here. It helps if you include information like description, extraction instruction, Unicode support, whether it writes to the registry, and so on.
infimum
Posts: 231
Joined: Sun Mar 02, 2008 1:00 am

Re: Process Hacker

#16 Post by infimum »

computerfreaker wrote: is it acceptable in terms of telling users how to keep things as portable as possible
I think that's preferable. For example, look at the extraction instruction of AkelPad.
http://www.portablefreeware.com/?id=952

computerfreaker
Posts: 83
Joined: Sat Feb 13, 2010 9:46 pm

Re: Process Hacker

#17 Post by computerfreaker »

infimum wrote:
computerfreaker wrote: is it acceptable in terms of telling users how to keep things as portable as possible
I think that's preferable. For example, look at the extraction instruction of AkelPad.
http://www.portablefreeware.com/?id=952
Do you think I should edit the Process Hacker database entry again to make it look a bit nicer, like AkelPad's entry? The current PH entry gets the job done, but it's not as clear as AkelPad's entry.

guinness
Posts: 4118
Joined: Mon Aug 27, 2007 2:00 am

Re: Process Hacker

#18 Post by guinness »

Do you think I should edit the Process Hacker database entry again to make it look a bit nicer.
I think it would make it a lot easier for the average user to decipher.

computerfreaker
Posts: 83
Joined: Sat Feb 13, 2010 9:46 pm

Re: Process Hacker

#19 Post by computerfreaker »

guinness wrote:
Do you think I should edit the Process Hacker database entry again to make it look a bit nicer.
I think it would make it a lot easier for the average user to decipher.
Do you think the entry looks OK now?

(I've got to be careful with all these edits or I'm going to end up getting banned; unless somebody has a major objection to the way the entry looks right now, I think I'm done.)

guinness
Posts: 4118
Joined: Mon Aug 27, 2007 2:00 am

Re: Process Hacker

#20 Post by guinness »

I've got to be careful with all these edits or I'm going to end up getting banned.
Not at all! You have made great contributions to the TPFC community. It would be petty if you were banned for improving the quality of your suggested application :)

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: Process Hacker

#21 Post by webfork »

computerfreaker wrote: Do you think the entry looks OK now?
I added a bit more to the description drawn from the feature list on the website. I figure it's incomplete if we describe it as "feature-packed" without listing any of those features.
computerfreaker wrote: I've got to be careful with all these edits or I'm going to end up getting banned
Although on some servers they come up as red flags, you will not get banned for frequent edits here on PFW. I know because I've edited PicPick like 20x and there were no issues.

-.-
Posts: 325
Joined: Mon Oct 06, 2008 4:32 pm

Re: Process Hacker

#22 Post by -.- »

I made a .bat to start it with -settings settings.ini and converted it to an .exe... so far it works nicely and I just have it start up with Windows.

Since this doesn't use .NET I'll switch back to it from Process Explorer; I find a lot more features on Process Hacker and I like the Services tab.

Edit: found kprocess in the Services tab, stopped/removed it from there and it seems to work fine. Though it won't fix the stealth issue, I can leave the .sys in the folder and it won't use it now :D

computerfreaker
Posts: 83
Joined: Sat Feb 13, 2010 9:46 pm

Re: Process Hacker

#23 Post by computerfreaker »

webfork wrote:
computerfreaker wrote: Do you think the entry looks OK now?
I added a bit more to the description drawn from the feature list on the website. I figure it's incomplete if we describe it as "feature-packed" without listing any of those features.
Thanks for doing that! I thought about doing a feature list, but couldn't seem to get all the features summarized into a reasonably small block of text.

webfork wrote:
computerfreaker wrote: I've got to be careful with all these edits or I'm going to end up getting banned
Although on some servers they come up as red flags, you will not get banned for frequent edits here on PFW. I know because I've edited PicPick like 20x and there were no issues.
That's good to hear. I was basing my statement off this quote, which always comes up when I'm editing an entry:
Note: All edits are logged. If any member is found to abuse this privilege, inappropriate changes will be reverted and the offending member may be permanently banned.
"abusing this privilege", at least to me, means excessively using the Edit feature, hence the concern.
guinness wrote:
I've got to be careful with all these edits or I'm going to end up getting banned.
Not at all! You have made great contributions to the TPFC community. It would be petty if you were banned for improving the quality of your suggested application :)
Well, I don't really believe in giving users more leeway just because they've contributed a bit. "Rules is rules", which means I really should have done a good job the first time.
-.- wrote: Since this doesn't use .NET I'll switch back to it from Process Explorer; I find a lot more features on Process Hacker and I like the Services tab.
Yeah, the Services tab is a nice feature. I've used it a lot over the past few days; let's just say I was surprised by how many services are on this old system.
-.- wrote: Edit: found kprocess in the Services tab, stopped/removed it from there and it seems to work fine. Though it won't fix the stealth issue, I can leave the .sys in the folder and it won't use it now :D
I'm pretty sure it'll still leave Registry traces from where the driver was installed, though. I think the only way around that is to delete (or rename) the driver before installing it, which means deleting the driver before running Process Hacker.


Incidentally, once the PortableApps.com Launcher supports handling services & drivers, we can have a truly portable version of Process Hacker complete with its driver. I know a lot of users on here don't use (or like) things from PortableApps, but I figure it's worth mentioning for those who do.

Ruby
Posts: 324
Joined: Sat Sep 05, 2009 6:35 pm

Re: Process Hacker

#24 Post by Ruby »

OK, I voted because this app really does rock!

But please do not delete 'kprocesshacker.sys'; this kernel driver is what puts the hacker in Process Hacker.

There are other apps in the database that write to the same reg key, yet they have no special instructions like this.

I have found a way to start the app without it creating that reg key, whether you start as Admin or not.

1. Download the ZIP package and extract to a folder of your choice.
2. Create a new file in the folder and name it 'ProcessHacker.xml' (w/o quotes)
3. Copy and Paste the code below inside this new file and run with the parameter -settings ProcessHacker.xml


<settings>
  <setting name="EnableKph">0</setting>
</settings>
Process Hacker will now read/write to this file.

Should the time come when you do need to delete/terminate some low-level process, here are the ways.

If running as a normal user, click Hacker > Options... > Advanced and tick 'Enable kernel-mode driver'.
Click Hacker again and click 'Show Details for All Processes'; this will elevate and load the driver and you're good to go.

If running as Admin, > 'Enable kernel-mode driver', you'll need to restart PH to load the driver.

With this driver loaded I was able to shut down avast! with just a couple of clicks.

Note: You can name the xml file you create anything you want as long as you pass it after the parameter -settings.
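As an added example (not from Ruby's post or the Process Hacker project), the steps above wrapped in a PowerShell launcher: it writes the settings file with EnableKph set to 0 if it is missing, re-checks the value before starting (Process Hacker rewrites the file, so the flag can be flipped from the Options dialog), launches with -settings, and afterwards reports whether a driver service is registered on the machine, which is the trace the thread is trying to avoid. The -NoKph switch uses the -nokph command-line option mentioned later in this thread instead of a settings file. The driver service name 'KProcessHacker' and the location of ProcessHacker.exe next to the script are assumptions; the thread only says the driver shows up in the Services tab.

```powershell
# Added example, not code from the forum post or from the Process Hacker project.
# Launches Process Hacker with the kernel driver disabled and then audits the
# host for a registered driver service.
# Assumptions: ProcessHacker.exe sits in $Folder; the driver's service name is
# 'KProcessHacker' (assumed, not stated in the thread).
param(
    [string]$Folder = $PSScriptRoot,
    [string]$SettingsFile = 'ProcessHacker.xml',
    [switch]$NoKph   # use the -nokph switch instead of a settings file
)

$exe = Join-Path $Folder 'ProcessHacker.exe'
if (-not (Test-Path $exe)) { throw "ProcessHacker.exe not found in $Folder" }

$settingsPath = Join-Path $Folder $SettingsFile

# Steps 2 and 3 of the procedure: create the settings file if it does not exist yet.
if (-not (Test-Path $settingsPath)) {
    @'
<settings>
  <setting name="EnableKph">0</setting>
</settings>
'@ | Set-Content -Path $settingsPath -Encoding UTF8
}

# Process Hacker writes its settings back to this file, so confirm the driver
# is still disabled before every start.
[xml]$xml = Get-Content -Path $settingsPath -Raw
$kph = @($xml.settings.setting) | Where-Object { $_.GetAttribute('name') -eq 'EnableKph' }
if (-not $kph -or $kph.InnerText -ne '0') {
    Write-Warning "EnableKph is not 0 in $SettingsFile; the driver will load on the next elevated start."
}

$arguments = if ($NoKph) { '-nokph' } else { "-settings `"$settingsPath`"" }
Start-Process -FilePath $exe -ArgumentList $arguments

# Audit: kernel drivers are not listed by Get-Service, so query Win32_SystemDriver.
# A registered service means the driver was installed at some point on this host.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='KProcessHacker'"
if ($drv) {
    Write-Output "Driver service 'KProcessHacker' is registered (state: $($drv.State), path: $($drv.PathName))."
} else {
    Write-Output "No 'KProcessHacker' driver service registered; no driver trace found."
}
```

Run it from the Process Hacker folder as `.\Start-ProcessHacker.ps1`, or with `-NoKph` to rely on the command-line switch instead; the audit line at the end tells you whether the stealth goal was actually met on the machine you are on.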

computerfreaker
Posts: 83
Joined: Sat Feb 13, 2010 9:46 pm

Re: Process Hacker

#25 Post by computerfreaker »

Ruby wrote: But please do not delete 'kprocesshacker.sys'; this kernel driver is what puts the hacker in Process Hacker.
Yeah, I know, but that driver is also what takes the stealth out of Process Hacker.
Ruby wrote: There are other apps in the database that write to the same reg key, yet they have no special instructions like this.
What apps?
AFAIK, there are very few apps that rely on drivers to do their jobs; I know disk defragmenters do, and I know rootkit detectors/unhookers do, but I can't remember any others off the top of my head.
Ruby wrote: I have found a way to start the app without it creating that reg key, whether you start as Admin or not.

1. Download the ZIP package and extract to a folder of your choice.
2. Create a new file in the folder and name it 'ProcessHacker.xml' (w/o quotes)
3. Copy and Paste the code below inside this new file and run with the parameter -settings ProcessHacker.xml


<settings>
  <setting name="EnableKph">0</setting>
</settings>
Process Hacker will now read/write to this file.

Should the time come when you do need to delete/terminate some low-level process, here are the ways.

If running as a normal user, click Hacker > Options... > Advanced and tick 'Enable kernel-mode driver'.
Click Hacker again and click 'Show Details for All Processes'; this will elevate and load the driver and you're good to go.

If running as Admin, > 'Enable kernel-mode driver', you'll need to restart PH to load the driver.

With this driver loaded I was able to shut down avast! with just a couple of clicks.

Note: You can name the xml file you create anything you want as long as you pass it after the parameter -settings.
Nice! That disables the driver but doesn't delete it, so it can be re-enabled if necessary. That's much cleaner than my suggestion.
I'll have to see if I can summarize that so it can fit into the extraction instructions space...

Ruby
Posts: 324
Joined: Sat Sep 05, 2009 6:35 pm

Re: Process Hacker

#26 Post by Ruby »

In the Synopsis of ProcessHacker here at TPFC it states:
Full control over processes, rootkit termination, and DLL controls.
How to extract:
Delete kprocesshacker.sys
And at the Homepage of ProcessHacker:
Full control over all processes, even processes protected by rootkits or security software.
Its kernel-mode driver has unique abilities which allows it to terminate, suspend and resume all processes and threads,
including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).
I don't think that for the sake of a 'stealth application' this program should be crippled of its full capabilities.
I think the extraction method I put together (here) is a better option for people to run this application
without deleting the driver and retaining ProcessHacker's full capabilities should they be needed.

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Process Hacker

#27 Post by SYSTEM »

BTW, the kernel-mode driver can also be disabled by using the command line switch -nokph.

Personally I keep the driver enabled. I find features more important than stealthability.
My YouTube channel | Release date of my 13th playlist: August 24, 2020

Ruby
Posts: 324
Joined: Sat Sep 05, 2009 6:35 pm

Re: Process Hacker

#28 Post by Ruby »

SYSTEM wrote: BTW, the kernel-mode driver can also be disabled by using the command line switch -nokph.
That's good to know.
Can it be re-enabled live when running with that switch?
SYSTEM wrote: Personally I keep the driver enabled.
Yeah, I keep it disabled (on flash drive) but it's there and ready to go!
SYSTEM wrote: I find features more important than stealthability.
I'm with you on this one.

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Process Hacker

#29 Post by SYSTEM »

Ruby wrote:
SYSTEM wrote: BTW, the kernel-mode driver can also be disabled by using the command line switch -nokph.
That's good to know.
Can it be re-enabled live when running with that switch?
I haven't tested.

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Process Hacker

#30 Post by SYSTEM »

SYSTEM wrote:
Ruby wrote:
SYSTEM wrote: BTW, the kernel-mode driver can also be disabled by using the command line switch -nokph.
That's good to know.
Can it be re-enabled live when running with that switch?
I haven't tested.
Well, now I have tested. At least under Windows XP SP3 re-enabling the driver requires restarting Process Hacker without the switch.
