Process Hacker
Process Hacker is a tool to view and manipulate processes and services. It can display a process's threads, modules, memory regions and handles, search through process memory, and read/write memory using a built-in hex editor.
On Windows Vista, the configuration files for Process Hacker are stored in AppData\Local\wj32. On Windows XP, they are stored in Local Settings\Application Data\wj32.
Process Hacker's options are accessible from the Options menu item in the Hacker menu.
%s is replaced by the name of the selected process or module.
user would be shown as machine-name\user.
Process Hacker supports the input of numbers in various bases (including some non-standard extensions). This is allowed in: Get Function Address, Change Memory Protection, the Go To box in Read/Write Memory, and the insertion of numbers through the Utilities button.
A number is assumed to be in base 10 unless:
0 (zero) - octal (base 8)
0x - hexadecimal (base 16)
b - binary (base 2)
t - ternary (base 3)
q - quaternary (base 4)
w - base 12
r - base 32
The process tree displays processes running on the system as a tree; processes started by a particular parent process are shown indented below it. Processes with a non-existent parent (where its parent has terminated) are shown on the far left. You can manipulate processes by right-clicking on them, and you can show detailed properties for a process by double-clicking it or selecting the "Properties..." menu item.
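The base prefixes listed above for number input, modelled as a small parser. This is an added example, not Process Hacker's own code; it assumes prefixes are case-insensitive and that digits above 9 are the letters a, b, c and so on. It shows the practical consequence of the leading-zero rule: an address typed as 010 is read as 8, and 09 is rejected.

```python
# Prefix -> base, per the list above. "0x" is tested before the bare "0".
PREFIXES = (("0x", 16), ("b", 2), ("t", 3), ("q", 4),
            ("w", 12), ("r", 32), ("0", 8))


def parse_number(text):
    """Parse a number using the prefix rules; raise ValueError if invalid."""
    s = text.strip().lower()  # assumption: prefixes and digits ignore case
    base, digits = 10, s
    for prefix, prefix_base in PREFIXES:
        # A prefix only counts when a digit follows it, so "0" stays decimal zero.
        if s.startswith(prefix) and len(s) > len(prefix):
            base, digits = prefix_base, s[len(prefix):]
            break
    # int() alone also accepts signs, underscores and non-ASCII digits; reject those.
    if not (digits.isascii() and digits.isalnum()):
        raise ValueError(f"not a number: {text!r}")
    # Assumption: digits above 9 are a, b, c, ... (base 32 uses 0-9 and a-v).
    return int(digits, base)


if __name__ == "__main__":
    for sample in ("4096", "0x1000", "010", "b1010", "t102", "q33", "w1b", "rv"):
        print(f"{sample:>8} -> {parse_number(sample)}")
    try:
        parse_number("09")
    except ValueError as exc:
        print("      09 -> rejected:", exc)
```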
You can sort by the various columns by clicking on them - the tree view will temporarily become a flat list. You can click the same column again to sort in the reverse order, and once more to return to the tree view.
Like Process Explorer, Process Hacker shows Deferred Procedure Calls (DPCs) and Interrupts in the process tree. The only information these "processes" show is their CPU usage.
Warning: Manipulating csrss.exe, dwm.exe, lsass.exe, lsm.exe, smss.exe, winlogon.exe or any other system processes is not recommended and may lead to system instability or a crash.
TerminateProcess API function to terminate the selected process(es).
NtSuspendProcess API function to suspend the selected process(es).
NtResumeProcess API function to resume the selected process(es).
EmptyWorkingSet API function to reduce the process' working set. This is a safe function; the process will eventually reclaim most of its working set.
Assistant.exe (distributed with Process Hacker) to be in the same directory as ProcessHacker.exe.
Process Hacker supports searching using a literal string or regular expressions. To perform a search, open a Properties window for a process, select the Memory tab and select an option in the search button. A window will appear in which you can enter the data to search for. You can also control the types of memory regions to search.
In the Literal tab, there is a small button in the bottom-right which allows you to insert data in various formats.
In the search results list, double-clicking an item will open the Memory Editor with the search result highlighted.
All of these samples must have Ignore Case selected.
A valid filesystem character is [ a-z0-9`~';!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}]
[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.(au|biz|ca|com|info|net|org|uk|zh)
[A-Z]:\\([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}]*\\)*([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}]*)(\\)*
([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}])+\.(bat|com|dll|exe)
(file|ftp|http):///*[a-z0-9%\/ .\-_:\(\)\[\]]+
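Two of the sample expressions above (the executable-file-name and URL patterns) run case-insensitively over a byte buffer, with a minimum-length cutoff that mirrors a >= filter on the Results Window's Length column. This is an added example, not part of Process Hacker; the buffer is constructed sample data and the function name is hypothetical.

```python
import re

# Sample patterns from this page, copied verbatim as byte patterns.
FILENAME = rb"([ a-z0-9`~'!@#\$%\^&\-_=+\,\.\(\)\[\]\{\}])+\.(bat|com|dll|exe)"
URL = rb"(file|ftp|http):///*[a-z0-9%\/ .\-_:\(\)\[\]]+"

# Constructed sample standing in for a memory region (not real process data).
SAMPLE = (b"\x00\x01\x02\x03"
          b"C:\\Windows\\kernel32.dll\x00"
          b"http://example.com/update.bin\x00"
          b"a.exe\x00")


def search(region, pattern, min_length=0):
    """Return (offset, length, text) for each hit of at least min_length bytes."""
    rx = re.compile(pattern, re.IGNORECASE)  # the samples require Ignore Case
    hits = []
    for m in rx.finditer(region):
        length = m.end() - m.start()
        if length >= min_length:
            hits.append((m.start(), length, m.group(0).decode("ascii")))
    return hits


if __name__ == "__main__":
    for name, pattern in (("filename", FILENAME), ("url", URL)):
        for offset, length, text in search(SAMPLE, pattern, min_length=10):
            print(f"{name:8} 0x{offset:04x} len={length:2} {text}")
```

The file-name pattern also reports example.com from inside the URL, because .com is one of its accepted extensions; expect domain names among the hits when triaging results.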
The Results Window is displayed when searching for data, scanning for strings or scanning for heaps. There are five buttons at the top of the window:
>=) followed by the number. If the filter (>=10) is applied to the Length column, all items with a length greater than or equal to 10 will be displayed.
Process Hacker Copyright (C) 2008-2009 wj32 Copyright (C) 2008-2009 Dean This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
Process Hacker uses the HexBox component by Bernhard Elbl, licensed under the Microsoft Public License:
This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software. 1. Definitions The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software, or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution. 2. Grant of Rights (A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create. (B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software. 3. Conditions and Limitations (A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks. (B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically. (C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software. 
(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license. (E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
Process Hacker uses the VistaMenu and SplitButton components by Wyatt O'Day, licensed under the following terms:
Copyright (c) 2008, wyDay All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Process Hacker uses a modified version of the Free Disassembler and Assembler by Oleh Yuschuk, licensed under the following terms:
Free Disassembler and Assembler Copyright (C) 2001 Oleh Yuschuk This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA