- Since v2.39, support for Windows XP/Vista has ended; on these OSes use v2.38.
- It is strongly recommended that you carefully review the documentation in the Wiki, in the archive "Process_Hacker-bin.7z" and on the project site.
Notes on installing and configuring Process Hacker:
General:
- Running Process Hacker in compatibility mode for previous OS versions will lead to unreliable information output!
- Some plug-in features depend on the OS version: see the instructions on the "Plug-ins: install default locations" page. If there is a note like "only for Windows ...", the plug-in requires that version of the OS, and its correct operation on other OS versions is not guaranteed!
- Users are strongly advised not to enable the kernel-level driver (see Privileged functions:) because this dramatically reduces the level of OS security.
- All the settings of Process Hacker and its plug-ins are stored in the XML file "%APPDATA%\Process Hacker\settings.xml", or, in Portable mode, in "ProcessHacker.exe.settings.xml" in the Process Hacker directory. Registry entries for drivers, services and OS integration are created only at your command.
- My build differs from the Nightly builds in that it includes the experimental plug-ins of the Plugins-Extra group, has no digital signature (EDS) in the EXE/DLL modules (this is done deliberately for localization), and automatically sets the startup parameters of KProcessHacker3. There are no other differences.
- If necessary, you will be prompted at the end of the installation to restart the OS. Do so, or the KProcessHacker3 driver will not be able to restart.
Manage settings:
- The Process Hacker settings are accessed through the menus "Hacker - Options", "Hacker - Plugins ..." and "Hacker - Options - Show advanced options - Advanced" (v3.0.5478.951: this flag is always reset; it opens the settings editor).
- The example "ProcessHacker.exe.settings.xml" settings file can be used to restore Process Hacker to a working initial configuration.
- By default, the Firewall Monitor plug-in is disabled.
- For non-official builds, set the value "EnableKphWarnings=0" in the settings editor. If the KProcessHacker3 driver is needed (when working in a limited account, it is needed to access processes run by other users), run the following command in the CMD console as Administrator:
taskkill /IM ProcessHacker.exe /FI "STATUS eq running" && sc stop KProcessHacker3 && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\KProcessHacker3\Parameters" /v "SecurityLevel" /t REG_DWORD /d 0 /f && sc start KProcessHacker3
Then you can start Process Hacker with the rights of a normal user by enabling "Enable kernel-mode driver" in its settings (or by setting "EnableKPH = 1" in the settings editor).
- In the Process Hacker settings you can use relative paths by simply specifying the file name, but the file is then searched for by the rules given in the MSDN article Search Path Used by Windows to Locate a DLL:
With both explicit and implicit linking, Windows first searches for "known DLLs" such as Kernel32.dll and User32.dll. Windows then searches for the DLLs in the following sequence:
1. The directory in which the executable module of the current process is located.
2. The current directory.
3. The Windows system directory. The path to this directory is retrieved using the GetSystemDirectory function.
4. The Windows directory. The path to this directory is retrieved using the GetWindowsDirectory function.
5. The directories specified in the PATH environment variable.
Note:
The LIBPATH environment variable is not used.
See also the MSDN article Dynamic-Link Library Search Order.
- User-defined settings are kept until you reset all settings by clicking the "Reset" button in the "Options..." window or delete the configuration file "%APPDATA%\Process Hacker\settings.xml" (for normal installation) or "ProcessHacker.exe.settings.xml" (for portable mode only).
- The "Hacker - Options - General - Start hidden" option was added in v3.0.5478.951 and becomes available when the checkbox "Hacker - Options - General - Start when I log on" is set [x].
- In v3.0.0 (r455), the paths for storing settings and the autostart key name changed from "Process Hacker 2" to "Process Hacker" to make it possible to run versions v2.x and v3.x in parallel. The installer takes this into account, so delete any folders in the Start menu and on disk that you no longer need, as well as autorun entries in "HKCU ... Run", yourself! When updating an existing Process Hacker installation, "usernotes.xml" and "settings.xml" are automatically copied to the "%APPDATA%\Process Hacker" directory.
- Starting from v3.0.5695.1168, the parameter names in the settings editor window are sorted alphabetically; this sorting rule does not apply to *.settings.xml.
- By default, the cache download directory is "%LOCALAPPDATA%\Process Hacker", but you can change it to any other directory at your discretion through the "LocalCachePath" value in the settings editor.
- Since v3.0.5469.942, empty files "ProcessHacker.exe.settings.xml" and "usernotesdb.xml" (0 bytes) are automatically added to the distribution kit during the build, so it is worth backing up your configs to avoid overwriting them.
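The search order quoted above decides which copy of a bare file name is actually used when more than one exists. The following is an added example, not part of Process Hacker or of this build: it walks steps 1-5 of that order and reports the winning copy and the copies it shadows. The function names and the directory layout are hypothetical and constructed for the demonstration, and the "known DLLs" shortcut is not modelled.

```python
import ntpath
import os
import tempfile

def is_bare_name(value):
    """True for 'GeoLite2-Country.mmdb'; False for anything with a drive or directory."""
    return bool(value) and not ntpath.splitdrive(value)[0] and ntpath.basename(value) == value

def search_dirs(app_dir, cwd, system_dir, windows_dir, path_value):
    """Steps 1-5 of the quoted order; the 'known DLLs' shortcut is not modelled."""
    fixed = [("1 application dir", app_dir), ("2 current dir", cwd),
             ("3 system dir", system_dir), ("4 Windows dir", windows_dir)]
    return fixed + [("5 PATH", p) for p in path_value.split(";") if p]

def audit(name, dirs):
    """Report which copy of `name` wins and which later copies it shadows."""
    if not is_bare_name(name):
        raise ValueError("the search order applies to bare file names only")
    hits = []
    for step, directory in dirs:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # a missing or unreadable directory is simply skipped
        # Windows file names are case-insensitive, so compare lowercased.
        hits += [(step, os.path.join(directory, e)) for e in entries
                 if e.lower() == name.lower()]
    return {"step": hits[0][0] if hits else None,
            "resolved": hits[0][1] if hits else None,
            "shadowed": [path for _, path in hits[1:]]}

def demo():
    """Constructed layout: the intended copy is on PATH, another sits in the CWD."""
    root = tempfile.mkdtemp()
    made = {}
    for d in ("app", "cwd", "system32", "windows", "tools"):
        made[d] = os.path.join(root, d)
        os.mkdir(made[d])
    open(os.path.join(made["tools"], "GeoLite2-Country.mmdb"), "w").close()
    open(os.path.join(made["cwd"], "geolite2-country.mmdb"), "w").close()
    dirs = search_dirs(made["app"], made["cwd"], made["system32"],
                       made["windows"], made["tools"])
    return audit("GeoLite2-Country.mmdb", dirs)

if __name__ == "__main__":
    print(demo())
```

In the constructed layout the copy in the current directory wins over the one on PATH, so the file that gets used depends on the directory Process Hacker was started from.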
Process filters:
- For a list of the process filters available in the search dialog, see the file "process_searchbox_filter.txt" (applicable only to the search dialog in the Process panel).
On-line virus scan:
- For the OnlineCheck plug-in to work, enable the option "Enable VirusTotal scanning" in the menu "Hacker - Options - OnlineCheck" and the checkbox "Enable VirusTotal scanning" in the "Tools" menu under "Online Check", then be sure to restart Process Hacker.
- If the "VirusTotal" column shows "VirusTotal disabled" or is empty, nothing prevents you from sending a file to it through the process context menu "Send to ...".
Work with the geolocation database:
- The flag in the Networks panel indicates which country the IP was allocated to, but this does not mean that the host is there.
- To install (update) the MaxMind GeoLite2-Country database (the DB is updated on the first Tuesday of each month), open the menu item "Tools - Network Tools - GeoIP database update..." and press the "Download" button and then, 6 - 8 seconds after downloading the database, "Restart".
- By default the database "GeoLite2-Country.mmdb" is searched for in the directory "%APPDATA%\Process Hacker", but you can change this directory to any other at your discretion through the "ProcessHacker.NetworkTools.GeoDbPath" value in the configuration file "settings.xml" ("ProcessHacker.exe.settings.xml") or through the settings editor.
- When installing Process Hacker, the MaxMind GeoLite2-Country database is installed only if the file "GeoLite2-Country.mmdb" (downloaded separately) is found in the same directory from which the installer is run.
Work with removable media (Portable mode):
- When using Process Hacker from removable media, it is recommended to use relative paths for GeoLite2-Country.mmdb and the Cache directory.
- Starting with v3.0.5467.940, the file "usernotesdb.xml" is created automatically if necessary when you add a custom comment or when Process Hacker exits.
Working with sets of process tree columns:
- The process tree column sets are stored in the parameter "ProcessTreeColumnSetConfig" in the file "*.settings.xml"; they are managed from the View menu, which offers this from v3.0.5639.1112.
Privileged functions:
- The default security level for the KProcessHacker driver is 2 (the digital signature (EDS) of the Process Hacker files is checked; see notes.txt in the archive for details).
- The menu item "Tools - Hidden processes" was added in v3.0.5378.851. To enable it, check "Show advanced options [x]" in "Hacker - Options", go to the "Advanced" tab, change the "HiddenProcessesMenuEnabled" setting (v3.0.5478.951) from 0 to 1 and restart Process Hacker.
- The module unloading function works only on Windows XP - 7. On Windows 8 - 10 this feature is not available.
- Batch jobs (the tooltip will read "Process is in a job") are always detected, but for the Job tab to appear in the properties, the KProcessHacker3 driver must be running and "Enable kernel-mode driver" must be checked on the "General" tab of the Process Hacker options.