Until my recent discovery of Process Hacker, I assumed that Process Explorer was the best Task Manager alternative. However, in some areas, the open source tool Process Hacker is more than a match for Microsoft’s Sysinternals tool. The user interfaces of both tools look quite similar. As in Process Explorer, you can add columns to view more details of the processes running on a Windows machine. Unfortunately, Process Hacker doesn’t let you view DLL and handle information in a lower pane as Process Explorer does.
To access such data, you have to open the process’s properties. Process Explorer (left) and Process Hacker (right) differ here (see screenshot). I am missing the open TCP/IP connections in Process Hacker’s process properties. However, the main user interface has an extra tab that lists all processes with their open network connections.
Process Hacker’s capabilities are far superior to Process Explorer’s when it comes to searching the memory a process occupies. The tool gives a good overview of the process’s memory usage, and it supports literal (hex) search, string search, regular expressions, and more. Another nice feature is Process Hacker’s ability to find hidden processes, which lets you track down some simple rootkits. For this, Process Hacker attempts to open PIDs sequentially from 8 to 65536. This reveals not only hidden processes but also terminated processes that are still referenced by other processes.
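The hidden-process check described above, as an added example that is not Process Hacker’s own code: it walks PIDs from 8 to 65536 in steps of 4, asks OpenProcess about each one, and reports PIDs that can be opened but are missing from the ordinary EnumProcesses snapshot. The helper names are my own; the Windows-specific part only runs on Windows (the query right used requires Vista or later).

```python
"""Probe PIDs 8..65536 with OpenProcess and report any the normal process
enumeration omits.  Added example, not Process Hacker's code."""
import ctypes
import sys

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # enough to test existence
ERROR_ACCESS_DENIED = 5


def find_unlisted_pids(visible, probe, lo=8, hi=65536, step=4):
    """Return PIDs in [lo, hi] that probe() reports but `visible` lacks.

    visible: set of PIDs the normal enumeration returned.
    probe(pid): True if the PID names an existing process object (open
    succeeded or access was denied), False if the PID is invalid.
    Windows allocates PIDs in multiples of 4, hence the default step.
    """
    return sorted(pid for pid in range(lo, hi + 1, step)
                  if pid not in visible and probe(pid))


if sys.platform == "win32":
    from ctypes import wintypes

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]

    def snapshot_pids():
        """The ordinary process list, as Task Manager would see it."""
        arr = (wintypes.DWORD * 8192)()
        needed = wintypes.DWORD()
        if not psapi.EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        return set(arr[: needed.value // ctypes.sizeof(wintypes.DWORD)])

    def open_process_probe(pid):
        """True if the PID is a live, or terminated-but-still-referenced, process."""
        h = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if h:
            kernel32.CloseHandle(h)
            return True
        # Access denied still proves the object exists; an invalid PID does not.
        return ctypes.get_last_error() == ERROR_ACCESS_DENIED

    if __name__ == "__main__":
        for pid in find_unlisted_pids(snapshot_pids(), open_process_probe):
            print(f"PID {pid} opens via OpenProcess but is not in the process list")
```

Like Process Hacker, this lists recently exited processes whose objects are still held open by someone else, so a hit is a lead to investigate, not proof of a rootkit.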
But Process Hacker’s real strength comes to light when you have to manipulate, that is, “hack,” processes. The process’s context menu lists all the available functions. If you compare it with Process Explorer’s context menu (right), you have to admit that Process Hacker (left) has quite a few additional features to offer (see screenshot). Most noteworthy are Reduce Working Set (empties the selected process’s working set), Virtualization (virtualizes the registry and system folders), Create Dump File (dumps the process’s memory contents), Inject DLLs, and Terminator.
The last feature deserves a more detailed explanation. You can terminate processes with Process Hacker the soft way (as in Process Explorer and Task Manager) by letting Windows send a terminate signal to the process. However, sometimes this doesn’t work, especially when the process hangs. The Terminator feature does something different: it uses a number of uncommon techniques to get rid of a rebellious process. For example, it can terminate all of the process’s threads, close the process’s handles, or terminate the process in kernel mode (see screenshot for the complete list).
The authors claim that the Terminator feature gives you full control over processes that are protected by rootkits and security software. They name a few applications that can’t be killed with Task Manager but can be with Process Hacker. One of them is AVG, the antivirus software. I tried the Terminator with AVG, but Process Hacker failed to terminate the process under Vista. Perhaps AVG has modified their antivirus software in the meantime. By the way, to use the Terminator feature, you have to enable the kernel mode driver in the advanced options. And, of course, you must run Process Hacker as an administrator (elevated).
I haven’t covered all of Process Hacker’s features. If you try the tool, I recommend having a look at the (sparse) manual. The only real downside of Process Hacker is that it is relatively unstable. It crashed several times on my Vista box. It is interesting to note that I wasn’t able to kill the hanging Process Hacker process from a second instance of the tool. However, I am sure there are cases where Process Hacker succeeds in killing protected or hanging processes where Process Explorer fails. This is the main reason why I will keep Process Hacker in my toolbox. I would just be very careful about running it in a server environment.