Steve (@processhacker)
49 posts
System Informer | Process Hacker | Windows Internals | Wrangler of Dingoes
Australia. Joined March 2011
19 Following, 429 Followers

Steve (@processhacker):
@daaximus A function named "RunTimeSettings::IsJolt" was added to Windows Task Manager recently with a significant amount of warbird encryption/obfuscation for no reason?

Daax (@daaximus):
Thought I'd poke around given all the OOBE hoopla (a bit overblown, upgrade to Pro) and see what was going on... opened CloudExperienceHostCommon.dll!CloudExperienceHostAPI::UtilStaticsCore::get_DisabledSkipNetwork. Microsoft always leaves surprises inside.

Steve (@processhacker):
Yeah, @Google, my primary email, created in 2004 and used daily for 22 years, is a bot? I'm now locked out of 450+ other websites including my bank, work and GitHub which use it for MFA, and have to wait several days before a human reviews the appeal? 🤔🤢

Steve reposted
diversenok (@diversenok_zero):
My new blog post 🥳 "Improving AFD Socket Visibility for Windows Forensics & Troubleshooting". It discusses the low-level API under Winsock (IOCTLs on \Device\Afd handles) and explores the workings of the new socket inspection feature in System Informer 🔥 huntandhackett.com/blog/improving…

Steve reposted
diversenok (@diversenok_zero):
Better socket handle visibility coming soon to @SystemInformer 🔥 When viewing a process handle table, SI will recognize files under \Device\Afd and retrieve information about their state, protocol, addresses, and more. Also works on Bluetooth and Hyper-V sockets 🤩

Steve reposted
Johnny Shaw (@jxy__s):
As promised, I've updated the blog post with details, and System Informer has received a patch to account for these changes in 24H2: winsiderss.github.io/si-blog/2023/0…

Steve reposted
Johnny Shaw (@jxy__s):
Changes to cycle accounting in 24H2 ARM64: PMCCNTR_EL0 removed, multiple new branches in the accounting path, and feature flags gating idle thread changes. Working on updates to System Informer cycle-based usage on ARM64 and the blog post. winsiderss.github.io/si-blog/2023/0…

Steve (@processhacker):
@Aiden9_ @Aiden_9 Your screenshots show Process Hacker failed with ACCESS_DENIED for MW2? How did a 15-year-old game from 2009 stop PH? You can't use Process Hacker for cheating. It alerted anti-cheat via ObRegisterCallbacks and the AC blocked access by design - btw I'm the dev of PH :)

antoine (@Aiden9_):
This basic software is used to help you monitor system resources, debug software and detect malware. But now, when you search a little more on GOOGLE, look what we can find: PROCESS HACKER is very frequently used to inject cheats on Call Of Duty (here are several examples with cheat forums and YouTube videos). ALL THE EVIDENCE IN PHOTO

antoine (@Aiden9_):
I got something crazy about "JvlianCodd" who beat us for the T8 in today's Cup #3. When he did his PC reset, in "Recommended", which means these are the apps he is using frequently or at least recently. Now let's see what we can do with "PROCESS HACKER 2"

Steve (@processhacker):
Microsoft finally updates documentation after 20 years @MSFTCopilot

Steve reposted
diversenok (@diversenok_zero):
The new Token Universe v0.5 can view and edit security descriptors on 30 types of securable objects. 🔥 It also knows how to handle complex ACLs with compound and callback ACEs, mandatory and trust labels, and more. Enjoy experimenting! github.com/diversenok/Tok…

Steve (@processhacker):
@namazso @mrexodia @timmisiak @SystemInformer InternalGetWindowIcon doesn't return the icon for packaged processes. Another issue is that the function always returns an icon handle (even when the window doesn't have an icon), exceeding shared desktop heap limits and preventing applications from running.

Tim Misiak (@timmisiak):
So... how does one correctly grab the icon of a window given its HWND? Online sources say to use WM_GETICON or GCLP_HICON, but neither of those works for certain packaged apps, like Calculator. Kind of looks like I need to use IAppxManifestProperties to grab "Logo" from the appx.

Steve (@processhacker):
@mrexodia @timmisiak @namazso @SystemInformer Querying the icon for packaged processes requires getting the PKEY_Tile_SmallLogoPath from FOLDERID_AppsFolder (this is documented), then using an undocumented interface called IMrtResourceManager and passing the SmallLogoPath to IResourceMap_GetFilePath (which returns the actual filename).

Steve (@processhacker):
@masterchaerge The Windows Shell maps shared caches into each process for MRU (most recently used) and auto-complete (FileSystem etc...) and the entire clipboard history (Winkey+V)... If the process is using shell functions then it'll have a copy of that cache in memory and you'll find strings.

Steve (@processhacker):
@embee_research The System Informer/Process Hacker nightly build uses debugger instrumentation for showing .NET assemblies instead of ETW events like other tools. It's able to show CLR modules otherwise hidden by exploits targeting ETW.

Steve reposted
Matthew (@embee_research):
Malware Analysis Tip - Use Process Hacker to watch for suspicious .NET assemblies in newly spawned processes. Combined with dnSpy, it's possible to locate and extract malicious payloads without needing to manually de-obfuscate. 1/ #Malware #dnspy #analysis #RE

Steve (@processhacker):
@elfchief @SystemInformer Disabling the driver limits viewing everything for system processes, limits thread stacks, limits handle info (ALPC, ETW and others), disables protection features (VSM/KDP) and causes higher CPU/memory use because there are no driver notifications and it has to poll for changes to objects, etc.

J G (@elfchief):
@processhacker @SystemInformer Very interesting. Thanks for the link! Is there a list somewhere of what features require the kernel driver? I did some searching and couldn't find that info. I did work around the problem by disabling the kernel driver and it doesn't *seem* like I'm missing anything...?

J G (@elfchief):
Hey @SystemInformer (and/or @processhacker), can you think of any reason having the kernel driver would break things? I have Backblaze completely unable to run its subprocesses ("CreateProcess returned error code 2") if I have the driver loaded (Win10 22H2), which is... weird.

J G (@elfchief):
@processhacker @SystemInformer Morbid curiosity, what was the problem? I saw one issue on GitHub related to DLL injection, but I'm not sure how that'd apply here, and didn't see much else that looked like it could have been related.

Steve (@processhacker):
@elfchief @SystemInformer It's a Windows kernel bug where APCs queued by multiple drivers are fired more than once. It needs changes from third parties and the OS. We've fixed ours but can't update the driver until Microsoft fixes other issues, so for now you'll need to disable the driver in the options window.