The latest Nightly build of Process Hacker has a nice feature which allows the settings to remain for portable setups. It can now save settings to a file, ProcessHacker.exe.settings.xml, within the same directory as Process Hacker. This is quite nice because anytime you would start PH from another directory, portable or otherwise, you would have to re-create all of your settings for it. This is quite nice!
It has this feature for more than 5 years: http://web.archive.org/web/20110711211431/http://processhacker.sourceforge.net/faq.php
Nightly builds have added the new RS3 Mitigations (previously known from EMET) from Windows Defender Exploit Guard.
Source: https://github.com/processhacker2/processhacker/commit/78f06aa426b4db13cde5eca81ab83339ae4db44e

Verifying Child Process Policy mitigation is very helpful to have now as well. At the time of writing this post, the Nightly build system has not yet built binaries to include this latest commit with RS3 mitigations. I had to compile Process Hacker myself from source. Nightly builds should be caught up soon.

Code:
+ PROCESS_MITIGATION_DEP_POLICY DEPPolicy; // ProcessDEPPolicy
+ PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; // ProcessASLRPolicy
+ PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy; // ProcessDynamicCodePolicy
+ PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; // ProcessStrictHandleCheckPolicy
+ PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; // ProcessSystemCallDisablePolicy
+ // ProcessMitigationOptionsMask
+ PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; // ProcessExtensionPointDisablePolicy
+ PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy; // ProcessControlFlowGuardPolicy
+ PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy; // ProcessSignaturePolicy
+ PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy; // ProcessFontDisablePolicy
+ PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy; // ProcessImageLoadPolicy
+ PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy; // ProcessSystemCallFilterPolicy
+ PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy; // ProcessPayloadRestrictionPolicy
+ PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy; // ProcessChildProcessPolicy

All of the EMET mitigations are under Payload Restrictions (shows as follows):

Code:
Payload restrictions are enabled for this process.
Export Address Filtering is enabled.
Export Address Filtering (Plus) is enabled.
Import Address Filtering is enabled.
StackPivot is enabled.
CallerCheck is enabled.
SimExec is enabled.
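Review bot: the bare `+ // ProcessMitigationOptionsMask` line between SystemCallDisablePolicy and ExtensionPointDisablePolicy is the only entry with a comment and no member, so a reader cannot tell whether that policy value is intentionally skipped or was forgotten; either add the storage for it or make the comment say it is deliberately not queried. Also, the last three members (SystemCallFilterPolicy, PayloadRestrictionPolicy, ChildProcessPolicy) correspond to the RS3 additions the post describes, so the code that fills this union should treat a failed query for them on older Windows 10 builds as "not supported" rather than as "disabled" when populating the Mitigation Policies window.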
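The lines above are what Process Hacker reads back from a running process. As an added example (not code from this thread or from the Process Hacker project), the PowerShell script below cross-checks the same Exploit Guard settings from the configuration side, using the ProcessMitigations module that ships with Windows 10 1709, so the two views can be compared for a given image. The image name is a placeholder, and the property names on the returned policy object (`Payload.EnableExportAddressFilter`, `ChildProcess.DisallowChildProcessCreation` and so on) are assumed from the module's documentation; confirm them on your host with `Get-ProcessMitigation -Name <image> | Format-List`.

```powershell
# Added example: compare Exploit Guard (EMET-derived) settings for one image
# with the labels Process Hacker prints under "Payload restrictions".
# Run from an elevated PowerShell on Windows 10 1709 or later.
param(
    [Parameter(Mandatory)]
    [string]$ImageName   # placeholder, e.g. 'notepad.exe'
)

Import-Module ProcessMitigations

# Per-image Exploit Guard configuration; the kernel applies this at process
# creation, which is what Process Hacker later reports for the live process.
$policy = Get-ProcessMitigation -Name $ImageName

# Process Hacker label -> Exploit Guard property (property names assumed, see lead-in).
$payload = [ordered]@{
    'Export Address Filtering'        = $policy.Payload.EnableExportAddressFilter
    'Export Address Filtering (Plus)' = $policy.Payload.EnableExportAddressFilterPlus
    'Import Address Filtering'        = $policy.Payload.EnableImportAddressFilter
    'StackPivot'                      = $policy.Payload.EnableRopStackPivot
    'CallerCheck'                     = $policy.Payload.EnableRopCallerCheck
    'SimExec'                         = $policy.Payload.EnableRopSimExec
}

"Exploit Guard settings for $ImageName"
foreach ($entry in $payload.GetEnumerator()) {
    # Each value is ON, OFF or NOTSET; NOTSET means the system default applies,
    # so Process Hacker may still show the mitigation as enabled.
    '{0,-34} {1}' -f $entry.Key, $entry.Value
}

# The Child Process Policy that the RS3 build of Process Hacker now verifies.
'{0,-34} {1}' -f 'Child process creation blocked', $policy.ChildProcess.DisallowChildProcessCreation

# To turn the child-process block on for this image (writes Exploit Guard config):
#   Set-ProcessMitigation -Name $ImageName -Enable DisallowChildProcessCreation
```

Start a fresh instance of the image after changing a setting; a process that was already running keeps the policy it was created with, which is why a stale Process Hacker view and a freshly edited Exploit Guard configuration can disagree.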
I can't get it to start with Windows. I even have it run as Admin and checked that the registry entries are created, but I still need to press Ctrl+Shift+Esc. I'm on Win10 and tried all versions, including nightly. Any advice?
Have you enabled the following options within Process Hacker? Furthermore, you should have the following autorun entry (shown with Sysinternals Autoruns). Process Hacker should create it after the options are enabled:
Any working link for 3.0.1022? Since the homepage's link is down and all third party sites link to it.
Yeah, searched for 5 min. and all sites link to it. Sorry, I deleted the zipped file a few min. ago before I could see your post.
Not sure why the latest nightly hosted on AppVeyor is failing to download now. I am happy to share my compiled build, which is newer than the nightly anyway and contains those RS3 mitigations. Please keep in mind that my compiled build fails to load the kernel driver due to a digital signature issue. But you can still run it normally and also as Admin and do most things.
Personally compiled build from Oct 20, 2017:
Link: https://mega.nz/#!W0h2xS7R!nBiaMrOOMnM0gd4KmEt_GPhrUvYs9nlMnuDlno27aYk
3.0.1022 (last nightly) links are working OK directly from AppVeyor at the moment.
Link: https://ci.appveyor.com/project/processhacker/processhacker2/build/3.0.5549.1022/artifacts
Those do not include the latest commit with RS3 mitigations though.
A new build which includes the new RS3 mitigations is now available (Build: 3.0.1038).
Btw.: this build is resetting the "Modules" settings. Culprit: "Fix process module highlighting regression" https://github.com/processhacker2/processhacker/commit/56b208f13187e67c73275eb593a94e687258da46
A very useful feature has been added to the latest nightly. Columns can now be saved as a Column set. Sometimes I temporarily needed additional columns and added them (and removed them later), which can be a time-consuming task if a lot of columns are involved. But with the new feature this can be done with ease.
@mood Thanks for the heads up. This Column Sets feature is quite handy and can make specific use case scenarios much more efficient to switch between custom column sets. Very nice! By the way, an interesting post by Process Hacker developer dmex regarding shady labelling of Process Hacker by Antivirus companies. It's a relatively long post but I found it interesting. Link: https://wj32.org/processhacker/forums/viewtopic.php?f=5&t=2784#p9251
By the way, on a side note that I was intending to post a while back, I use the Nightly builds of Process Hacker quite often and ended up adding Process Hacker to the Win+X Menu for much easier access. I used Winaero's Win+X Menu Editor (https://winaero.com/comment.php?comment.news.30). Essentially I just used Win+X Menu Editor to point to the location in which I always drop/unzip the Process Hacker nightly builds. I had to create two entries: Process Hacker and Process Hacker (Admin).

For the Process Hacker (Admin) entry specifically, after adding it I had to manually go to C:\Users\{user-name}\AppData\Local\Microsoft\Windows\WinX\ and, in that entry's Properties > Compatibility, select the checkbox for "Run this program as administrator". That's it!
Some more nice, recent developments in Process Hacker Nightly builds with regard to Process Mitigations. These are all additions to the Mitigation Policies window in Process Hacker.

Addition of the missing label for ASLR - Disallow Stripped Images
Source: https://github.com/processhacker2/processhacker/commit/9b431bd69ee8d1ef4a425074eaf91ab1cf74a395

Addition of Operating System level Process Mitigations:
Loader Integrity (OS signing levels for depenedent module loads are enabled.)
Module Tampering (Module Tampering protection is enabled.)
Source: https://github.com/processhacker2/processhacker/commit/672659157bf8659da4a422b5faed16f6d6f0d67a

Regarding the operating system level Process Mitigations Loader Integrity and Module Tampering, I honestly don't know much about them at all. My assumption is that they may be Windows 10 specific mitigations, but it would be good if someone can confirm this. They seem to be showing up for both 32-bit and 64-bit processes on my Windows 10 Pro 64-bit 1709 build. Google search does not turn up much at the moment.
After a little bit of studying, I realized that these are indeed from Windows 10 RS3 1709. Once they ran out of mitigation bits within PROCESS_MITIGATION_POLICY, they added PROCESS_MITIGATION_POLICY2 in 1709 and therefore PROCESS_CREATION_MITIGATION_POLICY2_MODULE_TAMPERING_PROTECTION_ALWAYS_ON and PROCESS_CREATION_MITIGATION_POLICY2_LOADER_INTEGRITY_CONTINUITY_ALWAYS_ON are clearly part of that. I should have noticed that earlier when I was checking the recent PH commits. Although I still have no idea what those two new operating system level process mitigations do. Something to do with DLL protection and integrity levels, but I am curious to learn more.
Btw.: I have noticed that ProcessHacker.exe is using the mitigation: Signatures restricted (Microsoft only). After some searching I have found the "announcement":
There is an interesting addition: Add "Protection" column to process tree (#221)
The protection level can now be shown in an additional column. In the commit I can see: "None / Light / Full / Unknown"
And the final result looks like this:

Edit: The DLL injection feature has been removed now (Commit). I think the reason is that VAC (Valve Anti-Cheat) caused some problems for gamers if Process Hacker is running (VAC is seeing PH as a cheat), and now this feature has been removed.