Process Hacker 2.34 out

Discussion in 'other software & services' started by mantra, Apr 25, 2015.

  1. guest

    guest Guest

    Yep, my case.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The latest Nightly build of Process Hacker has a nice feature which allows the settings to remain for portable setups. It can now save settings to a file, ProcessHacker.exe.settings.xml, within the same directory as Process Hacker. This is quite nice because anytime you would start PH from another directory, portable or otherwise, you would have to re-create all of your settings for it. This is quite nice! :thumb:
     
  3. guest

    guest Guest

    :thumb:

    It was indeed a major pain...
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    I like pain! I love Windows!! :geek:
     
  5. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    433
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Nightly builds have added the new RS3 Mitigations (previously known from EMET) from Windows Defender Exploit Guard.
    Source: https://github.com/processhacker2/processhacker/commit/78f06aa426b4db13cde5eca81ab83339ae4db44e

    Verifying Child Process Policy mitigation is very helpful to have now as well.

    At the time of writing this post, the Nightly build system has not yet built binaries to include this latest commit with RS3 mitigations. I had to compile Process Hacker myself from source. Nightly builds should be caught up soon.

    Code:
    +    PROCESS_MITIGATION_DEP_POLICY DEPPolicy; // ProcessDEPPolicy
    +    PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; // ProcessASLRPolicy
    +    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy; // ProcessDynamicCodePolicy
    +    PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; // ProcessStrictHandleCheckPolicy
    +    PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; // ProcessSystemCallDisablePolicy
    +    // ProcessMitigationOptionsMask
    +    PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; // ProcessExtensionPointDisablePolicy
    +    PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy; // ProcessControlFlowGuardPolicy
    +    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy; // ProcessSignaturePolicy
    +    PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy; // ProcessFontDisablePolicy
    +    PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy; // ProcessImageLoadPolicy
    +    PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy; // ProcessSystemCallFilterPolicy
    +    PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy; // ProcessPayloadRestrictionPolicy
    +    PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy; // ProcessChildProcessPolicy
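    Review bot: the bare `+    // ProcessMitigationOptionsMask` line between SystemCallDisablePolicy and ExtensionPointDisablePolicy leaves a hole in the member sequence: every other PROCESS_MITIGATION_POLICY class in this block gets a typed member plus a matching trailing comment, but this class gets only the comment, so a reader cannot tell whether it is deliberately unsupported or simply not done yet. Suggest either adding the member with the buffer that class needs, or expanding the comment to say it is intentionally skipped and why.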

    All of the EMET mitigations are under Payload Restrictions (shows as follows):

    Code:
    Payload restrictions are enabled for this process.
    Export Address Filtering is enabled.
    Export Address Filtering (Plus) is enabled.
    Import Address Filtering is enabled.
    StackPivot is enabled.
    CallerCheck is enabled.
    SimExec is enabled.
    [Attachment: tb-mitigations.png]
     
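    The mitigation classes listed in the commit above (and the Signature restriction noted later in this thread) can be read for any process straight from the Win32 API, which is a useful cross-check when a build of Process Hacker is not available or cannot load its driver. The script below is an added example written for this page; it is not Process Hacker's code and not from the commit. It assumes Windows 10 1709 or later (the Payload Restriction and Child Process classes do not exist before that), PowerShell 5.1 or later, and that the caller can open the target with PROCESS_QUERY_INFORMATION, so elevated or protected processes need an elevated shell. The class numbers are the PROCESS_MITIGATION_POLICY enumeration values from winnt.h, in the same order as the struct members quoted above; the bit names for the three decoded classes are the corresponding winnt.h bitfields.

```powershell
# Added example (not Process Hacker's code): query per-process mitigation policies
# through GetProcessMitigationPolicy and decode the classes this thread discusses.
Add-Type -Namespace Win32 -Name Mitigation -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(
    IntPtr hProcess, int policyClass, byte[] buffer, IntPtr length);
"@

$PROCESS_QUERY_INFORMATION = 0x0400

# PROCESS_MITIGATION_POLICY values (winnt.h), same order as the commit's struct members.
$policyClasses = [ordered]@{
    DEP                   = 0
    ASLR                  = 1
    DynamicCode           = 2
    StrictHandleCheck     = 3
    SystemCallDisable     = 4
    # 5 = ProcessMitigationOptionsMask is skipped: its buffer is not a DWORD Flags union.
    ExtensionPointDisable = 6
    ControlFlowGuard      = 7
    Signature             = 8
    FontDisable           = 9
    ImageLoad             = 10
    SystemCallFilter      = 11
    PayloadRestriction    = 12
    ChildProcess          = 13
}

# Bit 0 upwards of the Flags DWORD for the classes worth reading by name.
$bitNames = @{
    Signature          = 'MicrosoftSignedOnly', 'StoreSignedOnly', 'MitigationOptIn'
    PayloadRestriction = 'EnableExportAddressFilter', 'AuditExportAddressFilter',
                         'EnableExportAddressFilterPlus', 'AuditExportAddressFilterPlus',
                         'EnableImportAddressFilter', 'AuditImportAddressFilter',
                         'EnableRopStackPivot', 'AuditRopStackPivot',
                         'EnableRopCallerCheck', 'AuditRopCallerCheck',
                         'EnableRopSimExec', 'AuditRopSimExec'
    ChildProcess       = 'NoChildProcessCreation', 'AuditNoChildProcessCreation', 'AllowSecureProcessCreation'
}

function Expand-MitigationFlags([string]$Policy, [uint32]$Flags) {
    # Turn the set bits of a Flags DWORD into their winnt.h names; empty for undecoded classes.
    if (-not $bitNames.ContainsKey($Policy)) { return '' }
    $names = $bitNames[$Policy]
    $set = for ($i = 0; $i -lt $names.Count; $i++) { if ($Flags -band (1 -shl $i)) { $names[$i] } }
    return ($set -join ', ')
}

function Get-MitigationFlags {
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [Win32.Mitigation]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed: $([ComponentModel.Win32Exception]::new($err).Message)"
    }
    try {
        foreach ($entry in $policyClasses.GetEnumerator()) {
            # Every class here is a 4-byte DWORD union except DEP, which carries a trailing BOOLEAN Permanent.
            $size = if ($entry.Key -eq 'DEP') { 8 } else { 4 }
            $buf  = New-Object byte[] $size
            $ok   = [Win32.Mitigation]::GetProcessMitigationPolicy($h, $entry.Value, $buf, [IntPtr]$size)
            $flags = if ($ok) { [BitConverter]::ToUInt32($buf, 0) } else { $null }
            [pscustomobject]@{
                ProcessId = $ProcessId
                Policy    = $entry.Key
                Flags     = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { 'unsupported/denied' }
                Detail    = if ($null -ne $flags) { Expand-MitigationFlags $entry.Key $flags } else { '' }
            }
        }
    } finally {
        [void][Win32.Mitigation]::CloseHandle($h)
    }
}

# Usage: the current shell, then any running Process Hacker instance.
Get-MitigationFlags -ProcessId $PID | Format-Table -AutoSize
Get-Process -Name ProcessHacker -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MitigationFlags -ProcessId $_.Id } | Format-Table -AutoSize
```

    A class that the running Windows build does not know returns FALSE from the API, which the script reports as unsupported/denied rather than as a zero policy, so "nothing enabled" and "cannot be queried" stay distinguishable. The Flags column for PayloadRestriction is the one that corresponds to the EAF/EAF+/IAF/StackPivot/CallerCheck/SimExec lines Process Hacker prints above.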
  7. iCurious

    iCurious Registered Member

    Joined:
    Aug 9, 2014
    Posts:
    17
    I can't get it to boot with Windows. I even have it run as Admin and checked that the reg entries are created, but I still need to press Ctrl+Shift+Esc.
    I'm on Win10, tried all versions, including nightly.
    Any advice?
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Have you enabled the following options within Process Hacker?
    [Attachment: ProcessHacker_Autostart.png]
    Furthermore, you should have the following autorun entry (shown with Sysinternals Autoruns). Process Hacker should create it after the options are enabled:
    [Attachment: Autoruns_ProcessHacker.png]
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,221
    Location:
    Slovakia
    Any working link for 3.0.1022? The homepage's link is down and all third-party sites link to it.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Yeah, searched for 5 min. and all sites link to it. Sorry, I deleted the zipped file a few min. ago before I could see your post.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,411
    A link would be nice.
     
  12. iCurious

    iCurious Registered Member

    Joined:
    Aug 9, 2014
    Posts:
    17
    Yep, same as you show it.
    Still won't start at logon unless I start it.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Not sure why the latest nightly hosted on AppVeyor is now failing to download.

    I am happy to share my compiled build, which is newer than the nightly anyway and contains those RS3 mitigations. Please keep in mind that my compiled build fails to load the kernel driver due to a digital signature issue. But you can still run it normally and also as Admin and do most things.

    Personally compiled build from Oct 20, 2017:
    Link: https://mega.nz/#!W0h2xS7R!nBiaMrOOMnM0gd4KmEt_GPhrUvYs9nlMnuDlno27aYk
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  15. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,221
    Location:
    Slovakia
    Thanks. :thumb:
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    A very useful feature has been added to the latest nightly.
    Columns can now be saved as a Column set.
    Sometimes I temporarily needed additional columns and added them (and removed them later), which can be a time-consuming task if a lot of columns are involved.
    But with the new feature this can be done with ease :thumb:
    [Attachment: Process Hacker_Column Set.png]
    [Attachment: Process Hacker_Column Set_Organize.png]
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood Thanks for the heads up. This Column Sets feature is quite handy and can make specific use case scenarios much more efficient to switch between custom column sets. Very nice! :thumb:

    By the way, an interesting post by Process Hacker developer dmex regarding shady labelling of Process Hacker by Antivirus companies. It's a relatively long post but I found it interesting.
    Link: https://wj32.org/processhacker/forums/viewtopic.php?f=5&t=2784#p9251
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    By the way, on a side note that I was intending to post a while back, I use the Nightly builds of Process Hacker quite often and ended up adding Process Hacker to the Win+X Menu for much easier access. I used Winaero's Win+X Menu Editor (https://winaero.com/comment.php?comment.news.30).

    [Attachment: Process Hacker WinX.png]


    Essentially I just used Win+X Menu Editor to point to the location in which I always drop/unzip the Process Hacker nightly builds.

    I had to create two entries: Process Hacker and Process Hacker (Admin)

    Although for Process Hacker (Admin), after adding it I had to manually go to:
    C:\Users\{user-name}\AppData\Local\Microsoft\Windows\WinX\

    And for the Process Hacker (Admin) entry specifically, I had to go to Properties > Compatibility > select checkbox for "Run this program as administrator"

    That's it! :thumb:
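    Since the Win+X menu lives in a plain folder under the user profile, the entries added by the procedure above can be audited directly. The script below is an added example for this page, not code from the thread or from Winaero's editor. It assumes Windows 8.1/10, PowerShell 5.1 or later, the WinX folder path the post gives, and that the "Run this program as administrator" checkbox records its usual RUNASADMIN layer under HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers (the value name is the full path of the executable). It lists every shortcut in each menu group, resolves its target, and reports which ones are marked to run elevated and whether the target still exists, which is exactly what to check after dropping a new nightly into the folder the shortcut points at.

```powershell
# Added example (not from the thread or Win+X Menu Editor): audit the Win+X menu
# shortcuts, their targets, and the "Run this program as administrator" layer.
$winxRoot  = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\WinX'
$layersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$shell     = New-Object -ComObject WScript.Shell

function Get-WinXEntry {
    param([string]$Root = $winxRoot)
    # The Compatibility tab writes one value per executable path under the Layers key.
    $layers = Get-Item -Path $layersKey -ErrorAction SilentlyContinue
    # Each GroupN subfolder is one section of the Win+X menu.
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $group = $_.Name
        Get-ChildItem -Path $_.FullName -Filter *.lnk | ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            $layer  = if ($layers -and $target) { $layers.GetValue($target) } else { $null }
            [pscustomobject]@{
                Group        = $group
                Shortcut     = $_.BaseName
                Target       = $target
                Arguments    = $lnk.Arguments
                RunAsAdmin   = [bool]($layer -and ($layer -match 'RUNASADMIN'))
                TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

# Usage: full listing, then just the entries that will launch elevated or point nowhere.
Get-WinXEntry | Sort-Object Group, Shortcut | Format-Table -AutoSize
Get-WinXEntry | Where-Object { $_.RunAsAdmin -or -not $_.TargetExists } | Format-Table -AutoSize
```

    The shell only displays WinX shortcuts that carry the property-store hash it expects, which Win+X Menu Editor writes for you; this script lists every .lnk present in the folder regardless of whether the menu shows it, so a stale shortcut left behind after moving the nightly folder still appears in the TargetExists=False rows.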
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    Does indeed sound like a handy function, Process Explorer could use this also.
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some more nice, recent developments in Process Hacker Nightly builds with regard to Process Mitigations. These are all additions to the Mitigation Policies window in Process Hacker.


    Addition of the missing label for ASLR - Disallow Stripped Images
    Source: https://github.com/processhacker2/processhacker/commit/9b431bd69ee8d1ef4a425074eaf91ab1cf74a395


    Addition of Operating System level Process Mitigations
    • Loader Integrity (OS signing levels for dependent module loads are enabled.)
    • Module Tampering (Module Tampering protection is enabled.)
    Source: https://github.com/processhacker2/processhacker/commit/672659157bf8659da4a422b5faed16f6d6f0d67a

    Regarding the operating system level Process Mitigations Loader Integrity and Module Tampering, I honestly don't know much about them at all. My assumption is that they may be Windows 10 specific mitigations, but it would be good if someone can confirm this. They seem to be showing up for both 32-bit and 64-bit processes on my Windows 10 Pro 64-bit 1709 build. Google search does not turn up much at the moment.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    After a little bit of studying, I realized that these are indeed from Windows 10 RS3 1709. Once they ran out of mitigation bits within PROCESS_MITIGATION_POLICY, they added PROCESS_MITIGATION_POLICY2 in 1709 and therefore PROCESS_CREATION_MITIGATION_POLICY2_MODULE_TAMPERING_PROTECTION_ALWAYS_ON and PROCESS_CREATION_MITIGATION_POLICY2_LOADER_INTEGRITY_CONTINUITY_ALWAYS_ON are clearly part of that.

    I should have noticed that earlier when I was checking the recent PH commits.

    Although I still have no idea what those two new operating system level process mitigations do. Something to do with DLL protection and integrity levels, but I am curious to learn more.
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Btw.: I have noticed that ProcessHacker.exe is using the mitigation: Signatures restricted (Microsoft only)
    After some searching I have found the "announcement":
     
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    There is an interesting addition: Add "Protection" column to process tree (#221)
    The protection level can now be shown in an additional column. In the commit I can see: "None / Light / Full / Unknown"
    And the final result looks like this:
    [Attachment: ProcessHacker_Protection_1.png]
    [Attachment: ProcessHacker_Protection_2.png]
    [Attachment: ProcessHacker_Protection_3.png]

    Edit: The DLL injection feature has been removed now :cautious: (Commit)
    I think the reason is that VAC (Valve Anti-Cheat) caused some problems for gamers if Process Hacker is running (VAC is seeing PH as a cheat) and now this feature has been removed.
     
    Last edited: Jan 7, 2018