Continuing from Part 1 (https://chentiangemalc.wordpress.com/2011/06/13/process-explorer-vs-process-hackerpart-1-of-2/), we will now compare the more advanced features of Process Explorer and Process Hacker.
Run As Options
Both Process Explorer and Process Hacker have “Run” options. Process Explorer has “Run” and “Run As Limited User”, while Process Hacker has “Run”, “Run As Limited User” and “Run As”.
In both programs “Run As Limited User” launches the process at the “Low” integrity level on Vista and higher. You can confirm this for any process from the Security tab (Process Explorer) or the Token tab (Process Hacker), or by adding the Integrity column to the process list.
Process Hacker’s Run As is the most powerful of the three, with several extra options:
The user name can be any standard account, but can also be one of the special accounts (NT AUTHORITY\SYSTEM, LOCAL SERVICE and NETWORK SERVICE):
The logon “type” can also be selected (batch, interactive, network, new credentials or service):
A specific session ID can be targeted:
as can the desktop the new process is started on:
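Because the integrity claim above is the kind of thing worth verifying rather than trusting, here is an added PowerShell example (not from the original post, and not code from either tool) that reads a process's integrity level through the documented Win32 token APIs. It assumes Vista or later (for PROCESS_QUERY_LIMITED_INFORMATION) and that you run it elevated if you want to inspect processes belonging to other users; the function name Get-ProcessIntegrityLevel is my own.

```powershell
# Added example, not part of the original post: read the integrity level of a
# running process so the "Run As Limited User" claim can be checked from a script
# (the Security/Token tabs show the same label). Only documented Win32 APIs are used.
Add-Type -Namespace Win32 -Name TokenApi -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, uint length, out uint returned);
[DllImport("advapi32.dll")]
public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
[DllImport("advapi32.dll")]
public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-ProcessIntegrityLevel {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY         = 0x0008
    $TokenIntegrityLevel = 25          # TOKEN_INFORMATION_CLASS value
    $M = [Runtime.InteropServices.Marshal]

    $proc = [Win32.TokenApi]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($proc -eq [IntPtr]::Zero) {
        throw (New-Object ComponentModel.Win32Exception($M::GetLastWin32Error()))
    }
    $token = [IntPtr]::Zero
    $buf   = [IntPtr]::Zero
    try {
        if (-not [Win32.TokenApi]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) {
            throw (New-Object ComponentModel.Win32Exception($M::GetLastWin32Error()))
        }
        # First call only asks for the required size; it fails with ERROR_INSUFFICIENT_BUFFER by design.
        $needed = [uint32]0
        [void][Win32.TokenApi]::GetTokenInformation($token, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$needed)
        $buf = $M::AllocHGlobal([int]$needed)
        if (-not [Win32.TokenApi]::GetTokenInformation($token, $TokenIntegrityLevel, $buf, $needed, [ref]$needed)) {
            throw (New-Object ComponentModel.Win32Exception($M::GetLastWin32Error()))
        }
        # TOKEN_MANDATORY_LABEL begins with a SID_AND_ATTRIBUTES whose first member is the PSID.
        $sid   = $M::ReadIntPtr($buf)
        $count = $M::ReadByte([Win32.TokenApi]::GetSidSubAuthorityCount($sid))
        # The integrity RID is the last sub-authority of the S-1-16-<rid> label SID.
        $rid   = $M::ReadInt32([Win32.TokenApi]::GetSidSubAuthority($sid, [uint32]($count - 1)))
    }
    finally {
        if ($buf   -ne [IntPtr]::Zero) { $M::FreeHGlobal($buf) }
        if ($token -ne [IntPtr]::Zero) { [void][Win32.TokenApi]::CloseHandle($token) }
        [void][Win32.TokenApi]::CloseHandle($proc)
    }

    # Well-known mandatory label RIDs (SECURITY_MANDATORY_*_RID); intermediate values round down.
    $label = if     ($rid -lt 0x1000) { 'Untrusted' }
             elseif ($rid -lt 0x2000) { 'Low' }
             elseif ($rid -lt 0x3000) { 'Medium' }
             elseif ($rid -lt 0x4000) { 'High' }
             elseif ($rid -lt 0x5000) { 'System' }
             else                     { 'ProtectedProcess' }
    [pscustomobject]@{
        ProcessId      = $ProcessId
        IntegrityRid   = ('0x{0:X}' -f $rid)
        IntegrityLevel = $label
    }
}

# Usage: start notepad once normally and once via File | Run as Limited User, then compare.
Get-Process notepad -ErrorAction SilentlyContinue | ForEach-Object { Get-ProcessIntegrityLevel -ProcessId $_.Id }
```

A normally started copy should report Medium (or High if the shell was elevated) and the limited copy Low. If OpenProcessToken fails with access denied for a process running as another user, re-run the script from an elevated prompt.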
Finding Open Handles/DLLs
In Process Hacker this is found via Hacker | Find Handles or DLLs; in Process Explorer it is via Find | Find Handle or DLL.
Process Hacker also lets you right-click a result and immediately Close Handle, or double-click it to bring up Handle Properties. In Process Explorer you must click the handle, which takes you to the process list and split view with the selected handle highlighted, and perform the operation there. In either tool, closing a handle out from under a running process can crash it or corrupt whatever it was writing, so treat Close Handle as a last resort.
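The DLL half of “Find Handles or DLLs” is easy to reproduce from a script, which is handy when you want to sweep every process for a module loaded from somewhere it should not be. The following is an added example, not code from the original post or from either tool; Find-LoadedModule is my own name, and it relies only on Get-Process -Module.

```powershell
# Added example, not part of the original post: the "Find DLL" half of
# Find Handles or DLLs done from PowerShell. Matching is against the module
# file name or full path using -like wildcards.
function Find-LoadedModule {
    param([Parameter(Mandatory)][string]$Pattern)   # e.g. '*msvcr90*' or 'C:\Users\*\AppData\*.dll'
    foreach ($p in Get-Process) {
        try {
            # -Module enumerates the loaded modules of one process; it fails for
            # processes we cannot open and for 32/64-bit mismatches, which we skip.
            $mods = Get-Process -Id $p.Id -Module -ErrorAction Stop
        } catch { continue }
        foreach ($m in $mods) {
            if ($m.ModuleName -like $Pattern -or $m.FileName -like $Pattern) {
                [pscustomobject]@{
                    ProcessName = $p.ProcessName
                    ProcessId   = $p.Id
                    Module      = $m.FileName
                    BaseAddress = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
                }
            }
        }
    }
}

# Usage: which processes have loaded a DLL out of the current user's temp directory?
Find-LoadedModule -Pattern "$env:TEMP\*.dll" | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell on a 64-bit system, otherwise every 64-bit process is skipped. For the handle half there is no cmdlet; the Sysinternals command-line tool handle.exe covers it (handle.exe -a <name> to search all handle types, handle.exe -c <handle> -p <pid> -y to close one, with the same warning about closing handles as above).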
In the File | Shutdown menu Process Explorer offers the following:
Process Hacker has the equivalent options under the Hacker | Computer menu, and adds Sleep, Hibernate and Power Off:
System Information View
Both tools open their System Information view from View | System Information. Process Hacker shows everything in a single window; in Process Explorer it is split into 4 tabs:
Process Hacker and Process Explorer both have configuration options. In Process Hacker these are primarily found under the Hacker | Options menu. One big advantage Process Hacker has over Process Explorer is that it can be extended with plug-ins when you need functionality it does not ship with.
Process Explorer’s options are all available from the Options drop-down menu:
Some Unique Process Hacker Features
Tools | Create Service… registers a new Windows service from a dialog, the GUI equivalent of sc.exe create or New-Service.
Tools | Hidden Processes is a method to assist in rootkit detection: it looks for processes by brute-forcing process IDs (or by walking CSRSS’s handles) and flags any that the normal process enumeration does not return. The comparison to the separately available Sysinternals RootkitRevealer is loose, since that tool looks for file-system and registry discrepancies rather than hidden processes.
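To make the Hidden Processes technique concrete, here is an added PowerShell example (my own code, not Process Hacker's) implementing the brute-force variant. The “visible” list comes from Get-Process, which enumerates through NtQuerySystemInformation; every candidate PID is then probed directly with OpenProcess, which resolves the PID through the kernel's PID table instead. Anything that exists for OpenProcess but is absent from the enumeration is reported. Assumptions: Vista or later for PROCESS_QUERY_LIMITED_INFORMATION, PIDs that are multiples of 4, and a scan ceiling of 0x10000 above the highest visible PID (adjust $MaxPid if your system allocates higher PIDs). The names Find-HiddenProcess and Test-ProcessId are mine.

```powershell
# Added example, not part of the original post: brute-force PID scan in the style of
# Process Hacker's Tools | Hidden Processes. Compares what enumeration returns with
# what OpenProcess can reach. A user-mode rootkit that hooks NtQuerySystemInformation
# inside this PowerShell process could still hide from the enumeration half but not
# from the OpenProcess half, which is what makes the comparison useful.
Add-Type -Namespace Win32 -Name ProcApi -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageNameW(IntPtr process, uint flags, System.Text.StringBuilder name, ref uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Test-ProcessId {
    # Probe one PID. Returns Exists=$true when the PID opens OR when the open is refused
    # with ERROR_ACCESS_DENIED (a process is there, we just may not touch it).
    param([int]$Id)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5
    $h = [Win32.ProcApi]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $Id)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne [IntPtr]::Zero) {
        $sb  = New-Object System.Text.StringBuilder 1024
        $len = [uint32]$sb.Capacity
        $image = if ([Win32.ProcApi]::QueryFullProcessImageNameW($h, 0, $sb, [ref]$len)) { $sb.ToString() } else { $null }
        [void][Win32.ProcApi]::CloseHandle($h)
        return [pscustomobject]@{ Exists = $true;  Image = $image; Note = 'opened' }
    }
    if ($err -eq $ERROR_ACCESS_DENIED) {
        return [pscustomobject]@{ Exists = $true;  Image = $null;  Note = 'access denied' }
    }
    # ERROR_INVALID_PARAMETER (87) means no such PID; anything else is treated as absent too.
    return [pscustomobject]@{ Exists = $false; Image = $null; Note = "error $err" }
}

function Find-HiddenProcess {
    param([int]$MaxPid = 0)   # 0 = highest visible PID + 0x10000
    $visible = @{}
    Get-Process | ForEach-Object { $visible[$_.Id] = $_.ProcessName }
    if ($MaxPid -eq 0) {
        $MaxPid = 0x10000 + [int](Get-Process | Measure-Object -Property Id -Maximum).Maximum
    }

    $suspects = @()
    for ($id = 4; $id -le $MaxPid; $id += 4) {        # $pid is reserved in PowerShell, hence $id
        if ($visible.ContainsKey($id)) { continue }
        $probe = Test-ProcessId -Id $id
        if ($probe.Exists) {
            $suspects += [pscustomobject]@{ ProcessId = $id; Image = $probe.Image; Note = $probe.Note }
        }
    }

    # Processes that started or exited during the scan are races, not rootkits:
    # re-enumerate and re-probe, and keep only PIDs still absent from enumeration yet still alive.
    $after = @{}
    Get-Process | ForEach-Object { $after[$_.Id] = $true }
    $suspects | Where-Object { -not $after.ContainsKey($_.ProcessId) -and (Test-ProcessId -Id $_.ProcessId).Exists }
}

# Usage: on a clean system this should print nothing.
Find-HiddenProcess | Format-Table -AutoSize
```

Expect an empty result on a healthy machine. A hit with Note = 'access denied' is still worth a look, but remember that a kernel-mode rootkit that filters the PID table as well will defeat this check too, which is why Process Hacker also offers the CSR Handles method as a second, independent source of truth.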
Process Context Menu Comparison
Right clicking a process produces the following context menus:
Process Hacker | Process Explorer
Basically we get a few additional features in Process Hacker:
- Virtualization – switches UAC file and registry virtualization on or off for the process while it is running. I imagine the results would only be ugly, but it’s there if you want it
- Detach from debugger
- Inject DLL – loads a DLL of your choice into the target process
- Run As – starts a program as a different user (the Run As dialog described above)
The Terminator is very special: it lets you pick which method is used to terminate a process, or try all of the methods at once. Against hard-to-kill malware that shrugs off a plain TerminateProcess, this improves your chances of actually ending it. Some of the methods are blunt enough to destabilise the system, so try them on a throwaway VM before relying on them on a production box.
When I select Terminator I get a selection of options to run:
Process Properties Comparison
Right clicking a process and selecting Properties shows the following differences:
In Process Explorer:
In Process Hacker:
The primary difference here is that Process Hacker shows how long ago the process was started (instead of just the start date), the PEB address, and lets you change the DEP and Protection status where possible (i.e. Protection from Not Protected to Protected). Changing these on another process goes through Process Hacker’s KProcessHacker kernel driver, so it only works when the driver is loaded; marking a process Protected also stops other tools, including Process Explorer, from opening it with most access rights.
On the Performance tab Process Explorer offers much more information; Process Hacker shows a graph:
But Process Explorer has its performance graph on a separate tab:
and Process Hacker has the details on a Statistics tab:
Click Details to get handle statistics:
Process Explorer has a Disk and Network tab; in Process Hacker you must enable a plug-in to get this functionality (refer to the post on plug-ins linked at the end of this post).
Both have a Threads tab
Process Hacker adds a Context Menu to each thread
Both can show the stack trace for a thread, or terminate a thread.
Process Hacker adds the nice little Analyze → Wait option, like the Analyze Wait Chain we see in the Windows 7 Resource Monitor:
Process Hacker also allows changing affinity and priority on individual threads.
Process Explorer’s TCP/IP tab (there is no per-process equivalent in Process Hacker, but remember it has the system-wide Network tab shown in part 1 of this blog):
The Security Tab in Process Explorer
The Token tab is the closest equivalent in Process Hacker:
Environment tab in Process Explorer
Pretty much exactly the same in Process Hacker:
The Strings tab in Process Explorer lets you inspect strings from either the on-disk image or the process’s memory:
Process Hacker uses a Memory tab instead, which can search private memory, the image, or mapped files:
It allows editing the memory of the running process as well:
Process Hacker’s properties dialog has some additional tabs that have no equivalent tabs in Process Explorer’s dialog (the same information lives in Process Explorer’s split view instead):
Handles tab (in Process Explorer this is the Handles view of the split view):
Modules tab, which is similar to the DLLs view of the split view in Process Explorer:
Process Hacker and Process Explorer are essential tools for the IT Pro and Windows developer. While Process Explorer has the edge for troubleshooting performance, Process Hacker has some advantages: more options for terminating hard-to-kill processes, the ability to identify hidden processes when dealing with rootkits and malware, and extensibility via plug-ins. Some of Process Hacker’s other options, like DLL injection, the special Run As command, unloading DLLs, and editing memory while a process is running, may be useful for experimentation.
For more info on Process Hacker Plugins refer to https://chentiangemalc.wordpress.com/2011/07/03/process-hacker-plugins/