Process Explorer vs Process Hacker–Part 2 of 2

Continuing from Part 1 here https://chentiangemalc.wordpress.com/2011/06/13/process-explorer-vs-process-hackerpart-1-of-2/ we will now compare more advanced features of Process Explorer & Process Hacker.

Run As Options

Both Process Explorer and Process Hacker have “Run” options. Process Explorer has “Run” and “Run As Limited User”, while Process Hacker has “Run”, “Run As Limited User”, and “Run As”.

In both programs “Run As Limited User” will launch the process with “Low” integrity security level on Vista and higher.

However, Process Hacker’s Run As is the most powerful, with many special options…

image

User name can be any standard user name but also can include special accounts such as:

image

We can also select what “type”

image

Specific sessions can be targeted

image

as well as Desktops…

image

Finding Open Handles/DLLs

In Process Hacker this is found via the Hacker | Find Handles or DLLs menu option; in Process Explorer it is via Find | Find Handle or DLL.

The main difference here is that Process Hacker includes the handle ID in the results.

image

image

Process Hacker also lets you right-click a result and immediately Close Handle, or double-click to bring up Handle Properties. In Process Explorer, however, you must click the handle, which takes you to the Process List and Split View with the selected handle highlighted, where you can then perform operations on it.

Shutdown

In the File | Shutdown menu Process Explorer offers the following

image

Process Hacker has options under Hacker | Computer menu adding Sleep, Hibernate and Poweroff as options:

image

System Information View

Process Hacker’s system information view is found via the View | System Information menu item or by hitting Ctrl+I.

image

In Process Explorer the System Information view is brought up in the same way, but it is split into 4 tabs.

image

image

image

image

Configuration Options

Process Hacker and Process Explorer both have some configuration options. In Process Hacker these are primarily found under the Process Hacker | Options menu. One big advantage Process Hacker has over Process Explorer is the ability to build plug-ins to increase functionality as required.

image

image

image

image

image

image

Process Explorer’s options are all available via drop down menu:

image

image

Some Unique Process Hacker Features

Create a service…

image

image

Also, under Tools | Hidden Processes there is a method to assist in rootkit detection (similar to the separately available SysInternals tool RootkitRevealer).

image

Process Context Menu Comparison

Right clicking a process produces the following context menu:

Process Hacker Process Explorer
image

Under Miscellaneous:

image

image

Basically we get a few additional features in Process Hacker

  • Virtualization – allows us to switch on / off Process Virtualization while the process is running. I imagine the results would only be ugly, but it’s there if you want it
  • Detach from debugger
  • Inject a DLL
  • Run As different user name
  • Terminator…

The Terminator is very special: it allows us to select which method to use to terminate a process, or to try all the different methods at once! Basically, for those nasty hard-to-kill pieces of malware, you can increase your chances of terminating them using this…

When I select Terminator I get a selection of options to run

image

Process Properties Comparison

Right clicking a process and selecting properties has the following differences:

In Process Explorer

image

In Process Hacker

image

The primary difference here is that Process Hacker shows how long ago the process was started (instead of just the start date) and the PEB address, and will let you change DEP & Protection status if possible (i.e. Protection from Not Protected to Protected).

On the performance tab Process Explorer offers much more information, while Process Hacker has a pretty graph.

Process Explorer

image

But Process Explorer has a performance graph on a separate tab:

image

Process Hacker

image

and Process Hacker has the details on a Statistics tab

image

Click details to get handle statistics

image

Process Explorer has a Disk & Network tab; in Process Hacker you must enable a plug-in to get this functionality (refer to the blog post on plugins mentioned at the end of this post).

image

Both have a Threads tab

Process Explorer

image

Process Hacker

image

Process Hacker adds a Context Menu to each thread

image

Both can show the stack trace for a thread, or terminate a thread.

image

Process Hacker adds the nice little Analyze –> Wait like we see in Windows 7 Resource Monitor:

image

Process Hacker also allows us to change affinity and priority on specific threads.

TCP/IP tab

In Process Explorer (there is no equivalent in Process Hacker…but remember it has the overall Network tab as shown in part 1 of this blog)

image

The Security Tab in Process Explorer

image

Token tab is the most similar in Process Hacker

image

image

Environment tab in Process Explorer

image

Pretty much exactly the same in Process Hacker

image

The Strings tab in Process Explorer allows both Image and Memory inspection of strings

image

Process Hacker uses a Memory tab instead – this can search Private memory, the image or mapped files.

image

image

It allows for editing of the memory as well

image

Process Hacker has some additional tabs that do not have equivalents in Process Explorer

Handles Tab (in Process Explorer this is available via split view)

image

image

Jobs…

image

Modules tab which is similar to split view DLL option in Process Explorer

image

Conclusions

Process Hacker and Process Explorer are essential tools for the IT Pro and Windows Developer. While Process Explorer has an edge on troubleshooting performance, Process Hacker has some advantages, such as more options for terminating hard-to-kill processes, identifying hidden processes (which can assist when dealing with rootkits/malware), and the ability to extend it via plugins. Some of Process Hacker's options, like DLL injection, the special Run As command, unloading DLLs, and editing memory while a process is running, may be useful for experimentation purposes.

For more info on Process Hacker Plugins refer to https://chentiangemalc.wordpress.com/2011/07/03/process-hacker-plugins/

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

4 Responses to Process Explorer vs Process Hacker–Part 2 of 2

  1. Gaël says:

    Hi Malcolm,

    Nice post!
    Maybe there is a little mistake in it: if I understood this post section correctly, I think you typed “Process Hacker” while you thought “Process Explorer” in the sentence “But Process Hacker has the performance graph on a separate tab:”, in the Process Properties Comparison section.

    Gaël

    • Yes you are right I’ll correct it thanks.

      • wj32 says:

        Hi,

        I stumbled upon this post a while ago and I’ve tried to implement several of your suggestions (in 2.18, 2.19 and 2.20). I’m just commenting to tell you that version 2.20 has been released, with several cool new features that you might find useful, including support for managed stack traces (something which usually only WinDbg and VS have).

        Thanks for the feedback!
        wj32.

  2. gmaran23 says:

    such a neat compilation of differences. I wonder how long it actually took you to take the screenshots and collate them here in this blog.
