Process Hacker and Windows discussion

 
wj32
Founder
Posts: 948
Joined: 17 Jan 2011 05:19
OS: Windows
Location: Australia

Command line reference

06 Feb 2011 09:20

Process Hacker supports a limited number of command line options, listed below.

-settings filename

This option allows you to specify the location of Process Hacker's settings file. filename can be a relative path, in which case the current working directory at startup is used as the base.

Examples:
ProcessHacker.exe -settings settings.xml

-nosettings

Disables settings. Settings are set to their defaults at startup, and no settings are saved.

-noplugins

Disables plugins, even if the "Enable plugins" option is set.

-newinstance

Starts a new instance of Process Hacker, even if the "Allow only one instance" option is set.

-v

Forces Process Hacker's main window to be displayed at startup, even if the "Start hidden" option is enabled.

-hide

Hides Process Hacker's main window at startup, even if the "Start hidden" option is disabled.

-elevate

Prompts for elevation if Process Hacker is not started with elevated privileges.

-c -ctype objecttype -cobject object -caction action -cvalue value

Enables command mode. The status of the operation is returned in the exit status of the process.

Possible values of objecttype:
  • "process". object is the process ID, and action can be "terminate", "suspend", "resume", "priority", "iopriority" or "pagepriority".
  • "service". object is the service name, and action can be "start", "continue", "pause", "stop" or "delete".
  • "thread". object is the thread ID, and action can be "terminate", "suspend" or "resume".
Examples:

ProcessHacker.exe -c -ctype process -cobject 1424 -caction terminate
ProcessHacker.exe -c -ctype process -cobject 5896 -caction priority -cvalue high
ProcessHacker.exe -c -ctype service -cobject Winmgmt -caction pause

-s

Enables silent mode. No error messages are displayed for command mode, -installkph and -uninstallkph.

-ras

Enters run-as-service mode. This is used internally by the Run As command.

-nokph

Disables KProcessHacker. Process Hacker will not attempt to load the driver or connect to it.

-installkph

Installs KProcessHacker as a System Start service.

-uninstallkph

Deletes the KProcessHacker service.

-debug

Shows the debug console early in the startup process.

-showoptions -hwnd parentwindow -point x,y

Displays the Advanced tab of the options window only. parentwindow specifies the parent window handle in hexadecimal and x,y specifies the location of the options window.

-phsvc

Enters phsvc mode. This exposes an LPC-based API currently used by Process Hacker for tasks that require elevation.

-priority r|h|n|l

Sets the priority of Process Hacker to realtime (r), high (h), normal (n) or idle (l).

-selectpid pid

Selects pid in a new or existing instance of Process Hacker.

-sysinfo section

Opens the System Information window at startup, and optionally navigates to the specified section.
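
Added example, not part of the original post and not Process Hacker's own code: a small reviewer for process-creation logs that parses the options documented above and reports command-mode actions, KProcessHacker service changes and use of silent mode. The sample command lines and the C:\Tools path are constructed, and case-insensitive option matching is an assumption of this reviewer.

```python
import shlex

# Object types and actions exactly as listed in the reference above.
ACTIONS = {
    "process": {"terminate", "suspend", "resume", "priority", "iopriority", "pagepriority"},
    "service": {"start", "continue", "pause", "stop", "delete"},
    "thread": {"terminate", "suspend", "resume"},
}
# Options from the reference that are followed by a value.
VALUED = {"-settings", "-ctype", "-cobject", "-caction", "-cvalue",
          "-hwnd", "-point", "-priority", "-selectpid"}

def parse(cmdline):
    """Split a logged command line into (switches, values); None if not Process Hacker."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or not tokens[0].lower().endswith("processhacker.exe"):
        return None
    switches, values, i = set(), {}, 1
    while i < len(tokens):
        opt = tokens[i].lower()  # assumption: this reviewer matches options case-insensitively
        if opt in VALUED and i + 1 < len(tokens):
            values[opt] = tokens[i + 1]  # keep the value's original case (service names, paths)
            i += 1
        elif opt.startswith("-"):
            switches.add(opt)
        i += 1
    return switches, values

def review(cmdline):
    """Return audit findings for one command line; an empty list means nothing to report."""
    parsed = parse(cmdline)
    if parsed is None:
        return []
    switches, values = parsed
    findings = []
    if "-c" in switches:
        ctype = values.get("-ctype", "").lower()
        action = values.get("-caction", "").lower()
        if action in ACTIONS.get(ctype, ()):
            findings.append(f"command mode: {action} {ctype} {values.get('-cobject')}")
        else:
            findings.append(f"command mode with undocumented pair: {ctype}/{action}")
    findings += [f"driver service change: {s}"
                 for s in ("-installkph", "-uninstallkph") if s in switches]
    if findings and "-s" in switches:
        findings.append("silent mode: error messages suppressed")
    return findings
```
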
 
OrdiFacil
New User
Posts: 2
Joined: 08 Feb 2011 21:13
OS: Windows XP SP3 x86
Location: Paris, France

Command line reference - Feedback

17 Feb 2011 08:50

:thumbup: Thanks! The "-hide" option is especially useful for people who want to start Process Hacker minimized at Windows startup.
"We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare ; now, thanks to the Internet, we know that is not true." Robert Wilensky

"Give a man a fish and he will eat for a day. Teach a man to fish and he will eat for the rest of his life." Lao Tse
 
frank
Member
Posts: 6
Joined: 14 May 2014 22:36
OS: windows 7

Re: Command line reference

17 May 2014 14:22

Sounds like a noob could do it! I will be giving it a try sometime! Wish me luck!
 
isabel

Re: Command line reference

05 Nov 2014 00:34

:thumbup: :thumbup: :thumbup: very helpful
 
wschloss
New User
Posts: 1
Joined: 10 Nov 2014 15:58
OS: Windows 7 64 bit

Re: Command line reference

10 Nov 2014 16:10

It would save time if there was a command line option to start directly in "System Information/CPU/One Graph per CPU" or other "System Information/view" modes. Thank you for this very nice tool.
 
shackles
Member
Posts: 17
Joined: 03 Jan 2016 22:44
OS: windows

Re: Command line reference

10 Dec 2016 21:10

There are new command line actions? Like unloaddll and injectdll?
 
dmex
Admin
Posts: 1562
Joined: 17 Jan 2011 05:43
Location: Australia

Re: Command line reference

11 Dec 2016 01:52

> It would save time if there was a command line option to start directly in "System Information/CPU/One Graph per CPU" or other "System Information/view" modes. Thank you for this very nice tool.

There are plugins for this ;)

> There are new command line actions? Like unloaddll and injectdll?

Those two options require user interaction and will not be available from the command line as they would likely become a target for malicious software.
 
shackles
Member
Posts: 17
Joined: 03 Jan 2016 22:44
OS: windows

Re: Command line reference

11 Dec 2016 10:30

That's what I thought, but when I was going through the source code I saw these parameters, so I asked.
 
ZabZab

Re: Command line reference

15 Dec 2017 06:21

There are a few stubborn processes that have not been killed with the regular task manager due to Access Is Denied.
From the Process Hacker GUI I am able to kill those processes; however, when I try to use Process Hacker on the command line with the following command:
ProcessHacker.exe -c -ctype process -cobject 1424 -caction terminate

I am getting Access Is Denied.
I tried it with run as administrator and system user and results are the same.

Am I missing something?
 
zabzab

Re: Command line reference

15 Dec 2017 10:26

Running the command line kill process ends with access denied, while through the GUI it kills the process.
I tried running the command line as admin and system user, same result of access denied.
Any enlightenment about that?
 
Nautilus

Re: Command line reference

23 Sep 2018 21:21

Having the same issue: commands that I run from the interface can kill a process, but the same process cannot be killed with cmd!
 
viksoftru
Member
Posts: 617
Joined: 15 Aug 2011 06:01
OS: Win7 (Live! DVD), BSD
Location: Russia

Re: Command line reference

13 Oct 2018 15:27

It is not a bug. This process is just locked by another process. See the parent, handles and command line for this process to find what locks it.
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Command line reference

04 May 2019 04:49

It could also have a deny ACL for a group that includes your userid, like 'Everyone', 'CONSOLE LOGIN' or 'INTERACTIVE'. I saw such an ACL on a game-anti-user process that was intended to keep every type of user from interacting with that process in any way. Pretty ugly. It's been a while since I used it, but it is possible the kernel-driver for PH, might be able to override some of those restrictions, but w/o testing, I wouldn't know for sure.
 
dmex
Admin
Posts: 1562
Joined: 17 Jan 2011 05:43
Location: Australia

Re: Command line reference

04 May 2019 05:43

> It could also have a deny ACL for a group that includes your userid, like 'Everyone', 'CONSOLE LOGIN' or 'INTERACTIVE'. I saw such an ACL on a game-anti-user process that was intended to keep every type of user from interacting with that process in any way. Pretty ugly. It's been a while since I used it, but it is possible the kernel-driver for PH, might be able to override some of those restrictions, but w/o testing, I wouldn't know for sure.

You don't need a kernel driver.

Windows automatically bypasses access checking the process ACL when the caller is running as administrator with SeDebugPrivilege and every system service has SeDebugPrivilege enabled by default. The deny acl works great for corporate environments where users don't have administrative access but is a waste of time and completely useless for home environments (especially for anti-cheat).
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Command line reference

04 May 2019 12:42

Thanks! good to know.
 
CommandLine

Re: Command line reference

09 Jul 2019 21:08

Hey, I'm wondering the same thing as zabzab.

"Running Command line kill process ends with access denied while through the GUI it kills the process.
I tried running Command line as admin and system user , same result of access denied."

I'm guessing this is by design then?
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Command line reference

17 Jul 2019 19:54

>> It could also have a deny ACL for a group that includes your userid, like 'Everyone', 'CONSOLE LOGIN' or 'INTERACTIVE'. I saw such an ACL on a game-anti-user process that was intended to keep every type of user from interacting with that process in any way. Pretty ugly. It's been a while since I used it, but it is possible the kernel-driver for PH, might be able to override some of those restrictions, but w/o testing, I wouldn't know for sure.
> You don't need a kernel driver.
>
> Windows automatically bypasses access checking the process ACL when the caller is running as administrator with SeDebugPrivilege and every system service has SeDebugPrivilege enabled by default. The deny acl works great for corporate environments where users don't have administrative access but is a waste of time and completely useless for home environments (especially for anti-cheat).
----
I may be able to get around ACL checking w/debug priv, I know it is set on my login, but maybe something disables it, but just now, I was blocked from killing off NISSERV -- the network inspection service. It seemed like it might be interfering with Windows installing its anti-malware definitions -- since I just saw it update them, then got a message that I needed to reboot cuz Windows couldn't update files because I was logged in.

But I'm thinking it was more likely to be nisserv, since I usually don't have that running and for whatever reason it started running again recently.

Anyway, looking at the process properties, I wasn't able to take ownership of the process's token, or set myself to have access to the token -- wasn't able to change anything about it.

So installed the kernel mode driver, and voilà -- instantly able to override restrictions on killing that process.
It's a pain to let that driver run, as it protects itself so you can't shut it down through the services control panel -- only by killing it and only if PH has its driver installed.

Note my login has DEBUG priv. Why am I unable to override security around that process (system lvl integrity), but I am able to override it with the kernel mode driver installed?

FWIW, without driver, I wasn't able to change its integrity level down from System to High, with driver, I could.
Once its integrity level was reduced, I was able to override object permissions as a normal admin (take ownership/then modify acl).
 
jxian725
New User
Posts: 1
Joined: 28 Jun 2020 10:23
OS: Windows 10 64bit
Location: Somewhere

Re: Command line reference

28 Jun 2020 10:24

Hi, is it possible to run a command as admin? Something like
-admin ProcessHacker.exe -c -ctype process -cobject 1424 -caction terminate

OR

If I put the command line into a .bat and run the batch script as admin, will it launch the command as admin?
Last edited by jxian725 on 28 Jun 2020 10:43, edited 1 time in total.