Process Hacker Forums

Process Hacker supports a limited number of searchbox commands in addition to the default wildcard search.

By default you can search by any entered syntax and filter all Process, Service and Network activity. Examples:
Explorer.exe
Svchost
TDI
High
Low

You can enter multiple queries using the | character. Examples:
svchost|BadSignature
svchost|IsImmersive
svchost|chrome|firefox|IsBeingDebugged

You can also filter the current view based on specific search queries:

Limited
The Process token elevation type is limited.

Full
The Process token elevation type is elevated.

IsBeingDebugged
The Process is being natively debugged.

IsDotNet
The Process is a native .NET executable.

IsElevated
The Process is elevated.

IsInJob
The Process is part of a job.

IsInSignificantJob
The Process is part of a significant job.

IsPacked
The Process is a packed executable.

IsPosix
The Process is a native POSIX executable.

IsSuspended
The Process is suspended.

IsWow64
The Process is a 32bit executable.

IsImmersive
The Process is a Metro (Immersive) executable.

NoSignature
The Process executable signature unavailable.

Trusted
The Process executable signature is trusted.

Expired
The Process executable signature has expired.

Revoked
The Process executable signature is revoked.

Distrust
The Process executable signature is not trusted.

SecuritySettings
The Process executable signature encountered a policy error.

BadSignature
The Process executable signature has a bad signature, not trusted.

Unknown
The Process executable signature is unknown.

Thanks for the references. It will come in handy.

Thanks

At first this queries are very useful.
However in the first post is said you could filter processes with the search queries you mentioned. But in my test it like this.
The "|" rather behaves like an "OR" so "svchost|BadSignature" does not show all svchost.exe processes which have an invalid signature, but it shows all svchost.exe processes and all processes which have an invalid signature.

Here you can see a screenshot: https://i.imgur.com/XKgGoJ7.png

PH 2.34

NewVersionTester wrote:

The "|" rather behaves like an "OR" so "svchost|BadSignature" does not show all svchost.exe processes which have an invalid signature, but it shows all svchost.exe processes and all processes which have an invalid signature.

This is how it's designed as the alternative is very limiting. If you want to filter more specifically then you need to be more specific with your search terms

Okay and how can I for example show all svchost.exe process which have a bad signature? "svchost.exe BadSignature" doesn't work.

NewVersionTester wrote:

Okay and how can I for example show all svchost.exe process which have a bad signature? "svchost.exe BadSignature" doesn't work.

You can try svchost|BadSignature but the filter routine only handles OR style filtering (e.g. You'll see both svchost OR BadSignature processes).

hello
can you please add this info as tool tip to show when click in search bar?
if you do that also add | Alt 124 so user know how to type that
thank you best regards