Process Hacker Forums

If I enable admin access to process hacker, when I close the application I get a warning from my app control solution:

C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS

WHY?

PPP700 wrote: ↑01 Jun 2021 21:57

I get a warning from my app control solution

What is this "app control solution"?

PPP700 wrote: ↑01 Jun 2021 21:57

C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS

WHY?

Was that file modified or something and does it still have a digital signature? What was this "warning" exactly?

Thank you for your reply.

App control solution is ZoneAlarm Pro Firewall. I am not in a sandbox so I denied access from Process Hacker and created a rule to permanently block. Just seemed like odd behavior and raised concerns. Likewise, I only run Process Hacker when internet is disabled (again, I am not in a sandbox).

I checked the referenced driver and is has not been modified and is still digitally signed by Microsoft.

7:00 GMT,UNKNOWN(0),Process Hacker,C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS,http://osalerts.zonealarm.com/osanalyze ... SBXHCI.SYS

https://osalerts.zonealarm.com/osanalyz ... b=overview

This overview from Zonealarm makes sense to me and has me concerned: "Process Hacker may be malicious. It may be attempting to affect other programs or the security of the system. Programs do not normally need to load a driver."

Update, something seemed to have partially infected my laptop with hooks and guessing attempts to inject into signed drivers, but failed. Chrome was compromised and associated itself to every file type, with persistence. After pulling every single regkey and file for Process Hacker and Chrome. No more strange behavior or drivers being attempted to load.

I can't say it was Process Hacker and I don't feel like reproducing. But I am not going to risk it and am suspicious.