Process Hacker Discussion Forum

 
PPP700
Member
Posts: 4
Joined: 01 Jun 2021 21:54

Process Hacker attempts to access USBXHCI.SYS (WHY?)

01 Jun 2021 21:57

If I enable admin access to process hacker, when I close the application I get a warning from my app control solution:

C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS

WHY?
 
dmex
Admin
Posts: 1702
Joined: 17 Jan 2011 05:43

Re: Process Hacker attempts to access USBXHCI.SYS (WHY?)

02 Jun 2021 14:12

PPP700 wrote: 01 Jun 2021 21:57
I get a warning from my app control solution
What is this "app control solution"?
PPP700 wrote: 01 Jun 2021 21:57
C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS

WHY?
Was that file modified or something and does it still have a digital signature? What was this "warning" exactly?
 
PPP700
Member
Posts: 4
Joined: 01 Jun 2021 21:54

Re: Process Hacker attempts to access USBXHCI.SYS (WHY?)

03 Jun 2021 17:38

Thank you for your reply.

App control solution is ZoneAlarm Pro Firewall. I am not in a sandbox so I denied access from Process Hacker and created a rule to permanently block. Just seemed like odd behavior and raised concerns. Likewise, I only run Process Hacker when internet is disabled (again, I am not in a sandbox).

I checked the referenced driver and it has not been modified and is still digitally signed by Microsoft.

7:00 GMT,UNKNOWN(0),Process Hacker,C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS,http://osalerts.zonealarm.com/osanalyze ... SBXHCI.SYS
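The check dmex asks for above (is the file unmodified, and does it still carry a valid Microsoft signature?) can be done from an elevated PowerShell prompt. The script below is an added example, not code from this thread, from Process Hacker or from ZoneAlarm; it assumes the driver lives at the default %SystemRoot%\System32\drivers\USBXHCI.SYS (the WINDRVDIR in the ZoneAlarm log) and that the kernel service is registered under the name USBXHCI.

```powershell
# Added example: verify USBXHCI.SYS is intact and Microsoft-signed.
# Assumes the default inbox driver path and the service name 'USBXHCI'.
$driver = Join-Path $env:SystemRoot 'System32\drivers\USBXHCI.SYS'

# 1. Authenticode check. Inbox drivers are normally catalog-signed rather than
#    carrying an embedded signature; Get-AuthenticodeSignature resolves that
#    through the installed catalogs, so 'Valid' with a Microsoft Windows subject
#    is the expected result. A patched file fails catalog validation.
$sig = Get-AuthenticodeSignature -FilePath $driver
[pscustomobject]@{
    Path   = $driver
    Status = $sig.Status                       # expect 'Valid'
    Signer = $sig.SignerCertificate.Subject    # expect CN=Microsoft Windows, ...
    Issuer = $sig.SignerCertificate.Issuer
}
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Windows') {
    Write-Warning "Unexpected signature state for $driver"
}

# 2. Hash the live copy and compare it with the copies Windows keeps in the
#    DriverStore. A mismatch is a lead to look at version info, not proof of
#    tampering: servicing can leave older copies in the store.
$liveHash = (Get-FileHash -Algorithm SHA256 -Path $driver).Hash
"Live  $liveHash  $driver"
Get-ChildItem "$env:SystemRoot\System32\DriverStore\FileRepository" -Recurse -Filter 'USBXHCI.SYS' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        $tag = if ($h -eq $liveHash) { 'MATCH   ' } else { 'MISMATCH' }
        "$tag  $h  $($_.FullName)"
    }

# 3. Confirm the registered kernel service points at that same file; a service
#    whose PathName is somewhere other than System32\drivers would be a red flag.
Get-CimInstance Win32_SystemDriver -Filter "Name='USBXHCI'" |
    Select-Object Name, State, StartMode, PathName
```

Run it elevated so the DriverStore enumeration is not cut short by access-denied errors. If step 1 reports Valid with a Microsoft Windows signer and step 3 shows the standard path, the file itself is fine; the open question in the thread (why a user-mode process touched the driver file at all) is a separate one and is not answered by these checks.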
 
PPP700
Member
Posts: 4
Joined: 01 Jun 2021 21:54

Re: Process Hacker attempts to access USBXHCI.SYS (WHY?)

03 Jun 2021 17:41

https://osalerts.zonealarm.com/osanalyz ... b=overview

This overview from Zonealarm makes sense to me and has me concerned: "Process Hacker may be malicious. It may be attempting to affect other programs or the security of the system. Programs do not normally need to load a driver."
 
PPP700
Member
Posts: 4
Joined: 01 Jun 2021 21:54

Re: Process Hacker attempts to access USBXHCI.SYS (WHY?)

04 Jun 2021 19:35

Update: something seems to have partially infected my laptop with hooks and, I'm guessing, attempts to inject into signed drivers, but failed. Chrome was compromised and associated itself with every file type, with persistence. After pulling every single regkey and file for Process Hacker and Chrome, there is no more strange behavior and no more drivers being attempted to load.

I can't say it was Process Hacker and I don't feel like reproducing. But I am not going to risk it and am suspicious.