Process Hacker attempts to access USBXHCI.SYS (WHY?)

Posted: 01 Jun 2021 21:57
by PPP700
If I enable admin access to Process Hacker, when I close the application I get a warning from my app control solution:

C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS

WHY?

Re: Process Hacker attempts to access USBXHCI.SYS (WHY?)

Posted: 02 Jun 2021 14:12
by dmex
PPP700 wrote: 01 Jun 2021 21:57
I get a warning from my app control solution
What is this "app control solution"?
PPP700 wrote: 01 Jun 2021 21:57
C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS

WHY?
Was that file modified or something and does it still have a digital signature? What was this "warning" exactly?

Re: Process Hacker attempts to access USBXHCI.SYS (WHY?)

Posted: 03 Jun 2021 17:38
by PPP700
Thank you for your reply.

App control solution is ZoneAlarm Pro Firewall. I am not in a sandbox so I denied access from Process Hacker and created a rule to permanently block. Just seemed like odd behavior and raised concerns. Likewise, I only run Process Hacker when internet is disabled (again, I am not in a sandbox).

I checked the referenced driver and it has not been modified and is still digitally signed by Microsoft.

7:00 GMT,UNKNOWN(0),Process Hacker,C:\Program Files\Process Hacker 2\ProcessHacker.exe,DRIVER,LOAD,SRC,,WINDRVDIR\USBXHCI.SYS,http://osalerts.zonealarm.com/osanalyze ... SBXHCI.SYS
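The checks behind "not modified and still signed by Microsoft", written out as an added example (not code from the thread or from the Process Hacker project). It assumes WINDRVDIR in the ZoneAlarm alert means the standard System32\drivers directory, that the xHCI driver's service name is USBXHCI, and Windows 10 or later with PowerShell 5.1, where Get-AuthenticodeSignature resolves catalog signatures; run it from an elevated prompt so sfc can read the component store.

```powershell
# Added example: verify the flagged driver is the unmodified, Microsoft-signed system file.
# Assumption: WINDRVDIR in the alert is the standard driver directory.
$driver = Join-Path $env:SystemRoot 'System32\drivers\USBXHCI.SYS'
if (-not (Test-Path $driver)) { throw "Driver not found: $driver" }

# 1. Signature check. Inbox drivers are usually catalog-signed rather than carrying an
#    embedded signature, so SignatureType is normally 'Catalog'. Status must be 'Valid'
#    and the signer subject should name Microsoft Windows.
$sig = Get-AuthenticodeSignature -FilePath $driver
[pscustomobject]@{
    Path          = $driver
    Status        = $sig.Status                     # expect 'Valid'
    SignatureType = $sig.SignatureType              # 'Catalog' for inbox drivers
    Signer        = $sig.SignerCertificate.Subject  # expect a CN=Microsoft Windows subject
    SHA256        = (Get-FileHash -Algorithm SHA256 $driver).Hash
} | Format-List

# 2. Integrity check against the Windows component store (WinSxS). A valid catalog
#    signature only proves the file matches *some* signed hash; sfc confirms it is the
#    copy Windows itself expects for this build. Requires an elevated prompt.
& "$env:SystemRoot\System32\sfc.exe" /VERIFYFILE=$driver

# 3. Is the driver running as a kernel service? A user-mode process opening the file on
#    disk (to read headers, verify a signature, resolve symbols) is a different event from
#    the driver being loaded into the kernel; this shows the kernel-side state only.
# Assumption: the service name for usbxhci.sys is USBXHCI.
Get-CimInstance Win32_SystemDriver -Filter "Name='USBXHCI'" |
    Select-Object Name, State, StartMode, PathName
```

If step 1 reports anything other than Valid, or sfc reports the file as corrupted, treat the driver rather than the tool that opened it as the first thing to investigate.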

Re: Process Hacker attempts to access USBXHCI.SYS (WHY?)

Posted: 03 Jun 2021 17:41
by PPP700
https://osalerts.zonealarm.com/osanalyz ... b=overview

This overview from Zonealarm makes sense to me and has me concerned: "Process Hacker may be malicious. It may be attempting to affect other programs or the security of the system. Programs do not normally need to load a driver."

Re: Process Hacker attempts to access USBXHCI.SYS (WHY?)

Posted: 04 Jun 2021 19:35
by PPP700
Update: something seems to have partially infected my laptop with hooks and, I'm guessing, attempted to inject into signed drivers, but failed. Chrome was compromised and associated itself with every file type, with persistence. After pulling every single regkey and file for Process Hacker and Chrome, there is no more strange behavior and no more drivers being attempted to load.

I can't say it was Process Hacker and I don't feel like reproducing it. But I am not going to risk it and am suspicious.