Process Hacker and Windows discussion

 
Qiris
Member
Posts: 6
Joined: 03 Feb 2013 04:11
OS: Windows 7 64bit

How do you completely kill Process Hacker?

03 Feb 2013 04:16

Disclaimer: By no means am I attempting to use this program for any personal gain at the expense of others to gain an upper hand. I am not cracking the game, nor am I attempting to attach to the game by changing its process using Process Hacker.

I have found that Process Hacker is a great tool for shutting down processes that normally give access denied in other commandline options, such as taskkill, pskill, PV, etc.

However, the biggest issue I'm dealing with is that I'm not sure how to completely shut down its own program, Process Hacker itself. While I can get rid of the exe with ease, I'm not sure what, but the HackShield (the antihack program most commonly found in MMO games) can detect Process Hacker 2, despite the exe not even appearing in Windows Task Manager, tasklist, etc. Is there something that Process Hacker is running even when the exe is completely turned off?
 
dmex
Admin
Posts: 1555
Joined: 17 Jan 2011 05:43
Location: Australia

Re: How do you completely kill Process Hacker?

03 Feb 2013 08:20

Is there something that Process Hacker is running even when the exe is completely turned off?
Process Hacker uses a kernel-mode driver, KProcessHacker, to assist with certain functionality - this driver will remain loaded (but inactive) after PH has exited - like all kernel drivers.

You can disable the driver and prevent it from being initially loaded by doing the following: open Process Hacker > click Options > click the Advanced tab, untick the 'Enable kernel-mode driver' option and finally apply to save the settings - after you've done this, just reboot to unload the driver and it'll remain disabled until the option is enabled (and you've restarted again) ;)

However the following functionality will become unavailable without the driver:
* Bypassing rootkits and some security software in limited ways
* More powerful process and thread termination
* Setting DEP status of processes
* Capturing kernel-mode stack traces
* More efficiently enumerating process handles
* Retrieving names for file handles
* Retrieving names for EtwRegistration objects
* Setting handle attributes

-dmex
 
Qiris
Member
Posts: 6
Joined: 03 Feb 2013 04:11
OS: Windows 7 64bit

Re: How do you completely kill Process Hacker?

03 Feb 2013 08:22

Thank you! Now for the second question:

Is it possible to do that in a command line? Or is that simply not possible?
 
dmex
Admin
Posts: 1555
Joined: 17 Jan 2011 05:43
Location: Australia

Re: How do you completely kill Process Hacker?

03 Feb 2013 08:26

Is it possible to do that in a command line? Or is that simply not possible?
You should be able to manually stop/start the kernel module using the Service Control Manager (without modifying the PH settings) - try one of these using an elevated command prompt:

sc stop KProcessHacker2 (If PH is running: the driver will stop once PH has exited)
sc start KProcessHacker2 (If PH isn't running: the driver will load and do nothing until PH has started)
 
Qiris
Member
Posts: 6
Joined: 03 Feb 2013 04:11
OS: Windows 7 64bit

Re: How do you completely kill Process Hacker?

03 Feb 2013 08:29

So assuming I was in the right directory, and wanted to:
First start the Process Hacker to shut down a process then shut down the kernel module, my syntax would be along the lines of:
sc start KProcessHacker2
ProcessHacker.exe -c -ctype process -cobject Program.exe -caction terminate
sc stop KProcessHacker2
Would this be the case? Or am I not even close?
 
dmex
Admin
Posts: 1555
Joined: 17 Jan 2011 05:43
Location: Australia

Re: How do you completely kill Process Hacker?

03 Feb 2013 08:32

So assuming I was in the right directory, and wanted to:
First start the Process Hacker to shut down a process then shut down the kernel module, my syntax would be along the lines of:

Would this be the case? Or am I not even close?
You don't need to start KPH manually - the following should be enough ;)
ProcessHacker.exe -c -ctype process -cobject Program.exe -caction terminate
sc stop KProcessHacker2
 
Qiris
Member
Posts: 6
Joined: 03 Feb 2013 04:11
OS: Windows 7 64bit

Re: How do you completely kill Process Hacker?

03 Feb 2013 08:33

Do I not need to specify the exe in the second line? Like:

ProcessHacker.exe sc stop KProcessHacker2

Or is that unnecessary?
 
dmex
Admin
Posts: 1555
Joined: 17 Jan 2011 05:43
Location: Australia

Re: How do you completely kill Process Hacker?

03 Feb 2013 08:41

Do I not need to specify the exe in the second line? Like:

ProcessHacker.exe sc stop KProcessHacker2

Or is that unnecessary?
It's unnecessary - SC is a command line program included with Windows.

Usage:
sc [command] [service name] <option1> <option2>...

Example 1: (unload KProcessHacker)
sc stop KProcessHacker2 
or Example 2: (disable/unload all sound cards)
sc stop Audiosrv
;)
 
Qiris
Member
Posts: 6
Joined: 03 Feb 2013 04:11
OS: Windows 7 64bit

Re: How do you completely kill Process Hacker?

03 Feb 2013 08:42

I see. Thank you so much (:

EDIT: If I were to run this the second time, don't I need to turn the kernel on again though?
 
dmex
Admin
Posts: 1555
Joined: 17 Jan 2011 05:43
Location: Australia

Re: How do you completely kill Process Hacker?

03 Feb 2013 09:09

If I were to run this the second time, don't I need to turn the kernel on again though?
The 'sc stop' trick will only work if you have the 'Enable kernel-mode driver' setting ticked under advanced, if the option is unticked then ProcessHacker won't connect to KPH at all (even if it's loaded and available).

I'll try to explain how the KPH driver loads/unloads from system start to shut-down ;)

The default system pattern:
-System Startup-

-first PH start (KPH load, connect) <-- Note: the first PH start loads the driver
-first PH exit (KPH disconnect)

-second PH start (KPH connect) <-- Note: how the second start doesn't load KPH
-second PH exit (KPH disconnect)

-System Shutdown- (KPH unload) <-- Note: the only time KPH is unloaded
What's going to happen once you use the sc command to stop KPH:
-System Startup-

-first PH start (KPH load, connect)
-first PH exit (KPH disconnect)
-first SCM stop (KPH unload) <-- Note: from using the sc command

-second PH start (KPH load, connect) <-- Note: had to load KPH since it wasn't loaded
-second PH exit (KPH disconnect)
-second SCM stop (KPH unload) <-- Note: from using the sc command

-System Shutdown-
Does this make any sense? :?
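
The load/unload pattern described in the post above can be checked from outside Process Hacker. The following is an added example, not part of the original post and not Process Hacker's own code: it parses `sc query KProcessHacker2` output and reports whether the driver is still resident after ProcessHacker.exe has exited. The function names are hypothetical and the sample outputs are constructed.

```python
import re
import subprocess

DRIVER = "KProcessHacker2"  # service name as given in the thread

def parse_sc_query(text):
    """Return the STATE name from `sc query` output, None if not installed."""
    if "FAILED 1060" in text:  # ERROR_SERVICE_DOES_NOT_EXIST
        return None
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", text, re.MULTILINE)
    if m is None:
        raise ValueError("unrecognised sc query output")
    return m.group(1)

def classify(sc_text, ph_running):
    """Map driver state plus 'is ProcessHacker.exe running' to a verdict."""
    state = parse_sc_query(sc_text)
    if state is None:
        return "not-installed"
    if state == "STOPPED":
        return "unloaded"
    if state == "RUNNING":
        # Loaded with no PH process is the case discussed in the thread.
        return "loaded-in-use" if ph_running else "loaded-resident"
    return "transitional:" + state  # e.g. STOP_PENDING

def live_check():
    """Windows only: query the real driver service and process list."""
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    tasks = run(["tasklist", "/FI", "IMAGENAME eq ProcessHacker.exe"])
    return classify(run(["sc", "query", DRIVER]), "ProcessHacker.exe" in tasks)

# Constructed sample outputs (not captured from a real system).
SAMPLE_RUNNING = """SERVICE_NAME: KProcessHacker2
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
"""
SAMPLE_STOPPED = SAMPLE_RUNNING.replace("4  RUNNING", "1  STOPPED")
SAMPLE_MISSING = "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n"

if __name__ == "__main__":
    print(classify(SAMPLE_RUNNING, ph_running=False))
    print(classify(SAMPLE_STOPPED, ph_running=False))
    print(classify(SAMPLE_MISSING, ph_running=False))
```

On a Windows host, `live_check()` runs the same classification against the real `sc query` and `tasklist` output.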
 
Qiris
Member
Posts: 6
Joined: 03 Feb 2013 04:11
OS: Windows 7 64bit

Re: How do you completely kill Process Hacker?

03 Feb 2013 09:10

Ahhhh I see~ Thank you!
 
boss7070
New User
Posts: 1
Joined: 30 Jul 2020 13:17

Process Hacker still has some files left after uninstall

30 Jul 2020 13:20

Please help, I cannot delete Process Hacker