Task Explorer - An Advanced Task Manager for hackers
Since Task explorer went a long way from a first preview build till now, I thought it would better fit into this section of the forum, so lets continue here.
Task Explorer is an advanced Task Manager tool with emphasis on, not just monitoring what applications are running, but on finding out what applications are doing. Screenshot: https://i.ibb.co/q5406rC/1.png The UI focuses on expedience and getting real time data of what the processes are doing at any given moment. Relevant data are provided in easy to access (as less clicks as possible) panels, with no need to open windows or windows of sub windows, instead additional information’s for selected entries are shown in the lower half of the panel. Allowing to browse the detailed information’s using arrow keys. And most data are refreshed continuously, as seeing the dynamic of values often grants additional insight. The Thread Panel contains a stack trace for the selected thread giving even more insight in wat the selected application is doing right now. This is also very useful to debug deadlocks or performance issues. The processes memory can be viewed and edited from the Memory Panel, which provides an advanced memory editor and string search capability. In the Handles Panel all open handles are shown, with useful information’s like file name the current file position and size, these allow to see what a program is actually working on right now disk wise. The Socket Panel shows all open connections/sockets per process providing also data rate information, in the settings one can enable the display of pseudo UDP connections created from ETW data. That is every destination endpoint for UDP packets will be shown as an own entry in the sockets panel allowing to monitor with whom a program is communicating. The Modules Panel shows all loaded dll’s and memory mapped files, allowing to unload them as well as to inject a dll. And many more panels like Token, Environment, Windows, GDI, .NET, etc…. By double clicking on a process, the Task Info panels can be opened in a separate window enabling the viewing of properties of multiple processes simultaneously. The system monitor aspect of the application is also well developed. The toolbar provides decently sized graphs providing not just CPU usage but also usage of Objects, handles, network and IO/disk access. The system info panels show All Open Files in the system, All Open Sockets by programs, and the services Panel allows viewing and controlling all system services including drives. The performance panels for CPU, Memory, Disk I/O, Network and GPU provide large graphs showing the usage of system resources in a detailed manner. The System info panel can be collapsed completely providing more space for the Task info panels. So Instead being a panel of the main window, or additionally, the system info panels can be opened in an own window using the appropriate toolbar button. Task Explorer can be found on my GitHub page: https://github.com/DavidXanatos/TaskExplorer its fully Open Source under the GPLv3.0 and is created using the Qt Framework, making its UI platform independent. As at a later point I intent to port the tool to Linux, creating the first advanced GUI based task manager for Linux ever. The tool is build using the process hacker library and it uses a self-compiled version of the kprocesshacker.sys driver called xprocesshacker.sys, the driver is signed using a “found” code signing certificate. However if preferred by the user the tool can also use the original kprocesshacker.sys driver however then with some limitations as the driver locks some functionality out if the accessing tool is not digitally signed by the process hacker team. I would appreciate feedback and improvement suggestions / feature requests... |
Most recent build, as of today: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.8.5
[0.8.5] - 2019-09-01 This release focuses on bug fixing and usability improvements. An other major change is the use of the own xprocesshacker.sys driver by default, this is required as the original kprocesshacker.sys comes with a DRM that locks some functionality away from tools which are not signed by the process hacker team. With an own driver we can again mess with protected processes and read any memory location. The used leaked signing certificate does not seam to raise to many read flags eider, virus total: xprocesshacker.sys 4 false positivs https://www.virustotal.com/gui/file/ac2ed32418c81cf97dd6a53e258b4066952affbb768e66ebaaf57643d5f145ec/detection vs original kprocesshacker.sys 13 false positivs https://www.virustotal.com/gui/file/220a2dcf4d597f9208c0e7fd7057a91e88e118d420f20aac8e75ae3e39a7ac22/detection In fact we get much less than process hacker does. Added
Changed
Fixed
|
New Release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.9.0
This releases added some new useful insights into the operating system and adds firewall event monitoring to be able to show blocked connection attempts. [0.9.0] - 2019-09-09 Added added windows firewall monitor to show blockes connection atempts added network column to processes, showing if a process is or was using network sockets added toolbar button to set persistence to 1h added toolbar menu to quickly change item persistence added kernel object tab to system panel, including the pool table and otehr informations added nt object browser sub tab added atom table view to the kernel objects tab Changed The system info Drivers tab is now moved to a sub tab of the new kernel objects tab the stack trace section of the thread window can now be colapsed Fixed fixed issue disabling network adapter graphs did not work fixed driver view module info was not loaded |
New release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.9.25
This releases added many small convenience features, as well as a few major once. It now has a DNS cache tab, and the date form the DNS cache are used to more reliably resolve the remote host mane to which a socket was opened. Instead of just using a reverse dns which in the age of CDN's, likecloud flare and blazing fast, is quite useless, the tool correlates new sockets with the system DNS cache this way resolving which host name the process actually requested. Task explorer can now use the Wait Chain Traversal feature of windows to debug deadlocks of processes. And as the version approaches 1.0 we have many bug fixed. [0.9.25] - 2019-09-15 Added added remote host names resolution for the socket's tabs added dns cache viever with 60 min persistence -- the dns cache feature correlates the cached data with open sockets and provides a remote host name more reliable than reverse dns lookups better formating when copying panels added column reset option to all lists added f5 full refresh options added security explorer all sub windows now save their geometry addes Working Set Watch fature to count page faults added a few more pool informations added running object table view to kernel objects added Wait Chain Traversal feature to detect deadlocks added option to open thread tokens Changed when a new process is seen in an ETW or FW event it is now created and some masic infos are loaded copy cell now can copy multiple cels when enabling/disablign columns a refresh is triggered right away to fill in the data (in caseuse has set a ver slow refresh rate) improved menu layout Fixed fixed on copy cell did not work properly with multiple items selected fixed on cppy panel and row copying empty(hiden) columns fixed process tree horizontal scroll bar position reset on selection in tree fixed NtQueryInformationFile deadlock in windows 7 when querying \Device\VolMgrControl fixed issue where some deltas caused a overflow when the counter reset |
New release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.9.50
This new build features many usability improvements and some bug fixes. [0.9.50] - 2019-09-24 Added critical status added to processes state string critical processes / threads have an own list color trying to terminate a critical process or thread wil now display an additional confirmation mesage ctrl+c now copys the selected rows formating for copying panels can be set in settings added additional mitigation informations added additional informations to geneal process info -- details sub tab -- security sub tab -- app subtab added job id to job tab added app infos to process general tab Changed resolving symbols for pool limits is only triggered once the kernel objects tab gets opened all priority settings have now an own groupe in the process tree no longer keeping a handle open to all threads when thay were not used recently mitigation informtions are not more verbose Fixed all unselected tabs are no longer unnececerly updated at startup issue with private bytes displaying the wrong value fixed crash bug in task menu action handling fixed a minor issue with sid resolving |
New release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.9.75
This release focuses on bugfixes many many bug fixes, and some usability improvements. [0.9.75] - 2019-09-29 Added priority columns now show text instead of numbers (except base priority) added cert display to process security sub tab ctrl+e now expands all process tree items added driver config window added verbose error's dialog added more status informations Changed reduced cpu usage of models reduced cpu usage of rate counters moved firewall status resolution to separate threa reworked thread enumeration to save cpu usage service and socket tabs are not longer updated when thay are not visible gpu per proces stat update is now performed on a as needed basis massivly reduced treeview cpu usage by adaping configuration Fixed fixed an issue when on successfuly changing priority still an error was reported when starting using UAC bypass the process ended up with lower priority, -- fixed by now always settign higher priority on startup fixed bug with gpu usage column display fixed issue "bring in front" was always disable din the process tree fixed issue where thread start adresses were resolved multiple times unnececerly fixed crash issue when logging out users fixed service window not closing when ok was pressed fixed issue with service to process association fixed crash bug in reverse dns lookups on win 7 |
New Release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.0
Finally we arrived at the build v1.0, this build features a extended xprocesshacker.sys that can unprotect (PPL) protected processes. An other great new feature is a much better remote host name resolution for sockets, instead of just relying on reverse dns (which in the age of CDN's is not very reliable), we monitor ETW events emitted when a process issues a dns query. This way we know what domains every process requested and what IP's it got as answer, hence when observing a new socket we first check in this list for matching entries, when found it is almost certain the socket was opened with the intention to reach the captured domain. Added xprocesshacker.sys can now unprotect and re protect protected processes (light) using ETW Events to monitor what domains individual processes querry -- enabled more accurate remote hostname column display Changed cleaned up PH directory improved process display for the case when multiple processes are sellected now using https://github.com/microsoft/krabsetw to monitor ETW events reworked socket process association when opening finder the search term ist selected such it can be replaced quickly Fixed no longer trying to do reverse dns on adresses that returned no results |
Quote:
excellent work! your task explorer could even be source closed,i hope your work will not be stolen,it's more than a simple github project. |
Quote:
So I really wouldn't want to risk putting others in the same kind of pickle I found my self in. |
Quote:
|
Maintenance Release with some bug fixes, see change-log.
https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.0.1 [1.0.1] - 2019-11-15 Changed improved file handle info retrival ewt monitoring button is now disabled when running without admin rights Fixed memory leak occuring when updating per process handle list fixed issue with service to process association |
Happy Holidays everyone!
I bring you a new build Ho! Ho! Ho! Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.0.2 This release adds some improvements and fixes some bugs, as well as updating the used PH-library to a new version. [1.0.2] - 2019-12-24 Added settign for reverse DNS to disable it when desired when flushing dns cache the dns cache retention is reset as well Changed most "unknown" values now shows teh numeric value encountered updated PHlib to version 3.0.2812 Fixed an issue with the DNS cache monitoring fixed issue with etw event tracking for UDP traffic fixed issue with thread service tag not being resolved properly |
This build focuses on greatly improving the tracking of process starts and display of meaningful process trees. This is accomplished by monitoring the appropriate ETW events and using this information to list short lived processes that otherwise would fall between the refresh intervals of the regular enumeration method.
A new setting "Retain parent Processes" makes task explorer keep terminated processes listed as long as there are still child or (grand,...)grandchild processes running. A new toolbar button allows to quickly switch between a list view and a tree view while retaining the list sort order. The new build also features other UI improvements most notably a Dark Mode for those who likes it. Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.1 [1.1.0] - 2020-23-01 Added added Dark Theme Support added ETW monitoring of the processProvider -- allows to capture all process cration events henc elisting of very short lived processes -- using ETW data to set image path and command line when the process closed before we could inspect it added option to keep processes listed indefinetly as long as thay have still running children. added functionality to find some types of hidden processes, also usefull to find some already terminated processes added tool bar button to switch between the tree view and a list view more convinient as the last choose list sort column is remembered Changed the handle tab is now present twice once as it was and once providing only an open file list Fixed handle types are now sorted properly i.e. "[All]" is first fixed bug where in the unifyed list view switching to tree view was not possible fixed issue with some values not being initialized in CWinMainModule fixed High DPI scaling issues |
I tried to compile this today and it all went well apart from a couple of resources that seemed to be missing? I did however manage to compile if I removed the references from the resources.qrc file..
|
Quote:
|
I have a small inquiry for you guys...
What features would you like to see in the next builds? I was thinking about the ability to set priorities and CPU affinities persistently, i.e. the tool would remember it on an file name basis and whenever a process is seen with one of the preset paths (or only exe name, in the end probably a wildcard path really) its priorities and stuff will get adjusted accordingly. I was also thinking about adding an option to perpetually kill processes on the same basis, when one gets seen it will get killed. thinking here about typical telemetry processes like vctip.exe (VS2017/2019), software_reporter_tool.exe (Chrome), NvTelemetryContainer (NVidia) etc.... With regard to not allowing processes to start I could enforce that using the driver so that the process never goes past created suspended. But is that overkill? Is that the right thing for a task manager or should that go into some separate HIPS tool? I don't want to cram thematically unrelated features together, but well not allowing processes to start is still in the scope of a process manager. What do you think? |
Is there (I couldn't find it) a way to "dump" on file all of the information relative to a specific process?
Just as an example, the list of all opened files? BTW, great program! |
Yes, I think the kill feature would be better to have in a separate program.
The program is great, but maybe you can find a way to either switch to git altogether or find a way to make your workflow work with github. This would allow others to contribute to the project smoothly. |
Quote:
Yes, my favorite tool at the moment lol! Very good work! |
Quote:
|
Quote:
hmm... for an every day use I don't think that is a good idea you would accumulate possibly hundreds of such processes. but for some particular debug operations when you want to trace something that spawns many child processes really thoroughly, may be... |
Quote:
this (an option, not automatic) - thx |
Shell David
This Seema an awesome piece of software. That being salid. Andy france of having a precompiled versión @ github? Cheers TGD |
Quote:
https://github.com/DavidXanatos/TaskExplorer/releases |
Quote:
Quote:
Jeep safe! Cheers TGD |
This build focuses on many large and small usability improvements as well as a few small new features.
Download: https://github.com/taskexplorer/TaskExplorer/releases/tag/v1.2 ChangeLog: [1.2.0] - 2020-04-20 Added Option to configure process name display Pressing the refresh toolbar button now also clears the persistence when in hold mode Persistent Process Presets -- CPU, IO, Memory Priorities and CPU Affinity can be set persitence actoss process starts -- Processes are identifyed by path wildcard paths can be used -- The mechanism can also kill undesired processes swiftly add pe file viewer Sandboxie support, sandboxed prosesses are marked in yellow and the box thay belong to is provided in the tooltip Changed more options on main window close -- Exit confirmation dialog can now be disabled by default symbols are not auto downloaded, upon selecting a thread the user will be prompted whether to download them of the internet updated PHlib to version 3.0.3014 updated some default collors switched to Inno Setup as instller Fixed fixed when opening from tray window sometimes being empty |
This build comes with many big fixes and minor usability improvements.
Download: https://github.com/taskexplorer/TaskExplorer/releases/tag/v1.2.1 [1.2.1] - 2020-04-27 Added the TCP/IP traffic graph now show additional plots with LAN traffic based on ETW data services can now be stoped from the process tree contect menu Changed statis column now sorts not alphabetically but by list color reorganized the tool bar a bit and added a few shortcuts switched back to the custom installer due to "compatybility" issues Fixed cpu affinity was not properly loaded from file fixed more tray opening issues fixed issue displaying .NET assembly informations fixed issues with list coloring when not allcolors were enabled |
This build updates the driver with the ability to log kernel debug messages, when Debug Output Logging is enabled every process gets a Debug tab with its debug output and accordingly the system process is showing the Kernel Debug Output.
Other changes reorganized the UI to be more comprehensive, I would recommend to disable all System info tabs that contain graphs and use then only from the standalone System Info window. This uncluttered the UI quite a bit further more the Kernel View tab has been incorporated into the system tab and some process info tabs now are sub tabs of the general process tab. Download: https://github.com/taskexplorer/TaskExplorer/releases/tag/v1.2.1 [1.2.5] - 2020-06-01 Added Added debug view tab to see the debug output of individual process, when debug monitor is enabled Added kernel debug log option to xprocesshacker3 driver Changed Sandboxie support needs to be enabled in the settings, as having it always on interfears with updating sandboxie moved services tab to the general tab as a sub tab moved environment tab to the general tab as a sub tab merged system info tab kernel objects and main system tab moved a lot of usefull generic code to MiscHelpers.dll Fixed fixed tab menu checks fixed issue with system and task info window tabs fixed issue process name label forcing panel size fixed soem more minor ui glitches Have Fun! :) |
PS: ups the download link is not right that's the latest one: https://github.com/taskexplorer/TaskExplorer/releases/tag/v1.2.5
|
New Update with various usability improvements.
Download: https://github.com/taskexplorer/TaskExplorer/releases/tag/v1.2.7 Changelog: [1.2.7] - 2020-06-13 Added Custom run dialog with the ability to inject a DLL when starting process Added process filter to proces tree to improve usability Changed description in the process column now shows for svchost.exe instances a list of hosted services esc key now clsoes the finder bar in lists app id column now displays teh container id if its an app Fixed run dialogs now execute on return press error with comctl32 user connect/login window now hides teh password fixed pid in process info window modern apps are now properly atributed to the their users |
This build focuses on usability improvements and bug fixes. It solves an issue causing very high CPU usage introduced in the last build. And it introduces some mitigation to the issues caused by the driver not being signed properly.
Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.2.8 ChangeLog Added "Original Token" button to inspect the original process token of sandboxed processes -- SbieDrv driver 5.42 or higher required added command line option to start multiple instances added driver file obfuscation and driver installation dialog Changed reorganized settings pages improved sandboxie support implementation Fixed fixed excessive CPU usage in new process filter fixed outdated data shown in token panel when no token could be obtained |
This build updates the PH Library to 3.0.3014 and adds minor usability improvements.
Download: Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.2.9 ChangeLog Added added highest thread CPU percentage to the CPU column Changed tree graph background in dark mode is also dark now updated PHlib to version 3.0.3476 merged ASLR, DEP, CFG, CET columns into a joined mitigations column |
Quote:
|
This build updates the PH Library to 3.0.3972 and adds fixes various minor bugs.
Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.3.0 ChangeLog: Changed changed memory search window layout on debug log start stop the lists are now reset updated MiscHelpers updated PHlib to version 3.0.3972 updated QWT to version 6.1.6 updated to use Visual studio 2019 Fixed fixed issues with hex string memory search fixed issue with updating token privileges fixed issues with disabled items in dark mode fixed race condition in etw initialization |
This is awesome, my new favourite Task Manager! Thank goodness I stumbled upon it.
Great work and also kudos for keeping this open source. :) |
This build updates the PH Library to 3.0.4365 and adds fixes various minor bugs.
Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.4.0 Important Note: The driver is now only test signed as the leaked certificate was blacklisted in the windows kernel, hence you need to enable test mode to use all of the features. ChangeLog Added added sandboxie tab with a lot of sandboxie related details added option to freeze and unfreeze entire jobs added "Original Impersonation Token" menu command to inspect the impersonation token of sandboxed thread added rpc view listing all rpc endpoints on the system added windows 11 detection Changed replaced all icons updated PHlib to version 3.0.4365 Fixed fixed issue resolving kernel symbols introduced with 1.3 |
This build updates the PH Library to 3.0.4706 and adds fixes various minor bugs.
Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.4.1 ChangeLog Fixed fixed singleapp not working the xprocesshacker.sys driver is now signed with a new certificate and shoudl load on win 11 Changed updated PHlib to version 3.0.4706 |
Quote:
|
Quote:
|
This build updates the PH Library to 3.0.5553 and adds fixes various minor bugs.
Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.5.0 ChangeLog Changed Made Qt6 Compatible updated QWT library to v6.2 updated PHlib to version 3.0.5553 updated DotNET counter code Fixed fixed issues with GPU usage not being displayed proeprly fixed memory leak in RPC Endpoint View Removed removed ability to unprotect protected processes removed kernel debug log dumping (will be re added later) |
All times are GMT +8. The time now is 04:59. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX