I find it very useful as it helps to monitor unusual activity of the system w\/o engaging the full-blown capabilities of Sysmon (performance!). And yes, I do know how weird it sounds… Sysmon cures everything…<\/p>\n\n\n\n
How do we set our Process Hacker instance to deliver all this goodness?<\/p>\n\n\n\n
We first run Process Hacker with our Admin creds. Then we open Hacker \\ Options menu item:<\/p>\n\n\n\n Then choose one of the ‘Notification’ options and either leave it as it is (log everything) or we write down our own rules that can either include or exclude certain paths….<\/p>\n\n\n\n In the below example we include all the process names:<\/p>\n\n\n\n and then we exclude notepad*.exe:<\/p>\n\n\n\n We can include\/exclude both processes and services. This is awesome. It’s simple, it’s working.<\/p>\n\n\n\n And if you are curious where the information about these is stored, look for a `ProcessHacker.exe.settings.xml`file that lists the following:<\/p>\n\n\n\n where PROCESSLIST\/SERVICELIST has a form of:<\/p>\n\n\n\n That’s it really… Nothing ground breaking, but a very handy tool for quick & dirty investigations. I find it most useful to detect ‘funny’ Windows 10 services that start ‘out of nowhere’. I then… usually kill them. One by one, you may eventually kill’em all… <\/p>\n\n\n\n Oh yeah.. it may help with malware analysis too \ud83d\ude09 but somehow.. the analysis techniques and priorities changed a lot over last few years…<\/p>\n","protected":false},"excerpt":{"rendered":" Sysmon is great, no doubt. However… very often an overkill. Yes, you’ve read this right. I say: who cares about registry writes, process access, driver or module loads, etc. ? What if we just want to log running processes? Process … Continue reading ![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/ph_0.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/ph_1.png\")
<\/a><\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/03\/ph_2.png\")
<\/a><\/figure><\/div>\n\n\n\n <setting name=\"ProcessHacker.ExtendedNotifications.LogFileName\">LOGFILEPATH<\/setting>\n <setting name=\"ProcessHacker.ExtendedNotifications.ProcessList\">PROCESSLIST<\/setting>\n <setting name=\"ProcessHacker.ExtendedNotifications.ServiceList\">SERVICELIST<\/setting>\n<\/code><\/pre>\n\n\n\n