11/24/2019 process - How to find processes that are hidden from task manager - Information Security Stack Exchange

How to find processes that are hidden from task manager


Asked 4 years, 11 months ago Active 2 years, 3 months ago Viewed 72k times

I have read that you can hide processes from the task manager, example here

I've seen a few posts on hidden keyloggers using rootkits but that's it really.

Is there a tool or way to look at processes being run even though they have been hidden?

process

edited Mar 17 '17 at 13:14 asked Dec 16 '14 at 11:13


Community ♦ Arlix
1 1,369 2 11 22

1 You can use "tasklist" too. – programings Dec 16 '14 at 14:00

1 I just watched a Webinar last week on this very subject. Check out: vimeo.com/… – k1DBLITZ Dec 16 '14 at 21:14

1 Most malware/rootkits or programs of this kind communicate with a master over the network. If you successfully analyze the network with Wireshark you can find these processes. – dgn Dec 22 '14 at 9:27

4 Answers

This really depends on how the process is hidden. If certain Windows API functions are hooked, then process managers using those functions will not see the process. So it's dependent on the particular piece of software trying to hide as well as the monitoring software trying to find it. Regardless of which monitoring program you use, you're not guaranteed to find all processes running. That being said, there are a couple of good tools out there.

SysInternals Suite has multiple different monitoring programs. Process Explorer is very nice from a GUI perspective. It also links into VirusTotal to let you know if any currently running processes it sees are known to be malicious. Procmon is awesome for process monitoring. It bases its output off of Windows API file/registry/network function calls. The downside is that the output is massive, and you generally have to know what you're looking for. But if a hidden process is accessing the registry, files, or communicating over the network it would be shown here.

https://security.stackexchange.com/questions/76100/how-to-find-processes-that-are-hidden-from-task-manager 1/4
There's an open source monitor called YaProcmon (Yet Another Process Monitor) that has a feature
that specifically looks for process hiding mechanisms, and attempts to expose them.

answered Dec 16 '14 at 12:49


RoraΖ
11.6k 4 45 74

1 Incredible that one has not got the ability to see all the processes by default. What about Comodo KillSwitch? It claims to show all running processes. – edmz Dec 25 '14 at 22:36

@raz, Regarding "feature that specifically looks for process hiding mechanisms" which feature are you talking
about? – Pacerier Jun 8 '15 at 17:07

Show Hidden Processes – RoraΖ Jun 8 '15 at 17:12

@raz, It says that it is under main menu. But it doesn't seem to have such a feature:
i.stack.imgur.com/fKIZm.png There is only 'Emergency hotkeys' and 'Change Connection Type'. No 'Show
Hidden Process'. – Pacerier Jun 8 '15 at 17:22

2 @black Suppose there was one that showed all processes by default. And suppose it was popular. Then
malware writers would make their malware hide from it, therefore it wouldn't show all processes by default. –
user253751 Jan 11 '16 at 1:00

Sysinternals Process Explorer is your friend. This will show you more information than you're used to from Task Manager, including invisible tasks.

answered Dec 16 '14 at 11:28


kalina
3,314 5 18 35

3 Where are the invisible tasks? – Pacerier Jun 8 '15 at 17:35

I know of a process, a game really, that hides itself from any processes that are not x2.exe, which is kinda hard, as then any process trying to detect if it is running via the .NET Framework via image name does not work, nor even FindWindow when it takes a minute or two for it to actually "have" a window. Which makes image-name detection the only way, but the issue is bypassing that hiding on a kernel level or something.

So, long story short, there are methods of hiding your process from things like the Sysinternals tools but not from the Windows Task Manager; the trick is to find an API that bypasses it on a more "kernel" level.

answered Aug 29 '16 at 20:45


PSXGamerPro1
1
The answer is via Volatility.

Process Explorer can only see/find the processes that are in the process list, which is a doubly linked list sitting somewhere in memory. Process Explorer knows the location of the first node (or has a pointer to one of the nodes) and from that node it iterates through the list and finds the "not hidden" processes.

Task scheduler doesn't use this list to schedule tasks; instead it uses another list (it should be the thread list).

However, when a process hides itself, it simply removes its links to the previous and next node and remains in memory, hidden. Since it just removes itself from the process list and not the thread list, it will continue running without being visible.

Each process has a specific class structure, like a simple C class with many parameters.

Volatility searches through the whole memory and finds process class structures in the memory as well as the doubly linked list (which is the list of processes).

So the output is all the processes in the memory, including current, killed and hidden processes.

Note that I was looking for an easier program for hidden processes, but since I couldn't see Volatility in the answers, I felt I was bound to answer.

answered Mar 20 '17 at 5:29


smttsp
374 2 12
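A toy model of the list-walk versus memory-scan idea in the answer above, added here as an illustration; it is not Volatility's code and the node layout (a constructed "Proc" tag, pid, forward/backward links, name) is invented for the demo, not the real Windows process structure. Unlinking a node models the hiding described in the answer; comparing the walked list against the carved nodes is how the hidden entry is detected.

```python
import re
import struct

# Constructed node layout (not a real EPROCESS): tag, pid, flink, blink, name.
TAG = b"Proc"
NODE = struct.Struct("<4sIII16s")


def build_memory(names):
    """Lay one node per process after 64 filler bytes, linked in a circular doubly linked list."""
    offs = [64 + i * NODE.size for i in range(len(names))]
    mem = bytearray(64)  # constructed filler before the first node
    for i, name in enumerate(names):
        flink, blink = offs[(i + 1) % len(names)], offs[(i - 1) % len(names)]
        mem += NODE.pack(TAG, 4 * (i + 1), flink, blink, name.encode().ljust(16, b"\0"))
    return mem, offs[0]  # offs[0] plays the role of the list head


def read(mem, off):
    tag, pid, flink, blink, name = NODE.unpack_from(mem, off)
    return {"pid": pid, "flink": flink, "blink": blink, "name": name.rstrip(b"\0").decode()}


def set_links(mem, off, flink=None, blink=None):
    n = read(mem, off)
    f = n["flink"] if flink is None else flink
    b = n["blink"] if blink is None else blink
    NODE.pack_into(mem, off, TAG, n["pid"], f, b, n["name"].encode().ljust(16, b"\0"))


def unlink(mem, off):
    """Model of the hiding in the answer: neighbours skip this node, but it stays in memory."""
    n = read(mem, off)
    set_links(mem, n["blink"], flink=n["flink"])
    set_links(mem, n["flink"], blink=n["blink"])


def pslist(mem, head):
    """Follow flink from the head until the list wraps (what a list walker like pslist sees)."""
    names, off, seen = [], head, set()
    while off not in seen:
        seen.add(off)
        n = read(mem, off)
        names.append(n["name"])
        off = n["flink"]
    return names


def psscan(mem):
    """Ignore the links and carve every node whose tag occurs in raw memory (psscan style)."""
    return [read(mem, m.start())["name"] for m in re.finditer(re.escape(TAG), bytes(mem))]


def hidden_processes(mem, head):
    """Nodes present in memory but absent from the linked list are the hidden ones."""
    return sorted(set(psscan(mem)) - set(pslist(mem, head)))
```

Building four constructed processes, unlinking the fourth and diffing the two views reports only that one; in real memory forensics the same diff also surfaces terminated processes whose structures have not been overwritten yet, as the answer notes.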
