"Find Handle or DLL" from "Process Explorer" not searching System's "dll"s?


"Process Explorer" is the TOOL for Windows; one use for me is to see system drivers, that is, watching DLLs in the process "System" (Pid 4 - always?). The drivers aren't, of course, DLLs, BUT for the system they are some kind of drivers (kernel extensions), which is probably why they are shown there. My question - why doesn't the search ("Find Handle or DLL") work for them?

Windows 7, Process Explorer v15.12

Liviu

Posted 2013-12-30T23:23:57.077

Reputation: 69

Seems to be PID 4 on my comp, and if I right click the system process and click properties, then threads, I see some files. Like testing on XP, I see some .sys files and ntoskrnl.exe or something like that.. don't see any DLLs at the moment there but I'm over VNC and things are a bit sluggish.. but it may be there are no DLLs that it uses, in which case that could explain it – barlop – 2013-12-30T23:39:45.713

On both Win7 and Win XP, System Idle has (or is shown to have) PID 0 and System has PID 4. – barlop – 2013-12-30T23:42:10.550

No right click: Ctrl-L (View/Show lower pane), Ctrl-H (View/Lower pane view) to switch between DLLs and Handles – Liviu – 2013-12-30T23:42:59.140

Asking "Why?" here would probably need someone who has the source code. You could try to write Mark Russinovich an email instead. – Thomas Weller – 2014-01-14T14:38:20.440

What is your search term? It seems to work for me with Process Explorer 15.40 – Thomas Weller – 2014-01-14T14:40:44.543

At work I have Xp and 15.40: it still doesn't work, tried to search "BEEP" (from "BEEP.sys"). – Liviu – 2014-01-14T15:21:27.323

Or "hal.dll", everybody has one ;) – Liviu – 2014-01-14T15:24:10.523

Answers


For information, a .sys "driver" is nothing else but a renamed .dll.

I suppose that Process Explorer has a problem with the System process because this is a very special process with unique permission. Feel free to complain about this inefficiency on their forum.

If you are looking for an immediate solution, you could use Process Hacker. This is an open-source alternative process viewer with roughly the same capabilities as Process Explorer, except it does not have a dual-pane display.

I have tested searching for a DLL used by the System process, and Process Hacker did find it.

harrymc

Posted 2013-12-30T23:23:57.077

Reputation: 306 093

Process Explorer doesn't have a problem with the System process since it shows all the loaded drivers in the lower pane (when selected). Why doesn't it find them? For instance, I see Beep.sys there, so why is it not found? It has a name, it has a path, it should be found. – Liviu – 2014-01-13T18:12:52.450

Yes, it should. This is maybe caused by the code that lists the DLLs not using the same system calls as the one that does the search. This is why I feel that you should report it as a bug. With the rate at which new releases of Process Explorer arrive, you have a good chance of a speedy solution. – harrymc – 2014-01-13T18:20:22.723

Nice explanation, but it seems so hard to report the bug on their site. I have to ... complete a form to register D:<, I never do that! – Liviu – 2014-01-13T18:39:00.837

I know the guy behind Process Explorer for some years and I presume all the work behind it, why should I trust this Process Hacker of yours? Is it made by Steve Balmer, Jeffrey Richter, Jeff Atwood or Raymond Chen? – Liviu – 2014-01-13T18:43:30.293

I normally use Process Explorer but I also have Process Hacker and I use it when PE fails. PH is open-source and is distributed by all the major download sites, including PortableApps, Softpedia, Cnet and Majorgeeks, so it should be safe. – harrymc – 2014-01-13T19:02:27.307

It's not about safety that I am worried, but about its performance. – Liviu – 2014-01-13T19:29:56.333

If start-time is the question, I find that for me PH starts much faster than PE. For the rest, only experimentation can tell. Can't be too bad with user rating on sourceforge at 4.7 out of 5 and glowing reviews. – harrymc – 2014-01-13T20:24:36.453
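The question and the answer both come down to one operation: list the driver images loaded in the kernel (what Process Explorer shows in the lower pane for the System process) and search that list by name or path, which is what "Find Handle or DLL" was expected to do for "BEEP" or "hal.dll". The script below is an added example, not code from the thread, from Process Explorer or from Process Hacker. It enumerates loaded drivers through the documented psapi calls EnumDeviceDrivers, GetDeviceDriverBaseNameW and GetDeviceDriverFileNameW, then runs a case-insensitive substring search over both base name and image path. SAMPLE_DRIVERS is a constructed inventory (names and paths are illustrative, not taken from any particular machine) used when the script runs on a non-Windows host; the search term and the fallback to the sample list are choices made for this example.

```python
import ctypes
import ctypes.wintypes as wt
import sys

# Constructed sample of a loaded-driver inventory (illustrative entries only),
# used so the search logic can be exercised off-line on any platform.
SAMPLE_DRIVERS = [
    ("ntoskrnl.exe", r"\SystemRoot\system32\ntoskrnl.exe"),
    ("hal.dll", r"\SystemRoot\system32\hal.dll"),
    ("Beep.SYS", r"\SystemRoot\System32\Drivers\Beep.SYS"),
    ("Null.SYS", r"\SystemRoot\System32\Drivers\Null.SYS"),
]


def enum_loaded_drivers():
    """Return (base_name, image_path) for every driver image currently loaded in
    the kernel, using psapi!EnumDeviceDrivers plus the two name-lookup calls.
    On a non-Windows host there is nothing to enumerate, so an empty list is returned."""
    if sys.platform != "win32":
        return []
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    enum_drivers = psapi.EnumDeviceDrivers
    enum_drivers.argtypes = [ctypes.POINTER(wt.LPVOID), wt.DWORD, wt.LPDWORD]
    enum_drivers.restype = wt.BOOL
    get_base_name = psapi.GetDeviceDriverBaseNameW
    get_base_name.argtypes = [wt.LPVOID, wt.LPWSTR, wt.DWORD]
    get_base_name.restype = wt.DWORD
    get_file_name = psapi.GetDeviceDriverFileNameW
    get_file_name.argtypes = [wt.LPVOID, wt.LPWSTR, wt.DWORD]
    get_file_name.restype = wt.DWORD

    # First call with an empty buffer only to learn how many bytes are needed.
    needed = wt.DWORD(0)
    if not enum_drivers(None, 0, ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    count = needed.value // ctypes.sizeof(wt.LPVOID)
    bases = (wt.LPVOID * count)()
    if not enum_drivers(bases, needed.value, ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())

    result = []
    buf = ctypes.create_unicode_buffer(1024)
    for base in bases[: needed.value // ctypes.sizeof(wt.LPVOID)]:
        # Each lookup returns the number of characters copied; 0 means failure.
        name = buf.value if get_base_name(base, buf, len(buf)) else "<unknown>"
        path = buf.value if get_file_name(base, buf, len(buf)) else "<unknown>"
        result.append((name, path))
    return result


def find_driver(drivers, term):
    """Case-insensitive substring match over base name and image path, i.e. the
    behaviour 'Find Handle or DLL' is expected to have for the System process."""
    term = term.lower()
    return [(n, p) for n, p in drivers if term in n.lower() or term in p.lower()]


if __name__ == "__main__":
    term = sys.argv[1] if len(sys.argv) > 1 else "beep"
    drivers = enum_loaded_drivers() or SAMPLE_DRIVERS
    for name, path in find_driver(drivers, term):
        print(f"{name:<24} {path}")
```

Run it as `python find_driver.py hal.dll` on a Windows machine to search the live list; on other platforms it searches the constructed sample so the matching logic can still be inspected. Enumerating driver image bases does not require an elevated process on the Windows versions discussed in the thread, which makes this a handy cross-check against what a GUI tool reports.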