How To Use Process Hacker to Explore Malicious Service and Network Activity During DFIR/Threat Hunts

Unmasking Malicious Activity: A Guide to Analyzing Services and Network Traffic with Process Hacker

When you’re deep in a threat hunt or responding to an incident, having a real-time view of what’s happening on a system is invaluable. How can you tell if a legitimate-looking service is actually a malicious implant? How do you trace suspicious network traffic back to the program that created it?

In our last discussion, we covered the basics of analyzing processes with Process Hacker. Today, we’re diving deeper into two critical areas for any security analyst: services and network connections. Let’s explore how this powerful tool can help you peel back the layers of a running system to find what’s hiding underneath.

What is Process Hacker? A Quick Refresher

For the uninitiated, Process Hacker is a free, open-source, and incredibly powerful tool for dynamic analysis on Windows. Think of it as Task Manager on steroids. It gives you an unparalleled view into the inner workings of your applications and the operating system itself.

Here’s why it belongs in every analyst’s toolkit:

  • Deep Insight: Go beyond the process name to see detailed performance graphs, memory usage, file handles, registry access, and more.

  • Service & Network Visibility: Easily inspect all system services and active network connections in one clean interface.

  • Flexible & Portable: You can install it or run the portable version directly, meaning you don’t need installation permissions—a huge plus during an incident response engagement.

You can grab the latest version for free from its official homepage.

The Golden Rule of Process Hacker: Always Run as Admin

Before we go any further, let’s address the single most important tip for using this tool: run it with administrative privileges.

Permissions matter. If you launch Process Hacker as a standard user, you’re only getting a partial picture. You’ll be limited to seeing information that your user account has access to.

The most obvious difference is in the ‘User name’ column. Without admin rights, you can’t see processes running under system accounts like NT AUTHORITY\SYSTEM. This is a critical blind spot, as malware often runs with elevated privileges. To get the full story, always right-click and “Run as administrator.”

Deep Dive: Putting Windows Services Under the Microscope

The Services tab is your command center for inspecting all Windows services, whether they’re running, stopped, or disabled. This is a favorite hiding place for persistent threats, so knowing how to navigate it is crucial.

Your Command Center: The Services Tab

At a glance, the Services tab provides a wealth of information:

  • Service Name & Display Name: The internal and user-facing names.

  • Type: Is the service running in its own process, a shared process (svchost.exe), or is it a kernel driver?

  • Status: Is it currently Running or Stopped?

  • Start Type: Does it launch Auto at boot, Demand (manual), or is it Disabled?

  • Process ID (PID): If the service is running, you can immediately see its PID to correlate it with activity in the Processes tab.

From Service to Source: Pivoting to Files and Registry Keys

This is where Process Hacker starts to shine. If you find a suspicious service, you don’t have to manually search for its components. Just right-click on the service to:

  • Go to Registry: This instantly opens RegEdit and takes you directly to the service’s configuration key. This is perfect for checking the ImagePath, a common target for attackers who modify it to point to their own malicious executable (a technique known as T1574.008 Hijack Execution Flow: Services).

  • Go to Directory: This opens File Explorer to the location of the service’s executable or DLL. From there, you can grab the file for malware analysis, check its signature, or review its properties.

These simple context menu options are massive time-savers that streamline your investigation.

Unpacking Service Properties for Clues

Double-clicking any service opens its Properties window, giving you an even more granular view. Let’s look at a couple of key tabs.

On the General tab, you can verify the fundamental configuration of the service. Pay close attention to the Binary path. Does it point to a legitimate location like C:\Windows\System32 or a suspicious one like C:\Users\Public or C:\Temp? An unusual path is a major red flag.

The Security tab is essential for understanding who has control over a service. It details which user groups have permissions to start, stop, modify, or query the service. If you’re investigating how a service was tampered with, this tab shows you which accounts or groups had the necessary access, helping you narrow your search.

You can also explore other tabs to find the unique Service Security Identifier (SID), which can be used to correlate service activity with events in other logs, and view or modify any required privileges.
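The same triage the article walks through in the Services tab (binary path location, the registry ImagePath, the service SID and the Security tab permissions) can be scripted so it runs over every service at once. The following PowerShell is an added example, not code from the original post or from the Process Hacker project; it assumes an elevated PowerShell 5.1 or newer session on Windows, and the "expected" and "suspicious" directory lists are assumptions for the example rather than a fixed rule.

```powershell
# Added example (not from the original post): scripted version of the Services tab
# checks. Assumes an elevated PowerShell 5.1+ session on Windows.

# Directories a service binary is normally expected to live under (assumption).
$expectedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

# Wildcard patterns for locations the article calls red flags (assumption).
$suspiciousPatterns = @(
    'C:\Users\Public\*',
    'C:\Temp\*',
    "$env:SystemRoot\Temp\*",
    'C:\Users\*\AppData\*'
)

function Get-ServiceBinaryPath {
    # Strip quotes and arguments from a Win32_Service PathName, e.g.
    # '"C:\Program Files\Foo\svc.exe" -k arg' -> 'C:\Program Files\Foo\svc.exe'
    param([string]$PathName)
    if (-not $PathName) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    # Unquoted path: take everything up to the first ".exe" (case-insensitive).
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Test-ServiceTriage {
    # One object per service with the fields the article tells you to inspect:
    # binary path, registry ImagePath, service SID, Security-tab SDDL and a verdict
    # on where the binary lives.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $binary = Get-ServiceBinaryPath -PathName $svc.PathName

        # "Go to Registry" equivalent: read ImagePath straight from the service key.
        $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $imagePath = (Get-ItemProperty -Path $regKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

        $verdict = 'unexpected-location'
        if ($binary) {
            if ($suspiciousPatterns | Where-Object { $binary -like $_ }) { $verdict = 'SUSPICIOUS' }
            elseif ($expectedRoots | Where-Object { $binary -like "$_\*" }) { $verdict = 'expected' }
        }

        # sc.exe showsid / sdshow are the CLI equivalents of the SID and Security tabs.
        $sid = $null
        foreach ($line in (& sc.exe showsid $svc.Name 2>$null)) {
            if ($line -match 'SERVICE SID:\s*(\S+)') { $sid = $Matches[1] }
        }
        $sddl = (& sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''

        [pscustomobject]@{
            Name       = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode
            PID        = $svc.ProcessId
            Binary     = $binary
            ImagePath  = $imagePath
            Verdict    = $verdict
            ServiceSID = $sid
            SDDL       = $sddl
        }
    }
}

# Services flagged SUSPICIOUS float to the top; pivot on their PID in the Processes tab.
Test-ServiceTriage |
    Sort-Object @{ Expression = { $_.Verdict -eq 'SUSPICIOUS' }; Descending = $true } |
    Format-Table Name, State, StartMode, PID, Verdict, Binary -AutoSize
```

Compare the Binary and ImagePath columns for each flagged service: a mismatch between what the service control manager reports and what the registry key holds is exactly the kind of modified ImagePath the article warns about, and the SDDL string shows which groups could have written it.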

Following the Trail: Analyzing Network Connections

Now, let’s pivot to the Network tab. This view provides a live look at all network traffic originating from or being received by your machine, making it an excellent tool for spotting command and control (C2) channels or unauthorized data transfers.

A Real-Time netstat on Steroids

If you’re familiar with the command-line tool netstat, you’ll feel right at home. Process Hacker provides a similar, real-time view with crucial details:

  • Process Name: The program responsible for the connection.

  • Local Address / Port: The source IP and port on your machine.

  • Remote Address / Port: The destination IP and port.

  • Protocol: TCP or UDP.

  • State: The current status of the connection (e.g., Listening, Established, Close_Wait).

Practical Analysis: Spotting Listening Ports and C2 Traffic

From a threat hunting perspective, the State column is where you’ll focus.

  • Listening: A process in a Listening state has opened a port and is waiting for an incoming connection. This is normal for web servers or other legitimate services, but a strange application listening on an unusual port could be a malware backdoor.

  • Established: This indicates an active, ongoing connection. If you see a suspicious process with an Established connection to an unknown IP address, you could be looking at an active C2 channel. You can use the remote address for further threat intelligence lookups.

Best of all, if you see a suspicious connection, just double-click it. Process Hacker will immediately jump you to the process responsible for that traffic, closing the loop between network activity and a specific program.
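The Network tab's two signals described above, an unexpected Listening port and an Established connection to an unfamiliar remote address, can also be pulled from PowerShell and joined to the owning process, which is useful when you want the same view across many hosts. This is an added example, not code from the original post or the Process Hacker project; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer (for the NetTCPIP module), and both the list of expected listening ports and the private-address test are assumptions for the example.

```powershell
# Added example (not from the original post): Network-tab style triage of TCP
# connections joined to their owning process. Assumes elevated PowerShell on
# Windows 8 / Server 2012 or newer.

# Ports this host is expected to listen on (assumption for the example).
$expectedListenPorts = @(135, 139, 445, 3389, 5985, 5986)

function Test-PrivateAddress {
    # True for loopback, unspecified, link-local and RFC 1918 ranges; anything else
    # is treated as an external address worth a threat-intelligence lookup.
    param([string]$Address)
    $a = $Address -replace '^::ffff:', ''
    return ($a -like '127.*' -or $a -eq '::1' -or $a -eq '0.0.0.0' -or $a -eq '::' -or
            $a -like '10.*' -or $a -like '192.168.*' -or $a -like '169.254.*' -or
            $a -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

function Get-ConnectionTriage {
    # One object per TCP connection, joined to its owning process, with a Note
    # for the two conditions the article tells you to look for in the State column.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection | ForEach-Object {
        $conn = $_
        $proc = $procs[[int]$conn.OwningProcess]
        $note = ''
        if ($conn.State -eq 'Listen' -and $conn.LocalPort -notin $expectedListenPorts) {
            $note = 'listening on non-standard port'
        }
        elseif ($conn.State -eq 'Established' -and -not (Test-PrivateAddress $conn.RemoteAddress)) {
            $note = 'established to external address (check remote IP in threat intel)'
        }
        [pscustomobject]@{
            Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            PID     = $conn.OwningProcess
            Path    = if ($proc) { $proc.Path } else { $null }
            Local   = "$($conn.LocalAddress):$($conn.LocalPort)"
            Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
            State   = $conn.State
            Note    = $note
        }
    }
}

# Equivalent of double-clicking a suspicious row: each line already carries the
# process name and image path, so the pivot from connection to program is done.
Get-ConnectionTriage | Where-Object { $_.Note } |
    Sort-Object State, PID |
    Format-Table Process, PID, Local, Remote, State, Note -AutoSize
```

Rows with an empty Path column usually belong to protected system processes whose image you cannot query even when elevated; a non-system process that still shows no path, or one whose path lands in a user-writable directory, deserves the same scrutiny as an unusual service binary.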

Conclusion: Integrating Process Hacker into Your Toolkit

Process Hacker is more than just a utility; it’s a comprehensive analysis platform. By mastering the Services and Network tabs, you can move beyond surface-level observations and begin to understand the complex interactions happening on a system. Whether you’re hunting for persistence mechanisms, investigating a malware infection, or simply debugging an application, this tool provides the clarity you need to get the job done efficiently.

We hope this guide helps you add another powerful technique to your security arsenal. Happy hunting!
