[Original] debugging real - using alternative task manager process explorer

Original Aha summary Registry Process Explorer Sysinternals Process Monitor

Foreword

Generally, we will use the Task Manager to view system in which processes are running, forced to kill a process. But the limited system with Task Manager feature, process exploreris a more powerful tool. It allows us to view more detailed information (such as viewing the parent of a process, a process which is loaded dll, which files are open, thread cpuusage, thread call stack, which files are taking up what processes, etc. Wait…… ). Is there a way process explorerto replace the system with Task Manager it? : thinking:

Features

This function, process explorerthe author Mark Russinovichhas helped us think. process explorerProvides a cool feature - Replace Task Manager ( taskmgr.exe), so that when we run the Task Manager and they will automatically open the more powerful process explorerthe.

replace task manager

{% Note info%}
Description: This operation requires to administrator privileges to run process explorer.
{% Endnote%}

So much action, is how to achieve it?

The principle

原来windows中有个注册表项HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options。如果程序A在Image File Execution Options下有对应的注册表项, 当我们启动程序A的时候，系统会启动Debugger子项中的值对应的程序，并把程序A的路径当作参数传递过去。

以taskmgr.exe为例，设置如下图：
image file excution options taskmgr

当taskmgr.exe启动的时候，系统检测到taskmgr.exe在Image File Execution Options下有对应的设置项，系统会启动Debugger子项中的值对应的程序C:\My\tools\sysinternals\procexp.exe，并把taskmgr.exe的路径（我机器上是C:\WINDOWS\SYSTEM32\TASKMGR.EXE）当作参数传递给procexp.exe。

验证

process explorer到底是不是通过这种方法实现的呢？让我们用process monitor来观察一下整个过程吧。具体步骤我就省略了，请参考下面的动图。

{% note warning %}
注意: process monitor默认会过滤掉process explorer相关的事件，如果想看到相关事件，需要手动取消过滤。自己验证的时候，一定不要忘了这一点。为了引起大家的重视，我特地把相关设置截图贴到下方！

cancel-filter-process-explorer

{% endnote %}

轻松一下

既然我们知道了原理，我们可以尝试尝试其它玩法。用notepad.exe替换taskmgr.exe怎么样？当启动taskmgr.exe的时候，启动的将会是notepad.exe。
何不用这项技术娱乐下周围的同事？替换掉大家常用的vs（对应的名字为devenv.exe），这样当同事打开vs准备写代码的时候，会是什么表情呢？ :smirk:

脚本

The following code stored into taskmgr.reg, double-click into the registry.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\My\\tools\\sysinternals\\procexp.exe\""

{% Note warning%}
Note: debugger value to be replaced with the path on your machine.
{% Endnote%}

do you know?

You can use Ctrl + Shift + Escor Ctrl + Alt + Deleteto open the Task Manager. In what way you prefer to open it? Know of any other way to open the Task Manager do?

to sum up

Use process monitorthe Process Treefunction, you can easily let us find the specified process and filtered.
Image File Execution OptionsRegistry entries very very strong. Mirror hijacking.
process explorerAnd process monitorjust sysinternalstwo common tools toolset. Heart it? Official Download: https://docs.microsoft.com/en-us/sysinternals/downloads/

Reference material

Image File Execution Options
"Windows Sysinternals combat Guide"