This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Process hacker kernal driver detected in Memory

Hi Alls,

In one of my server sophos console its giving message of Process hacker kernal driver detected in Memory.Even after scanning its not able to remove it.

How do i get it clean and how do I get it removed from the sophos events.

Regards

Bijoy

This thread was automatically locked due to age.

Parents

0 Gowtham Mani over 7 years ago
Hi Bijoy,

Can you please check the alert details if there are any application associated with the alert? If you get the application details, you can choose to:

take no action, if you wish to continue blocking the application.

remove the software to prevent future alerts.

re-authorize a blocked application.
Regards,

Gowtham Mani
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 jak over 7 years ago in reply to Gowtham Mani

Generally for this sort of thing I would download and run as administrator Process Explorer.

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Highlight the System process (as this is a driver) and in the bottom panel look at the loaded modules.

You should be able to see the paths of each loaded module.

I assume that kprocesshacker.sys is in the list?

If so, where is it on disk?

Can you navigate to that location and delete the file?

I assume that after rebooting the modules is not loaded as I don't believe it installs a service. It requires the user mode process to load the driver.

Regards,

Jak
Cancel
Vote Up 0 Vote Down

Cancel
0 David Mei over 7 years ago in reply to jak

I've attempted your steps and I don't see it in processes. I already manually deleted the associated folder and I'm at a lost where I can locate the kernel driver.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 David Mei over 7 years ago in reply to jak

I've attempted your steps and I don't see it in processes. I already manually deleted the associated folder and I'm at a lost where I can locate the kernel driver.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 jak over 7 years ago in reply to David Mei

If I run Process Hacker as an administrator, then the kprocesshacker.sys driver is installed, started and therefore can be seen in the System process as shown below.

The service is created under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KProcessHacker3\

I guess this could change based on version.

If I close Process Hacker then the driver is not unloaded from kernel memory but the service is marked for deletion. I.e. The service registry entry has the DeleteFlag set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KProcessHacker3\
DWORD DeleteFlag = 1

With this set, on the next startup, services.exe will remove the service.

If you are getting a memory detection for this driver I would expect it to be just loaded in the system process as shown above. I can only assume that maybe the driver isn't being marked for deletion or services.exe is not removing it. Maybe search in the registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

for the string hacker for example.

Regards,
Jak
Cancel
Vote Up 0 Vote Down

Cancel