What is new in 1.7
- W32pServiceTable viewer
W32pServiceTable is the service table of Win32k, the Windows User and GDI subsystem driver. It is the secondary system service table (the first being the ntoskrnl-managed KiServiceTable). The table can be saved to a text file from the popup menu.
This feature is available starting from Windows 10 1607 (RS1, build 14393) and requires running the program as administrator. Additionally, Windows must be booted in debug mode (kldbgdrv version only).
- Process list
Simple process list dialog. Displays a tree of running processes with their IDs, EPROCESS structure addresses, and user and domain names. Additionally, the list uses highlighting similar to SysInternals Process Explorer. You can copy the EPROCESS address value from the popup menu. To view all process information the program must run elevated.
- Callbacks viewer
List of system-wide driver callbacks and notify routines registered with the following APIs:
- ObRegisterCallbacks
- CmRegisterCallbacks
- CmRegisterCallbacksEx
- PsSetCreateProcessNotifyRoutine
- PsSetCreateProcessNotifyRoutineEx
- PsSetCreateProcessNotifyRoutineEx2
- PsSetCreateThreadNotifyRoutine
- PsSetCreateThreadNotifyRoutineEx
- PsSetLoadImageNotifyRoutine
- PsSetLoadImageNotifyRoutineEx
- KeRegisterBugCheckCallback
- KeRegisterBugCheckReasonCallback
- IoRegisterShutdownNotification
- IoRegisterLastChanceShutdownNotification
- SeRegisterLogonSessionTerminatedRoutine
- SeRegisterLogonSessionTerminatedRoutineEx
- PoRegisterPowerSettingCallback
- DbgSetDebugPrintCallback
- IoRegisterFsRegistrationChange
- IoRegisterFileSystem
- Callback object type viewer
Viewer of registered callbacks for the Callback object type. Drivers can create callback objects with the ExCreateCallback API and register callback routines on them with ExRegisterCallback.
- Improved OBJECT_TYPE view
Improved display of structured dump for OBJECT_TYPE and substructure OBJECT_TYPE_INITIALIZER by including newly added Windows 10 fields.