← All drivers
vulnerable
Driver

kprocesshacker.sys

Process Hacker kernel companion driver (renamed System Informer in 2022)

From Wen Jia Liu / Process Hacker project (now System Informer, Winsider Seminars and Solutions)
Part of the Process Hacker family
Status
On a known-vulnerable list
Known variants
1 distinct hashes
Field notes

kprocesshacker.sys is the kernel companion to Process Hacker, an open-source system inspection utility in the same problem space as Microsoft's Sysinternals Process Explorer (procexp.sysDriverprocexp.sysProcess Explorer kernel helperOpen plate →, also curated here). The user-mode tool itself is benign and widely used by administrators, developers, and malware analysts; the driver exists to give it the kernel-level visibility and control a Process Explorer-class tool needs.

The legacy 2.x driver exposes process memory read and write and process termination primitives to user-mode with relatively permissive checks, which is why ransomware operators have been documented using it to disable endpoint protection. CrowdStrike published a detailed write-up in 2020 describing DoppelPaymer using kprocesshacker.sys to terminate endpoint-protection processes before encrypting files. No formal CVE is assigned. The project was renamed System Informer in 2022 and its current driver tightens the access controls that made the older build useful for that abuse.

If you use Process Hacker for legitimate system inspection, move to the current System Informer release. Microsoft's Vulnerable Driver Blocklist blocks the legacy KProcessHacker2 driver from loading.

What the record shows

kprocesshacker.sys is listed as a known-vulnerable driver on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Related drivers

Other drivers in the Process Hacker family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “kprocesshacker.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/kprocesshacker-sys