← All drivers
vulnerable
Driver

procexp.sys

Process Explorer kernel helper

From Microsoft (Sysinternals)
Part of the Microsoft family
Status
On a known-vulnerable list
Known variants
28 distinct hashes
Field notes

procexp.sys is the kernel helper used by Sysinternals Process Explorer, Microsoft's advanced task manager. Process Explorer is a developer and system-administrator staple; the driver is what lets it inspect kernel handles, driver state, and protected processes that user-mode APIs do not expose.

It is on the LOLDrivers list because that same inspection ability is useful for tampering with security products. There are well-known public reports of criminal data-extortion crews using older signed copies of procexp.sys to terminate endpoint-protection processes before deploying their payload; Microsoft now ships explicit blocks for those older builds in the Vulnerable Driver Blocklist.

Common on developer machines, power-user setups, and IT shops. Use the current Process Explorer release.

What the record shows

procexp.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 28 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Related drivers

Other drivers in the Microsoft family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “procexp.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/procexp-sys