← All drivers
vulnerable
Driver

procexp1627.sys

Process Explorer v16.27 kernel helper

From Microsoft (Sysinternals)
Part of the Microsoft family
Status
On a known-vulnerable list
Known variants
1 distinct hashes
Field notes

procexp1627.sys is a version-stamped build of Process Explorer's kernel driver from the Sysinternals suite. Process Explorer uses a kernel helper to inspect other processes at a level user-mode APIs do not allow. Version-stamped builds from older releases remain signed and loadable.

The driver's presence on a system means someone installed Process Explorer. Update Sysinternals tools from the current Microsoft download page.

What the record shows

procexp1627.sys is listed as a known-vulnerable driver on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Related drivers

Other drivers in the Microsoft family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “procexp1627.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/procexp1627-sys