Process Monitoring
Real-time enumeration and inspection of processes, threads, handles, modules, and memory regions using Windows APIs.
Process Enumeration
The Process tab displays all running processes with the following information:
- PID — Process ID
- Name — Process name (executable filename)
- Parent PID — Parent process ID
- CPU % — Current CPU usage percentage
- Memory — Working set memory usage
- Threads — Number of threads
- Path — Full executable path
Tree View
Toggle between flat list and hierarchical tree view showing parent-child relationships.
Features
- Unicode box-drawing connectors (│ ├ └ ─)
- Expand/collapse per node (▶/▼)
- "Expand All" / "Collapse All" buttons
- State survives auto-refresh
Search in Tree Mode
- Shows matching processes + all ancestors
- Preserves hierarchy context
- Auto-expands children of matches
Inspection Windows
Right-click a process and select "Inspect" to open detailed views:
Threads
NtQueryInformationThread: View all threads with ID, base priority, current priority, start address, and state.
Handles
NtQuerySystemInformation: View all open handles with value, type (File, Key, Event, etc.), and name.
Modules
ToolHelp32: View loaded DLLs with base address, size, entry point, and full path.
Memory
VirtualQueryEx: View virtual memory regions with base address, size, state (Commit/Reserve/Free), type (Private/Mapped/Image), and protection flags.
Performance
Real-time: CPU and memory graphs with 60-second rolling history. SVG-based with fill area, auto-scaling, and pause/resume controls.
String Scan
Memory Scan: Extract ASCII and UTF-16 strings from process memory. Configurable minimum length (1-100), encoding filter, paginated results (1000/page), and export to .txt.
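The string scan described above, sketched over an in-memory byte buffer as an added example; it is not the tool's own code, and `extract_strings`, `Found`, and `Encoding` are hypothetical names. It assumes "UTF-16" means little-endian Basic Latin text (printable byte followed by 0x00) and leaves out pagination and export.

```rust
// Added example (not the tool's code): string extraction over a captured buffer.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Encoding { Ascii, Utf16Le }

#[derive(Debug, PartialEq)]
pub struct Found { pub offset: usize, pub encoding: Encoding, pub text: String }

fn printable(b: u8) -> bool { (0x20..=0x7e).contains(&b) }

/// Return printable runs of at least `min_len` characters; `filter` None = both encodings.
pub fn extract_strings(buf: &[u8], min_len: usize, filter: Option<Encoding>) -> Vec<Found> {
    let min_len = min_len.clamp(1, 100); // range the page gives for minimum length
    let mut out = Vec::new();
    if filter != Some(Encoding::Utf16Le) {
        let mut start = 0;
        for i in 0..=buf.len() {
            if i < buf.len() && printable(buf[i]) { continue; }
            if i - start >= min_len {
                let text = String::from_utf8_lossy(&buf[start..i]).into_owned();
                out.push(Found { offset: start, encoding: Encoding::Ascii, text });
            }
            start = i + 1; // next run begins after the non-printable byte
        }
    }
    if filter != Some(Encoding::Ascii) {
        let mut i = 0;
        while i + 1 < buf.len() {
            let (start, mut text) = (i, String::new());
            // Assumed heuristic: UTF-16LE Basic Latin is a printable byte followed by 0x00
            while i + 1 < buf.len() && printable(buf[i]) && buf[i + 1] == 0 {
                text.push(buf[i] as char);
                i += 2;
            }
            if text.len() >= min_len {
                out.push(Found { offset: start, encoding: Encoding::Utf16Le, text });
            }
            if i == start { i += 1; } // step one byte so odd-aligned strings are found
        }
    }
    out.sort_by_key(|f| f.offset);
    out
}

fn main() {
    // Constructed sample: junk, ASCII "cmd.exe", junk, UTF-16LE "Admin", short tail.
    let buf = b"\x01\x02cmd.exe\x00\xff\x90A\x00d\x00m\x00i\x00n\x00\x00\x00ab";
    for f in extract_strings(buf, 4, None) {
        println!("{:#06x} {:?} {}", f.offset, f.encoding, f.text);
    }
}
```

A low minimum length produces many one- and two-character hits in binary data, which is why a minimum of 4 or more is the usual starting point when triaging a dump.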
Memory Window Features
- Module correlation — MEM_IMAGE regions display associated module name
- Hex dump viewer — Paginated hex dump (4KB pages) with ASCII column
- Memory dump — Export any committed region to .bin file
- Memory operations — Commit reserved regions, decommit, free allocations
- Filtering — Filter by address, state, type, protection, or module name
Network Tab
View TCP and UDP connections with owning process information via IP Helper API (GetExtendedTcpTable / GetUdpTable).
- Protocol (TCP/UDP)
- Local address and port
- Remote address and port (TCP only)
- Connection state (TCP only)
- Owning process PID and name
Services Tab
Windows Service enumeration and management via Service Control Manager.
- Enumerate — List all services with name, display name, status, start type
- Start/Stop — Control service state
- Create/Delete — Manage service entries
- Details — Binary path, description, PID (if running)
Data Types
| Struct | Crate | Key Fields |
|---|---|---|
| ProcessInfo | process | pid, parent_pid, name, memory, threads, cpu, exe_path |
| ThreadInfo | process | thread_id, owner_pid, base_priority, priority |
| HandleInfo | process | handle_value, type, name |
| ModuleInfo | process | base_address, size, path, entry_point |
| MemoryRegionInfo | process | base_address, region_size, state, mem_type, protect |
| NetworkConnection | network | protocol, local/remote addr:port, state, pid |
| ServiceInfo | service | name, display_name, status, start_type, binary_path |