TaskSTRun is a process explorer that displays system information about autostart entries, running processes, services, tasks, and network events.
|Property|Value|
|---|---|
|File Size|703.57 KB|
|Operating System|Windows XP, Vista, 7, 8, 8.1, 10. 32/64 bits|
|Tags|analysis explorer injection monitor process startup|
- Microsoft .NET 3.5 Framework
Live list (processes, drivers, modules)
- Running processes (Tree, List) with icons
- Services (Ring3 / Ring0 - Drivers)
- Kernel modules
- Process modules
- IAT table of processes
- RAM usage monitoring / graph (ability to save the graph)
- Autostart entries by process (You can see how the program was started, if it's automatically started by the system)
For each item in that list, a color indicates the threat level, based on whitelist/blacklist filtering:
- Green = known as safe
- Brown = suspicious
- Grey = unknown
- Red = malware
- Purple = AV software
- Registry keys (Run, RunOnce, Load, Shell, Userinit, ...)
- Scheduled tasks (V1 - V2)
- Startup folders
For any of those items, TaskSTRun lets you remove the entry or restore its known-good value. You can remove any program from startup in 2 clicks.
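
A read-only PowerShell check of the registry autostart values named above, added here as an example (it is not TaskSTRun's code). The full registry paths and the stock Winlogon values it compares against are assumptions based on a default Windows install; the page gives only the value names.

```powershell
# Added example: read-only audit of registry autostart values (makes no changes).
function Get-AutostartAudit {
    # Assumption: standard per-machine and per-user Run/RunOnce locations.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Single values with a stock default; $null means "normally absent or empty".
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $single = @(
        @{ Key = $winlogon; Name = 'Shell';    Expected = 'explorer.exe' },
        @{ Key = $winlogon; Name = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe," },
        @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'Load'; Expected = $null }
    )

    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # Every Run/RunOnce entry launches at logon, so list each one for review.
            New-Object psobject -Property @{
                Location = $path; Name = $name
                Command = [string]$key.GetValue($name); Status = 'Review'
            }
        }
    }

    foreach ($entry in $single) {
        $key = Get-Item -LiteralPath $entry.Key -ErrorAction SilentlyContinue
        $actual = if ($key) { [string]$key.GetValue($entry.Name) } else { '' }
        if ($null -eq $entry.Expected) {
            $isDefault = [string]::IsNullOrEmpty($actual)
        } else {
            # -eq on strings is case-insensitive, which suits Windows paths.
            $isDefault = $actual -eq $entry.Expected
        }
        $status = 'Changed'
        if ($isDefault) { $status = 'Default' }
        New-Object psobject -Property @{
            Location = $entry.Key; Name = $entry.Name
            Command = $actual; Status = $status
        }
    }
}

Get-AutostartAudit | Sort-Object Status | Format-Table Status, Name, Command, Location -AutoSize
```

A `Changed` status on Shell, Userinit or Load means the value differs from the assumed default and should be checked by hand; scheduled tasks and startup folders are not covered by this sketch.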
- Proxy configuration (IE / Chrome Only)
- DNS Configuration
- Various hijacks (Task manager lock, Regedit lock, ...)
For any of those items, TaskSTRun lets you remove the entry or restore its known-good value.
In the service tab, you can see the status of each registered service and control it.
You can start/stop a service and modify its start mode (Boot, Auto, On demand, ...).
The list uses colors as well, this time on a scale from grey to red, so you can quickly see which services start at a critical time (Boot, red), which are started at logon (Auto, orange), which need a manual start (On demand, green) and which are disabled (grey). The services displayed include both userland services (Ring3) and kernel drivers (Ring0).
The Net tab displays open connections to remote computers/servers.
It also shows which process opened each connection.
To understand the color scheme of whitelists/blacklists, please look at the legend above.
To open a process's modules, double-click the process in the list; TaskSTRun then shows the list of DLLs and loads the IAT (Import Address Table). You can then see whether any hooks have been placed in the in-memory version of the DLL.