Windows Object Explorer 64-bit

WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 let you view and edit object-related security information if you have required access rights.

System Requirements

WinObjEx64 does not require administrative privileges. However administrative privilege is required to view much of the namespace and to edit object-related security information.

WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1 and Windows 10/11, including Server variants.

Features

Explore all of Windows Object Manager namespace

Hierarchical objects tree
Symbolic links resolving
Version information for Section type objects that are backed by an image file
Additional information for WindowStation type objects
View objects details
- Descriptions
- Flags
- Invalid attributes
- Memory pool type
- Object type specific information
- Object-related structure memory dumps1
  - ALPC_PORT
  - CALLBACK_OBJECT
  - DEVICE_OBJECT
  - DRIVER_OBJECT
  - DIRECTORY_OBJECT
  - FLT_SERVER_PORT_OBJECT
  - KEVENT
  - KMUTANT
  - KSEMAPHORE
  - KTIMER
  - KQUEUE (IoCompletion)
  - OBJECT_SYMBOLIC_LINK
  - OBJECT_TYPE
- Opened handles
- Statistics
- Supported access rights
- Process Trust label
- And more...
Display in dump sub-structures such as1:
- ALPC_PORT_ATTRIBUTES
- DEVICE_MAP
- LDR_DATA_TABLE_ENTRY
- OBJECT_TYPE_INITIALIZER
- UNICODE_STRING
- and many others
Edit object-related security information2
Detect driver object IRP modifications (as part of structure dump)1
Detect kernel object hooking (as part of structure dump)1
Search for objects by name and/or type

System information viewer

Boot state and type
Code Integrity options
Mitigation flags
Windows version and build

Loaded drivers list viewer

Ability to dump selected driver1
Export driver list to file in CSV format
Jump to driver file location
Recognize Kernel Shim Engine "shimmed" drivers1
View driver file properties

Mailslots/Named pipes viewer

Display list of all registered mailslots/named pipes
Named pipes security information editor4
Object statistics

Hierarchical process tree viewer2

Show process id, user name, EPROCESS addresses
Highlight processes by type similar to default Process Explorer highlighting
Show thread list for selected process
Show ETHREAD addresses
Show common properties for Process/Thread objects
- Basic properties as for any other object type
- Start time
- Process type
- Image file name
- Command line
- Current directory
- Applied mitigation's
- Protection
- State of "Critical Process" flag
- Security edit
Jump to process file location
Process/Thread token information
- User name
- User SID
- AppContainer SID
- Session
- UIAccess
- Elevation state
- Integrity level
- Privileges and groups
Show additional token properties for Process/Thread
- Basic properties as for any other object type
- List of security attributes
- Security edit

Software Licensing Cache viewer

Display list of registered licenses
Display license data
Dump license data of type SL_DATA_BINARY to file

User Shared Data viewer

Display structured dump of most important parts of KUSER_SHARED_DATA

System callbacks viewer1

Display address, module and callback specific information for callbacks registered with:
- PsSetCreateProcessNotifyRoutine
- PsSetCreateProcessNotifyRoutineEx
- PsSetCreateProcessNotifyRoutineEx2
- PsSetCreateThreadNotifyRoutine
- PsSetCreateThreadNotifyRoutineEx
- PsSetLoadImageNotifyRoutine
- PsSetLoadImageNotifyRoutineEx
- KeRegisterBugCheckCallback
- KeRegisterBugCheckReasonCallback
- CmRegisterCallback
- CmRegisterCallbackEx
- IoRegisterShutdownNotification
- IoRegisterLastChanceShutdownNotification
- PoRegisterPowerSettingCallback
- SeRegisterLogonSessionTerminatedRoutine
- SeRegisterLogonSessionTerminatedRoutineEx
- IoRegisterFsRegistrationChange
- IopFsListsCallbacks
- ObRegisterCallbacks
- DbgSetDebugPrintCallback
- DbgkLkmdRegisterCallback
- PsRegisterAltSystemCallHandler
- CodeIntegrity SeCiCallbacks
- ExRegisterExtension
- PoRegisterCoalescingCallback
- PsRegisterPicoProvider
- KeRegisterNmiCallback
- PsRegisterSiloMonitor
- EmProviderRegister

Windows Object Manager private namespace viewer1

View basic namespace entry information
View boundary descriptor information
Show common properties for objects

KiServiceTable viewer1

Show dump of Ntoskrnl-managed KiServiceTable (sometimes referenced as SSDT)
Jump to service entry module
Export list to file in CSV format

W32pServiceTable viewer1

Show dump of Win32k-managed W32pServiceTable (sometimes referenced as Shadow SSDT)
Support Win32k import forwarding
Support Win32k ApiSets resolving
Jump to service entry module
Export list to file in CSV format

CmControlVector viewer

Show dump of Ntoskrnl CmControlVector array
Dump value data from kernel memory to file1
Export list to file in CSV format

Most of list/trees allows to copy object address and/or name to the clipboard

Running on Wine/Wine-Staging is supported3

Plugins subsystem for extending basic features

Available plugins that shipped with WinObjEx64 release:
- ApiSetView - viewer for Windows ApiSetSchema internals, support loading ApiSet schema from file
- Example plugin - example plugin for developers
- Sonar - NDIS protocols viewer, display registered NDIS protocols and dumps some information about them
- ImageScope - context plugin allowing to view more details in WinObjEx64 for Section type objects that are backed by image file (available through popup menu on object of Section type in WinObjEx64 main list)

Documentation

Windows Callbacks
Plugins subsystem

This feature require driver support enabled, see "Driver support" part below.

This may require administrator privileges.

Most of additional Windows internals-specific features however will be unavailable due to obvious reasons.

Some named pipes may require administrator privileges to access.

Driver support

WinObjEx64 supports two types of driver helpers:

Helper for read-only access to the kernel memory. Default version uses Kernel Local Debugging Driver (KLDBGDRV) from WinDbg. In order to use it (and thus enable all the above features) Windows must be booted in the debug mode (bcdedit -debug on) and WinObjEx64 must be run with administrator privileges. If you are using WinObjEx64 version with custom helper driver - Windows debug mode is not required. There are exist several drivers that can be used as helpers for WinObjEx64, by default it has only WinDbg type built-in.

Helper to access object handles. WinObjEx64 (any variant) support Process Explorer driver of version 1.5.2 to open process/threads. To enable this just load Process Explorer with administrator privileges simultaneously with WinObjEx64.

All driver helpers require WinObjEx64 to be run with administrative privileges.

Instructions

Select Platform ToolSet first for project in solution you want to build (Project->Properties->General):

v140 for Visual Studio 2015;
v141 for Visual Studio 2017;
v142 for Visual Studio 2019;
v143 for Visual Studio 2022.

For v140 and above set Target Platform Version (Project->Properties->General):

If v140 then select 8.1;
If v141 and above then select 10.

Minimum required Windows SDK version 8.1

Recommended Windows SDK version 10.0.19041 and above

WinObjEx64 hfiref0x

README

WinObjEx64

Windows Object Explorer 64-bit

System Requirements

Features

Driver support

Build

Instructions

What is new

Authors