wingetCollections
  • Auto
  • Search
  • Awesome Collections
  • Awesome Programs
  • My Favorite Collections
  • My Collections
  • Account / Settings
  • Terms of Service
  • Privacy
  • About

© 2025 winget.ragerworks.com

Loading...
Install WinObjEx64 using Winget - wingetCollections
  1. Go back
  2. Packages
  3. WinObjEx64
WinObjEx64 logo

WinObjEx64 hfiref0x

c objects-namespace windbg winobj
Use this command to install WinObjEx64:
winget install --id=hfiref0x.WinObjEx64 -e

WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace.

WinObjEx64 is an advanced utility designed to explore the Windows Object Manager namespace, providing detailed insights into kernel-level objects and their associated properties. It enables users to view object details, edit security information, detect kernel hooks, analyze SSDT (KiServiceTable) and Shadow SSDT (W32pServiceTable), and use driver helpers for memory access or handle management.

Ideal for system administrators, developers, and security professionals who need to analyze and manage low-level Windows objects. WinObjEx64 can be installed via winget.

README

WinObjEx64

Build status Visitors

Windows Object Explorer 64-bit

WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 let you view and edit object-related security information if you have required access rights.

System Requirements

WinObjEx64 does not require administrative privileges. However, administrative privileges are required to view much of the namespace and to edit object-related security information.

WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1, and Windows 10/11, including Server variants.

Features

View list

  • Explore all of Windows Object Manager namespace

    • Hierarchical objects tree

    • Symbolic links resolving

    • Version information for Section-type objects backed by an image file

    • Additional information for WindowStation-type objects

    • View objects details:

      • Descriptions
      • Flags
      • Invalid attributes
      • Memory pool type
      • Object type-specific information
      • Object-related structure memory dumps1:
        • ALPC_PORT
        • CALLBACK_OBJECT
        • DEVICE_OBJECT
        • DRIVER_OBJECT
        • DIRECTORY_OBJECT
        • FLT_SERVER_PORT_OBJECT
        • KEVENT
        • KMUTANT
        • KSEMAPHORE
        • KTIMER
        • KQUEUE (IoCompletion)
        • OBJECT_SYMBOLIC_LINK
        • OBJECT_TYPE
Versions
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
Website
github.com
License
Last Updated
6/20/2025
  • Opened handles
  • Statistics
  • Supported access rights
  • Process Trust label
  • And more...

  • Display in dump sub-structures1:

    • ALPC_PORT_ATTRIBUTES
    • DEVICE_MAP
    • LDR_DATA_TABLE_ENTRY
    • OBJECT_TYPE_INITIALIZER
    • UNICODE_STRING
    • And many others

  • Edit object-related security information2

  • Detect driver object IRP modifications (via structure dump)1

  • Detect kernel object hooking (via structure dump)1

  • Search for objects by name and/or type

  • System information viewer

    • Boot state and type
    • Code Integrity options
    • Mitigation flags
    • Windows version and build

  • Loaded drivers list viewer

    • Dump selected driver1
    • Export driver list to CSV file
    • Jump to driver file location
    • Detect Kernel Shim Engine "shimmed" drivers1
    • View driver file properties

  • Mailslots/Named pipes viewer

    • List all registered mailslots/named pipes
    • Edit named pipes security information4
    • Object statistics

  • Hierarchical process tree viewer2

    • Show process ID, user name, EPROCESS addresses
    • Highlight processes by type (similar to Process Explorer)
    • Show thread list for selected process
    • Show ETHREAD addresses
    • Common properties for Process/Thread objects:
      • Basic properties (as other object types)
      • Start time
      • Process type
      • Image file name
      • Command line
      • Current directory
      • Applied mitigations
      • Protection
      • "Critical Process" flag state
      • Security edit
    • Jump to process file location
    • Process/Thread token information:
      • User name
      • User SID
      • AppContainer SID
      • Session
      • UIAccess
      • Elevation state
      • Integrity level
      • Privileges and groups
    • Additional token properties:
      • Basic properties (as other object types)
      • Security attributes list
      • Security edit

  • Software Licensing Cache viewer

    • List registered licenses
    • Display license data
    • Dump SL_DATA_BINARY license data to file

  • User Shared Data viewer

    • Structured dump of key KUSER_SHARED_DATA sections

  • System callbacks viewer1

    • Display callback addresses, modules, and details for:
      • PsSetCreateProcessNotifyRoutine
      • PsSetCreateProcessNotifyRoutineEx
      • PsSetCreateProcessNotifyRoutineEx2
      • PsSetCreateThreadNotifyRoutine
      • PsSetCreateThreadNotifyRoutineEx
      • PsSetLoadImageNotifyRoutine
      • PsSetLoadImageNotifyRoutineEx
      • KeRegisterBugCheckCallback
      • KeRegisterBugCheckReasonCallback
      • CmRegisterCallback
      • CmRegisterCallbackEx
      • IoRegisterShutdownNotification
      • IoRegisterLastChanceShutdownNotification
      • PoRegisterPowerSettingCallback
      • SeRegisterLogonSessionTerminatedRoutine
      • SeRegisterLogonSessionTerminatedRoutineEx
      • IoRegisterFsRegistrationChange
      • IopFsListsCallbacks
      • IoRegisterPlugPlayNotification
      • ObRegisterCallbacks
      • DbgSetDebugPrintCallback
      • DbgkLkmdRegisterCallback
      • PsRegisterAltSystemCallHandler
      • CodeIntegrity SeCiCallbacks
      • ExRegisterExtension
      • PoRegisterCoalescingCallback
      • PsRegisterPicoProvider
      • KeRegisterNmiCallback
      • PsRegisterSiloMonitor
      • EmProviderRegister

  • Windows Object Manager private namespace viewer1

    • Namespace entry information
    • Boundary descriptor details
    • Common object properties

  • KiServiceTable viewer1

    • Dump Ntoskrnl-managed KiServiceTable (SSDT)
    • Jump to service entry module
    • Export to CSV file

  • W32pServiceTable viewer1

    • Dump Win32k-managed W32pServiceTable (Shadow SSDT)
    • Win32k import forwarding support
    • Win32k ApiSets resolving
    • Jump to service entry module
    • Export to CSV file

  • CmControlVector viewer

    • Dump Ntoskrnl CmControlVector array
    • Export kernel memory data to file1
    • Export to CSV file

  • Clipboard integration: Copy object addresses/names to clipboard

  • Wine/Wine-Staging support3

  • Plugins subsystem

    • Included plugins:
      • ApiSetView: Windows ApiSetSchema viewer (supports loading schema from file)
      • Example plugin: Developer template
      • Sonar: NDIS protocols viewer (dumps protocol details)
      • ImageScope: Enhanced Section-type object details (via context menu)

  • Documentation

    • Windows Callbacks
    • Plugins subsystem
    1. Requires driver support (see "Driver Support" section).
    2. Administrator privileges may be required.
    3. Windows internals features unavailable on Wine/Wine-Staging.
    4. Administrator privileges required for some named pipes.

    Driver support

    WinObjEx64 supports two types of driver helpers:

    1. Helper for read-only access to kernel memory:

      • Default version uses the Kernel Local Debugging Driver (KLDBGDRV) from WinDbg.
      • Requires:
        • Windows booted in debug mode (bcdedit -debug on)
        • WinObjEx64 running with administrator privileges
      • Custom helper driver versions do not require Windows debug mode.
      • Multiple third-party drivers can be used as helpers, though only the WinDbg-type driver is included by default.

    2. Helper to access object handles:

      • WinObjEx64 (any variant) supports Process Explorer driver v1.5.2 for opening processes/threads.
      • Enable by running both Process Explorer and WinObjEx64 with administrator privileges.

    Note: All driver helpers require WinObjEx64 to run with administrative privileges.

    Build

    WinObjEx64 comes with full source code. To build from source, you need Microsoft Visual Studio 2015 or later.

    Instructions

    • Select Platform ToolSet first for the project in the solution you want to build (Project->Properties->General):
      • v140 for Visual Studio 2015;
      • v141 for Visual Studio 2017;
      • v142 for Visual Studio 2019;
      • v143 for Visual Studio 2022.
    • For v140 and above, set Target Platform Version (Project->Properties->General):
      • If v140, select 8.1;
      • If v141 and above, select 10.
    • Minimum required Windows SDK version: 8.1
    • Recommended Windows SDK version: 10.0.19041 and above

    What is new

    Whats New in 2.0.0

    Complete changelog

    Support Our Work

    If you enjoy using this software and would like to help the authors maintain and improve it, please consider supporting us with a donation. Your contribution fuels development, ensures updates, and keeps the project alive.

    Cryptocurrency Donations:

    BTC (Bitcoin): bc1qzkvtpa0053cagf35dqmpvv9k8hyrwl7krwdz84q39mcpy68y6tmqsju0g4

    This is purely optional, thank you!~

    Authors

    (c) 2015 – 2025 WinObjEx64 Project, hfiref0x

    Original WinObjEx (c) 2003 – 2005 Four-F