In one of my previous posts (see Suspending processes in Windows), I discussed the well-known and the less popular techniques for suspending threads or entire processes running under Microsoft Windows. I also announced that the next post would describe a specific modification of TaskMgr.exe, extending it with some interesting functionality. Before getting straight to the point (that is, changing the executable's binary code), we have to consider some other important matters. Namely, we want the modification applied to every single Task Manager instance running on the system. Here we have a few possible paths to take:
- Perform a one-time alteration of the TaskMgr.exe system file on the hard disk.
- Create an additional executable file, called the loader, associated with Task Manager and launched as its debugger (the Image File Execution Options mechanism).
- Leave the hard disk contents unchanged and modify only the virtual memory of every active process that meets some specific requirement (in our case, the executable image path).
Each option presented above has its own set of drawbacks. When it comes to physical disk modification, we start tampering with system file data, which should always be considered dangerous and unwanted behavior. What is more, since Windows keeps backup copies of core system applications (in the WinSxS component store on Vista and later, and in the dllcache directory under the older Windows File Protection, which also restores a changed file automatically), we would have to get rid of or modify all the existing Task Manager backups as well. In general, I find the method a little bit too messy to use in practice. If you would like to read more about this subject, Windows File Protection and Windows Resource Protection should be a good place to start.
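The following PowerShell is an added example, not code from the original post. It makes two of the points above concrete: it inspects the protections that make the on-disk option messy (TrustedInstaller ownership, the copies of taskmgr.exe kept in the component store, and the single-file sfc check), and it shows the registry plumbing behind the loader-as-debugger option, together with the audit a defender would run against the same hook. The loader path C:\Tools\tmloader.exe is a hypothetical placeholder, and the snippet assumes an elevated prompt on a Vista-or-later system.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# The loader path below is a hypothetical placeholder.

$target = Join-Path $env:SystemRoot 'System32\taskmgr.exe'

# --- Option 1: why patching taskmgr.exe on disk is unpleasant -------------------------
# WRP-protected files are owned by TrustedInstaller; Administrators only get read/execute,
# so even an admin has to take ownership before the file can be written.
$acl = Get-Acl -Path $target
"Owner of {0}: {1}" -f $target, $acl.Owner

# Every serviced version of the binary lives under WinSxS. These are the "backup copies"
# the post refers to; a patched System32 copy can be reverted from here at any time.
Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Recurse -Filter 'taskmgr.exe' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# sfc can verify a single protected file against the component store.
# /verifyfile only reports a mismatch; /scanfile would also restore the original.
& sfc.exe "/verifyfile=$target"

# --- Option 2: the loader-as-debugger hook (Image File Execution Options) ---------------
# When a Debugger value exists under the image's IFEO key, CreateProcess starts that
# program instead, with the original command line appended. The loader therefore runs
# in place of taskmgr.exe and is responsible for starting the real one itself.
# The key name is the bare image file name, not a full path.
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'
$loader = 'C:\Tools\tmloader.exe'   # hypothetical loader path (assumption)

function Install-TaskMgrLoader {
    if (-not (Test-Path $ifeo)) { New-Item -Path $ifeo -Force | Out-Null }
    Set-ItemProperty -Path $ifeo -Name 'Debugger' -Value $loader -Type String
}

function Remove-TaskMgrLoader {
    if (Test-Path $ifeo) {
        Remove-ItemProperty -Path $ifeo -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

# Audit: list every IFEO Debugger hook on the system. This is the check a defender runs,
# because the same mechanism is a well-known persistence and process-hijacking technique.
function Get-IfeoDebuggers {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' |
        ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
        }
}

Install-TaskMgrLoader
Get-IfeoDebuggers        # should now list taskmgr.exe -> C:\Tools\tmloader.exe
Remove-TaskMgrLoader
```

Two caveats worth keeping in mind with the debugger hook. The redirection is skipped when the creating process passes DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS to CreateProcess, which is how the loader (like a real debugger) can start the genuine taskmgr.exe without hooking itself recursively; a loader that simply calls CreateProcess without those flags would loop. And because the hook lives in HKLM and survives reboots, it is exactly what persistence-hunting tools and EDR rules look for, so expect it to be flagged.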