WinObjEx64: Windows Object Explorer 64-bit

WinObjEx64

WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the “Properties…” toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 let you view and edit object-related security information if you have required access rights.

System Requirements

WinObjEx64 does not require administrative privileges. However administrative privilege is required to view much of the namespace and to edit object-related security information.

WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1 and Windows 10/11, including Server variants.

Feature

• Explore all of Windows Object Manager namespace

  • Hierarchical objects tree

  • Symbolic links resolving

  • Version information for Section type objects that are backed by an image file

  • Additional information for WindowStation type objects

  • View objects details

    • Descriptions
    • Flags
    • Invalid attributes
    • Memory pool type
    • Object type specific information
    • Object-related structure memory dumps
      • ALPC_PORT
      • CALLBACK_OBJECT
      • DEVICE_OBJECT
      • DRIVER_OBJECT
      • DIRECTORY_OBJECT
      • FLT_SERVER_PORT_OBJECT
      • KEVENT
      • KMUTANT
      • KSEMAPHORE
      • KTIMER
      • KQUEUE (IoCompletion)
      • OBJECT_SYMBOLIC_LINK
      • OBJECT_TYPE
    • Opened handles
    • Statistics
    • Supported access rights
    • Process Trust label
    • And more…

  • Display in dump sub-structures such as:

    • ALPC_PORT_ATTRIBUTES
    • DEVICE_MAP
    • LDR_DATA_TABLE_ENTRY
    • OBJECT_TYPE_INITIALIZER
    • UNICODE_STRING
    • and many others

  • Edit object-related security information

  • Detect driver object IRP modifications (as part of structure dump)

  • Detect kernel object hooking (as part of structure dump)

  • Search for objects by name and/or type

• System information viewer

  • Boot state and type
  • Code Integrity options
  • Mitigation flags
  • Windows version and build

• Loaded drivers list viewer

  • Ability to dump selected driver
  • Export driver list to file in CSV format
  • Jump to driver file location
  • Recognize Kernel Shim Engine “shimmed” drivers
  • View driver file properties

• Mailslots/Named pipes viewer

  • Display list of all registered mailslots/named pipes
  • Named pipes security information editor
  • Object statistics

• Hierarchical process tree viewer

  • Show process id, user name, EPROCESS addresses
  • Highlight processes by type similar to default Process Explorer highlighting
  • Show thread list for selected process
  • Show ETHREAD addresses
  • Show common properties for Process/Thread objects
    • Basic properties as for any other object type
    • Start time
    • Process type
    • Image file name
    • Command line
    • Current directory
    • Applied mitigation’s
    • Protection
    • State of “Critical Process” flag
    • Security edit
  • Jump to process file location
  • Process/Thread token information
    • User name
    • User SID
    • AppContainer SID
    • Session
    • UIAccess
    • Elevation state
    • Integrity level
    • Privileges and groups
  • Show additional token properties for Process/Thread
    • Basic properties as for any other object type
    • List of security attributes
    • Security edit

• Software Licensing Cache viewer

  • Display list of registered licenses
  • Display license data
  • Dump license data of type SL_DATA_BINARY to file

• User Shared Data viewer

  • Display structured dump of most important parts of KUSER_SHARED_DATA

• System callbacks viewer¹

  • Display address, module and callback specific information for callbacks registered with:
    • PsSetCreateProcessNotifyRoutine
    • PsSetCreateProcessNotifyRoutineEx
    • PsSetCreateProcessNotifyRoutineEx2
    • PsSetCreateThreadNotifyRoutine
    • PsSetCreateThreadNotifyRoutineEx
    • PsSetLoadImageNotifyRoutine
    • PsSetLoadImageNotifyRoutineEx
    • KeRegisterBugCheckCallback
    • KeRegisterBugCheckReasonCallback
    • CmRegisterCallback
    • CmRegisterCallbackEx
    • IoRegisterShutdownNotification
    • IoRegisterLastChanceShutdownNotification
    • PoRegisterPowerSettingCallback
    • SeRegisterLogonSessionTerminatedRoutine
    • SeRegisterLogonSessionTerminatedRoutineEx
    • IoRegisterFsRegistrationChange
    • IopFsListsCallbacks
    • IoRegisterPlugPlayNotification
    • ObRegisterCallbacks
    • DbgSetDebugPrintCallback
    • DbgkLkmdRegisterCallback
    • PsRegisterAltSystemCallHandler
    • CodeIntegrity SeCiCallbacks
    • ExRegisterExtension
    • PoRegisterCoalescingCallback
    • PsRegisterPicoProvider
    • KeRegisterNmiCallback
    • PsRegisterSiloMonitor
    • EmProviderRegister

• Windows Object Manager private namespace viewer¹

  • View basic namespace entry information
  • View boundary descriptor information
  • Show common properties for objects

• KiServiceTable viewer¹

  • Show dump of Ntoskrnl-managed KiServiceTable (sometimes referenced as SSDT)
  • Jump to service entry module
  • Export list to file in CSV format

• W32pServiceTable viewer¹

  • Show dump of Win32k-managed W32pServiceTable (sometimes referenced as Shadow SSDT)
  • Support Win32k import forwarding
  • Support Win32k ApiSets resolving
  • Jump to service entry module
  • Export list to file in CSV format

• CmControlVector viewer

  • Show dump of Ntoskrnl CmControlVector array
  • Dump value data from kernel memory to file¹
  • Export list to file in CSV format

• Most of list/trees allows to copy object address and/or name to the clipboard

• Running on Wine/Wine-Staging is supported³

• Plugins subsystem for extending basic features

  • Available plugins that shipped with WinObjEx64 release:
    • ApiSetView – viewer for Windows ApiSetSchema internals, support loading ApiSet schema from file
    • Example plugin – example plugin for developers
    • Sonar – NDIS protocols viewer, display registered NDIS protocols and dumps some information about them
    • ImageScope – context plugin allowing to view more details in WinObjEx64 for Section type objects that are backed by image file (available through popup menu on object of Section type in WinObjEx64 main list)

• Documentation

  • Windows Callbacks
  • Plugins subsystem

1. This feature require driver support enabled, see “Driver support” part below.
2. This may require administrator privileges.
3. Most of additional Windows internals-specific features however will be unavailable due to obvious reasons.
4. Some named pipes may require administrator privileges to access.

Install & Use