
Hack Windows Task Manager

3 Nov 2004
Remove all the application and process names from the Windows Task Manager display.


Introduction

Manipulating Windows internals can be a lot of fun. Here is one simulation of process and application name hiding: we hide the names of our application and our process, which Windows Task Manager displays in a SysListView32 control.

The code can be adapted to really hack the Windows Task Manager, which I'll deal with later in this article. First, let's see the simple calls that make things happen.

How to use the code

All you have to do is run Windows Task Manager, then run Clear Task Manager, click the "Hide" button, and then look at Windows Task Manager.

Architecture

Here, we have to carry out just a few tasks:

  1. Find the Windows Task Manager whenever it is displayed.
  2. Find the Applications and Processes tab controls.
  3. Move on to the SysListView32 control and delete the strings displayed there.

We can accomplish these tasks with one timer and one callback function. Carrying them out is very simple, as a lot of people know.

How it works

Timer functions:

The timer is started when the dialog is initialized. The timer just watches for the Windows Task Manager window to be displayed. This is done with the API call:

HWND FindWindow(
  LPCTSTR lpClassName,   // class name
  LPCTSTR lpWindowName   // window name
);

It is enough to pass either the class name or the window name. Here, we know the window name: "Windows Task Manager".

With that, we have found the window where our manipulation starts.

Enumerate child windows:

BOOL EnumChildWindows
(
  HWND hWndParent,         // handle to parent window
  WNDENUMPROC lpEnumFunc,  // callback function
  LPARAM lParam            // application-defined value
);

hWndParent is the handle we received from the previous call to FindWindow. We only have to take care of the callback function. The lParam parameter is NULL.

Handling callback function:

We have declared the callback function as:

BOOL CALLBACK EnumChildProcedure(HWND hWnd,LPARAM lParam)

hWnd is the handle of the particular child window, and lParam is NULL. The callback is invoked with a different handle for each child window.

In the callback function, all we need to identify are the two tabs. We can identify them by comparing the window name and the class name of each child window. The window name and the class name of the child window are retrieved with:

TCHAR name[256];        // window name (caption) of the child window
GetWindowText(hWnd, name, 256);

TCHAR ClassName[256];   // window class of the child window
GetClassName(hWnd, ClassName, 256);

We then compare the retrieved class name with the class name we are looking for, and the retrieved window name with the window name we are looking for.

When both conditions are satisfied, we have reached the actual location where the process names and the application names are displayed.

Here, we send a message stating that the contents of the SysListView32 are to be deleted, using a standard API call:

::SendMessage(hWnd,LVM_DELETECOLUMN,(WPARAM)0,0);

hWnd is the handle to the window. LVM_DELETECOLUMN is the list-view message that deletes a column of the SysListView32, and with it the contents displayed there. The rest of the parameters are 0.

Now we have sent the message to delete the contents. That's all, it's done. Only the display changes: the processes themselves keep running and remain visible to any tool that queries the operating system directly.

Before I wind up, let's have a discussion about Windows Task Manager and real hacking.

Windows Task Manager refreshes the processes list view every 0.5 seconds (maximum). So, if we set our timer's interval to more than 500 ms, we can visibly see the column of the SysListView32 being deleted.

This program can be added to Windows startup or to the registry so that it is invoked when Windows starts. To do so, however, we have to modify certain parts of the program.

Modifications in the program:

  1. We have to hide our program window. This can be achieved by hiding our window with SW_HIDE.
  2. We can place this code either in Windows startup or in the registry. The calls made by Windows startup can be discarded, but those made from the Windows registry cannot. The registry key is:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

    Placing our exe path in this key will start our code at startup.
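
From the defender's side, both modifications leave traces that do not depend on what Task Manager displays. The following PowerShell audit is an added example, not part of the original article or its download: it reads the Run key named above, asks the operating system (not the Task Manager list view) which of those programs are running, and reports their signature status and whether they show a window. The helper name Get-ExePathFromCommand, the report column names and the 'PathNotResolved' label are assumptions of this example.

```powershell
# Added example (not from the article): audit the Run key and correlate it
# with live processes. Process data is read from the OS through CIM, not from
# Task Manager's SysListView32, so a blanked list view does not affect it.
$runKeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-ExePathFromCommand([string]$Command) {
    # Hypothetical helper: Run values are command lines, quoted or unquoted.
    $c = $Command.Trim()
    if ($c -match '^"([^"]+)"')    { return $Matches[1] }   # "C:\dir\app.exe" /arg
    if ($c -match '^(.+?\.exe)\b') { return $Matches[1] }   # C:\dir\app.exe /arg
    return ($c -split '\s+')[0]
}

$runKey    = Get-Item -Path $runKeyPath
$processes = @(Get-CimInstance -ClassName Win32_Process | Where-Object ExecutablePath)

$report = foreach ($valueName in $runKey.GetValueNames()) {
    $command = [string]$runKey.GetValue($valueName)   # REG_EXPAND_SZ is expanded here
    $exe     = Get-ExePathFromCommand $command

    $signature = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        [string](Get-AuthenticodeSignature -LiteralPath $exe).Status
    } else { 'PathNotResolved' }

    $running = @($processes | Where-Object { $_.ExecutablePath -ieq $exe })
    # MainWindowHandle is 0 when a process has no visible top-level window, as
    # after SW_HIDE. Background programs also report 0, so this is a triage
    # signal, not a verdict.
    $noWindow = @($running | Where-Object {
        $p = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        $p -and $p.MainWindowHandle -eq [IntPtr]::Zero
    })

    [pscustomobject]@{
        RunValue     = $valueName
        Executable   = $exe
        Signature    = $signature
        RunningPids  = ($running.ProcessId -join ',')
        NoVisibleWin = ($noWindow.Count -gt 0)
    }
}

$report | Sort-Object Signature, RunValue | Format-Table -AutoSize -Wrap
```

Reading the key does not need elevation, but without it ExecutablePath is empty for some protected processes, which the filter skips.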

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.
