Injection targets and critical system processes
By default, the Windhawk engine is injected into all processes except a predefined list of critical system processes. This injection allows Windhawk to load and manage the relevant mods in the target processes.
You can customize this behavior in the Windhawk settings:
- Exclude additional processes: Add them to the "Process exclusion list". This can be useful if Windhawk is not compatible with a specific program.
- Include processes excluded by default: Add them to the "Process inclusion list".
To modify these lists:
- Open Windhawk.
- Go to Settings > Advanced settings > More advanced settings.
- Adjust the "Process exclusion list" or "Process inclusion list" as needed.
Note: Excluded processes are entirely unaffected by Windhawk, regardless of installed mods or other settings.
Each mod specifies the processes it targets. A target can be:
- A fixed name or path, such as `calc.exe` or `C:\Windows\notepad.exe`.
- A pattern, such as `*` to target all processes or `C:\folder\*` to target all processes in a specific folder.
When the Windhawk engine is injected into a process, it loads mods that target that process. However, there is an exception for the predefined list of critical system processes: pattern-based targets (e.g., `*` or `C:\folder\*`) are ignored, and mods will only be loaded if they explicitly target the process (e.g., `critical.exe`).
This behavior can be customized in Windhawk's advanced settings.
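A model of the target-matching rules described above, useful for checking how far a mod's target list reaches. This is an added example, not Windhawk's code: the function names, the case-insensitive glob matching, the name-versus-path comparison, and applying the same matching to the exclusion list are assumptions, and the sample paths are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

using List = std::vector<std::string>;

// Case-insensitive glob; '*' matches any run of characters, including '\'.
static bool glob(const char* p, const char* s) {
    if (*p == '\0') return *s == '\0';
    if (*p == '*') return glob(p + 1, s) || (*s != '\0' && glob(p, s + 1));
    return std::tolower((unsigned char)*p) == std::tolower((unsigned char)*s) &&
           glob(p + 1, s + 1);
}

// Assumption: a target without '\' is compared to the file name only,
// a target with '\' to the full path.
static bool matches(const std::string& target, const std::string& path) {
    bool nameOnly = target.find('\\') == std::string::npos;
    std::string subject = nameOnly ? path.substr(path.find_last_of('\\') + 1) : path;
    return glob(target.c_str(), subject.c_str());
}

static bool anyMatch(const List& list, const std::string& path) {
    return std::any_of(list.begin(), list.end(),
                       [&](const std::string& t) { return matches(t, path); });
}

// Would a mod with these targets load into the process at `path`?
bool modLoads(const std::string& path, const List& modTargets,
              const List& critical, const List& excluded) {
    if (anyMatch(excluded, path)) return false;   // excluded: entirely unaffected
    const bool isCritical = anyMatch(critical, path);
    for (const std::string& t : modTargets) {
        const bool isPattern = t.find('*') != std::string::npos;
        if (isCritical && isPattern) continue;    // patterns ignored when critical
        if (matches(t, path)) return true;
    }
    return false;
}

int main() {
    // Constructed data; the critical entry assumes %systemroot% is C:\Windows.
    const List critical = {"C:\\Windows\\system32\\lsass.exe"};
    const std::string lsass = "C:\\Windows\\System32\\lsass.exe";
    const bool ok = !modLoads(lsass, {"*"}, critical, {}) &&
                    modLoads(lsass, {"lsass.exe"}, critical, {});
    return ok ? 0 : 1;
}
```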
A common question is why Windhawk injects code into most processes, even if no mods target them directly. Wouldn't it make sense to inject code only into processes that are being customized by mods?
Injecting code into most processes allows Windhawk to intercept the creation of new processes and load mods before a new target process starts running. Without this capability, certain mods that rely on being loaded at an early stage would not function correctly.
Determining which processes to target by default is tricky:
- If fewer processes are targeted: Some mods may not work correctly because they aren't loaded early enough.
- If too many processes are targeted: There's a higher risk of incompatibilities or system instability.
Since incompatibilities with Windhawk are rare, it was decided to inject code into most processes by default while excluding critical system processes. This strikes a balance between maintaining system stability and ensuring mods work reliably.
However, this default behavior may cause issues in certain cases:
- Incompatibility with a program: If a program is incompatible with Windhawk, it can be added to the exclusion list (see Windhawk targets). Programs that are known to be incompatible with Windhawk can be found here.
- Incompatibility with antivirus or other security software: Some antivirus or security software may conflict with Windhawk due to its intrusive nature. Some information about it can be found here. If nothing else works, you can try excluding all processes but the ones you'd like to customize. Note that, as mentioned earlier, some mods might not work correctly in this case since they won't be loaded early enough. Therefore, this option is only recommended as a last resort.
The ideal solution would involve a mechanism in Windows that allows mods to load early without injecting code into every process. This topic has been discussed on GitHub.
Currently, the most promising approach is to develop a small kernel driver, which is a system component running at the core of the operating system. Using a kernel driver, Windhawk could load mods at an early stage without injecting code into every process. However, creating and signing a kernel driver for Windows is a complex and costly process, and there are currently no concrete plans to pursue it.
Windhawk v1.5.1 defines the following list of processes as critical system processes:
%systemroot%\system32\autochk.exe
%systemroot%\syswow64\autochk.exe
%systemroot%\system32\chkdsk.exe
%systemroot%\syswow64\chkdsk.exe
%systemroot%\system32\consent.exe
%systemroot%\system32\csrss.exe
%systemroot%\system32\doskey.exe
%systemroot%\syswow64\doskey.exe
%systemroot%\system32\dwm.exe
%systemroot%\system32\fontdrvhost.exe
%systemroot%\system32\logonui.exe
%systemroot%\system32\lsaiso.exe
%systemroot%\system32\lsass.exe
%systemroot%\system32\searchindexer.exe
%systemroot%\syswow64\searchindexer.exe
%systemroot%\system32\searchprotocolhost.exe
%systemroot%\syswow64\searchprotocolhost.exe
%systemroot%\system32\services.exe
%systemroot%\system32\setupcl.exe
%systemroot%\system32\smss.exe
%systemroot%\system32\spoolsv.exe
%systemroot%\system32\svchost.exe
%systemroot%\syswow64\svchost.exe
%systemroot%\system32\taskhostw.exe
%systemroot%\system32\userinit.exe
%systemroot%\syswow64\userinit.exe
%systemroot%\system32\werfault.exe
%systemroot%\syswow64\werfault.exe
%systemroot%\system32\werfaultsecure.exe
%systemroot%\syswow64\werfaultsecure.exe
%systemroot%\system32\wermgr.exe
%systemroot%\syswow64\wermgr.exe
%systemroot%\system32\wininit.exe
%systemroot%\system32\winlogon.exe
%systemroot%\system32\winrshost.exe
%systemroot%\syswow64\winrshost.exe
%systemroot%\system32\wbem\wmiprvse.exe
%systemroot%\syswow64\wbem\wmiprvse.exe
%systemroot%\system32\wsmprovhost.exe
%systemroot%\syswow64\wsmprovhost.exe