• Explore all of Windows Object Manager namespace

  • Hierarchical objects tree

  • Symbolic links resolving

  • Version information for Section-type objects backed by an image file

  • Additional information for WindowStation-type objects

  • View objects details:

    • Descriptions
    • Flags
    • Invalid attributes
    • Memory pool type
    • Object type-specific information
    • Object-related structure memory dumps¹:
      • ALPC_PORT
      • CALLBACK_OBJECT
      • DEVICE_OBJECT
      • DRIVER_OBJECT
      • DIRECTORY_OBJECT
      • FLT_SERVER_PORT_OBJECT
      • KEVENT
      • KMUTANT
      • KSEMAPHORE
      • KTIMER
      • KQUEUE (IoCompletion)
      • OBJECT_SYMBOLIC_LINK
      • OBJECT_TYPE
    • Opened handles
    • Statistics
    • Supported access rights
    • Process Trust label
    • And more...

  • Display in dump sub-structures¹:

    • ALPC_PORT_ATTRIBUTES
    • DEVICE_MAP
    • LDR_DATA_TABLE_ENTRY
    • OBJECT_TYPE_INITIALIZER
    • UNICODE_STRING
    • And many others

  • Edit object-related security information²

  • Detect driver object IRP modifications (via structure dump)¹

  • Detect kernel object hooking (via structure dump)¹

  • Search for objects by name and/or type

• System information viewer

  • Boot state and type
  • Code Integrity options
  • Mitigation flags
  • Windows version and build

• Loaded drivers list viewer

  • Dump selected driver¹
  • Export driver list to CSV file
  • Jump to driver file location
  • Detect Kernel Shim Engine "shimmed" drivers¹
  • View driver file properties

• Mailslots/Named pipes viewer

  • List all registered mailslots/named pipes
  • Edit named pipes security information⁴
  • Object statistics

• Hierarchical process tree viewer²

  • Show process ID, user name, EPROCESS addresses
  • Highlight processes by type (similar to Process Explorer)
  • Show thread list for selected process
  • Show ETHREAD addresses
  • Common properties for Process/Thread objects:
    • Basic properties (as other object types)
    • Start time
    • Process type
    • Image file name
    • Command line
    • Current directory
    • Applied mitigations
    • Protection
    • "Critical Process" flag state
    • Security edit
  • Jump to process file location
  • Process/Thread token information:
    • User name
    • User SID
    • AppContainer SID
    • Session
    • UIAccess
    • Elevation state
    • Integrity level
    • Privileges and groups
  • Additional token properties:
    • Basic properties (as other object types)
    • Security attributes list
    • Security edit

• Software Licensing Cache viewer

  • List registered licenses
  • Display license data
  • Dump SL_DATA_BINARY license data to file

• User Shared Data viewer

  • Structured dump of key KUSER_SHARED_DATA sections

• System callbacks viewer¹

  • Display callback addresses, modules, and details for:
    • PsSetCreateProcessNotifyRoutine
    • PsSetCreateProcessNotifyRoutineEx
    • PsSetCreateProcessNotifyRoutineEx2
    • PsSetCreateThreadNotifyRoutine
    • PsSetCreateThreadNotifyRoutineEx
    • PsSetLoadImageNotifyRoutine
    • PsSetLoadImageNotifyRoutineEx
    • KeRegisterBugCheckCallback
    • KeRegisterBugCheckReasonCallback
    • CmRegisterCallback
    • CmRegisterCallbackEx
    • IoRegisterShutdownNotification
    • IoRegisterLastChanceShutdownNotification
    • PoRegisterPowerSettingCallback
    • SeRegisterLogonSessionTerminatedRoutine
    • SeRegisterLogonSessionTerminatedRoutineEx
    • IoRegisterFsRegistrationChange
    • IopFsListsCallbacks
    • IoRegisterPlugPlayNotification
    • ObRegisterCallbacks
    • DbgSetDebugPrintCallback
    • DbgkLkmdRegisterCallback
    • PsRegisterAltSystemCallHandler
    • CodeIntegrity SeCiCallbacks
    • ExRegisterExtension
    • PoRegisterCoalescingCallback
    • PsRegisterPicoProvider
    • KeRegisterNmiCallback
    • PsRegisterSiloMonitor
    • EmProviderRegister

• Windows Object Manager private namespace viewer¹

  • Namespace entry information
  • Boundary descriptor details
  • Common object properties

• KiServiceTable viewer¹

  • Dump Ntoskrnl-managed KiServiceTable (SSDT)
  • Jump to service entry module
  • Export to CSV file

• W32pServiceTable viewer¹

  • Dump Win32k-managed W32pServiceTable (Shadow SSDT)
  • Win32k import forwarding support
  • Win32k ApiSets resolving
  • Jump to service entry module
  • Export to CSV file

• CmControlVector viewer

  • Dump Ntoskrnl CmControlVector array
  • Export kernel memory data to file¹
  • Export to CSV file

• Clipboard integration: Copy object addresses/names to clipboard

• Wine/Wine-Staging support³

• Plugins subsystem

  • Included plugins:
    • ApiSetView: Windows ApiSetSchema viewer (supports loading schema from file)
    • Example plugin: Developer template
    • Sonar: NDIS protocols viewer (dumps protocol details)
    • ImageScope: Enhanced Section-type object details (via context menu)

• Documentation

  • Windows Callbacks
  • Plugins subsystem

1. Requires driver support (see "Driver Support" section).
2. Administrator privileges may be required.
3. Windows internals features unavailable on Wine/Wine-Staging.
4. Administrator privileges required for some named pipes.

WinObjEx64 supports two types of driver helpers:

1. Helper for read-only access to kernel memory:

   • Default version uses the Kernel Local Debugging Driver (KLDBGDRV) from WinDbg.
   • Requires:
     • Windows booted in debug mode (bcdedit -debug on)
     • WinObjEx64 running with administrator privileges
   • Custom helper driver versions do not require Windows debug mode.
   • Multiple third-party drivers can be used as helpers, though only the WinDbg-type driver is included by default.

2. Helper to access object handles:

   • WinObjEx64 (any variant) supports Process Explorer driver v1.5.2 for opening processes/threads.
   • Enable by running both Process Explorer and WinObjEx64 with administrator privileges.

Note: All driver helpers require WinObjEx64 to run with administrative privileges.