processhacker
Your AI debugger and vibe hacking tool
claude mcp add --transport stdio illegal-instruction-co-processhacker-mcp C:\absolute\path\to\ProcessHackerMCP.exe
How to use
This MCP server provides a dynamic runtime analysis router modeled after the ProcessHacker toolset. It ships as an executable that communicates over standard input and output and is designed for use with AI agents and editors, exposing tool-like operations such as memory inspection hooks, process analysis, and extensible plugins loaded from the extensions/ folder. The server is plugin-based: core routing is separate from the tooling, and the functional tools are DLL plugins loaded at startup. To integrate it into a client (e.g., Gemini, Claude Desktop, VS Code), point the client's MCP configuration at the ProcessHackerMCP.exe binary and either leave the arguments empty or supply the ones you need. The server includes safety rails to limit destructive actions and logs all tool calls for auditing.
How to install
Prerequisites:
- A supported development environment (Windows) with a CMake-capable toolchain and Visual Studio.
- Source code containing a CMakeLists.txt to build ProcessHackerMCP.exe and its extensions.
Installation steps:
- Clone or download the repository to your machine.
- Open the project folder in Visual Studio (the project includes a CMakeLists.txt).
- Build all targets (Ctrl+Shift+B) to compile ProcessHackerMCP.exe and create the extensions/ folder populated with the initial DLLs.
- Locate the generated ProcessHackerMCP.exe under the build output directory. Ensure extensions/ contains the necessary DLL plugins.
- Run ProcessHackerMCP.exe. It will communicate with clients via stdin/stdout.
Notes:
- The server expects editors or AI agents to provide the absolute path to the executable in their MCP configuration.
- If you modify extensions, rebuild or reload as appropriate so the updated DLLs are loaded at startup.
Additional notes
Tips and considerations:
- Payload limit: a 2MB payload protection limit prevents editors and editor-like clients from freezing the host. For large data, use limit and offset when querying memory regions.
- Read-Only mode: to restrict destructive actions, set the server args to ["--read-only"] in your MCP config.
- Audit logging: all tool invocations and arguments are recorded in processhacker_audit.log. Destructive actions are tagged with [WARNING: DESTRUCTIVE].
- Rate limiting: there is a loop breaker that can lock out an agent for 30 seconds after rapid tool usage (e.g., 50 calls in one minute).
- Extensions: the core is a router; actual tools live as DLL plugins in extensions/. You can add custom tools by implementing McpToolRegistration, marking isDestructive appropriately, and exporting InitMcpExtension. After compiling, place the DLL in extensions/ and restart the server.
- Dynamic extensions (advanced): v1.6.0 introduces ext_auto_compiler, enabling AI-driven C code to be compiled with a bundled Tiny C Compiler (TCC) and hot-loaded at runtime. This enables the agent to generate and install custom bypasses on the fly.
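The Read-Only and audit-logging tips above can be checked mechanically. The following is an added example, not code from the ProcessHackerMCP project: it flags client config entries that launch ProcessHackerMCP.exe without --read-only or without an absolute path, and pulls lines tagged [WARNING: DESTRUCTIVE] out of an audit log. The mcpServers/command/args JSON layout, the server names, and the log line layout are assumptions; the sample config and log lines are constructed.

```python
import json
from pathlib import PureWindowsPath

BINARY = "processhackermcp.exe"             # executable name from the page, lowercased
DESTRUCTIVE_TAG = "[WARNING: DESTRUCTIVE]"  # audit-log tag from the page

# Constructed sample; the mcpServers/command/args layout is an assumption.
SAMPLE_CONFIG = r'''
{"mcpServers": {
  "ph-locked":   {"command": "C:\\Tools\\ProcessHackerMCP.exe", "args": ["--read-only"]},
  "ph-open":     {"command": "C:\\Tools\\ProcessHackerMCP.exe", "args": []},
  "ph-relative": {"command": "ProcessHackerMCP.exe", "args": ["--read-only"]},
  "unrelated":   {"command": "C:\\Tools\\other.exe"}
}}
'''

# Constructed sample lines; the real layout of processhacker_audit.log may differ.
SAMPLE_LOG = [
    "2025-01-01 10:00:00 tool=example_read args={}",
    "2025-01-01 10:00:05 [WARNING: DESTRUCTIVE] tool=example_write args={}",
]

def audit_mcp_config(config_text):
    """Return (server_name, issue) pairs for entries that launch ProcessHackerMCP.exe."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in servers.items():
        command = PureWindowsPath(entry.get("command", ""))
        if command.name.lower() != BINARY:
            continue  # some other MCP server, out of scope for this check
        if not command.is_absolute():
            findings.append((name, "command is not an absolute path"))
        if "--read-only" not in (entry.get("args") or []):
            findings.append((name, "--read-only not set"))
    return findings

def destructive_calls(log_lines):
    """Return the audit-log lines that carry the destructive-action tag."""
    return [line.rstrip("\n") for line in log_lines if DESTRUCTIVE_TAG in line]

if __name__ == "__main__":
    for name, issue in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
    for line in destructive_calls(SAMPLE_LOG):
        print("review:", line)
```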
Related MCP Servers
ida-pro
AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
LitterBox
A secure sandbox environment for malware developers and red teamers to test payloads against detection mechanisms before deployment. Integrates with LLM agents via MCP for enhanced analysis capabilities.
flapi
API framework relying heavily on the power of DuckDB and DuckDB extensions. Ready to build performant and cost-efficient APIs on top of BigQuery or Snowflake for AI agents and data apps.
BinAssistMCP
Binary Ninja plugin to provide MCP functionality.
Nexuscore_MCP
AI-powered MCP server for dynamic malware analysis with Frida instrumentation, session-based debugging, and 46+ security tools
perplexity-web-api
🔍 Perplexity AI MCP without API key