Ring3 API Hook Scanner

Martin Brinkmann
Aug 10, 2012
Security, Software, Windows

Think that a malicious program or tool is running on your system but your resident antivirus solution can't seem to grasp it? Then it is time to use alternative security software to throughly check your computer and get a second, third or even fourth opinion. Programs that I like to use for that task are Dr.Web CureIt, an excellent program that does not interfere with installed applications, SuperAntiSpyware or Malwarebytes Anti-Malware. While I prefer those tools for the job, I keep an assortment of tools ready on my PC in case I need to dig deeper than that.

And Ring3 API Hook Scanner has just been added to it. The program is a free portable security application for the Windows operating system that can be used to scan all running processes for "some types of usermode hooks". In other words, it is an anti-rootkit software.

Here is how it works: you run the 32-bit or 64-bit version of the program on your system, and click on scan once the interface shows up. It takes a couple of seconds to scan all processes, and if anything is found, it is displayed directly in the interface.

ring3 api hook scanner

The only indication that the scan has finished is that it returns to its former start after the scan. There is no notification in the end, and if nothing is found, you may just find yourself clicking again on Scan just to make sure you did it right the first time.

If something is found though you will receive information about the hook type and the process. That's however just the beginning of your journey then, as Ring3 API Hook Scanner can't resolve the issue for you, as it is only able to detect but not remove. Not everything that is found by the software is necessarily a rootkit. If you are using Sandboxie for instance, you may find the program listed here even though it is a legit program.

Ring3 Api Hook Scanner can also be run from the command line to scan all running processes or a particular process only. You can use the following command line parameters to do that:

  • Ring3Scan.exe /pid:all /log:C:\Ring3Hooks.log
  • Ring3Scan.exe /pid:1234 /log:C:\Ring3Hooks.log

The first command scans all processes and saves a log file to the main hard drive, the second scans only the process with ID 1234 and saves a log file to the same location.

The software is compatible with all 32-bit and 64-bit editions of the Microsoft Windows operating system from Windows 2000 all the way to the latest version.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. tg said on July 5, 2014 at 11:51 pm

    good review

  2. wtf said on July 23, 2013 at 8:44 pm

    piece of crap doesn’t even work

  3. Wayfarer said on August 10, 2012 at 8:32 pm

    Always in the lookout for second-string malware checkers – just as long as they accept they’re second-string (which MS Security Essentials – otherwise excellent – steadfastly refuses to do.)

    I find SuperAntispyware is VERY useful, and Malwarebytes too – got rid of a lot of stuff that should never have been on my system given I have (expensive) Kaspersky. But I’ve never been able to get anything useful out of DrWeb other than popups to buy a more expensive version.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.