witr-win is a native CLI tool, built exclusively for Windows, that explains why a process exists. It goes beyond simple task listing: it builds the causal chain of a process's ancestry (who started it, and why), analyzes system signals, and offers deep inspection of a process's modules, handles, tokens and network state, all from a terminal interface.
> "It's like `ps` meets `netstat` meets Process Explorer, but for the command line."
- Deep Causality: Don't just see what is running, see who started it and why (parent process chain).
- Security & Integrity: Inspect DLL modules, open file handles, security tokens, and integrity levels.
- Network Aware: Instantly identify which process is holding a port, or which connections a process has open.
- Performance Metrics: View real-time CPU, memory, and I/O statistics.
- Time Travel: Take snapshots of process state and compare them later to detect changes.
- Automation Ready: Output JSON for scripts, or visualize ancestry in Graphviz DOT format.
- TUI Mode: Interactive terminal UI for exploring processes without remembering flags.
Choose the method that fits your workflow.

If you use Scoop:

```powershell
scoop bucket add witr-win https://github.com/m-de-graaff/witr-win-bucket
scoop install witr-win
```

If you use Chocolatey:

```powershell
choco install witr-win
```

Or install manually:

- Go to the Releases Page.
- Download the latest `witr-win.exe`.
- Place it in a folder included in your system `PATH`.

Or build from source (requires Rust installed):

```powershell
cargo install --git https://github.com/m-de-graaff/witr-win
```

Everything starts with `witr-win`. Run it with `--help` for a quick refresher.
Find out what you're looking for.

| Goal | Command | Description |
|---|---|---|
| Analyze by PID | `witr-win --pid 1234` | Analyze a specific Process ID. |
| Analyze by Port | `witr-win --port 8080` | Find the process listening on port 8080. |
| Search by Name | `witr-win node` | Find processes matching "node". |
| Interactive Mode | `witr-win -i` | Launch the TUI to select a process interactively. |
Add flags to get more details about the target.

```powershell
# Show EVERYTHING (Modules, Handles, Network, Perf, Security)
witr-win --pid 1234 --all

# Show specific details
witr-win --pid 1234 --modules   # List loaded DLLs
witr-win --pid 1234 --handles   # List open files/registry keys
witr-win --pid 1234 --net       # List active network connections
witr-win --pid 1234 --perf      # Show CPU/RAM usage
witr-win --pid 1234 --security  # Show User, SID, Integrity Level
```

Reading the modules, handles and token of a process you do not own (a service, another user's session, or a protected system process) requires an elevated prompt: from a non-elevated shell Windows denies that access, so expect these views to come back partial or empty until you re-run as Administrator.

Tailor the output to your needs.
```powershell
# Default (Human Readable Narrative)
witr-win --pid 1234

# Tree View (Visualize Ancestry)
witr-win --pid 1234 --tree

# JSON (For Scripts/Automation)
witr-win --pid 1234 --json

# One-Liner (For Piping/Logging)
witr-win --pid 1234 --short

# Graphviz DOT (Visual Diagram)
witr-win --pid 1234 --graph > ancestry.dot
```

The DOT file renders with Graphviz's `dot` tool (to SVG, PNG, or any other format Graphviz supports).

Track how a process changes over time (memory leaks, handle leaks, etc.).
- Take a snapshot: `witr-win --pid 1234 --snapshot "baseline"`
- Wait, or do the work you want to observe.
- Compare the current state to the snapshot: `witr-win --pid 1234 --compare "baseline"`. This highlights differences in memory, thread count, and configuration.
- List snapshots: `witr-win --list-snapshots`
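The built-in snapshot/compare workflow reports memory, thread and configuration deltas. For the "what got loaded into this process while I wasn't looking" question that the `--modules` view and the snapshot feature together invite, here is an added PowerShell example (not part of witr-win, and not the project's own code) that diffs two module listings and checks the Authenticode signature of anything new. It assumes, since the page does not document this, that `--modules` can be combined with `--json` and that the resulting JSON carries a `modules` array whose entries have a `path` field; the sample JSON at the bottom is constructed for an offline run, not real tool output.

```powershell
# Added example: diff loaded DLLs between two points in time and vet the newcomers.
# ASSUMED (hypothetical) witr-win JSON schema: { "pid": N, "modules": [ { "path": "..." }, ... ] }
# Adjust Select-ModulePaths if the real `--modules --json` output differs.

function Select-ModulePaths {
    param([Parameter(Mandatory)][string]$Json)
    $obj = $Json | ConvertFrom-Json
    # Normalise to a plain array of full module paths.
    @($obj.modules | ForEach-Object { $_.path })
}

function Get-LoadedModulePaths {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Live path: ask witr-win for the module list as JSON (assumed flag combination).
    $json = & witr-win --pid $ProcessId --modules --json | Out-String
    Select-ModulePaths -Json $json
}

function Compare-LoadedModules {
    param(
        [Parameter(Mandatory)][string[]]$Baseline,
        [Parameter(Mandatory)][string[]]$Current
    )
    # Case-insensitive set difference: modules present now that were absent at baseline.
    $before = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Baseline, [System.StringComparer]::OrdinalIgnoreCase)
    $Current | Where-Object { -not $before.Contains($_) }
}

function Test-NewModule {
    param([Parameter(Mandatory)][string]$Path)
    # A module whose backing file is gone (or never existed on disk) deserves a closer look.
    $sig = if (Test-Path -LiteralPath $Path) {
        (Get-AuthenticodeSignature -LiteralPath $Path).Status
    } else { 'FileMissing' }
    $inSystemDir = ($Path -like "${env:SystemRoot}\*") -or ($Path -like "${env:ProgramFiles}\*")
    [pscustomobject]@{
        Path             = $Path
        Signature        = $sig          # Valid / NotSigned / HashMismatch / ... / FileMissing
        OutsideSystemDir = -not $inSystemDir
    }
}

# --- Offline demonstration with CONSTRUCTED JSON (not real witr-win output) ---
$baselineJson = '{"pid":1234,"modules":[{"path":"C:\\Windows\\System32\\ntdll.dll"},{"path":"C:\\Windows\\System32\\kernel32.dll"}]}'
$laterJson    = '{"pid":1234,"modules":[{"path":"C:\\Windows\\System32\\ntdll.dll"},{"path":"C:\\Windows\\System32\\kernel32.dll"},{"path":"C:\\Users\\Public\\helper.dll"}]}'

$newModules = Compare-LoadedModules -Baseline (Select-ModulePaths $baselineJson) -Current (Select-ModulePaths $laterJson)
$newModules | ForEach-Object { Test-NewModule $_ } | Format-Table -AutoSize

# Live use against a real process:
#   $b = Get-LoadedModulePaths 1234
#   ... wait / reproduce the behaviour ...
#   Compare-LoadedModules $b (Get-LoadedModulePaths 1234) | ForEach-Object { Test-NewModule $_ }
```

With the constructed input the only newcomer is `C:\Users\Public\helper.dll`, reported as `FileMissing` and `OutsideSystemDir = True`; on a real system, an unsigned or missing DLL that appeared outside the Windows and Program Files trees, in a process you did not restart, is the classic footprint of injection or DLL search-order hijacking and is worth pivoting on with `--pid <n> --tree --handles`.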
Customize defaults so you don't have to type flags every time.

- Generate config: `witr-win --init-config` creates `~/.witr-win/config.toml`.
- Edit config: open that file to set preferred defaults (e.g., always enable `--tree` or `--no-color`).
Keep your tool fresh.

```powershell
witr-win --check-update
witr-win --update
```

Need to stop a rogue process?

```powershell
# Kill the process on port 3000
witr-win --port 3000 --end
```

Run the same command without `--end` first to confirm which process actually owns the port. Ending a service's process does not stop the Service Control Manager from restarting it if recovery actions are configured, and some system processes are either protected from termination or critical to the OS, so confirm the owner before you end it.

Explore your network footprint.
```powershell
# Netstat-like list of all listening ports
witr-win --list-ports

# Scan a specific range
witr-win --port-range 5000-5010

# Filter by protocol
witr-win --port 80 --protocol tcp
```

We are constantly improving witr-win. Here's what's planned:
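A netstat-style listing is most useful when something compares it against what should be listening. The following added PowerShell example (not witr-win's own code) checks each listener against an allowlist of expected port-to-process pairs and flags anything unexpected so you can pivot into `--pid <n> --tree`. It assumes, because the page does not say so, that `--list-ports` accepts `--json` and returns an object with a `ports` array whose entries expose `port`, `protocol` and a `process` object with `pid` and `name`; the allowlist and the sample JSON are constructed for the demonstration.

```powershell
# Added example: flag listening ports whose owning process is not on an allowlist.
# ASSUMED (hypothetical) witr-win JSON schema for `--list-ports --json`:
#   { "ports": [ { "port": 443, "protocol": "tcp", "process": { "pid": 4120, "name": "nginx.exe" } }, ... ] }

# Constructed allowlist: "port/protocol" -> expected image name. Tailor it to the host.
$ExpectedListeners = @{
    '443/tcp'  = 'nginx.exe'
    '3389/tcp' = 'svchost.exe'
    '5985/tcp' = 'System'
}

function Get-ListenerEntries {
    param([Parameter(Mandatory)][string]$Json)
    # Flatten the assumed schema into one row per listener with a normalised key.
    @(($Json | ConvertFrom-Json).ports | ForEach-Object {
        [pscustomobject]@{
            Key     = "$($_.port)/$($_.protocol)".ToLower()
            Pid     = $_.process.pid
            Process = $_.process.name
        }
    })
}

function Find-UnexpectedListeners {
    param(
        [Parameter(Mandatory)][object[]]$Entries,
        [Parameter(Mandatory)][hashtable]$Allowlist
    )
    foreach ($e in $Entries) {
        $expected = $Allowlist[$e.Key]
        if ($null -eq $expected) {
            # Nothing should be listening here at all.
            [pscustomobject]@{ Port = $e.Key; Pid = $e.Pid; Process = $e.Process; Reason = 'port not in allowlist' }
        } elseif ($expected -ne $e.Process) {
            # Right port, wrong owner: a classic sign of a replaced or hijacked service.
            [pscustomobject]@{ Port = $e.Key; Pid = $e.Pid; Process = $e.Process; Reason = "expected $expected" }
        }
    }
}

# --- Offline demonstration with CONSTRUCTED JSON (not real witr-win output) ---
$sampleJson = @'
{"ports":[
 {"port":443,"protocol":"tcp","process":{"pid":4120,"name":"nginx.exe"}},
 {"port":3389,"protocol":"tcp","process":{"pid":988,"name":"svchost.exe"}},
 {"port":4444,"protocol":"tcp","process":{"pid":7712,"name":"powershell.exe"}},
 {"port":5985,"protocol":"tcp","process":{"pid":6204,"name":"updater.exe"}}
]}
'@

$flagged = Find-UnexpectedListeners -Entries (Get-ListenerEntries $sampleJson) -Allowlist $ExpectedListeners
$flagged | Format-Table -AutoSize

# Live use: replace the sample with real output, then pivot into ancestry for each hit.
#   $live = & witr-win --list-ports --json | Out-String
#   Find-UnexpectedListeners (Get-ListenerEntries $live) $ExpectedListeners |
#       ForEach-Object { & witr-win --pid $_.Pid --tree }
```

On the constructed input two rows come back: `4444/tcp` owned by `powershell.exe` (no allowlist entry) and `5985/tcp` owned by `updater.exe` where `System` was expected. The allowlist is keyed on port and image name only; if you need stricter matching, extend the row with the full image path from the `--modules` or `--security` view and compare that instead.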
- Classification: Better recognition of "Scheduled Tasks" and Service dependencies.
- Container Awareness: Detection of Docker/Podman processes.
- Advanced Filtering: Filter by user, memory usage, or interactive status.
- Security: ASLR/DEP status and digital signature verification.
See FEATURES.md for the full roadmap.
Contributions are welcome! Please check out CONTRIBUTING.md for guidelines.
This project is licensed under the MIT License.