Several people requested an update of PTFinder for the Microsoft Windows Vista platform. The changes to support kernel version 6.0.6000.16386 were not trivial. I've added a BETA version to the PTFinder Collection.
There's an experimental option, --pool, that enables a check of the POOL_HEADER structure. While this check slightly reduces the number of false positives, it may exclude some traces of defunct processes, too. Therefore this option is turned off by default.
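As an added illustration of the kind of POOL_HEADER plausibility check the --pool option performs (example code written for this post, not PTFinder's own Perl): it assumes the 32-bit XP/Vista _POOL_HEADER layout, the process pool tag "Proc" (with the protected-pool bit masked off) and a placeholder minimum object size. Note how the freed block is dropped by the PoolType test, which is exactly why the check can also hide traces of defunct processes.

```python
import struct

# Assumed x86 _POOL_HEADER layout (8 bytes) for 32-bit XP/Vista kernels, taken
# from public documentation, not from PTFinder's source:
#   ULONG bits: PreviousSize:9 | PoolIndex:7 | BlockSize:9 | PoolType:7
#   ULONG PoolTag  (bit 31 marks a "protected" allocation)
POOL_HEADER_SIZE = 8
POOL_BLOCK_UNIT = 8      # BlockSize/PreviousSize count 8-byte units on x86

def parse_pool_header(buf, offset=0):
    bits, tag = struct.unpack_from("<II", buf, offset)
    return {
        "PreviousSize": bits & 0x1FF,
        "PoolIndex": (bits >> 9) & 0x7F,
        "BlockSize": (bits >> 16) & 0x1FF,
        "PoolType": (bits >> 25) & 0x7F,
        "Protected": bool(tag & 0x80000000),
        "PoolTag": (tag & 0x7FFFFFFF).to_bytes(4, "little"),
    }

def pool_header_plausible(hdr, expected_tag, min_body_bytes):
    """Reject headers that cannot belong to a live allocation of the object."""
    if hdr["PoolType"] == 0:          # 0 means the block has been freed
        return False
    if hdr["PoolTag"] != expected_tag:
        return False
    needed = (POOL_HEADER_SIZE + min_body_bytes + POOL_BLOCK_UNIT - 1) // POOL_BLOCK_UNIT
    return hdr["BlockSize"] >= needed   # block must be able to hold the object

def scan_for_tag(buf, expected_tag, min_body_bytes):
    """Return offsets of plausible pool headers carrying expected_tag."""
    return [off for off in range(0, len(buf) - POOL_HEADER_SIZE + 1, POOL_BLOCK_UNIT)
            if pool_header_plausible(parse_pool_header(buf, off), expected_tag, min_body_bytes)]

def _hdr(prev, idx, size, ptype, tag):
    bits = prev | (idx << 9) | (size << 16) | (ptype << 25)
    return struct.pack("<I", bits) + tag

# Constructed sample "dump": one live protected "Proc" block, one freed block and
# one block far too small for a process object, each followed by its body.
SAMPLE = (bytes(16)
          + _hdr(0, 0, 0x60, 4, b"Pro\xe3") + bytes(0x60 * 8 - 8)   # live, protected tag
          + _hdr(0x60, 0, 0x40, 0, b"Proc") + bytes(0x40 * 8 - 8)   # freed: PoolType 0
          + _hdr(0x40, 0, 2, 4, b"Proc") + bytes(8))                # too small
MIN_EPROCESS_BYTES = 0x200   # placeholder lower bound, not the real Vista _EPROCESS size

if __name__ == "__main__":
    print(scan_for_tag(SAMPLE, b"Proc", MIN_EPROCESS_BYTES))   # [16]
```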
Thanks go to Umang Desai (Georgia Institute of Technology) for extensive testing. The Vista version is still in BETA and needs more testing, though. I welcome any feedback from the community.