Note: This Advanced Setting requires ThreatLocker Windows Agent version 10.10.10 or greater.
The 'Enable In-Memory Inspection' Advanced Setting can be used to monitor for code executing under suspicious circumstances within running processes. This type of activity can indicate Process Code Injection, in which an attacker writes code into another process's memory and executes it there. When this Advanced Setting is enabled, ThreatLocker will grant access to the 'Memory' Action Type for custom Endpoint Detect policies.
Note: The 'Memory' Action Type will still be visible when creating an Endpoint Detect Policy, but will not alert for anything until the Advanced Setting has been applied to the assets in your organization and the agent on those assets has been restarted.
To enable this Advanced Setting, from within the 'Create Settings' sidebar, navigate to the 'Setting Type' dropdown and select 'Enable In Memory Inspection'.

The 'Parameters' section will now populate with a checkbox labeled 'Enable In Memory Inspection (Requires Restart)'. To enable this Advanced Setting, select the checkbox.

Once the setting is configured, select the 'Create' button at the bottom of the sidebar, then use the 'Update Agents' button in the top left corner of the 'Advanced Settings' window to push the change to the agents.

When this Advanced Setting is applied, you MUST restart the ThreatLocker agent on every device to which it was applied; until the agent restarts, the setting is not active on that device. For information on how to restart the ThreatLocker agent directly from your portal, please visit the following article:
Restarting the ThreatLocker Agent | ThreatLocker Help Center
Once the ThreatLocker Agent has been restarted on all devices, Endpoint Detect policies using the 'Memory' Action Type as a Policy Condition will begin generating alerts.
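Before relying on a 'Memory' policy, it is worth confirming on each endpoint that the two preconditions above actually hold: the agent meets the 10.10.10 minimum, and the agent service has restarted since you pressed 'Update Agents'. The following PowerShell is an added example written for this article, not ThreatLocker's own tooling. It assumes the agent runs as a Windows service whose Name or DisplayName contains 'ThreatLocker' and that the agent version can be read from that service executable's file-version resource; both are labelled assumptions in the code and should be adjusted to match your installation. The restart itself is still done from the portal as described above; this script only verifies the result.

```powershell
# Added example (not ThreatLocker's own tooling): verify on an endpoint that the agent
# meets the 10.10.10 minimum and that it has restarted since the setting was pushed.
# ASSUMPTIONS: the agent runs as a Windows service whose Name or DisplayName contains
# 'ThreatLocker', and its version is read from the service executable's file-version
# resource. Adjust the filter below if your install differs.

$MinimumVersion = [version]'10.10.10'   # minimum stated in the article for In-Memory Inspection

function Get-ThreatLockerService {
    # Discover the service instead of hard-coding its name (ASSUMPTION: name contains 'ThreatLocker').
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like '*ThreatLocker*' -or $_.DisplayName -like '*ThreatLocker*' } |
        Select-Object -First 1
}

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the executable.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Get-AgentStatus {
    param([datetime]$SettingPushedAt)   # the local time at which you clicked 'Update Agents'

    $svc = Get-ThreatLockerService
    if (-not $svc) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Version = $null; VersionOk = $false
            ServiceState = 'NotFound'; ServiceStarted = $null; RestartedSincePush = $false
            Note = 'ThreatLocker service not found (check the name filter)'
        }
    }

    # Version from the executable's file-version resource (four numeric parts).
    $exe = Get-ServiceExecutablePath -PathName $svc.PathName
    $vi  = (Get-Item -LiteralPath $exe).VersionInfo
    $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    # A running service has a ProcessId; the process creation time shows whether the
    # post-push restart has happened. CIM is used so no elevated handle to the process is needed.
    $started = $null
    if ($svc.ProcessId -gt 0) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
        if ($proc) { $started = $proc.CreationDate }
    }

    $restarted = ($null -ne $started) -and ($started -gt $SettingPushedAt)
    $note = if ($ver -lt $MinimumVersion) { "agent below $MinimumVersion; 'Memory' Action Type will not alert" }
            elseif (-not $restarted)       { 'restart pending; In-Memory Inspection not yet active' }
            else                           { 'ready for Memory Action Type policies' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Version            = $ver
        VersionOk          = ($ver -ge $MinimumVersion)
        ServiceState       = $svc.State
        ServiceStarted     = $started
        RestartedSincePush = $restarted
        Note               = $note
    }
}

# Usage: pass the time you pressed 'Update Agents' (placeholder date below). Run it on
# each device that received the setting, e.g. through Invoke-Command against the list
# of hostnames the setting was applied to.
Get-AgentStatus -SettingPushedAt (Get-Date '2024-01-01 09:00')
```

Any device that reports VersionOk as False needs an agent upgrade before the setting is meaningful, and any device where RestartedSincePush is False still needs the portal-initiated restart; a 'Memory' policy will be silent on both until that is resolved.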
The Memory Action Type
To set up an Endpoint Detect policy using the 'Memory' Action Type as a policy condition, start by navigating to the 'Detect Policies' page. To do so, hover over the 'Detect' icon on the left side of the ThreatLocker Portal, then select 'Detect Policies' from the menu.

From the 'Detect Policies' page, select the 'Create New Endpoint Detect Policy' button found in the top left corner.

Once selected, the 'Create Endpoint Detect Policy' sidebar will open. From here, you can enter the details of the policy you are creating.
To add 'Memory' as a Policy Condition, navigate to the 'Policy Conditions' section of the sidebar.

From here, select the 'Condition' dropdown and set it to 'Action Type', choose your 'Operator', then select 'Memory' from the 'Action Type' dropdown.

The rest of the Endpoint Detect policy can be configured based on your organization's needs and the alerts you would like to receive.