Windows Guide Tags: Clash PROCESS-NAME Mihomo split routing Windows

Clash on Windows: PROCESS-NAME Rules Not Working —Fix Paths and Permissions

You pasted tutorial YAML, restarted the core, yet traffic still ignores your PROCESS-NAME lines—or logs never show a process hit at all. On Windows, that outcome is rarely “random Mihomo breakage.” It is usually a mismatch between how you spell the executable, which session owns the socket (standard user versus elevated admin), whether rules sit below an aggressive GEOIP catch-all, and whether your capture mode exposes process metadata to the engine. This guide walks through those layers in order, connects them to practical split routing behavior, and points to scenario guides such as Steam downloads and Discord voice once the PROCESS-NAME mechanism itself is healthy.

Approx. 24 min read
Clash Editorial
Table of Contents

1. Symptoms That Look Like PROCESS-NAME Failure

The complaint sounds repetitive in forums: “I added PROCESS-NAME for my game launcher, browser, or IDE; subscription domains look fine; yet speed tests and IP checkers still show the wrong exit—or the app behaves as if Clash were off.” Sometimes the misread is emotional: users watch only the browser while the stubborn binary is something else (svchost.exe, a helper updater, or a service child). Other times the rule truly never fires: logs show repeated MATCH or GEOIP branches while the executable you care about never appears next to a policy line.

Separating those cases matters. If some traffic obeys split routing but one executable does not, you likely have either a wrong process key (name or path), a different binary doing the network work, or an ordering problem where an earlier rule swallows the flow. If nothing process-specific ever logs while generic domain rules work, suspect capture path: the dataplane feeding Mihomo may not attach process ownership to packets in the mode you enabled. Treat “PROCESS-NAME is broken” as a hypothesis to falsify with one log line, not an identity.

Tip: Skim the rules and DNS overview on this site so vocabulary lines up between your GUI (Clash Verge, Clash for Windows, other forks) and the underlying core. Labels move; PROCESS-NAME semantics stay surprisingly stable when the traffic is actually captured.

2. How the Core Sees a Process on Windows

At a high level, process-based rules exist because modern desktops run dozens of concurrent programs. Domain lists cannot capture every ephemeral hostname a game or Electron app touches. The engine therefore asks the operating system—or a cooperating driver—which binary opened a socket, then compares that identifier against your YAML. On Windows, the identifier is not “window title,” “shortcut name,” or “Start Menu label.” It is the image file backing the process: typically something like example.exe, occasionally qualified with a path when you use path-aware rule types in newer cores.

That observation immediately excludes a family of user errors. Renaming a shortcut does nothing. Pinning python.exe while your script actually runs under py.exe or a virtual-environment shim breaks your mental model. Microsoft Store apps may live under package directories with long, versioned paths and executables you never see on disk as a single friendly string. WSL distributions add another twist: TCP from wsl.exe is not the same process as binaries inside the Linux namespace, which is why WSL-focused networking usually needs interface or subnet rules instead of pretending a single Windows PROCESS-NAME covers both worlds.

When diagnostics fail, Task Manager Details is your friend. Sort by PID, confirm the exact spelling and path (right-click → Open file location), and only then mirror that string into YAML. If the process elevates mid-session—installers often spawn a separate elevated child—remember the child’s name may differ from the parent you launched from Explorer.

3. File Name vs Full Path Syntax

Most tutorials show the compact form: PROCESS-NAME, chrome.exe, PROXY. That instructs the matcher to compare the executable file name only, typically case-insensitive on Windows, which feels forgiving until you collide with two different update.exe binaries from unrelated vendors. When collisions happen, cores that support path-scoped variants (often documented as PROCESS-PATH or similar, depending on fork and version) let you anchor the rule to a directory prefix such as C:\Program Files\Vendor\app.exe or escape ambiguity with forward slashes versus backslashes per your YAML quoting discipline.

Slash direction and escaping

YAML treats backslashes as escape characters unless you quote carefully. Many users cargo-cult copied paths from Explorer verbatim, accidentally producing invalid YAML or silently shortened strings. Prefer quoting the entire token, doubling backslashes where needed, or normalizing to forward slashes when the parser accepts them—consistency beats cleverness.

32-bit vs 64-bit Program Files

A perennial trap is assuming C:\Program Files (x86)\… versus C:\Program Files\…. A 64-bit host can run either; the active path is whichever image actually started. If you path-anchored a rule to the wrong tree, match failure is correct behavior, not engine failure.

When in doubt, keep the first hop on PROCESS-NAME with only the executable, prove the hit in logs, then tighten to a path-specific row if collisions appear. That sequence stops you from debugging three variables at once.

4. Permissions, UAC, and Session Boundaries

Windows splits security contexts sharply. If Clash runs as a standard user while the target app runs elevated as Administrator (or vice versa), some capture strategies see only a subset of flows, or attach metadata late enough that your rule ordering already committed to a fallback. Symptoms include “works after I run everything as admin” or “breaks only for installers.” Those are permission surfaces, not proof that PROCESS-NAME is fundamentally unreliable.

Similarly, Session 0 services versus interactive desktop Session 1 behave differently. Background updaters and system agents may not appear where you expect in a user-scoped GUI picker. Antimalware hooks and corporate endpoint tools can inject their own proxies or filter drivers ahead of your TUN adapter, effectively shifting which process owns the outward connection from your point of view.

Operational guidance: align elevation between the core and the apps you care about when testing; document a known-good pairing; then decide whether production use should remain standard-user for security reasons. If you must split elevation, plan alternative policy—subnet, user-agent-agnostic domain rows, or interface rules—rather than insisting a single user-mode row defy the security model.

Warning: Running arbitrary clients as Administrator to appease routing is a security regression. Treat it as a diagnostic step, then back off to the least privilege that still satisfies capture and your split routing goals.

5. Duplicate Installs and Launcher Wrappers

Gaming platforms epitomize the wrapper problem. What you click may spawn game.exe, but downloads and CDN chatter sometimes ride through launcher.exe, steam.exe, or an anti-cheat kernel companion. Enterprise browsers fork helper processes with distinct names. IDEs delegate Git operations to git.exe or ssh binaries outside the IDE directory.

Before expanding YAML endlessly, capture one failing session with verbose-enough logging and note every distinct executable involved in the outbound SYN you care about. Then either enumerate those names honestly or collapse policy upward one layer (for example routing an entire publisher directory via path rules when supported). Our Steam-focused guide discusses how bulk CDN traffic differs from UDP multiplayer flows—PROCESS awareness helps precisely because names multiply.

Portable distributions merit extra caution: users unzip multiple versions across drives; Task Manager shows D:\tools\app\v12\bin\foo.exe today and E:\mirror\v11\foo.exe tomorrow. If you anchored paths too eagerly during debugging, stale anchors silently rot.

6. Capture Mode and Metadata Plumbing

PROCESS-NAME is not a spell that overrides physics; it requires the dataplane to know which process originated the flow. On Windows, “system proxy only” setups influence WinINET-aware consumers but leave vast categories of traffic—including many games and custom clients—outside the hook that annotates process IDs. Users then see domain rules firing (because SNI or DNS metadata exists) while process rules feel “dead.”

TUN mode generally elevates fidelity for user traffic by pulling IP packets through a virtual adapter where the core can correlate connections with richer context—at the cost of touching routing tables, firewall prompts, and sometimes driver coexistence with other VPNs. If enabling TUN instantly makes PROCESS-NAME lines appear in logs, you have learned that the prior mode never supplied metadata, not that YAML was meaningless. Follow the dedicated Clash TUN troubleshooting article when the adapter misbehaves; a broken tunnel makes every downstream rule lie.

Loopback and local redirection

Traffic that never leaves the machine, or loops through 127.0.0.1 shims, may never present the remote process attribution you imagine. Diagnostics that only look at WAN hops will mislead you. Always ask: did this packet ever traverse the capture interface where the core listens?

7. Rule Order, Providers, and Silent Shadows

YAML executes top to bottom until the first match. Subscription “rule providers” and remote sets frequently prepend broad GEOIP or final MATCH entries. If your painstaking PROCESS-NAME rows land below a catch-all that already fired, they are unreachable dead code—not because the syntax failed, but because control flow never reaches them.

Another subtlety is merge semantics: some GUIs splice provider fragments before or after user overrides automatically. After an overnight refresh, your insert point may drift. Version-control exported profiles and diff them when regression appears “without config changes.” The enemy is silent reordering.

Finally, remember complementary mechanisms: sniffing overrides, IP rules, and DNS-fake-ip interactions can classify a flow before process logic runs, depending on fork and settings. When two mechanisms disagree, logs—not intuition—show the winner.

8. GUI Clients vs Plain Mihomo

Forks diverge on UX, not merely skins. One wrapper may expose “application rules” that compile down to slightly different YAML than another’s literal editor. Validators sometimes strip unknown tokens after updates. Always inspect the merged runtime configuration your core actually loads—often accessible via debug HTTP APIs or temporary export—not only the textarea where you typed hoping it would ship verbatim.

If you migrated from legacy Clash-for-Windows-era workflows to newer Verge stacks, revisit driver bundles (WinTUN/WFP), permission prompts, and auto-start elevation defaults. Identical YAML across machines with different GUIs can diverge behavior purely because one silently enables TUN while the other stays on mixed-port local proxies.

9. Verification Checklist

  1. Identify the real outbound executable via Task Manager → Details → Image path.
  2. Quote YAML paths safely; prefer bare PROCESS-NAME until proof of hit.
  3. Confirm rule rows appear above sweeping GEOIP/MATCH entries after merges.
  4. Toggle capture mode intentionally; reproduce once with TUN if metadata was missing.
  5. Align elevation between core and target app during controlled testing.
  6. Flush stale assumptions after updates (launchers spawn new helpers).
  7. Archive one log excerpt showing either the matched policy line or the earlier rule that preempted it.

If every checkbox passes yet behavior violates expectation, widen scope briefly to correlated guides—for voice-heavy workloads see Discord process routing—because UDP/WebRTC introduces constraints orthogonal to naming—but still gated on whether process metadata exists.

10. Troubleshooting Matrix

Use the table as a map; confirm with logs rather than vibes.

Observation Investigate first
Domain rules hit; PROCESS-NAME never appears Capture mode (system proxy vs TUN), elevation mismatch, metadata-less dataplane
Worked yesterday; broke after subscription refresh Rule provider reordering, duplicated MATCH rows, GUI merge precedence
Only elevated installers fail UAC split sessions; core running standard user while target is admin
Multiple apps share one exe name Switch from bare name to path-qualified rows where supported
TUN toggle changes everything Routes, firewall prompts, competing VPN adapters—see TUN guide

Structured evidence beats reinstall rituals. Save snippets where an earlier rule preempted your row; that snippet becomes reusable institutional knowledge across machines.

11. Summary

PROCESS-NAME on Windows fails softly: wrong identifiers, invisible wrappers, YAML escaping mistakes, elevation seams, shadowed ordering, or capture modes that never supply process metadata can each mimic “rules ignored.” Fixing split routing starts with confirming one truthful log line tying a socket to the executable you named, then stabilizing the dataplane (TUN where appropriate), then auditing merge order—not hopping providers nightly.

Compared with opaque VPN clients that hide classification, maintained Mihomo-family stacks reward operators who export configs, diff merges, and read rule traces. Prefer installers distributed via this site’s channel so binaries align with the guides you follow.

Once paths, permissions, and capture agree, revisit domain augmentations sparingly—they become backups for rare collisions, not substitutes for understanding process attribution.

Download Clash for free and experience the difference