The paper analyses the way of hiding processes and common method of detecting hidden Processes and discusses the principle and the way of searching system memory to detect hidden Processes. First judged whether the page is effective or not, Then judged whether memory address is address of eprocess or not according to eprocess’s character and object’s character. And bring up the way of judging pae memory mode or general memory mode, The way of judging whether the page is effective or not in two memory mode. Discusses the way of improving efficiency. Experiments on windows 7. vista operation system showed that the algorithm can enumerate all processes with high efficiency in two memory mode, These processes hided self by hooking functions, or directly entered into kernel space changed kernel data to hide self.