diff --git a/samples/phidecheck.py b/samples/phidecheck.py
new file mode 100644
index 0000000..770e66c
--- /dev/null
+++ b/samples/phidecheck.py
@@ -0,0 +1,31 @@
+#
+# Search hidden processes:
+# compare content of PspCidTable table and PsActiveProcessHead list
+#
+
+from pykd import *
+import ntobj
+
+if __name__ == "__main__":
+
+ if not isSessionStart():
+ print "Script is launch out of WinDBG"
+ quit(0)
+
+ # build list from PsActiveProcessHead
+ pActiveProcessList = getOffset("nt", "PsActiveProcessHead")
+ lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt", "_EPROCESS", "ActiveProcessLinks")
+ lstActiveProcesses = [process.getAddress() for process in lstTypedActiveProcesses]
+
+ # build list from PspCidTable
+ pCidTable = ptrPtr(getOffset("nt", "PspCidTable"))
+ pProcessType = ptrPtr(getOffset("nt", "PsProcessType"))
+ lstProcessTable = ntobj.getListByHandleTable(pCidTable, pProcessType, False)
+
+ # compare lists and print result
+ founded = 0
+ for processFromTable in lstProcessTable:
+ if (0 == lstActiveProcesses.count(processFromTable)):
+ dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable)
+ founded += 1
+ dprintln("checked 0x%x processes" % len(lstProcessTable) + (", %u hidden" % founded if (0 != founded) else ", hidden not found"))
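Review bot: The per-process output line near the end of the hunk reports every PspCidTable entry absent from PsActiveProcessHead as definitely "removed", but the comparison runs in one direction only and can flag nothing that is no longer in PspCidTable, and a process caught mid-creation or mid-exit might plausibly sit in one structure but not yet the other, so the header comment should state that scope, e.g. `# Detects unlinking from PsActiveProcessHead only; entries missing from PspCidTable are not covered, and a process in transition may be a false positive - confirm each hit with !process`. The inner loop also calls `lstActiveProcesses.count(processFromTable)` once per table entry, which rescans the whole list each time; build the lookup once as `lstActiveProcesses = set(process.getAddress() for process in lstTypedActiveProcesses)` and test with `if processFromTable not in lstActiveProcesses:`. `founded` reads as a typo for `found`, and the banner `"Script is launch out of WinDBG"` would read better as `"Script is launched outside of WinDBG"`. On that same error path `quit(0)` exits with a success status, which hides the failure from anything checking the return code; `quit(1)` would be more accurate.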