3

We are developing a .NET application to run on startup for all users. Now we want to hide this application from Task Manager -> process list so that the logged-in user cannot delete it. We are using Windows XP.

Please let me know if this is feasible.

Rcrd 009
  • 4
    I really hope that this is not possible, because it would be great for key loggers or the likes. – Franky Aug 21 '12 at 09:05

3 Answers

4

It's definitely possible to hide a process; you're talking about designing a rootkit. If that's actually what you want to do, see this question.

It's usually not the right way to approach this problem, however: if you're the admin of a machine and you don't wish other users to kill a process, you simply don't give them permissions to do it.

Have your users log on with a limited user account and have your application run under a different account.


To get logon time reliably, you can use either the Windows security logs or, if you're on a domain, Active Directory services:

Getting Local Windows User login session timestamp in C#

Getting idle time is more complicated because it depends on what you consider "idle" to be, but if you consider GetLastInputInfo() sufficient, this question describes a good way to do it, with a user process reporting back to a system process:

Getting user Idle time in C#?

Since the user cannot kill the system process, you could have that watch the user process and recreate it if necessary.

Community
Colin Pickard
  • 1
    Yes, our users are logging in with a limited user account. This app is placed in all users' startup. – Rcrd 009 Aug 21 '12 at 09:11
  • Sounds like it should be straightforward then - instead of placing the app in the users startup, have it run under a different account. If it should be running all the time, you should probably make it a [Windows Service](http://en.wikipedia.org/wiki/Windows_service) – Colin Pickard Aug 21 '12 at 09:15
  • Okay. How can we make this app run under a different account? Even if we manage to do this, we also have another hurdle. Our application takes the logged-in user name and writes their login time and idle time to a database. So if we manage to run as a different user, the username recorded would be that of the user who started the app, right? Please let me know. – Rcrd 009 Aug 21 '12 at 09:18
  • I've updated my answer. Running under a different account is easy if you're running as a service - you can choose the account at install time and the machine administrator can even change accounts from the control panel services menu. There are a number of tutorials on MSDN and the net covering Windows services; if you're using Visual Studio, there's a specific project type for them. – Colin Pickard Aug 21 '12 at 09:32
1

Hide it in plain sight: make it run as a service with a name that looks like it should be part of Windows.

Then have another service that watches for this one shutting down and restarts it.

Avner Shahar-Kashtan
Preet Sangha
  • 1
    Well, the OP just states that they don't want the user **deleting** it; I would say name it *correctly*, which is fine as non-admin users won't have the ability to stop/terminate a service (and admin users you can't really stop *anyway*) – Marc Gravell Aug 21 '12 at 09:07
  • @MarcGravell I suspect that's not what the OP means :-) – Preet Sangha Aug 21 '12 at 09:08
1

That's what Windows security is for. Define the user account's permissions in such a way that he/she cannot manage services or kill processes.

If the case is as you described in comments under Colin's answer, then you can run a service-level process that respawns the user process every time it is killed (by the user). This way it is even simpler. You can use CreateProcessAsUser from WinApi to execute a process on behalf of the user: http://msdn.microsoft.com/en-us/library/ms682429%28v=vs.85%29.aspx

Kuba Wyrostek
  • Is it possible to deny process killing even if they have started that process? In my case, we are placing this app in all users' startup. So whenever a user logs in, he is the owner of that app in the process list. Is it possible to remove this permission also? – Rcrd 009 Aug 21 '12 at 09:12
  • If the case is as you described in comments under Colin's answer, then you can run a service-level process that respawns the user process every time it is killed (by the user). This way it is even simpler. You can use CreateProcessAsUser from WinApi to execute a process on behalf of the user: http://msdn.microsoft.com/en-us/library/ms682429%28v=vs.85%29.aspx – Kuba Wyrostek Aug 21 '12 at 09:36
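
The permission-based approach recommended in the answers can be verified rather than assumed. The following is an added example, not code from the original answers: it audits a service's DACL, in the SDDL form that `sc sdshow` prints, for allow ACEs that let anyone other than LocalSystem or Administrators stop, delete or reconfigure the service. The sample strings, the function names and the trusted-trustee set are assumptions made for the illustration.

```python
import re

# SDDL right codes -> access-mask bits (interpreted as service rights).
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
        "GW": 0x40000000, "GR": 0x80000000}
# Bits that let a trustee stop, reconfigure, delete or re-permission a service.
RISKY = {0x20: "stop", 0x2: "change config", 0x10000: "delete",
         0x40000: "write DACL", 0x80000: "write owner",
         0x10000000: "generic all", 0x20000000: "generic execute",
         0x40000000: "generic write"}
TRUSTED = {"SY", "BA"}  # assumption: only LocalSystem and Administrators manage it

# Constructed samples in the format `sc sdshow <service>` prints.
LOCKED_DOWN = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
TOO_OPEN = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;0x40002;;;BU)")

def rights_mask(rights):
    """Convert an ACE rights field (two-letter codes or hex) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= BITS[rights[i:i + 2]]  # KeyError on an unknown code
    return mask

def audit_service_sddl(sddl, trusted=TRUSTED):
    """Map each non-trusted trustee to the risky rights its allow ACEs grant."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL ACEs found")
    findings = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + ace)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type != "A" or trustee in trusted:
            continue  # deny/audit ACEs and trusted trustees are not findings
        risky = [name for bit, name in RISKY.items() if rights_mask(rights) & bit]
        if risky:
            findings.setdefault(trustee, []).extend(risky)
    return findings

if __name__ == "__main__":
    print(audit_service_sddl(LOCKED_DOWN), audit_service_sddl(TOO_OPEN))
```

An empty result means that no limited account holds a right that would let it stop or alter the service; any entry names the trustee and the rights to remove from the service's security descriptor.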