
I noticed that GoogleToolbarNotifier.exe cannot be killed from Process Explorer. It returns "Access Denied". It runs as the user, it runs "Normal" priority, and it runs from Program Files.

How did they do it?

I think there might be a way to modify the ACL, or mark the process as 'critical', but I cannot seem to locate anything.

Update:

I found the answer with a good bit of digging. @Alex K. was correct in that PROCESS_TERMINATE permission was removed for the process, but I wanted to supply the answer in code:

#include <windows.h>
#include <aclapi.h>
#include <tchar.h>

static bool ProtectProcess()
{
    // GetCurrentProcess() returns a pseudo handle; closing it later is a harmless no-op
    HANDLE hProcess = GetCurrentProcess();
    EXPLICIT_ACCESS denyAccess = {0};
    DWORD dwAccessPermissions = GENERIC_WRITE|PROCESS_ALL_ACCESS|WRITE_DAC|DELETE|WRITE_OWNER|READ_CONTROL;
    // One deny ACE for the calling user ("CURRENT_USER" is a predefined trustee name)
    BuildExplicitAccessWithName( &denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE );
    PACL pTempDacl = NULL;
    DWORD dwErr = SetEntriesInAcl( 1, &denyAccess, NULL, &pTempDacl );
    if ( dwErr != ERROR_SUCCESS )
        return false;
    // Replace the process object's DACL with the one just built
    dwErr = SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL );
    LocalFree( pTempDacl );
    CloseHandle( hProcess );
    return dwErr == ERROR_SUCCESS;
}
Blazes
  • Is it running with admin permissions and PE isn't? – Sushisource May 31 '11 at 10:07
  • PE is running with admin (elevated) permissions. Process is normal non-admin user. – Blazes May 31 '11 at 10:27
  • It works great, thanks. You should post it as an answer and accept it. – Andriy Tylychko Jul 27 '11 at 08:46
  • You must not close the process handle retrieved by GetCurrentProcess since it is a pseudo handle. – Norbert Willhelm Mar 25 '12 at 15:54
  • @NorbertWillhelm, thanks for the tip regarding the pseudo handle. Though, just to clarify the docs say it has no effect... "The pseudo handle need not be closed when it is no longer needed. Calling the CloseHandle function with a pseudo handle has no effect." – Blazes Mar 27 '12 at 09:55
  • Refer to the following link: http://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows – Raghav Guar Sep 10 '13 at 11:57
  • Please post your answer in an answer, not in the question. – Nic Oct 08 '15 at 12:26
  • Does this work in Windows 7? I can't get it working for some reason. It always lets me stop the process either from Task Manager or by just closing the program normally. – Edw590 May 08 '19 at 16:49

3 Answers


The code given in the question is misleading. It constructs a DACL with no allow entries and one deny entry; that might make sense if you were applying the DACL to a file with inheritance enabled, but in this case the deny entry is redundant. In the Windows access control model, if a DACL exists but contains no matching ACE, access is implicitly denied.

Here's my version, which applies an empty DACL, denying all access. (Note that it returns an error code rather than a boolean.)

#include <windows.h>
#include <aclapi.h>
#include <stdlib.h>

DWORD ProtectProcess(void)
{
    HANDLE hProcess = GetCurrentProcess();
    PACL pEmptyDacl;
    DWORD dwErr;

    // using malloc guarantees proper alignment
    pEmptyDacl = (PACL)malloc(sizeof(ACL));
    if (pEmptyDacl == NULL)
        return ERROR_NOT_ENOUGH_MEMORY;

    // an ACL header with zero ACEs: nothing matches, so nothing is granted
    if (!InitializeAcl(pEmptyDacl, sizeof(ACL), ACL_REVISION))
    {
        dwErr = GetLastError();
    }
    else
    {
        dwErr = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT,
                   DACL_SECURITY_INFORMATION, NULL, NULL, pEmptyDacl, NULL);
    }

    free(pEmptyDacl);
    return dwErr;
}
Harry Johnston
  • This solution did not work for me on XP. I could still terminate the process from Process Explorer. – kobik Jan 17 '17 at 14:21
  • @kobik: were you logged on as an administrator? XP doesn't have UAC, so if you're logged on with administrative rights then Process Explorer is running with administrative rights. As wj32 already noted, if Process Explorer is running with administrative rights the process permissions are bypassed. This is by design. – Harry Johnston Jan 17 '17 at 20:31
  • @SneakyTactician, the Task Manager in Windows 10 auto-elevates, so if your account has administrative privileges - which it usually will, except perhaps in an enterprise environment - then Task Manager will always be able to kill a process regardless of the permissions. (On Windows 7 you had to ask Task Manager to elevate via the "Show processes from all users" button.) – Harry Johnston Sep 05 '17 at 22:31
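To make the rule this answer relies on concrete (a DACL with no matching ACE denies, so the deny-only DACL in the question is redundant; a NULL DACL grants everything; and, as wj32 notes under the other answer, SeDebugPrivilege skips the check for processes altogether), here is an added example that is not from this thread and not Microsoft code: a small, portable C model of the order in which Windows walks the ACEs of a process DACL. The SID, token, ACE and ACL types and the scenario DACLs are constructed stand-ins for the real structures; only the model's logic is the point.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the Win32 types (this is a model, not the SDK). */
typedef uint32_t ACCESS_MASK;
typedef int      SID;                  /* a real SID is a variable-length structure */

#define PROCESS_TERMINATE   0x0001u    /* real value */
#define PROCESS_VM_READ     0x0010u    /* real value */
#define PROCESS_ALL_ACCESS  0x1FFFFFu  /* value in current SDKs; older SDKs define fewer bits */

enum ace_type { ACE_ALLOW, ACE_DENY };

typedef struct { enum ace_type type; SID trustee; ACCESS_MASK mask; } ACE;
typedef struct { size_t count; const ACE *aces; } ACL;  /* count == 0 is an empty DACL */
typedef struct { const SID *sids; size_t nsids; bool debug_privilege; } TOKEN;

static bool token_has_sid(const TOKEN *t, SID s)
{
    for (size_t i = 0; i < t->nsids; i++)
        if (t->sids[i] == s) return true;
    return false;
}

/* Returns true when every bit of `requested` is granted.
 * dacl == NULL models a NULL DACL (no protection at all). */
bool process_access_check(const ACL *dacl, const TOKEN *caller, ACCESS_MASK requested)
{
    /* SeDebugPrivilege: process and thread opens bypass the DACL (wj32's comment). */
    if (caller->debug_privilege)
        return true;
    /* NULL DACL: everyone gets everything, the opposite of an empty DACL. */
    if (dacl == NULL)
        return true;

    ACCESS_MASK remaining = requested;
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const ACE *ace = &dacl->aces[i];
        if (!token_has_sid(caller, ace->trustee))
            continue;                        /* ACE is for someone else */
        if (ace->type == ACE_DENY && (ace->mask & remaining))
            return false;                    /* a deny on any still-wanted bit ends the check */
        if (ace->type == ACE_ALLOW)
            remaining &= ~ace->mask;         /* granted bits are no longer wanted */
    }
    /* Bits no ACE granted are implicitly denied; an empty DACL always ends here. */
    return remaining == 0;
}

/* Constructed scenarios. */
#define SID_USER 1
static const SID user_sids[] = { SID_USER };
static const TOKEN user_token  = { user_sids, 1, false };
static const TOKEN debug_token = { user_sids, 1, true };

/* The question's DACL: one deny ACE for the user and no allow ACEs. */
static const ACE deny_only_aces[] = { { ACE_DENY, SID_USER, PROCESS_ALL_ACCESS } };
static const ACL deny_only_dacl = { 1, deny_only_aces };
/* This answer's DACL: no ACEs at all. */
static const ACL empty_dacl = { 0, NULL };
/* A permissive DACL: the user is allowed everything. */
static const ACE allow_aces[] = { { ACE_ALLOW, SID_USER, PROCESS_ALL_ACCESS } };
static const ACL allow_dacl = { 1, allow_aces };
/* The same two ACEs in both orders, to show why canonical order puts denies first. */
static const ACE deny_then_allow_aces[] = {
    { ACE_DENY,  SID_USER, PROCESS_TERMINATE },
    { ACE_ALLOW, SID_USER, PROCESS_ALL_ACCESS },
};
static const ACE allow_then_deny_aces[] = {
    { ACE_ALLOW, SID_USER, PROCESS_ALL_ACCESS },
    { ACE_DENY,  SID_USER, PROCESS_TERMINATE },
};
static const ACL deny_then_allow_dacl = { 2, deny_then_allow_aces };
static const ACL allow_then_deny_dacl = { 2, allow_then_deny_aces };

bool terminate_allowed(const ACL *dacl, const TOKEN *caller)
{
    return process_access_check(dacl, caller, PROCESS_TERMINATE);
}

int main(void)
{
    const char *v[] = { "denied", "granted" };
    printf("deny-only DACL, user:         %s\n", v[terminate_allowed(&deny_only_dacl, &user_token)]);
    printf("empty DACL, user:             %s\n", v[terminate_allowed(&empty_dacl, &user_token)]);
    printf("NULL DACL, user:              %s\n", v[terminate_allowed(NULL, &user_token)]);
    printf("allow DACL, user:             %s\n", v[terminate_allowed(&allow_dacl, &user_token)]);
    printf("deny-then-allow DACL, user:   %s\n", v[terminate_allowed(&deny_then_allow_dacl, &user_token)]);
    printf("allow-then-deny DACL, user:   %s\n", v[terminate_allowed(&allow_then_deny_dacl, &user_token)]);
    printf("empty DACL, SeDebugPrivilege: %s\n", v[terminate_allowed(&empty_dacl, &debug_token)]);
    return 0;
}
```

The deny-only and empty DACLs produce the same result for the user, which is the redundancy described above; the allow-then-deny case shows that a deny ACE placed after an allow that already granted the bit has no effect, which is why tools write denies first. Parts of the real check that this thread does not touch (the object owner's implicit READ_CONTROL and WRITE_DAC, protected processes) are deliberately left out of the model.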

When running, my copy of that has Deny set on the Terminate permission (Process Explorer shows this).

Presumably they call SetKernelObjectSecurity to change/remove the ACLs when their process loads.

Alex K.
  • Note that this has no effect when running programs like Task Manager and Process Explorer as admin, because with SeDebugPrivilege, access checking is bypassed for processes and threads. – wj32 May 31 '11 at 10:53
  • Gave you credit because you were correct about the PROCESS_TERMINATE permission. I eventually found code to do that... – Blazes May 31 '11 at 13:00

I have tried to do it by writing a Windows service and then making some changes.

Here is the link to write a simple Windows service: http://code.msdn.microsoft.com/windowsdesktop/CppWindowsService-cacf4948

We can update the ServiceBase.cpp file with the following two statements:

fCanStop=FALSE; fCanShutdown=FALSE;

Raghav Guar
  • A small console program, namely nuke-m, can kill your service on the fly, even if you set both values to false. – Zen Of Kursat Feb 11 '15 at 10:57
  • This doesn't affect Process Explorer, it will only affect the Service administrative tool (and equivalent tools such as `sc`). So it isn't relevant to this question. – Harry Johnston Jan 17 '17 at 21:18