5

I'm looking for a way to write an application. I use Visual C++ 6.0.

I need to prevent the user from closing this process via task manager.

  • 66
    I sincerely hope there is no way to do this. – balpha Jun 14 '09 at 11:41
  • 5
    Try explaining a bit more of what you need. Why do you need to prevent the user from closing it? There might be another solution if we get a bit more background info. Also for heaven's sake, ditch VC6 already! If you're planning to write C++ code, do yourself a favor and use a proper C++ compiler, not one that predates the language standard. – jalf Jun 14 '09 at 11:45
  • 1
    You could use two programs which watch each other. If the other program dies, the first just restarts it. I think you cannot kill two programs at the same time with the Task Manager. If you want to retain the program state, perform a periodic save. – akarnokd Jun 14 '09 at 11:46
  • 3
    This has been asked before (but I can't find the original). It can't be done, nor should it be allowed. – Binary Worrier Jun 14 '09 at 11:47
  • kd304: You can suspend one of the two programs and kill them one after the other. – Joey Jun 14 '09 at 11:48
  • 1
    @kd304 This is no solution. The administrator can kill the process tree. If process1 starts process2 or vice-versa, one will come under the other's tree and hence the admin can always kill the parent. – siddhant3s Jun 14 '09 at 12:07
  • It can be done because viruses do it all the time. I don't know how though and I wouldn't tell you even if I did. – SpliFF Jun 14 '09 at 14:44
  • 2
    duplicate of http://stackoverflow.com/questions/922207/how-to-make-a-program-thats-impossible-to-be-killed-windows and http://stackoverflow.com/questions/712870/windows-services – sean e Jun 14 '09 at 15:51
  • 1
    I should also note that an unkillable process would not only be annoying to the end user, but probably to you as well. Since you are bound to eventually make mistakes during development (you're human, it's gonna happen), you're eventually going to get bit by your own process. – Michael Kohne Jun 23 '09 at 01:29
  • 1
    The best answer I saw is here: http://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows – YaDa Nov 17 '13 at 08:33

10 Answers

33

You can't do it.

rtn
  • 17
    +1. That's right. And you shouldn't be trying. It's not your machine, it belongs to the user. – paxdiablo Jun 14 '09 at 12:35
  • 2
    And (as mentioned on the other question, which apparently got deleted) it also would prevent Windows from shutting down. – GalacticCowboy Jun 14 '09 at 12:43
  • "You can't do it" == "You can not do it" ;) – rtn Jun 14 '09 at 15:26
  • 3
    Actually "You can't do it" == "You cannot do it" :-) – Mark Pattison Jun 15 '09 at 09:34
  • 3
    We just had one, it is rather by accident, never mind. This post is quite old, but check out Mark Russinovich's blog post "Unkillable Processes" - http://blogs.technet.com/b/markrussinovich/archive/2005/08/17/unkillable-processes.aspx – flq Sep 01 '10 at 09:27
  • 6
    Nonsense. Here's a great answer at the Security StackExchange showing a number of ways to do it. http://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows – MarioVilas Jul 06 '13 at 14:21
  • 3
    Then how do antivirus do this? Like when I terminate avast process from task manager, it gives me Access Denied – mrid Jun 16 '19 at 12:38
18

Raymond Chen on why this is a bad idea.

Ken Keenan
  • 3
    The question was about how to do this (maybe to know why to protect against that), not about whether it is a good idea or not. – ya23 Jun 14 '09 at 13:01
  • 10
    @ya23: ok then - would you answer, "How can I write a program to kill my wife?" Nothing wrong with calling out a bad idea... – Shog9 Jun 14 '09 at 17:33
  • @Shog9: write the unkillable program. She'll have a brain aneurysm trying to figure out why her computer won't shut down... – GalacticCowboy Jun 15 '09 at 20:21
  • 2
    @Shog9, there's nothing wrong with calling out a bad idea, but doing so isn't an answer to his question either. – mrduclaw Oct 18 '09 at 03:54
  • Nothing wrong with pointing out it is a bad idea - even when anti-virus and anti-malware applications do it. Still, your answer is not an answer to the question - it's a comment. I agree with your comment; here I am trying to kill anti-virus software on a customer's server because they refuse to uninstall anti-virus software from their servers. We *wish* Microsoft hadn't added *"Protected Services"* with Windows 8 - but here we are. So now we're trying to reverse engineer how McAfee and Cylance did it, so I can kill them from their server. – Ian Boyd Sep 21 '21 at 19:02
17

You can make an unkillable process, but it won't be able to accomplish anything useful while it's unkillable. For example, one way to make a process unkillable is to have it make synchronous I/O requests to a driver that can never complete (for example, by deliberately writing a buggy driver). The kernel will not allow a process to terminate until the I/O requests finish.

So it's not quite true that you "can't do it" as some people are saying. But you wouldn't want to anyway.

John Feminella
  • 1
    This won't work either - it will make it harder to kill but not unkillable. The system will terminate the threads that can be terminated. Those threads that are 'stuck' in a driver will not be killed but they cannot do any work. – Foredecker Jun 14 '09 at 14:39
  • 6
    @Foredecker » Right, but that's why I said "it won't be able to accomplish anything useful while it's unkillable". – John Feminella Jun 14 '09 at 15:14
  • But couldn't you then write code that does something useful in the driver? – ghord May 08 '13 at 13:11
  • @ghord Sure, but running a program requires different permissions than installing drivers. And then you could have just written the program to do the useful thing in the first place. – John Feminella May 09 '13 at 06:19
7

That all depends on who shouldn't be able to kill that process. You usually have one interactively logged-on user. Running the process in that context will allow the user to kill it. It is her process so she can kill it, no surprise here.

If your user has limited privileges you can always start the process as another user. A user can't kill a process belonging to another user (except for the administrator), no surprise here as well.

You can also try to get your process running with Local System privileges where, I think, not even an administrator could kill it (even though he could gain permission to do so, iirc).

In general, though, it's a terribly bad idea. Your process does not own the machine, the user does. The only unkillable process on a computer I know is the operating system and rightly so. You have to make sure that you can't hog resources (which can't be released because you're unkillable) and other malicious side-effects. Usually stuff like this isn't the domain of normal applications and they should stay away from that for a reason.

Joey
  • +1 for the last paragraph. Interesting corollary - if you have to ask, you're not sufficiently skilled/knowledgeable to understand or correctly implement the answer... – GalacticCowboy Jun 14 '09 at 12:49
5

What I've learned from malware:

  • Create a process that spawns a dozen of itself
  • Each time you detect that one is missing (it was killed) spawn a dozen more.
  • Each one should be a unique process name so that a batch process could not easily kill all of them by name
  • Sequentially close and restart some of the processes to keep the pids changing which would also prevent a batch kill
SeanDowney
  • **MUHUHAHAHAHAHAHA!!!** :) Of course, if you have an Antivirus, it should stop this behavior from occurring. (Assuming there is no 'exploit'.) – Mateen Ulhaq Nov 24 '11 at 03:27
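
Seen from the defending side, the pattern in this answer defeats cleanup by process name or by PID, but the copies still share one image hash. The following is an added example, not part of the original answer, that flags such a family in process-creation events; the event tuples, hash labels and thresholds are constructed assumptions, and it presumes the copies are byte-identical files.

```python
from collections import defaultdict, deque

# Constructed process-creation events (not real telemetry):
# (time_s, pid, parent_pid, image_name, image_hash)
EVENTS = [
    (0.0, 3100, 900, "browser.exe", "hash-browser"),
    (0.2, 3104, 3100, "browser.exe", "hash-browser"),
    (0.3, 3108, 3100, "browser.exe", "hash-browser"),
    (1.0, 4012, 900, "kq3f.exe", "hash-x"),
    (1.1, 4016, 4012, "p9zt.exe", "hash-x"),
    (1.2, 4020, 4012, "w2ma.exe", "hash-x"),
    (1.3, 4024, 4012, "r7bd.exe", "hash-x"),
    (1.4, 4028, 4012, "t5vc.exe", "hash-x"),
    (9.0, 4032, 4016, "h1ye.exe", "hash-x"),
    (40.0, 5000, 900, "notepad.exe", "hash-notepad"),
]

def name_counts(events):
    """Naive view: launches per image name. Renamed copies each count once."""
    counts = defaultdict(int)
    for _, _, _, name, _ in events:
        counts[name] += 1
    return dict(counts)

def respawn_families(events, window_s=10.0, min_names=5):
    """Flag image hashes launched under >= min_names distinct file names
    within any window_s-second span; return their names and PIDs."""
    recent = defaultdict(deque)          # hash -> (time, name, pid) in window
    flagged = defaultdict(lambda: {"names": set(), "pids": set()})
    for t, pid, _ppid, name, image_hash in sorted(events, key=lambda e: e[0]):
        window = recent[image_hash]
        window.append((t, name, pid))
        while t - window[0][0] > window_s:   # drop launches older than the window
            window.popleft()
        if len({n for _, n, _ in window}) >= min_names:
            for _, n, p in window:
                flagged[image_hash]["names"].add(n)
                flagged[image_hash]["pids"].add(p)
    return {h: {"names": sorted(v["names"]), "pids": sorted(v["pids"])}
            for h, v in flagged.items()}

if __name__ == "__main__":
    print(name_counts(EVENTS))        # every renamed copy looks like a one-off
    for h, family in respawn_families(EVENTS).items():
        print(h, family["pids"], family["names"])
```

The multi-process browser is not flagged because all of its children keep a single image name; the returned PID set is what a responder would handle as one group rather than one process at a time.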
5

It's been a Win32 FAQ for decades. See Google Groups and Und. boards for well-known methods (hooking cs and others...).
Noobs who answer "You can't do it" know nothing about Win32 programming: you can do everything with the Win32 API...

  • 3
    Everything, except creating unkillable processes. If you use a special account to give access denied, then just launch Task Manager with a higher account. If you have a watcher process, kill that watcher process. If you hide from Task Manager, use a different tool like process explorer. If you make it a system process or device driver somehow that takes down the entire system (think ntlogon et al), just remove it. It's as easy as removing a Virus or Rootkit. – Michael Stum Jun 15 '09 at 09:39
  • @MichaelStum nah, you can make unkillable processes. just not ones that do useful things. plenty of ntfs bugs that can cause a kernel call to hang indefinitely and prevent killing. – Erik Aronesty Nov 29 '21 at 18:28
3

Depends on the user's permissions. If you run the program as administrator, a normal user will not have enough permissions to kill your process. If an administrator tries to kill the process he will in most cases succeed. If you really want someone not to kill your process you should take a look at Windows system services and driver development. In any case, please be aware that if a user cannot kill a process he is stuck with it, even though it behaves abnormally due to bugs! You will find a huge wealth of this kind of programs/examples on the legal! site rootkit.com. Please respect the user.

merkuro
2

I just stumbled upon this post while trying to find a solution to my own (unintentional) unkillable process problem. Maybe my problem will be your solution.

  1. Use jboss Web Native to install a service that will run a batch file (modify service.bat so that it invokes your own batch file)
  2. In your own batch file, invoke a java process that performs whatever task you'd like to persist
  3. Start the service. If you view the process in process explorer, the resulting tree will look like:

jbosssvc.exe -> cmd.exe -> java.exe

  4. Use taskkill from an administrative command prompt to kill cmd.exe. Jbosssvc.exe will terminate, and java.exe will be an orphaned running process that (as far as I can tell) can't be killed. So far, I've tried with Task Manager, process explorer (running as admin), and taskkill to no avail.

Disclaimer: There are very few instances where doing this is a good idea, as everyone else has said.

mathaetaes
1

There's not a 100% foolproof method, but it should be possible to protect a process this way. Unfortunately, it would require more knowledge of the Windows security system API than I have right now, but the principle is simple: Let the application run under a different (administrator) account and set the security properties of the process object to the maximum. (Denying all other users the right to close the process, thus only the special administrator account can close it.) Set up a secondary service and make it run as a process guardian. It should have a lifeline to the protected application and when this lifeline gets cut (the application closes) then it should restart the process again. (This lifeline would be any kind of inter-process communications.) There are still ways to kill such an unkillable process, though. But that does require knowledge that most users don't really know about, so about 85% of all users won't have a clue to stop your process.

Do keep in mind that there might be legal consequences to creating an application like this. For example, Sony created a rootkit application that installed itself automatically when people inserted a Sony music CD or game CD in their computer. This was part of their DRM solution. Unfortunately, it was quite hard to kill this application and was installed without any warnings to the users. Worse, it had a few weaknesses that would provide hackers with additional ways to get access to those systems and thus to get quite a few of them infected. Sony had to compensate quite a lot of people for damages and had to pay a large fine. (And then I won't even mention the consequences it had on their reputation.)

I would consider such an application to be legal only when you install it on your own computer. If you're planning to sell this application to others, you must tell those buyers how to kill the process, if need be. I know Symantec is doing something similar with their software, which is exactly why I don't use their software anymore. It's my computer, so I should be able to kill any process I like.

Wim ten Brink
0

The oldest idea in the world, two processes that respawn each other?

ilya n.