I have a requirement to hide a process in Task Manager. It is for Intranet scenario. So, everything is legitimate. :)

Please feel free to share any code you have (preferably in C#) or any other techniques or any issues in going with this route.

Update1: Most of the users have admin privileges in order to run some legacy apps. So, one of the suggestions was to hide it in Task Manager. If there are other approaches to prevent users from killing the process, that would be great.

Update2: Removing the reference to rootkit. It somehow made this post look negative.

+8  A: 

I hope that you would not be able to.

Update: given the scenario, I think that you will probably be best off running it under a different admin account. That may help alert people to the fact that they should not kill the process.

Marcin
I understand your point.
Gulzar
+2  A: 

Could you elaborate on why you need this?

It sounds like 'security by obscurity' and that, my friend, just doesn't work.

Sergio Acosta
+13  A: 

There is no supported way to accomplish this. The process list can be read at any privilege level. If you were hoping to hide a process from even Administrators, then this is doubly unsupported.

To get this to work, you would need to write a kernel mode rootkit to intercept calls to NtQuerySystemInformation so that the SystemProcessInformation info class fails to list your hidden process.

Intercepting system calls is very difficult to do safely, and the 64 bit Windows kernels go out of their way to prevent this from being possible: trying to modify the syscall table results in an instant blue screen. It's going to be very difficult on those platforms

Here is an example of a rootkit that tries to do something similar (and has several serious problems).

Chris Smith
+2  A: 

If you simply need to disguise the process and not hide it completely, you can rename it winlogon.exe or svchost.exe and it will likely be ignored by users. But as Sergio mentioned, that's security by obscurity and it's got a bad reputation for a reason.

Preventing users from killing a process is another difficulty if they have proper privileges. The only method I know is to have multiple processes that watch each other and restart any watched process which gets killed. Again, this is going down a shady path.

Ben Hoffstein
I hate to say it, but since users have admin privileges disguising the process is probably his best bet. Be wary, though: anti-virus software may see this as malicious behavior and just block the program.
Joel Coehoorn
+1  A: 

There is no easy or supported way to do this. Even if you wrote a rootkit to do it then that could very easily get broken by a future update that was made to plug that hole. I would reexamine whether that is something you want to do.

StubbornMule
+21  A: 

Don't try to stop it from being killed - you're not going to manage it. Instead, make it regularly call home to a webservice. When the webservice notices a client "going silent" it can ping the machine to see if it's just a reboot issue, and send an email to a manager (or whoever) to discipline whoever has killed the process.

Jon Skeet
First good answer; this is what I was looking for.
Gulzar
+100, I initially was looking to do what the original author wanted to do, but this sounds like an excellent idea.
Zack
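The server side of the "call home" design above, as an added illustration that is not code from the answer: agents post heartbeats, and a client that falls silent is triaged by a reachability probe (the isReachable delegate is a hypothetical stand-in for the ping the answer mentions). The sample machines and timestamps are constructed.

```csharp
using System;
using System.Collections.Generic;

// Web-service side: record agent heartbeats, then separate "machine rebooting/unreachable"
// from "agent process not running" for the clients that have gone silent.
public sealed class HeartbeatMonitor
{
    public enum SilenceReason { MachineUnreachable, ProcessNotRunning }

    private readonly Dictionary<string, DateTime> _lastSeen =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _maxSilence;

    public HeartbeatMonitor(TimeSpan maxSilence) { _maxSilence = maxSilence; }

    // Called by the heartbeat endpoint each time an agent checks in (machine name as client id).
    public void RecordHeartbeat(string machine, DateTime utcNow) { _lastSeen[machine] = utcNow; }

    // A silent machine that still answers the reachability probe (hypothetical delegate,
    // e.g. an ICMP ping) has lost only the agent; one that does not answer is down or rebooting.
    public IDictionary<string, SilenceReason> Triage(DateTime utcNow, Func<string, bool> isReachable)
    {
        var result = new Dictionary<string, SilenceReason>();
        foreach (var kv in _lastSeen)
        {
            if (utcNow - kv.Value <= _maxSilence) continue;   // still within the allowed gap
            result[kv.Key] = isReachable(kv.Key)
                ? SilenceReason.ProcessNotRunning
                : SilenceReason.MachineUnreachable;
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample data: one healthy client, one killed agent, one machine rebooting.
        var now = new DateTime(2008, 10, 1, 12, 0, 0, DateTimeKind.Utc);
        var monitor = new HeartbeatMonitor(TimeSpan.FromMinutes(5));
        monitor.RecordHeartbeat("PC-A", now.AddMinutes(-1));
        monitor.RecordHeartbeat("PC-B", now.AddMinutes(-12));
        monitor.RecordHeartbeat("PC-C", now.AddMinutes(-12));
        var reachable = new HashSet<string> { "PC-A", "PC-B" };

        foreach (var kv in monitor.Triage(now, m => reachable.Contains(m)))
            Console.WriteLine($"{kv.Key}: {kv.Value} -> notify manager");
        // Expected: PC-B: ProcessNotRunning, PC-C: MachineUnreachable (PC-A is not listed)
    }
}
```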
+10  A: 

If you want to prevent users from killing the process from Task Manager, you can just use a security descriptor on the process to deny terminate access to everyone. Administrators technically can still kill the process by taking ownership of the process and resetting the DACL, but there is no interface to do either of these things from Task Manager. Process Explorer may have an interface to, though.

When your process starts, use SetKernelObjectSecurity with DACL_SECURITY_INFORMATION using the current process handle. Set a DACL with zero ACLs. This will deny all access to everyone, including those trying to end your process with task manager.

Here is an example that also changes the process's owner:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* assert() is compiled out under NDEBUG, which would silently drop every call below,
   so use an explicit check that reports the Win32 error instead. */
#define CHECK(call) do { if (!(call)) { \
    fprintf(stderr, "%s failed, error %lu\n", #call, GetLastError()); exit(1); } } while (0)

int main(void)
{
    SECURITY_DESCRIPTOR sd;
    ACL dacl;
    SID_IDENTIFIER_AUTHORITY ntauth = SECURITY_NT_AUTHORITY;
    PSID owner;

    /* An ACL with no ACEs: present but empty, so it grants no access to anyone. */
    CHECK(InitializeAcl(&dacl, sizeof dacl, ACL_REVISION));
    /* Make LocalSystem the owner so the launching user loses the owner's implicit WRITE_DAC right. */
    CHECK(AllocateAndInitializeSid(&ntauth, 1, SECURITY_LOCAL_SYSTEM_RID, 0,0,0,0,0,0,0, &owner));
    CHECK(InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION));
    CHECK(SetSecurityDescriptorDacl(&sd, TRUE, &dacl, FALSE));
    CHECK(SetSecurityDescriptorOwner(&sd, owner, FALSE));
    CHECK(SetKernelObjectSecurity(GetCurrentProcess(),
                                  DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION, &sd));
    /* FreeSid returns NULL on success. */
    CHECK(FreeSid(owner) == NULL);
    return 0;
}

Unfortunately, it doesn't seem to be effective. I can still close the process (although not as a limited user). Perhaps Task Manager is taking ownership or invoking some other privilege to kill the process? I seem to remember this working in previous versions of Windows (I was testing 2003), but I could be mistaken.

Chris Smith
+10. This is definitely worth looking at... Thanks a bunch.
Gulzar
I've tried to do this in a sample app, but it didn't seem to have any effect (although all of the calls succeeded). I hate to say it, but can you link to some code that does this?
Stephen Deken
I was about to ask the same question. Thanks Stephen.
Gulzar
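The same DACL technique in C# (the language the question asked for), as an added example that is not the answer's code: it builds the empty DACL from the SDDL string "D:" with RawSecurityDescriptor instead of the Win32 builder calls, and it deliberately leaves the owner unchanged, so the launching user keeps the owner's implicit READ_CONTROL and WRITE_DAC rights. It assumes a Windows build of .NET; the P/Invoke signatures are the documented advapi32/kernel32 ones.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;

// Applies an empty DACL to the calling process so that an ordinary caller cannot open it
// for PROCESS_TERMINATE (or any other access right). Handles opened before the change keep
// whatever access they were granted, because the check happens at open time.
public static class ProcessDacl
{
    private const uint DACL_SECURITY_INFORMATION = 0x00000004;

    [DllImport("kernel32.dll")]
    private static extern IntPtr GetCurrentProcess();

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool SetKernelObjectSecurity(
        IntPtr handle, uint securityInformation, byte[] securityDescriptor);

    // "D:" is a present-but-empty DACL, which grants nobody anything.
    // "D:NO_ACCESS_CONTROL" would instead be a NULL DACL, i.e. everyone gets full access.
    public static byte[] BuildEmptyDaclDescriptor()
    {
        var sd = new RawSecurityDescriptor("D:");
        var buffer = new byte[sd.BinaryLength];   // self-relative binary form
        sd.GetBinaryForm(buffer, 0);
        return buffer;
    }

    public static void DenyAllAccessToCurrentProcess()
    {
        if (!SetKernelObjectSecurity(GetCurrentProcess(), DACL_SECURITY_INFORMATION,
                                     BuildEmptyDaclDescriptor()))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    public static void Main()
    {
        DenyAllAccessToCurrentProcess();
        Console.WriteLine("Empty DACL applied; End Task from a non-elevated Task Manager is now denied.");
        Console.ReadLine();   // keep the process alive so the effect can be observed
    }
}
```

The behaviour Chris and Stephen report is consistent with the access check being bypassed rather than failed: a token holding SeDebugPrivilege (which Task Manager enables when it runs elevated) can open any process regardless of its DACL, so this only blocks non-administrative users.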
+2  A: 

Alternatively, you could write a small "checker" utility that checks if the app is running, and if it isn't it automatically starts it. Then add code to the app to check for the "checker" utility that does the same. This way if one is terminated, then the other starts it back up. I've seen viruses do this, and it seems to work pretty effectively.

Chris Pietschmann
Yeah, it's possible. I wanted to avoid the CPU cycles for all that checking.
Gulzar
A: 

What about just asking the users not to kill the process? How much time will you spend doing this, for behavior that is clearly childish from employees in the same company?

pmlarocque
The process is in place to educate users. I have to cover this possibility from a technical angle.
Gulzar
A: 

Do you have some code for checking and running the application again and again?

Mohammad Kashif
+1  A: 

As people mentioned above, the best method is 2 tasks monitoring each other. I understand you don't want to waste CPU, so the best way is to establish an event between the tasks which will be triggered when one closes.

I am not entirely sure on how to set up the hook, but then you don't use a while loop which does waste CPU.

eitama
+1  A: 

Hi guys.

I am writing a parental control system. This is a C#.NET executable, ParentalController.exe, and is started with System.Diagnostics.Process.Start. The app is working fine, but I don't want the children to stop ParentalController.exe from Task Manager. Please help me with this. I have tried the checker solution, which means two apps are guarding each other, but I don't like this solution theoretically because a clever child can stop both executables. So I am looking for a solution in which the child just cannot stop the application and its guardian. However, the administrator can stop it.

Please help me.

ihtesham
This should be posted as a separate question, not as an answer to a question asked back in 2008. Please use the **[Ask Question]** button at the top right of the page if you haven't resolved this issue yet.
Bill the Lizard
A: 

Have you looked at writing a service? This way the service runs as the local system, and the application runs under the user's context, and the service can ensure that things are still done as needed, and the application is just an interface to this service. Killing the application would just result in the user not seeing any notices, system tray icon, etc, but the service is still doing its job.

Rick
A: 

Here's my Codeproject Project. It might be of some help...

st0le