I am writing a C# application that, among other things, automatically closes the advertisement a certain game displays after the user exits the game. My program accomplishes this by killing the game process when it detects that the user has exited the game. My program is similar to an Autohotkey script written by someone else that does similar things but it adds some features and a GUI.

Naturally, I used the Process.Kill method. However, that would fail with an "Access is denied" exception. I noticed that the Autohotkey script uses an unusual method of killing the process. I asked the author about it, and he said that he too had trouble killing the process with normal methods.

We suspect the reason normal process termination methods do not work is the HackShield software the game uses to attempt to combat cheating.

Here is the Autohotkey code the other guy's script uses for killing a process:

; kills all process instances of a given executable name
; COM AutoHotkey library code omitted
KillProcessInstances(exe)
{
  psvc := COM_GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
  pset := COM_Invoke(psvc, "ExecQuery", "Select * from Win32_Process Where Name = '" exe "'")
  penm := COM_Invoke(pset, "_NewEnum")
  Loop, % COM_Invoke(pset, "Count")
    If COM_Enumerate(penm, pobj)=0
    {
      COM_Invoke(pobj, "Terminate")
      COM_Release(pobj)
    }
  COM_Release(penm)
  COM_Release(pset)
  COM_Release(psvc)
}

I replaced the Process.Kill with the WMI calls in my program using the System.Management namespace and my program is now able to kill the process.

What I don't understand is what makes the WMI any different from Process.Kill. I would expect both to work or both to fail. In addition, Task Manager is able to kill the process just fine, but I would think it just uses a TerminateProcess win32 call just as Process.Kill surely does. Can anyone shed some light on the cause of the different behavior? If it matters, I'm running Windows XP.

Edit: wj32 explained why the WMI works, but can anyone explain why I can kill the process with Task Manager but not with my own program?

+1  A: 

WMI calls are not performed within the security context of your process. They are handled in another process (I'm guessing the Winmgmt service). This service runs under the SYSTEM account, and HackShield may be allowing the termination to continue due to this.

wj32
What about the fact that Task Manager can kill it? Is there anything special about Task Manager?
Greg Najda
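
The two termination paths discussed in this thread, side by side in C#, as an added example that is not code from either poster: `Process.Kill` issues the call from the calling process, while `Win32_Process.Terminate` is carried out through the WMI service, as the answer describes. The class and method names are hypothetical, and `game.exe` is a placeholder.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Management; // requires a reference to System.Management.dll

static class TerminationPaths // hypothetical helper, not from the thread
{
    // Direct path: the terminate call is made from this process.
    public static bool TryKillDirect(Process p)
    {
        try { p.Kill(); return true; }
        catch (InvalidOperationException) { return true; } // already exited
        catch (Win32Exception ex)
        {
            // This is where "Access is denied" surfaces.
            Console.WriteLine("Process.Kill failed: " + ex.Message);
            return false;
        }
    }

    // WMI path: the request is handed to the WMI service, which performs it.
    // Returns the number of instances WMI reports as terminated.
    public static int TerminateViaWmi(string exeName)
    {
        // Escape backslash and quote so the name cannot change the WQL query.
        string safe = exeName.Replace("\\", "\\\\").Replace("'", "\\'");
        int terminated = 0;
        using (var searcher = new ManagementObjectSearcher(
            "SELECT * FROM Win32_Process WHERE Name = '" + safe + "'"))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementObject mo in results)
            {
                using (mo)
                {
                    // Win32_Process.Terminate: 0 = success, 2 = access denied.
                    uint rc = Convert.ToUInt32(mo.InvokeMethod("Terminate", null));
                    if (rc == 0) terminated++;
                    else Console.WriteLine("Terminate returned " + rc);
                }
            }
        }
        return terminated;
    }

    static void Main()
    {
        Console.WriteLine(TerminateViaWmi("game.exe") + " instance(s) terminated");
    }
}
```

Unlike the AutoHotkey version, this checks the return code of `Terminate` for each instance, so an access-denied result from the WMI path is reported instead of being silently ignored.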