I'm looking for a way to write an application. I use Visual C++ 6.0.

I need to prevent the user from closing this process via task manager.

+32  A: 

You can't do it.

Magnus Skog
+1. That's right. And you shouldn't be trying. It's not your machine, it belongs to the user.
paxdiablo
And (as mentioned on the other question, which apparently got deleted) it also would prevent Windows from shutting down.
GalacticCowboy
Thanks for all your +1s. It's quite amazing how you sometimes can spend hours to provide a good answer and get 0 upvotes. Yet it can be enough with five words in another context :)
Magnus Skog
@Magnus » Four words. ;)
John Feminella
"You can't do it" == "You can not do it" ;)
Magnus Skog
Actually "You can't do it" == "You cannot do it" :-)
Mark Pattison
Hehe, seems I need to look up my old English teacher with a baseball bat :p
Magnus Skog
We just had one, it is rather by accident, never mind. This post is quite old, but check out Mark Russinovich's blog post "Unkillable Processes" - http://blogs.technet.com/b/markrussinovich/archive/2005/08/17/unkillable-processes.aspx
flq
+5  A: 

That all depends on who shouldn't be able to kill that process. You usually have one interactively logged-on user. Running the process in that context will allow the user to kill it. It is her process so she can kill it, no surprise here.

If your user has limited privileges you can always start the process as another user. A user can't kill a process belonging to another user (except for the administrator), no surprise here as well.

You can also try to get your process running with Local System privileges where, I think not even an administrator could kill it (even though he could gain permission to do so, iirc).

In general, though, it's a terribly bad idea. Your process does not own the machine, the user does. The only unkillable process on a computer I know is the operating system and rightly so. You have to make sure that you can't hog resources (which can't be released because you're unkillable) and other malicious side-effects. Usually stuff like this isn't the domain of normal applications and they should stay away from that for a reason.

Joey
+1 for the last paragraph. Interesting corollary - if you have to ask, you're not sufficiently skilled/knowledgeable to understand or correctly implement the answer...
GalacticCowboy
+2  A: 

Depends on the user's permissions. If you run the program as administrator a normal user will not have enough permissions to kill your process. If an administrator tries to kill the process he will in most cases succeed. If you really want someone not to kill your process you should take a look at Windows system services and driver development. In any case, please be aware that if a user cannot kill a process he is stuck with it, even though it behaves abnormally due to bugs! You will find a huge wealth of these kinds of programs/examples on the legal! site rootkit.com. Please respect the user.

merkuro
+11  A: 

You can make an unkillable process, but it won't be able to accomplish anything useful while it's unkillable. For example, one way to make a process unkillable is to have it make synchronous I/O requests to a driver that can never complete (for example, by deliberately writing a buggy driver). The kernel will not allow a process to terminate until the I/O requests finish.

So it's not quite true that you "can't do it" as some people are saying. But you wouldn't want to anyway.

John Feminella
very interesting thanks
Steve
This won't work either - it will make it harder to kill but not unkillable. The system will terminate the threads that can be terminated. Those threads that are 'stuck' in a driver will not be killed but they cannot do any work.
Foredecker
@Foredecker » Right, but that's why I said "it won't be able to accomplish anything useful while it's unkillable".
John Feminella
+1 for not being silly and just saying "Can't do it."
mrduclaw
+16  A: 

Raymond Chen on why this is a bad idea:

http://blogs.msdn.com/oldnewthing/archive/2004/02/16/73780.aspx

Ken Keenan
The question was about how to do this (maybe to know why to protect against that), not about whether it is a good idea or not.
ya23
@ya23: ok then - would you answer, "How can I write a program to kill my wife?" Nothing wrong with calling out a bad idea...
Shog9
@Shog9: write the unkillable program. She'll have a brain aneurysm trying to figure out why her computer won't shut down...
GalacticCowboy
@Shog9, there's nothing wrong with calling out a bad idea, but doing so isn't an answer to his question either.
mrduclaw
+1  A: 

When trying to close one of the processes of Symantec antivirus via Task Manager, the response is 'Access is denied'. How do they do it?

I believe Symantec anti-virus processes run as one of the system accounts, which gives these processes higher privileges than any process started by a user, including an administrator. If the user does not have sufficient permissions to kill a process then Task Manager will display an access denied message.
Crippledsmurf
It typically runs as a service and an administrator can kill the service using services.msc.
sean e
A: 

There's not a 100% foolproof method, but it should be possible to protect a process this way. Unfortunately, it would require more knowledge of the Windows security system API than I have right now, but the principle is simple: Let the application run under a different (administrator) account and set the security properties of the process object to the maximum. (Denying all other users the right to close the process, thus only the special administrator account can close it.) Set up a secondary service and make it run as a process guardian. It should have a lifeline to the protected application and when this lifeline gets cut (the application closes) then it should restart the process again. (This lifeline would be any kind of inter-process communications.) There are still ways to kill such an unkillable process, though. But that does require knowledge that most users don't really know about, so about 85% of all users won't have a clue to stop your process.

Do keep in mind that there might be legal consequences to creating an application like this. For example, Sony created a rootkit application that installed itself automatically when people inserted a Sony music CD or game CD in their computer. This was part of their DRM solution. Unfortunately, it was quite hard to kill this application and was installed without any warnings to the users. Worse, it had a few weaknesses that would provide hackers with additional ways to get access to those systems and thus to get quite a few of them infected. Sony had to compensate quite a lot of people for damages and had to pay a large fine. (And then I won't even mention the consequences it had on their reputation.)

I would consider such an application to be legal only when you install it on your own computer. If you're planning to sell this application to others, you must tell those buyers how to kill the process, if need be. I know Symantec is doing something similar with their software, which is exactly why I don't use their software anymore. It's my computer, so I should be able to kill any process I like.

Workshop Alex
+1  A: 

It's been a Win32 FAQ for decades. See Google Groups and Und. boards for well-known methods (hooking cs and others...).
Noobs who answer "You can't do it" know nothing about Win32 programming: you can do everything with the Win32 API...

Everything, except creating unkillable processes. If you use a special account to give access denied, then just launch Task Manager with a higher account. If you have a watcher process, kill that watcher process. If you hide from Task Manager, use a different tool like process explorer. If you make it a system process or device driver somehow that takes down the entire system (think ntlogon et al), just remove it. It's as easy as removing a Virus or Rootkit.
Michael Stum
+2  A: 

Noobs who answer "You can't do it" know nothing about Win32 programming: you can do everything with the Win32 API...

"+ 1" => It's ridiculous to answer "you can't do it", simply because the guy doesn't know himself how to do it... Unkillable processes are done in rootkits since 16-bits!

Wrong. Rootkits are killable. They hide as a system process which makes the process a bit more complicated, but still rather easy and straightforward to do. Unkillable processes are not possible, there is ALWAYS a simple way, no exceptions.
Michael Stum
@Michael Stum, wrong. There's not ALWAYS a SIMPLE way.
mrduclaw
A: 

The oldest idea in the world, two processes that respawn each other?

ilya n.
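
A defender's view of the guardian-service and mutual-respawn patterns described in the answers above, as an added example that is not from any poster: it scans process start/exit records for images that come back within seconds of exiting and reports which image restarted them. The event tuples, image names and the 5-second window are constructed assumptions; real input would come from process-creation auditing.

```python
from collections import defaultdict

# Constructed sample records: (seconds, event, pid, parent_pid, image)
EVENTS = [
    (0,   "start", 100, 4,   "guard.exe"),
    (1,   "start", 200, 100, "agent.exe"),
    (30,  "exit",  200, 100, "agent.exe"),    # user kills agent.exe
    (31,  "start", 201, 100, "agent.exe"),    # guard.exe brings it back
    (60,  "exit",  100, 4,   "guard.exe"),    # user kills the guardian
    (61,  "start", 101, 201, "guard.exe"),    # agent.exe brings it back
    (90,  "exit",  201, 100, "agent.exe"),
    (92,  "start", 202, 101, "agent.exe"),
    (95,  "start", 300, 50,  "notepad.exe"),
    (99,  "exit",  300, 50,  "notepad.exe"),
    (400, "start", 301, 50,  "notepad.exe"),  # ordinary relaunch, outside window
]


def find_respawns(events, window=5):
    """Map each image to the images that restarted it within `window` s of an exit."""
    image_of = {}                      # pid -> image, filled from start events
    last_exit = {}                     # image -> time of its most recent exit
    respawned_by = defaultdict(list)
    for ts, kind, pid, ppid, image in sorted(events):
        if kind == "exit":
            last_exit[image] = ts
        elif kind == "start":
            image_of[pid] = image
            exited = last_exit.pop(image, None)
            if exited is not None and ts - exited <= window:
                respawned_by[image].append(image_of.get(ppid, "<unknown>"))
    return dict(respawned_by)


def mutual_pairs(respawned_by):
    """Pairs of images that restart each other (the two-process respawn pattern)."""
    pairs = set()
    for image, parents in respawned_by.items():
        for parent in parents:
            if image != parent and image in respawned_by.get(parent, []):
                pairs.add(tuple(sorted((image, parent))))
    return sorted(pairs)


if __name__ == "__main__":
    found = find_respawns(EVENTS)
    print("respawned by:", found)
    print("mutual pairs:", mutual_pairs(found))
```

A one-way entry (an image restarted repeatedly by the same parent) corresponds to the guardian-service design; a mutual pair means both processes have to be stopped together, which is the point made in the comments about killing the watcher first.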