Prevent User Process from Being Killed with "End Process" from Process Explorer

When running my copy of that has Deny set on the Terminate permission (Process Explorer shows this).

Presumably they call SetKernelObjectSecurity to change/remove the ACLs when their process loads.

How to forbid process termination by a regular user?

After long digging I found an acceptable answer here: Prevent user process from being killed with "End Process" from Process Explorer

Works fine: if you're logged in as a regular user, you cannot kill the process from Process Explorer. Admin can still kill it because it has sufficient privileges. It's exactly what I needed.
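The Deny-on-Terminate DACL described in the two posts above is something a defender can audit, not only observe in Process Explorer. The following is an added example, not code from any of the posts: it decodes a process DACL into its ACEs and evaluates PROCESS_TERMINATE the way the kernel's access check does, including the SeDebugPrivilege bypass that is why an administrator can still kill such a process. The Windows-only reader calls GetSecurityInfo through ctypes; SAMPLE_DACL, the well-known SIDs and the token SID sets used with it are constructed for illustration.

```python
import struct
PROCESS_TERMINATE, ALLOW, DENY = 0x0001, 0x00, 0x01  # Terminate bit; ACCESS_ALLOWED/DENIED_ACE_TYPE

def sid_to_str(raw):
    """Binary SID -> 'S-1-5-32-544' form."""
    n, auth = raw[1], int.from_bytes(raw[2:8], "big")
    return "S-%d-%d" % (raw[0], auth) + "".join("-%d" % s for s in struct.unpack_from("<%dI" % n, raw, 8))
def parse_dacl(buf):
    """Raw ACL bytes (ACL header, then ACCESS_ALLOWED/DENIED ACEs) -> [(ace_type, mask, sid), ...]."""
    ace_count, aces, off = struct.unpack_from("<H", buf, 4)[0], [], 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
        aces.append((ace_type, mask, sid_to_str(buf[off + 8:off + ace_size])))
        off += ace_size
    return aces

def can_terminate(aces, token_sids, se_debug=False):
    """Kernel-style DACL walk for PROCESS_TERMINATE: the first matching Deny that covers a still-wanted bit
    refuses, Allows grant bits until none remain. None = NULL DACL (everyone allowed); SeDebugPrivilege bypasses."""
    if se_debug or aces is None:
        return True
    want = PROCESS_TERMINATE
    for ace_type, mask, sid in aces:  # order matters: a non-canonical Allow placed first would win
        if sid in token_sids and ace_type == DENY and mask & want:
            return False
        if sid in token_sids and ace_type == ALLOW and not (want := want & ~mask):
            return True
    return False  # empty DACL, or no Allow matched the token: denied

def read_process_dacl(pid):
    """Windows only: DACL of process `pid` via GetSecurityInfo (needs only READ_CONTROL on the target)."""
    import ctypes
    k32, adv = ctypes.windll.kernel32, ctypes.windll.advapi32
    k32.OpenProcess.restype = ctypes.c_void_p
    h = ctypes.c_void_p(k32.OpenProcess(0x20000, False, pid))  # 0x20000 = READ_CONTROL
    if not h.value: raise ctypes.WinError()
    dacl, sd = ctypes.c_void_p(), ctypes.c_void_p()  # 6 = SE_KERNEL_OBJECT, 4 = DACL_SECURITY_INFORMATION
    err = adv.GetSecurityInfo(h, 6, 4, None, None, ctypes.byref(dacl), None, ctypes.byref(sd))
    k32.CloseHandle(h)
    if err:
        raise ctypes.WinError(err)
    acl_size = struct.unpack_from("<H", ctypes.string_at(dacl.value, 8), 2)[0] if dacl.value else 0
    aces = parse_dacl(ctypes.string_at(dacl.value, acl_size)) if dacl.value else None  # None = NULL DACL
    k32.LocalFree(sd)
    return aces

SAMPLE_DACL = bytes.fromhex(  # constructed sample: Deny Terminate to Users (545), full access to Administrators (544)
    "02 00 38 00 02 00 00 00"  # ACL header: revision 2, size 56, 2 ACEs
    "01 00 18 00 01 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00"  # ACCESS_DENIED, mask 0x1, S-1-5-32-545
    "00 00 18 00 ff ff 1f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00")  # ACCESS_ALLOWED, 0x1FFFFF, S-1-5-32-544
```

On Windows, `can_terminate(read_process_dacl(pid), token_sids)` answers the question for a live process; a Deny ACE carrying the Terminate bit is what the post describes Process Explorer showing, and `se_debug=True` models the elevated administrator who can still kill it.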

Prevent a process from being killed in C#?

Sorry, I can't comment so I've posted this as an 'answer'.

A few things to consider:

  • Is a 13 year old or his friends going to notice a process in Task Manager that shouldn't be there? (for example, a second explorer.exe, svchost.exe, etc.)

  • What are you actually trying to achieve, as there may be other ways to do what you want? Are you trying to block them from going on certain sites? Are you trying to monitor what they do? Are you trying to prove to your mum what they are doing? Something else?

  • Unless you are trying to block them, will they care about anything you may have running? Would they bother to look for 'logging' software running on the PC? I would guess that they wouldn't bother to even open task manager unless the sites weren't working.

If you are trying to give proof or monitor your PC, running a VNC service in the background allows you to connect a viewer from another computer so that you/your mum can watch a live view of what they are up to.

If you want to monitor the sites then you have a wide range of options: keylogging software, browser logging software, proxy software or logging software on your router.

If you want to block the sites then you also have a wide range of solutions: hosts file, DNS-based blocking (e.g. OpenDNS), blocking software on the PC (e.g. Net Nanny), blocking software on the router, etc.

Remember: if you are trying to block sites, nothing will block 100% of websites. You will only achieve one of two things: (ideally) it becomes too much effort trying to find sites that aren't blocked and they use another computer for their porn, or they persist and find a way around it, a way to disable it, or sites that it doesn't catch.

Delphi 7 - Prevent User From Killing Process in Task Manager

You can do it.

See the canonical answer on security StackExchange:

  • Create an unterminable process in Windows

Short version:

  1. Pre-NT RegisterServiceProcess trick - marks your process as a "critical system service"
  2. Process naming tricks - TaskMgr refused to kill processes named rpcss.exe
  3. Keep-alive processes - two processes keep relaunching each other
  4. User-mode hook TerminateProcess via loaded DLLs - block calls to terminate your process
  5. User-mode hook TerminateProcess via injected threads - block calls to terminate your process
  6. Kernel-mode call hooks - take over any calls to TerminateProcess inside the kernel from a driver
  7. Direct kernel object manipulation (DKOM) - modify the kernel process list so your process is invisible
  8. Debugger tricks - if you debug your own process it cannot be killed
  9. Windows Protected Services - the OS feature to make a process unkillable
  10. Tool manipulation - modify TaskMgr, Process Explorer, pskill, taskkill binaries directly

Yes, anti-virus, anti-malware, and DRM software should not be able to defend itself from malware that gains administrative privileges. But Microsoft, McAfee, Cylance, Widevine, and the rest do it - and Microsoft endorses and enables it with protected services. So here we are.

How do I prevent end process tree from terminating the programs mine has started?

I think you need to create an intermediate process which in turn spawns two.exe. You then need the intermediate process to terminate immediately, at which point the relationship between the original process and two.exe is broken.
