Prevent the process from being terminated

Hi,

I register a callback for OB_OPERATION_HANDLE_CREATE. In the pre-callback function, I check whether the process ID is my process and whether it is going to be terminated; if so, I disable it as below:

    processId = PsGetProcessId((PEPROCESS)OperationInformation->Object);

    if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
    {
        OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
    }

If I try to kill the process from Task Manager, it is blocked, but if I use the command below in a DOS prompt, the process is still terminated.

    taskkill /pid processId

Does anyone know what else I missed?

Thanks in advance

Victor
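
A fuller form of the pre-callback filter described in the post above, as an added example that is not the poster's code or the WDK sample: it includes the PID comparison, skips kernel handles, and also covers OB_OPERATION_HANDLE_DUPLICATE. The types are simplified user-mode stand-ins so the logic compiles outside the WDK; `PRE_OP_INFO`, `filter_terminate`, `g_ProtectedPid` and the PID 4242 are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-mode stand-ins for the WDK types (assumption: only the
   fields this logic touches are modelled). */
#define PROCESS_TERMINATE             0x0001u
#define OB_OPERATION_HANDLE_CREATE    1u
#define OB_OPERATION_HANDLE_DUPLICATE 2u

typedef struct { uint32_t DesiredAccess, OriginalDesiredAccess; } HANDLE_INFO;
typedef union  { HANDLE_INFO CreateHandleInformation;
                 HANDLE_INFO DuplicateHandleInformation; } PRE_PARAMS;
typedef struct {
    uint32_t    Operation;     /* handle create or handle duplicate */
    int         KernelHandle;  /* non-zero: handle requested by kernel code */
    uintptr_t   TargetPid;     /* stand-in for PsGetProcessId(Object) */
    PRE_PARAMS *Parameters;
} PRE_OP_INFO;

/* Hypothetical global: the PID the driver was told to protect. */
static uintptr_t g_ProtectedPid = 4242;

/* Returns 1 if PROCESS_TERMINATE was stripped from the request, else 0. */
int filter_terminate(PRE_OP_INFO *info)
{
    uint32_t *desired;
    int had;

    /* Leave kernel handles and handles to other processes untouched. */
    if (info->KernelHandle || info->TargetPid != g_ProtectedPid)
        return 0;
    /* Cover both operations: a duplicated handle would otherwise slip
       past a filter that only looks at handle creation. */
    if (info->Operation == OB_OPERATION_HANDLE_CREATE)
        desired = &info->Parameters->CreateHandleInformation.DesiredAccess;
    else if (info->Operation == OB_OPERATION_HANDLE_DUPLICATE)
        desired = &info->Parameters->DuplicateHandleInformation.DesiredAccess;
    else
        return 0;
    had = (*desired & PROCESS_TERMINATE) != 0;
    *desired &= ~PROCESS_TERMINATE;   /* all other requested rights stay */
    return had;
}

int main(void)
{
    PRE_PARAMS p = { { 0x1FFFFFu, 0x1FFFFFu } };  /* constructed request mask */
    PRE_OP_INFO op = { OB_OPERATION_HANDLE_CREATE, 0, 4242, &p };
    printf("stripped=%d\n", filter_terminate(&op));
    printf("granted=0x%X\n", (unsigned)p.CreateHandleInformation.DesiredAccess);
    return 0;
}
```

The filter only acts on access rights requested through a handle; a close request delivered to the process as a window message never reaches this callback.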

Does anyone know whether there is a bug or something else?

Thanks
Victor

No, this is not a bug, because “taskkill” uses “PostMessage”.

Thanks for your reply.

Do you have any idea how to prevent the termination using “PostMessage”?

Thanks
Victor

I am using the example “obcallback” from WDK, so it can’t prevent the process from being terminated via the command “taskkill /pid processId”?

Is there a workaround to prevent the process from being terminated?

Thanks
Victor

What you have seen could very well have been a click on the X on the top right of the icon :)
This is a “here we go again” post :)

The short answer to what you are asking is: NO.

The long answer, I’m fairly sure you’ll get from someone here.

Cheers