ObRegisterCallbacks fail to protect process (Win10)

SOS! Help!

Obcallback · Issue #462 · microsoft/Windows-driver-samples · GitHub.

Since you didn’t provide any code, or tell us what you actually did, or what you expected, how can you possibly expect anyone to help you? Did you start from the sample? What changes did you make? How did you test this? What app were you protecting? It’s patently silly for you to blur out your Task Manager output like that. What do you think we’re going to learn?

Hey Roberts, I just built the sample [WDK/general/obcallback] and didn’t change any code.
From the readme:
C:> obcallbacktestctrl.exe -install (installs the kernel driver)
C:> obcallbacktestctrl.exe -name notepad (specifies that the string “notepad” will be watched as a protected executable)

After that, the ob driver can protect the notepad process from being killed in the [detail] tab of taskmgr.
However, the notepad process can be killed in the [process] tab.

However, the notepad process can be killed in the [process] tab.

Of course, just like it can be killed by clicking the X icon or pressing Alt-F4. Those things don’t “kill” the process, they just send normal “close window” messages. Presumably, if you were writing a process you wanted to protect, you wouldn’t be foolish enough to honor “close window” messages.

Perhaps you want to delete your bug report now, because there’s nothing wrong with the API.

Thanks. Roberts.

Hi, I found a solution for that issue:
reset/remove all critical access (like Windows Protected Process)
https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
https://docs.microsoft.com/en-us/windows/win32/procthread/thread-security-and-access-rights

Task manager queues a “quit” window message to the UI message queue of your application and your application handles this message by exiting. This does not require a handle to your process… Using the “details” tab of task manager does use OpenProcess + TerminateProcess so it’s blocked by your “protection”.

You can see this code example to roughly understand what’s going on under the hood:

https://stackoverflow.com/a/16723837

EDIT: sorry didn’t see this is an old thread and Tim already explained the issue…
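The distinction drawn in the replies above, as an added example that is not code from the thread or from the WDK sample: a portable C model of the access-mask filtering an ObRegisterCallbacks pre-operation callback performs, and why it covers TerminateProcess but not a "close window" message. The access-right values are those in winnt.h; the strip list, the `stop_path` enum and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Process access rights, values as defined in winnt.h. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define PROCESS_ALL_ACCESS                0x1FFFFFu

/* Assumed strip list: rights that let a handle holder end, suspend or alter the target. */
#define STRIP_MASK (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                    PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)

/* The two ways of stopping a process discussed in the thread (names are hypothetical). */
typedef enum { STOP_TERMINATE_PROCESS, STOP_CLOSE_WINDOW_MESSAGE } stop_path;

/* Models the pre-operation callback: it runs when a handle to the process is being
   created or duplicated, and it may only remove bits from the desired access. */
uint32_t filter_desired_access(uint32_t desired, bool target_protected)
{
    return target_protected ? (desired & ~STRIP_MASK) : desired;
}

/* Process rights the caller's handle must carry for each path. A window message is
   queued to the window's thread and involves no process handle at all. */
uint32_t rights_required(stop_path path)
{
    return path == STOP_TERMINATE_PROCESS ? PROCESS_TERMINATE : 0u;
}

/* True when the handle filter stops this path against the given target. */
bool path_blocked(stop_path path, uint32_t desired, bool target_protected)
{
    uint32_t need = rights_required(path);
    if (need == 0u)
        return false; /* no handle is opened, so the callback never runs */
    return (filter_desired_access(desired, target_protected) & need) != need;
}

int main(void)
{
    printf("TerminateProcess blocked: %d\n",
           path_blocked(STOP_TERMINATE_PROCESS, PROCESS_ALL_ACCESS, true));
    printf("close message blocked:    %d\n",
           path_blocked(STOP_CLOSE_WINDOW_MESSAGE, 0u, true));
    return 0;
}
```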