Why can Task Manager kill my protected process so easily?

My service is protected by my driver (it turns off the PROCESS_TERMINATE flag in the Object Callback routine).
Task Manager can’t terminate my process from the “Details” tab, but from the “Processes” tab it can kill my service easily with the “End Task” option (tested on Windows 10).
What is the mechanism behind that? How can I prevent that action in my driver?
Thank you.

You might also need to protect the threads owned by the process.
Closing every thread owned by a process will end up “terminating” that process.
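The thread-protection point above, as an added example that is not code from the original thread or from any poster: a pre-operation object callback that only sanitizes process handles still hands out THREAD_TERMINATE on the process’s threads, so the same decision has to be applied to both object types. The real callback registers with ObRegisterCallbacks for PsProcessType and PsThreadType and edits Parameters->CreateHandleInformation.DesiredAccess (or DuplicateHandleInformation for duplicates) in OB_PRE_OPERATION_INFORMATION; that wiring needs the WDK, so the struct HandleRequest and the functions below are a stand-in that models the same decision and compiles with any C compiler. The access-right bit values are the documented winnt.h values; the process ids are constructed for the demonstration.

```c
/* Added example, not from the thread: the access-mask filtering an object
 * callback applies to handles that target a protected process and its threads.
 * HandleRequest is a stand-in for the fields of OB_PRE_OPERATION_INFORMATION
 * the decision needs; the real driver copies its decision back into
 * Parameters->CreateHandleInformation.DesiredAccess. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Documented process and thread access rights (winnt.h values). */
#define PROCESS_TERMINATE         0x0001
#define PROCESS_CREATE_THREAD     0x0002
#define PROCESS_VM_OPERATION      0x0008
#define PROCESS_VM_WRITE          0x0020
#define PROCESS_QUERY_INFORMATION 0x0400
#define PROCESS_SUSPEND_RESUME    0x0800
#define THREAD_TERMINATE          0x0001
#define THREAD_SUSPEND_RESUME     0x0002
#define THREAD_SET_CONTEXT        0x0010

typedef enum { OBJ_PROCESS, OBJ_THREAD } ObjectKind;

/* Modelled subset of what the pre-operation callback receives. */
typedef struct {
    ObjectKind  kind;           /* process object or thread object          */
    uint32_t    target_pid;     /* process that owns the object             */
    uint32_t    requester_pid;  /* process asking for the handle            */
    bool        kernel_handle;  /* KernelHandle: kernel callers are not filtered */
    ACCESS_MASK desired_access; /* in/out: the mask the callback may reduce */
} HandleRequest;

/* Rights removed from handles to the protected process itself ... */
static const ACCESS_MASK kProcessDenied =
    PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
    PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME;
/* ... and, the point made above, from handles to its threads as well. */
static const ACCESS_MASK kThreadDenied =
    THREAD_TERMINATE | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT;

/* Reduces req->desired_access for handles that target protected_pid.
 * Returns true when the mask was changed. */
bool filter_handle_request(HandleRequest *req, uint32_t protected_pid) {
    if (req->kernel_handle) return false;                  /* never fight the kernel */
    if (req->target_pid != protected_pid) return false;    /* not our object */
    if (req->requester_pid == protected_pid) return false; /* a process may open itself */
    ACCESS_MASK denied = (req->kind == OBJ_PROCESS) ? kProcessDenied : kThreadDenied;
    ACCESS_MASK before = req->desired_access;
    req->desired_access &= ~denied;
    return req->desired_access != before;
}

/* Models the failure mode described above: with filter_threads == false only
 * process handles are sanitized, THREAD_TERMINATE survives on thread handles,
 * and terminating every thread still ends the process. Returns true when the
 * protected process survives a caller that tries both routes. */
bool process_survives(bool filter_threads, uint32_t protected_pid, uint32_t caller_pid) {
    HandleRequest proc = { OBJ_PROCESS, protected_pid, caller_pid, false, PROCESS_TERMINATE };
    filter_handle_request(&proc, protected_pid);
    bool can_kill_process = (proc.desired_access & PROCESS_TERMINATE) != 0;

    HandleRequest thr = { OBJ_THREAD, protected_pid, caller_pid, false, THREAD_TERMINATE };
    if (filter_threads) filter_handle_request(&thr, protected_pid);
    bool can_kill_threads = (thr.desired_access & THREAD_TERMINATE) != 0;

    return !can_kill_process && !can_kill_threads;
}

int main(void) {
    /* Constructed ids: 4242 is the protected service, 1000 an unrelated caller. */
    printf("process-only filter, survives: %s\n", process_survives(false, 4242, 1000) ? "yes" : "no");
    printf("process+thread filter, survives: %s\n", process_survives(true, 4242, 1000) ? "yes" : "no");
    return 0;
}
```

The two filtering paths show why the “Details” tab fails while ending all threads still works. As the replies below point out, none of this holds against an administrator: the debug-programs right or a freshly loaded driver removes the filter, so the value of such a callback is in raising the cost of accidental or unprivileged termination, not in stopping the machine’s owner.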

The short answer is: don’t try to do this. If I am an admin or have physical access to the system, there is nothing you can do except delay and frustrate me. I can always press the power button to terminate your process, and prevent it from running again by deleting the .sys / .exe files from another OS.

Non-admin users can’t terminate service processes because of simple ACL checks. So this is malware.


Mr. Bond makes an important point. It’s not your computer, it’s MY computer. If I want to kill your process, and I have suitable authority, I need to be able to do so. Otherwise, as he says, you are malware.

How can I prevent that action in my driver?

As Marion and Tim pointed out already, there is nothing that you can (and, in fact, should be able to) do against the Admin user’s actions.
Any process that tries to protect itself against termination or the deletion of its files by the Admin user automatically classifies as a piece of malware. We have discussed it so many times in this NG…

Anton Bassov

How about AVs? They must protect themselves from malware (with Admin privilege) and always be active, don’t they?

If malware has admin privilege, the game is over. You have lost. There is no hope.

Antivirals use the normal system mechanisms to protect themselves. Again, if an antiviral gets in the way, I (as the admin) need to be able to kill it temporarily.

Well, isn’t that what ring 2 was for? lol. Do not take this post seriously. It is Friday night and I’m tired, but to address the suggestion of protecting the threads:

By default, administrators have the ‘debug programs’ right. This can be controlled by group policy etc. But any sufficiently knowledgeable user with this right can effectively render useless any UM program of any kind. KM is a different story of course, but no software of any sort should try to thwart the administrators.

Well, isn’t that what ring 2 was for?

Many years ago, when I worked for Control Data Corporation, the operating system for their first virtual memory mainframes (NOS/VE for the Cyber 180) used 15 rings, borrowing the concept from MULTICS. Every pointer had a ring number in the high-order bits. User apps ran in ring 13, the kernel ran in ring 3, utility subsystems ran in ring 8. In order to call inward, you called through a gate in the next ring down. It really didn’t get in the way very much, and it did increase security.

My service is protected by my driver (it turns off the PROCESS_TERMINATE flag in the Object Callback routine).
Task Manager can’t terminate my process from the “Details” tab, but from the “Processes” tab it can kill my service easily with the “End Task” option (tested on Windows 10).
What is the mechanism behind that? How can I prevent that action in my driver?
Thank you.

If you want to understand “what is the mechanism behind it”, I recommend you open a debugger and take a look at the call stack in the process exit callback.

Anyway, if your application has a UI, maybe the reason this “bypassed” your “protection” is that Task Manager is sending a window message like WM_SYSCOMMAND + SC_CLOSE to your application. Sending this message does not require the caller to have PROCESS_TERMINATE permission or even a handle to your process; it only needs to get a handle to a window inside your process. I’m actually not sure about the security mechanisms that are used to protect window handles, so maybe someone else can elaborate on that. Anyway, your application has a “message loop” that handles messages of this kind and kindly services this message by stopping the message loop and terminating itself.

I agree with the rest of the comments on this thread: trying to “protect” against a process that has admin privileges is hopeless. For example, the attacker can install a driver and remove your protection altogether…


Hi @tanda996
I have a Windows service and am observing the same. Could you please share the solution if you have already found it?
Thanks

Well, I really don’t want to get involved in this. But I will say that there’s no real reason to believe clearing PROCESS_TERMINATE should work against an elevated process. We’ve repeatedly discussed that this is not any sort of an acceptable way to prevent a process from being terminated. Those discussions go back at least 5 years among some very clever folks.

Peter