How can I make a service/executable that once loaded will never be
terminated, even by administrators through the task manager?
I see many of these processes, some of them have the owner as NT_AUTHORITY.
Is it possible to write code that makes my process also load as NT_AUTH?
–
Why would you want this ‘feature’?
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of amitr0
Sent: Friday, December 23, 2005 10:28 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Process termination
How can I make a service/executable that once loaded will never be
terminated, even by administrators through the task manager?
I see many of these processes, some of them have the owner as
NT_AUTHORITY. Is it possible to write code that makes my process also
load as NT_AUTH?
–
Windows allows you to put ACLs on processes, so you can limit access to it.
However, whatever component can circumvent security checks (read: drivers)
can easily kill even such a process.
Furthermore you should not be able to kill services as a normal user - only
impersonation as NT_AUTHORITY will allow for that.
Is it possible to write code that makes my process also load as NT_AUTH?
Any service which does not specify particular credentials runs as
NT_AUTHORITY. Nothing special to do here 
Cheers,
Oliver
–
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
To unsubscribe send a blank email to xxxxx@lists.osr.com
–
May the source be with you, stranger 
ICQ: #281645
URL: http://assarbad.net
You cannot, and no sane purpose (except malware and virii writing) can
justify such a need.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “amitr0”
To: “Windows System Software Devs Interest List”
Sent: Friday, December 23, 2005 6:28 PM
Subject: [ntdev] Process termination
How can I make a service/executable that once loaded will never be
terminated, even by administrators through the task manager?
I see many of these processes, some of them have the owner as NT_AUTHORITY.
Is it possible to write code that makes my process also load as NT_AUTH?
–
- amitr0
—
>1. curiosity to know how to make processes owned by NT_AUTHORITY
Start them as services under LocalSystem account.
> 2. I am writing a service that should never be terminated, not even by the
> administrator.
Impossible in Windows.
MS has some services, for which termination == OS crash (like IIRC RPCSS in
some Windows versions). Nevertheless, they can be terminated.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
> 2. I am writing a service that should never be terminated, not even by the
> administrator.
> Impossible in Windows.
> MS has some services, for which termination == OS crash (like IIRC RPCSS in
> some Windows versions). Nevertheless, they can be terminated.
Thanks everybody for the tips. However, can you please explain this
situation…
I have a process called dllhost running (nothing unusual about that I
guess), I do a right click and try to terminate the process in task
manager. It says Operation cannot be completed, access is denied.
How is this happening then? Of course there are other methods of killing
processes.
Just curious … what if I reroute the system calls (well, we are going into
the domain of rootkits, this has no sane use unless you are writing something
like a DRM (remember Sony?) or really some malware …) and disallow all
the attempts to OpenProcess … can the administrator still shut down your
process…? (Just curious … no intentions of writing such
things…)
On 12/26/05, amitr0 wrote:
>
> >2. I am writing a service that should never be terminated, not even by
> the
> >administrator.
>
> >Impossible in Windows.
>
> >MS has some services, for which termination == OS crash (like IIRC RPCSS
> in
> >some Windows versions). Nevertheless, they can be terminated.
>
> Thanks everybody for the tips. However, can you please explain this
> situation…
>
> I have a process called dllhost running (nothing unusual about that I
> guess), I do a right click and try to terminate the process in task
> manager. It says Operation cannot be completed, access is denied.
>
> How is this happening then? Of course there are other methods of killing
> processes.
–
Ankit Raizada
Room No. 349
Boys Hostel
IIITA Campus
Deoghat Jhalwa
Allahabad - 211012
Email: xxxxx@iiita.ac.in
xxxxx@yahoo.com
xxxxx@gmail.com
> I have a process called dllhost running (nothing unusual about that I guess),
> I do a right click and try to terminate the process in task manager. It says
> Operation cannot be completed, access is denied.
Security. You don’t have the right access rights to do that.
Loren
hey ankit,
this is precisely what is in my mind, they say that it is not possible to
stop users from terminating processes, well actually it is. Hook the
TerminateProcess API, check for the PID to be that of your nitty witty
process and return error. 
no way loren, I am the administrator of the local machine !!!
“administrator” != “LocalSystem”. They are different access codes.
----- Original Message -----
From: amitr0
To: Windows System Software Devs Interest List
Sent: Sunday, December 25, 2005 11:27 PM
Subject: Re: [ntdev] Process termination
no way loren, I am the administrator of the local machine !!!
so that is my question, if admin having super user rights cannot terminate a
process, and maxim says such processes can be terminated, how is it done.
and how to prevent it (I don't want that hooking thingy I told of in my
other post)
First off, it can be done by other processes running under the same access code as the process that gets terminated. This isn’t necessarily the same as the administrator or any other user.
Second, it can often be done by another access code if it can gain the necessary privs to perform the action. Investigate security tokens.
The idea of an unterminatable task/process/thread is basically evil. All this means is that the user eventually has to resort to a reboot to terminate the object. This isn’t polite.
The normal way to make an “unterminatable” process is exactly the same way as the ones you can’t kill from Task Mangler: install an access code to run the process under, and make sure that it is one that other users (possibly including admins) don’t normally have termination access rights to.
I would think moderately long and somewhat hard before implementing such a thing though. There are reasons for such things. But they are generally very few and very seldom. Most things an administrator should be able to kill. If you are making something that is intended to always be around to make sure that something does or doesn't happen, it should normally be sufficient to make it an administrator-owned object, and insist that the normal system users are not administrators. For that matter, adjusting ACLs and security access rights is very often all that is required to protect things. Having 'always running' snooping software to try to catch changes and undo them, or hook things and prevent them is flatly the wrong way to go. The object access model is quite capable of preventing a great many actions; all you need to do is take the appropriate advantage of it - not make hacks to do kinda the same thing, poorly.
Loren
----- Original Message -----
From: amitr0
To: Windows System Software Devs Interest List
Sent: Monday, December 26, 2005 12:39 AM
Subject: Re: [ntdev] Process termination
so that is my question, if admin having super user rights cannot terminate a process, and maxim says such processes can be terminated, how is it done. and how to prevent it (I don't want that hooking thingy I told of in my other post)
thanks for the explanation loren.
Read Keith Brown’s book “Programming Windows Security”. He explains every
gory detail of what you need.
If you check out the following page, you will find the successor of the
above mentioned book for .NET as a wiki. Just read it, many things are
similar:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook.HomePage
Oliver
PS: Essentially I had already mentioned all this 3 days ago. Quote:
Windows allows you to put ACLs on processes, so you can limit access to it.
However, whatever component can circumvent security checks (read: drivers)
can easily kill even such a process.
Furthermore you should not be able to kill services as a normal user - only
impersonation as NT_AUTHORITY will allow for that.
Is it possible to write code that makes my process also load as NT_AUTH?
Any service which does not specify particular credentials runs as
NT_AUTHORITY. Nothing special to do here 
–
May the source be with you, stranger 
ICQ: #281645
URL: http://assarbad.net
> I have a process called dllhost running (nothing unusual about that I
> guess), I do a right click and try to terminate the process in task
> manager. It says Operation cannot be completed, access is denied.
KILL.EXE will still be able to terminate it.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
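The three points made in this thread (Oliver: a process DACL limits who can open the process; Loren: whether a caller gets through depends on its token; Maxim: KILL.EXE gets through anyway) fit in one script. The following is an added example and is not code from the thread or from any of its posters. It assumes an elevated PowerShell session on Windows; the ProcSec P/Invoke wrapper and the function names Set-ProcessDacl, Get-ProcessDaclSddl, Test-TerminateAccess and Enable-SeDebugPrivilege are my own. The script tightens its own process DACL so that Administrators are denied PROCESS_TERMINATE, reads the DACL back to verify it, shows OpenProcess(PROCESS_TERMINATE) failing with error 5 even for the administrator who started it (the same "access is denied" the dllhost case shows), and then enables SeDebugPrivilege, which is what kill.exe does, after which the same open succeeds.

```powershell
# Added example, not from the OSR thread: restrict this process's DACL, then show
# that SeDebugPrivilege (what kill.exe enables) walks straight past it.
# Assumes Windows and an elevated PowerShell session; ProcSec and the functions are mine.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
[StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
public static class ProcSec {
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(
        string sddl, uint rev, out IntPtr sd, out uint size);
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    public static extern bool ConvertSecurityDescriptorToStringSecurityDescriptor(
        IntPtr sd, uint rev, uint info, out IntPtr str, out uint len);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool SetKernelObjectSecurity(IntPtr h, uint info, IntPtr sd);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool GetKernelObjectSecurity(IntPtr h, uint info, IntPtr sd, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr p);
}
"@
$DACL_INFO = [uint32]4          # DACL_SECURITY_INFORMATION
$PROCESS_TERMINATE = [uint32]1  # the only right TerminateProcess needs
function Win32Err { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Set-ProcessDacl([IntPtr]$Handle, [string]$Sddl) {
    # Parse SDDL into a self-relative security descriptor and install its DACL on the process object.
    $sd = [IntPtr]::Zero; $size = [uint32]0
    if (-not [ProcSec]::ConvertStringSecurityDescriptorToSecurityDescriptor($Sddl, 1, [ref]$sd, [ref]$size)) {
        throw "bad SDDL, error $(Win32Err)"
    }
    $ok = [ProcSec]::SetKernelObjectSecurity($Handle, $DACL_INFO, $sd)
    [void][ProcSec]::LocalFree($sd)
    if (-not $ok) { throw "SetKernelObjectSecurity failed, error $(Win32Err)" }
}

function Get-ProcessDaclSddl([IntPtr]$Handle) {
    # Read the DACL back as SDDL: verify the change rather than trust it.
    $needed = [uint32]0
    [void][ProcSec]::GetKernelObjectSecurity($Handle, $DACL_INFO, [IntPtr]::Zero, 0, [ref]$needed)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$needed)
    try {
        if (-not [ProcSec]::GetKernelObjectSecurity($Handle, $DACL_INFO, $buf, $needed, [ref]$needed)) {
            throw "GetKernelObjectSecurity failed, error $(Win32Err)"
        }
        $str = [IntPtr]::Zero; $len = [uint32]0
        [void][ProcSec]::ConvertSecurityDescriptorToStringSecurityDescriptor($buf, 1, $DACL_INFO, [ref]$str, [ref]$len)
        $sddl = [Runtime.InteropServices.Marshal]::PtrToStringUni($str)
        [void][ProcSec]::LocalFree($str)
        return $sddl
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Test-TerminateAccess([int]$TargetPid) {
    # Ask for PROCESS_TERMINATE only; this is the access check Task Manager's End Process runs into.
    $h = [ProcSec]::OpenProcess($PROCESS_TERMINATE, $false, $TargetPid)
    if ($h -eq [IntPtr]::Zero) { return "denied (Win32 error $(Win32Err))" }   # 5 = ERROR_ACCESS_DENIED
    [void][ProcSec]::CloseHandle($h)
    return "granted"
}

function Enable-SeDebugPrivilege {
    # Enable SeDebugPrivilege in our own token, as kill.exe does. The GetCurrentProcess()
    # pseudo-handle is used because our own DACL now refuses new full-access opens.
    $tok = [IntPtr]::Zero
    if (-not [ProcSec]::OpenProcessToken([ProcSec]::GetCurrentProcess(), 0x28, [ref]$tok)) { return $false }  # TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
    $luid = New-Object LUID
    [void][ProcSec]::LookupPrivilegeValue($null, "SeDebugPrivilege", [ref]$luid)
    $tp = New-Object TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = 2   # SE_PRIVILEGE_ENABLED
    [void][ProcSec]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = Win32Err   # 1300 = ERROR_NOT_ALL_ASSIGNED: the token does not hold the privilege (not elevated)
    [void][ProcSec]::CloseHandle($tok)
    return ($err -eq 0)
}

$me  = [Diagnostics.Process]::GetCurrentProcess()
$hMe = $me.Handle   # opened with full access now, before the DACL tightens
$sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# Deny PROCESS_TERMINATE (0x1) to Administrators (BA); full access to SYSTEM and to the user who started us.
Set-ProcessDacl $hMe "D:P(D;;0x1;;;BA)(A;;GA;;;SY)(A;;GA;;;$sid)"
"DACL now            : $(Get-ProcessDaclSddl $hMe)"
"Admin, no SeDebug   : $(Test-TerminateAccess $me.Id)"   # denied: the deny ACE beats our own allow ACE
"SeDebugPrivilege on : $(Enable-SeDebugPrivilege)"
"Admin, with SeDebug : $(Test-TerminateAccess $me.Id)"   # granted: the privilege check precedes the DACL
```

Run it elevated. In a non-elevated session the deny still applies (the filtered token carries Administrators as a deny-only group), but Enable-SeDebugPrivilege returns False and the last line stays denied, which is what a normal user sees; that is the whole content of the dllhost observation, and it is not a security boundary against anyone who holds SeDebugPrivilege. Two caveats the script cannot show: a kernel driver never meets this DACL at all, since it terminates through a kernel handle (Oliver's point), and the protected-process mechanism Windows later added, which does limit debug-privileged callers, is reserved for specially signed system components rather than something an arbitrary service can opt into.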