Question

prevent users from killing process in windows - Help needed urgently

Asked by: swanandingawale

Hi Experts,

We have our agent process that runs on Windows clients; it acts like a security service. I want to prevent users (if possible Administrator also) from killing that process from Task Manager. It's very urgent and causing us a lot of issues...

I am very novice to C code, can anyone please tell me a way to do it in C; code for the same would be a great help. I have tried via ACL control but I was not successful...

Thanks in advance

This question has been solved and asker verified.

Asked on: 2009-06-02 at 01:23:37, ID: 24455782
Tags: Process, Windows OS
Topics: Windows Programming, Microsoft Operating Systems, C Programming Language
Participating experts: 2
Points: 500
Comments: 12

Answers

 

by: abel, posted on 2009-06-02 at 01:44:57, ID: 24524716

This is a very complex task and requires writing beyond the normal capabilities of services. Without intricate knowledge of both the language in which the service is written (I assume you wrote the service?) and the Windows services architecture, I wouldn't go about doing this. You can of course ignore the stop signal, but really preventing an administrator from killing your service is, eventually, really impossible. After all, why are they administrators?

Second thought you should consider is that this involves "misbehaving" of your service. Any administrator will recognize that and will uninstall your service.

If you are ill-intentioned (I'm sure you are not) then you can resort to researching holes in the OS. But that is beyond the scope of EE's guidelines to assist you there.

Just tell me, why is this causing you trouble and why is it so urgent? I'd assume that you can do most of it by setting rights on the service and making sure that the users that log on to your server do not have sufficient rights to shut down a service or change its properties. Which would be a much easier task to accomplish if your users are misbehaving and stopping the service when they are actually not allowed to do so.

 

by: swanandingawale, posted on 2009-06-02 at 02:40:41, ID: 24524951

Here is some more clarification on this:

1. It is not necessary for admin. If admin is killing process from Task Manager then also it is fine. I don't want same behavior to be applicable for administrator.

2. I want to do this in 2 ways:
    a. Prevent non-admin user from stopping service via Service Control Manager (SCM): This is done...
    b. Prevent non-admin user from killing service via Task Manager.

3. I am not having any other intention :-), I will explain it more, then you will realize the actual issue and its urgency.

4. This is needed because my service runs on clients. It's a sort of security service, something like McAfee, Norton antivirus services. In case of these standard services I am not able to stop them or kill them if I am not administrator. In my case, when I install my service, the user is killing this service and he is also able to stop it from SCM. Now this is causing a lot of issues for me: this service constantly reports to the server; once the user stops it, the server will not receive any data from my service (which was running on the client). This will result in failed delivery of security updates between client and server...

Hope this clarifies, please let me know if you want further explanation....

 

by: bcrosby007, posted on 2009-06-02 at 03:44:52, ID: 24525235

Are you on an active directory domain? If so, you can disable task manager and the services via Group Policy.

 

by: swanandingawale, posted on 2009-06-02 at 03:50:38, ID: 24525263

No, I'm not on an Active Directory domain, and I don't want to disable Task Manager.

 

by: abel, posted on 2009-06-02 at 04:04:21, ID: 24525372

Thanks for the extensive follow-up.

As far as I remember, a non-admin user can use "End task" but cannot use "End process", which will give an Access Denied. The exception is for those users that have debugging privileges.

If you really want to prevent your app from being killed (but then you are behaving differently than antivirus software, which can simply be killed like that, just as any other process) you will have to use an API hook on the TerminateProcess, or on a lower level, the NtTerminateProcess. I cannot recommend such, as in my world I want to be able to control my computer, and not being able to kill a process means I have to disable the service and restart my computer. I wouldn't want that.

But that's just me. Perhaps your users don't know what they're doing when they deliberately try to kill your service. But if they know how to find it, they will also know how to work around any efforts you put in to prevent this from happening. But here's your solution, use a library like MadCodeHook: http://www.madshi.net/madCodeHookDescription.htm (there are others).

-- Abel --

PS: an easier solution might be to disallow users access to the taskmgr.exe.

 

by: abel, posted on 2009-06-02 at 04:05:07, ID: 24525379

Oh, you don't want that last thing (didn't see your post before yet).

 

by: abel, posted on 2009-06-02 at 04:06:41, ID: 24525391

Ah, and I forgot: if your process runs in a different security context and the user is not an admin user or not a user with debugging privileges, he can kill the process with kill.exe, but not with the task manager anymore. Alternative solution: use an alternative account for your service.

 

by: swanandingawale, posted on 2009-06-02 at 04:24:54, ID: 24525504

Alternative solution of using a different account for the service looks good against API hook on the TerminateProcess. Do you have any code or example around the same??

 

by: abel, posted on 2009-06-02 at 06:10:31, ID: 24526323

You don't need to change the code. Just go to the Services window, select Properties for your service and change the startup user.

I think you actually are already there. If a user does not have the privilege to alter services, it will not have the privilege to kill the service either.

Btw, isn't it easier to create a watchdog application that monitors your service from being stopped and then restarts it? It doesn't matter what you try, but unless the user is restricted by means of policies, he will always be able to kill your service eventually.

Also consider the Disable Task manager policy, but that will completely disable the task manager.
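The service-side settings discussed in the answer above (rights on the service, the startup account, and restarting after a kill), as an added PowerShell example that is not part of the original thread. `MyAgentSvc` is a placeholder service name, and the script uses the Service Control Manager's built-in recovery actions in place of a separate watchdog application.

```powershell
# Added example; run from an elevated PowerShell prompt.
# 'MyAgentSvc' is a placeholder, not a name from the thread.
$svc = 'MyAgentSvc'

# 1. Audit the service DACL for allow-ACEs that let anyone other than
#    LocalSystem (SY) or Administrators (BA) interfere with the service.
#    SDDL rights on a service: WP=stop, DT=pause/continue, DC=change config,
#    SD=delete, WD=write DACL, WO=write owner, GA=generic all.
#    Rights written as a hex mask (0x...) are not decoded here.
$risky   = 'WP','DT','DC','SD','WD','WO','GA'
$trusted = 'SY','BA'
$sddl = (sc.exe sdshow $svc | Where-Object { $_.Trim() }) -join ''
foreach ($ace in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
    $rights  = [regex]::Matches($ace.Groups[1].Value, '[A-Z]{2}') |
               ForEach-Object { $_.Value }
    $trustee = $ace.Groups[2].Value
    $hits    = @($rights | Where-Object { $risky -contains $_ })
    if ($hits.Count -gt 0 -and $trusted -notcontains $trustee) {
        Write-Warning "Trustee $trustee holds $($hits -join ',') in $($ace.Value)"
    }
}

# 2. Show which account the service runs as. A process owned by the
#    interactive user can be ended by that user; one running under a
#    separate account cannot be opened for termination by a standard user.
Get-CimInstance Win32_Service -Filter "Name='$svc'" |
    Select-Object Name, StartName, State, StartMode

# 3. Have the SCM restart the service when its process exits without
#    reporting SERVICE_STOPPED (which is what a kill looks like).
#    Delays are in milliseconds; the failure counter resets after one day.
sc.exe failure $svc reset= 86400 actions= restart/5000/restart/5000/restart/60000
sc.exe qfailure $svc

# 4. Detection: unexpected terminations are logged by the SCM in the
#    System log (7034 = terminated unexpectedly, 7031 = recovery action taken).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($svc) } |
    Select-Object TimeCreated, Id, Message
```

The event messages carry the service's display name, so match on that in step 4 if it differs from the service name.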

 

by: abel, posted on 2009-08-11 at 03:39:48, ID: 25067557

Wow, that was a full six months back! And the question was urgent, ah well.

Suggestion: http:#24525372 as answer (contains hook TerminateProcess) and http:#24526323 as assist (contains suggestion on user rights and policies). Both are mine, but no other experts provided actual answers imo.

-- Abel --
