Need a single-process solution to prevent a normal user from terminating my process via Task Manager, preferably by removing security rights from it.  Admins are ok.  WinXP solution needed.

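Last Modified: 2013-12-04

// Empty ACL: it contains no ACEs, so it grants access to no one.
ACL acl;
BOOL B = InitializeAcl(&acl, sizeof acl, ACL_REVISION);
// Apply it to this process as a protected DACL (no inherited ACEs).
int Xerr = SetSecurityInfo(GetCurrentProcess(), SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, 0, 0, &acl, 0);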

This is my existing code and it works properly on Windows 2000.  But on Windows XP, SetSecurityInfo() returns 0 (success) but the user can still terminate the process from task manager.

Having two processes keeping each other alive, or having one process launch another, is not an option.  The tool is run on logon-script from a network share and without this process running, the company-wide internet filtering will deny all access to this user.  The idea here is to keep curious users from terminating the unknown process and generating helpdesk calls.

Why is this not working on Windows XP and what is a good solution?  I understand what DACLs do but using the SDK functions together to get what I want is more complex and maybe I'm not doing it right.
- Max

Commented:
As far as I can tell the

DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION

part only prevents the process from inheriting access control entries, but the user is still the owner of the process and can thus terminate it. Maybe this behaviour is different from Windows 2000. All I know from SetSecurityInfo is from here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/setsecurityinfo.asp

Can you set the owner to S-1-5-32-544 (Administrators SID) so users are not the owner of the process anymore?
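
The owner change suggested above, combined with a DACL that keeps Administrators in control, could look like the following; this is an added example, not code posted by anyone in this thread. The function name, the extra LocalSystem entry and the non-Windows stub are assumptions made for illustration. It also assumes the process token is allowed to assign Administrators as owner (membership in that group, or SeRestorePrivilege); otherwise the second call returns ERROR_INVALID_OWNER and only the DACL is applied.

```c
/* Added example, not the asker's code. Windows-only; elsewhere a stub. */
#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>

/* Returns a Win32 error code: 0 on success, or ERROR_INVALID_OWNER (1307)
   when the DACL was applied but the token may not assign the new owner. */
unsigned long ProtectCurrentProcess(void)
{
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    PSID admins = NULL, localSystem = NULL;
    DWORD aclBuf[64];                 /* DWORD-aligned storage for the ACL */
    PACL dacl = (PACL)aclBuf;
    HANDLE self = GetCurrentProcess();
    DWORD err;

    /* S-1-5-32-544 (Administrators) and S-1-5-18 (LocalSystem, an assumption). */
    if (!AllocateAndInitializeSid(&nt, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &admins) ||
        !AllocateAndInitializeSid(&nt, 1, SECURITY_LOCAL_SYSTEM_RID,
                                  0, 0, 0, 0, 0, 0, 0, &localSystem) ||
        !InitializeAcl(dacl, sizeof aclBuf, ACL_REVISION) ||
        !AddAccessAllowedAce(dacl, ACL_REVISION, PROCESS_ALL_ACCESS, admins) ||
        !AddAccessAllowedAce(dacl, ACL_REVISION, PROCESS_ALL_ACCESS, localSystem)) {
        err = GetLastError();
        goto done;
    }
    /* Step 1: protected DACL with no ACE for ordinary users. */
    err = SetSecurityInfo(self, SE_KERNEL_OBJECT,
                          DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
                          NULL, NULL, dacl, NULL);
    /* Step 2: hand ownership to Administrators, so the user no longer holds
       the owner's implicit right to rewrite the DACL. */
    if (err == ERROR_SUCCESS)
        err = SetSecurityInfo(self, SE_KERNEL_OBJECT, OWNER_SECURITY_INFORMATION,
                              admins, NULL, NULL, NULL);
done:
    if (admins) FreeSid(admins);
    if (localSystem) FreeSid(localSystem);
    return err;
}
#else
/* Non-Windows build: nothing to do, report ERROR_NOT_SUPPORTED (50). */
unsigned long ProtectCurrentProcess(void) { return 50UL; }
#endif
```

Check the return value at startup and log it: a result of 1307 means the DACL is in place but the user still owns the process.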


Author

Commented:
Generally speaking, when giving answers, it would be nice if examples on how to do it (properly) were included.  But this general answer was enough for me to solve the problem with a fair amount of research to figure out how to change the owner.

Thanks for the help.

Commented:
I'm not a programmer ;-)