
Lock process in windows from kill / uninstall

optimaltest asked:
Hello,

We have an application that must run in a production environment.
We need to prevent this application from being killed or uninstalled, even by users with admin access.
For uninstall, we need to prevent it using password protection, and block the user from killing the process.

We also have a service, and we need to prevent users with admin access from stopping it.

I found several antivirus applications that do that; how can I do that?

OS is Windows (can be XP, Windows 7, etc.)

For a proof of concept, download Process Explorer. Run this program and the application you wish to protect. Once you've located your process in Process Explorer, right-click and select Properties, click the Security tab, then Permissions, then Advanced.

From here you may remove all entries with the exception of SYSTEM.  If you prefer you may explicitly deny all rights to the relevant users and groups.

Additionally, modify the ACL for all program files to only permit execute and read access.  The uninstall executable rights can deny all permissions.

Other than this you'd need to develop a "policy enforcement" resident helper application. Without it, any administrator aware of these various ACLs could take ownership and/or remove the restrictions by the same method.

Author commented:
Thanks,
I need to run that on ~30 machines, so doing it with Process Explorer is a problem.
Also, I need this setting to remain in place after rebooting the machine.

What do you mean by developing a "policy enforcement" resident helper application?
...Of course there are programming methods available; you may want to post this question in that area.
A companion program written to monitor various security aspects... like ensuring your app is always running, isn't suspended, verifies file and process ACLs are correct, locks files, etc. With such an application, an administrator taking ownership of files and attempting to change permissions would be blocked in the process (a response could be incorporated, such as auto-locking the machine, sending an alert to the admin, etc.)

This would have to be programmed by a developer.

Author commented:
Can you please explain more?
I would like to instruct our dev team.
Sure,

Thread security and access rights:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686769%28v=VS.85%29.aspx

Advapi32.dll is key here.

You can use the GetSecurityInfo and SetSecurityInfo functions, for example, with the following types of objects:
    Local or remote files or directories on an NTFS
    Named pipes
    Local or remote printers
    Local or remote Windows services
    Network shares
    Registry keys
    Semaphores, events, mutexes, and waitable timers
    Processes, threads, jobs, and file-mapping objects
    Window stations and desktops
    Directory service objects

If your application is written in-house then your dev dept could implement this within itself; otherwise a helper app is required which protects itself and modifies the relevant permissions (primarily thread) of the 3rd party app you're protecting.

Another possible layer of security would be protecting the rshx32.dll, which is the "Security Tab" of any given file.  Deny rights here to prevent global permission changes.
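
An added example, not part of the original thread and not code from any participant: a sketch of the "verifies ACLs are correct" check a helper application could run against a service's security descriptor. It assumes the SDDL text printed by `sc sdshow <service>`, simple two-letter rights (no hex masks or conditional ACEs), and two constructed sample descriptors; the function names are hypothetical.

```python
import re

# Two-letter SDDL rights as they apply to a Windows service object.
SERVICE_RIGHTS = {
    "CC": "query config", "DC": "change config", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read DACL", "WD": "write DACL", "WO": "take ownership",
}
# Rights that let a trustee stop or remove the service, or undo the lock-down.
RISKY = ("WP", "DC", "SD", "WD", "WO")


def parse_dacl(sddl):
    """Return the DACL as an ordered list of (ace_type, rights, trustee)."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if match is None:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        aces.append((fields[0], re.findall("..", fields[2]), fields[5]))
    return aces


def risky_grants(sddl, trustee):
    """Risky rights the DACL grants `trustee`, honouring ACE order."""
    decided = {}
    for ace_type, rights, sid in parse_dacl(sddl):
        if sid != trustee or ace_type not in ("A", "D"):
            continue
        if "GA" in rights:  # generic-all covers every service right
            rights = list(SERVICE_RIGHTS)
        for right in rights:
            decided.setdefault(right, ace_type == "A")  # first matching ACE wins
    return [r for r in RISKY if decided.get(r)]


# Constructed samples in the format printed by `sc sdshow <service>`.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED_SDDL = ("D:(D;;WPDCSD;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)")

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("hardened", HARDENED_SDDL)):
        found = risky_grants(sddl, "BA")
        print(name, "->", [f"{r} ({SERVICE_RIGHTS[r]})" for r in found] or "none")
```

In the hardened sample the deny ACE removes stop, change-config and delete for Administrators (`BA`), but `WD` and `WO` are still reported, which is the gap described earlier in the thread: an administrator who can rewrite the DACL or take ownership can undo the restriction.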