"Protecting" Your Process with RtlSetProcessIsCritical

6 Nov 2009 | CPOL | 3 min read
Escalating a process to system critical status using a Win32 kernel function

Introduction

RtlSetProcessIsCritical is yet another undocumented function hidden in the Windows kernel. It is one of the few which do not have a kernel32 equivalent. However, Microsoft has a good reason to not document this function - it should not be used in any application for any purpose whatsoever. I simply cannot imagine a circumstance where this function would actually come in useful. Thus:

Disclaimer: I am not responsible for any side-effects of calling this function on your computer. It may cause extreme system instability. The example is only presented as "proof-of-concept".

Background

What RtlSetProcessIsCritical does is mark your process as system critical. This means the process is now "critical" to the running of Windows, so when your process terminates, Windows itself goes down with it. When a system critical process ends, the stop code is CRITICAL_PROCESS_DIED (0xEF) if the process exited, and CRITICAL_OBJECT_TERMINATION (0xF4) if it was terminated abnormally. Although this can, technically, be used to "protect" a process against people terminating it, I recommend you find other methods of doing so: if a user terminates a critical process by accident, or the process crashes while it is critical, the system crashes instantly as well. This would be highly annoying to users.

This type of behavior can also be seen in processes such as winlogon.exe, csrss.exe, services.exe, smss.exe, and lsass.exe. All of these processes are known to call RtlSetProcessIsCritical.

Whether a process is critical can be queried by calling NtQueryInformationProcess (also exported as ZwQueryInformationProcess) with the information class ProcessBreakOnTermination (0x1D). Also, RtlSetProcessIsCritical is only exported by NTDLL versions 5.1 and higher.

Using the Code

The function definition for RtlSetProcessIsCritical is as follows:

C++
NTSTATUS
RtlSetProcessIsCritical (
    BOOLEAN bNew,       // new setting for the process
    BOOLEAN *pbOld,     // receives the old setting (may be NULL)
    BOOLEAN bNeedScb);  // need system critical breaks

This means that calling RtlSetProcessIsCritical(TRUE, NULL, FALSE) makes the process critical, while a later call to RtlSetProcessIsCritical(FALSE, NULL, FALSE) returns it to normal. While critical status is set, termination of the process in any way will usually cause either a BSOD (if the system is configured to display one) or an immediate reboot.

Obtaining this function from ntdll.dll is simple. First, we define a prototype of the function:

C++
typedef long ( WINAPI *RtlSetProcessIsCritical ) (   // NTSTATUS is a 32-bit long
        IN  BOOLEAN  bNew,
        OUT BOOLEAN *pbOld,
        IN  BOOLEAN  bNeedScb );

Then, we obtain a module handle to NTDLL.DLL and look the export up with GetProcAddress:

C++
// ntdll.dll is already mapped into every Win32 process, so GetModuleHandle is
// enough; LoadLibrary also works but adds a reference that is never released.
HMODULE ntdll = GetModuleHandleA("ntdll.dll");
RtlSetProcessIsCritical SetCriticalProcess = NULL;

if (ntdll != NULL)
    SetCriticalProcess = (RtlSetProcessIsCritical)
        GetProcAddress(ntdll, "RtlSetProcessIsCritical");
// SetCriticalProcess stays NULL if the export is missing (NTDLL older than 5.1).

After this, we can simply call SetCriticalProcess with the appropriate parameters.

A more detailed and commented example is in the Example.zip download.

Note: Setting critical status requires SeDebugPrivilege (SE_DEBUG_NAME) to be enabled in the calling process's token. This can easily be done with AdjustTokenPrivileges, and an example of this can be seen in the example source code.
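As an added example (not code from the article or its Example.zip), the following PowerShell script turns two facts from this article, the ProcessBreakOnTermination query class described under Background and the SeDebugPrivilege requirement in the note above, into a defender's inventory check: it lists every running process that currently has the critical flag set, so an unexpected entry stands out next to the system processes the article names. It assumes an elevated prompt and uses .NET's Process.EnterDebugMode() instead of a hand-rolled AdjustTokenPrivileges call.

```powershell
# Added example, not from the article: list running processes whose
# ProcessBreakOnTermination flag (information class 0x1D) is set, i.e. processes
# that a call such as RtlSetProcessIsCritical(TRUE, NULL, FALSE) has made critical.
Add-Type -Namespace CriticalCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr h, int infoClass,
    out uint info, int infoLength, IntPtr returnLength);
'@

$ProcessBreakOnTermination = 0x1D      # information class named in the article
$PROCESS_QUERY_INFORMATION = 0x0400    # access right needed for this query

# SeDebugPrivilege (SE_DEBUG_NAME) is required to open smss.exe, csrss.exe and
# friends. Process.EnterDebugMode() enables it on the current token through
# AdjustTokenPrivileges, the same privilege the article's note describes.
[System.Diagnostics.Process]::EnterDebugMode()

function Get-CriticalProcess {
    foreach ($p in Get-Process) {
        $h = [CriticalCheck.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }     # access denied (e.g. protected process)
        $flag = [uint32]0
        $status = [CriticalCheck.Native]::NtQueryInformationProcess(
            $h, $ProcessBreakOnTermination, [ref]$flag, 4, [IntPtr]::Zero)
        [void][CriticalCheck.Native]::CloseHandle($h)
        if ($status -eq 0 -and $flag -ne 0) {       # STATUS_SUCCESS and flag set
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName }
        }
    }
}

# On a clean system the output should be limited to the processes the article
# lists (smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe); any other
# process holding the flag is worth investigating.
Get-CriticalProcess | Format-Table -AutoSize
```

Processes that cannot be opened even with SeDebugPrivilege (protected processes) are skipped rather than reported, so an empty result for them means "unknown", not "not critical".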

Points of Interest

I'm not sure about other compilers, but on my rather old MSVC++ 6.0 compiler, I get an error stating "The value of ESP was not properly saved across a function call...", and the program also crashes before exiting under the default Release mode. If you change the optimizations to Disable (Debug), these problems go away. I'm guessing some of VC++ 6.0's optimizations don't work properly.

History

I probably won't be updating this, unless there is a critical flaw anywhere in the code.

  • v1.0 - October 30th, 2009

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Canada
Just another programmer trying to make the world a better place.

Comments and Discussions

[General] My vote of 5 (henry1lee, 7-Sep-22 0:29)
[General] My vote of 1 (Member-9490168, 10-Oct-13 13:00)
[Question] this code can't work under windows 7, the current process can be killed by task management (cl6066, 11-Aug-13 17:06)
[Answer] Re: this code can't work under windows 7, the current process can be killed by task management (Member 11678807, 10-May-15 2:40)
[General] Re: this code can't work under windows 7, the current process can be killed by task management (SandPox, 23-Aug-15 17:49)
[Answer] Amazing Trick (EasyByTe, 14-Feb-13 0:27)
[Question] BSOD >.< (lord4ev3r, 8-Feb-13 5:08)
[Question] Any other state that protects the process other than "critical"? (jlkdaslkfjd, 11-Sep-10 23:48)
[Answer] Re: Any other state that protects the process other than "critical"? (hxhl95, 12-Sep-10 9:24)
[General] is it possible to export =>dotnet function (gillardg, 10-Jun-10 0:15)
[General] The value of ESP was not properly saved across a function call... (Shao Voon Wong, 1-Nov-09 2:33)
[General] Re: The value of ESP was not properly saved across a function call... (hxhl95, 1-Nov-09 7:17)
[Answer] Re: The value of ESP was not properly saved across a function call... (GreMiGen, 5-Oct-10 22:12)
[General] Just to highlight your point... (PeterMoon, 31-Oct-09 2:52)
[General] thnx (Bartosz Wójcik, 31-Oct-09 0:39)
great finding, I just hope new malware won't use it too often ;)
[General] Re: thnx (Mauro Leggieri, 31-Oct-09 12:47)