How to prevent a process from being killed in task manager?

Question

2.33/5 (3 votes)

See more:

We are trying to create a security application as a part of our college project.

We understand there is are no real unkillable processes. What we are trying to create is a process that can't be killed from task manager (or any other easy way).

For example, try killing Kaspersky's AVP process. You will always end up with "Unable to terminate process" and "Operation could not be performed".

What I have tried:

Been searching around the web for days and always kept ending at results like "No, you cannot do it", "No, you should not do it"

And keep on ending up here Unterminable process

What we would like

Some help on identifying the issues we need to address, or tricks others have used, or links or pointers to help us get a handle on this problem.

Posted 29-Jun-17 19:50pm

T.s. Arun

Updated 10-Nov-21 8:31am

Chris Maunder772.8K

v2

Add a Solution

Comments

Afzaal Ahmad Zeeshan 30-Jun-17 5:05am

You cannot do that. Why would you even want to do that?

If you want Windows to automatically start the process, why not consider Windows Services?

T.s. Arun 4-Jul-17 1:42am

planning on developing a security suite. what good would it be worth, if it is going to killed easily by any rookie malware out there?

2 solutions

Solution 2

You can do that in 5 ways.

1. have a signed kernel driver and run your process as protected through it. (the most recommended)

2. use RtlSetProcessIsCritical Function in ntdll.dll to flag your process as a critical system process.

3. Make 2 processes if the other terminates the another one starts it.

4. Use System Exploits to gain Kernel Privilges or to load an unsigned kernel driver.

5. this technique which i will tell you are being used by usermode rootkits which hooks functions in task manager (some other rootkits hooks all processes that it can hook) and the function that they hook are TerminateProcess to return ERROR_ACCESS_DENIED if it tried to terminate your process or if it wasn't your process then you will continue with termination normally, and i don't recommend this technique cause a lot of AV's will flag you as a rootkit.

Posted 10-Nov-21 8:31am

guafa a

Updated 10-Nov-21 8:34am

v3

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

**`Randor`** · Accepted Answer · 2017-07-01T09:43:00

Solution 1

Hi,

You can absolutely do this but it is a lot of work and will require a very high level of expertise.

1.) You will need to create a signed ELAM driver[^]. You can put your workstation in Test Mode[^] and generate a self-signed EKU certificate.

2.) You will need to create a system service that runs as a protected service[^].

3.) From the protected system service you may launch child processes which will run as a protected process. Note that protected processes cannot have any GUI threads.

All of the DLL's and executables involved need to be signed by the same certificate. You will need to generate special certificates with the 1.3.6.1.5.5.7.3.3 (codesigning) and 1.3.6.1.4.1.311.61.4.1 (early-launch) EKUs.

Something like this:

makecert.exe -a SHA256 -r -pe -ss YourCertStore -n "CN=YourTestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 -sr localmachine YourTestElam.cer

Good luck. There are a lot of missing steps in this brief summary.

Best Wishes,
-David Delaune

Posted 1-Jul-17 9:43am

Randor

Updated 1-Jul-17 9:45am

v2

Comments

T.s. Arun 4-Jul-17 1:45am

But windows protected service are up from windows 8.1. But we are primarily developing for XP and Vista. Read something about its backward compatibility with vista. But what about XP?

[no name] 4-Jul-17 9:38am

First: There are two ways to kill a process on Microsoft Windows.

1.) Nicely with a WM_CLOSE message.
2.) Forcefully with a TerminateProcess which kills and destroys the process potentially leaving much of the processes handles and objects remaining in the kernel. In other words this one can cause a resource leak.

To handle the NICE method: For Windows XP you simply need to handle/intercept the WM_CLOSE window message in a GUI app or the CTRL_CLOSE_EVENT on a console application to prevent 'End Task' from the Windows XP Task manager.

Task manager on Windows XP calls the EndTask function to kill a process.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms633492(v=vs.85).aspx

The forceful method to kill a process: To prevent your process from the forced termination on Windows XP you can hook NtTerminateProcess from a kernel-mode device driver and filter by process id (PID).

You are encouraged to not do these things... the method I gave in my original answer is how anti-virus and security products protect their usermode process. My original answer is the only Microsoft sanctioned method for protecting a process from usermode termination.

Best Wishes,
-David Delaune

T.s. Arun 6-Jul-17 6:34am

Sorry for my ignorance.
Are you suggesting as to develop different product implementation for different OS?

It is legit to go with Windows Protected Service. But what shall we do about XP computers?
And Does windows protected service even compatible with Windows 7 and Vistas?

Should we develop a separate EXE for XP that hooks itself with NtTerminateProcess?

[no name] 6-Jul-17 17:21pm

There is no such thing as a stupid question. Everyone has to start somewhere.

Yes, if you plan on supporting outdated operating systems such as Windows XP and a modern OS then you will most likely need to implement multiple techniques.

I believe protected processes are only supported on Vista and above. There are additional requirements for Windows 10... it's a moving target.

In the old XP days it was common for nearly all commercial security vendors to implement SSDT hook of NtTerminateProcess and NtCreateProcess via device driver to both protect the anti-malware process and filter process creation/termination. Today these techniques are frowned upon and completely unsupported. You cannot do this on Vista+ operating systems due to KPP/PatchGuard.

Again, the only Microsoft sanctioned technique for protecting a process is the Microsoft ELAM program outlined in my solution above.

T.s. Arun 7-Jul-17 2:05am

Thank you for your patience.

Since Microsoft has dropped its support for Windows XP, I understand that's why they are not extending Protected Service to XP.

Can you elaborate a bit about how to register one product as windows protected service? Is it only available for anti - malwares? How about a security suite that provides USB management, Data Protection and similar stuffs? Does Windows protected service can be extended to Security suites like that?

[no name] 7-Jul-17 8:31am

You should refer to the Microsoft documentation for Early Launch Anti-Malware and have a look at the code sample:

https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam

The instructions for installing as a system service is there.

I do not have an answer for the second part of your question; You are asking me to define what 'Anti-Malware' covers.

Keep in mind that there is a difference between 'University Research Projects' and commercial product development. If your team intends to release a commercial product there are many prerequisites:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-prerequisites

Best Wishes,
-David Delaune

[no name] 6-Jul-17 20:21pm

An interesting and useful answer about something new to me. As for the voting??