Prevent user process from being killed with "End Process" from Process Explorer


Problem description

I noticed that GoogleToolbarNotifier.exe cannot be killed from Process Explorer. It returns "Access Denied". It runs as the user, it runs "Normal" priority, and it runs from Program Files.

How do they do that?

I think there might be a way to modify the ACL, or mark the process as 'critical', but I cannot seem to locate anything.

Update:

I found the answer with a good bit of digging. @Alex K. was correct in that PROCESS_TERMINATE permission was removed for the process, but I wanted to supply the answer in code:

#include <windows.h>
#include <aclapi.h>
#include <tchar.h>

// Adds a deny ACE for the current user to the DACL of the process's own object,
// so a later OpenProcess(PROCESS_TERMINATE, ...) by that user is refused.
static bool ProtectProcess()
{
    HANDLE hProcess = GetCurrentProcess();   // pseudo-handle; CloseHandle on it is a no-op
    EXPLICIT_ACCESS denyAccess = {0};
    DWORD dwAccessPermissions = GENERIC_WRITE|PROCESS_ALL_ACCESS|WRITE_DAC|DELETE|WRITE_OWNER|READ_CONTROL;
    // "CURRENT_USER" is a well-known trustee name accepted by BuildExplicitAccessWithName
    BuildExplicitAccessWithName( &denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE );
    PACL pTempDacl = NULL;
    DWORD dwErr = SetEntriesInAcl( 1, &denyAccess, NULL, &pTempDacl );
    if ( dwErr != ERROR_SUCCESS )
        return false;   // never continue with pTempDacl == NULL: a NULL DACL grants everyone full access
    // Replace the DACL on the process object itself (SE_KERNEL_OBJECT).
    dwErr = SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL );
    LocalFree( pTempDacl );
    CloseHandle( hProcess );
    return dwErr == ERROR_SUCCESS;
}


Recommended answer

Presumably they call SetKernelObjectSecurity (http://msdn.microsoft.com/en-us/library/aa379578%28v=vs.85%29.aspx) to change/remove the ACLs when their process loads.
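The answer names the mechanism; as an added check that is not from the question or the answer, here is a PowerShell script that reads a process's DACL through GetKernelObjectSecurity and reports deny ACEs whose mask covers PROCESS_TERMINATE (0x1), which is the self-protection GoogleToolbarNotifier.exe exhibits. The ProcSec class and the Get-ProcessTerminateDenies function are names I chose; the Win32 and .NET calls are the documented ones.

```powershell
# Added example: list processes whose DACL carries a deny ACE covering PROCESS_TERMINATE.
$procSecSig = @'
using System;
using System.Runtime.InteropServices;
public static class ProcSec {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetKernelObjectSecurity(IntPtr handle, uint requested, byte[] sd, uint length, out uint needed);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $procSecSig

function Get-ProcessTerminateDenies {
    param([Parameter(Mandatory)][int]$ProcessId)
    $READ_CONTROL              = 0x00020000   # enough to read the DACL
    $DACL_SECURITY_INFORMATION = 0x00000004
    $PROCESS_TERMINATE         = 0x00000001   # the right "End Process" needs

    $h = [ProcSec]::OpenProcess($READ_CONTROL, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed with Win32 error $err (5 = access denied, itself a hint the DACL was tightened)"
    }
    try {
        # First call sizes the buffer; second call fills it with a self-relative security descriptor.
        $needed = [uint32]0
        [void][ProcSec]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
        $buf = New-Object byte[] $needed
        if (-not [ProcSec]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
            throw "GetKernelObjectSecurity($ProcessId) failed with Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -is [System.Security.AccessControl.KnownAce] -and
                $ace.AceType -eq 'AccessDenied' -and
                ($ace.AccessMask -band $PROCESS_TERMINATE)) {
                try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $who = $ace.SecurityIdentifier.Value }
                [pscustomobject]@{ ProcessId = $ProcessId; DeniedTo = $who; AccessMask = ('0x{0:X8}' -f $ace.AccessMask) }
            }
        }
    } finally {
        [void][ProcSec]::CloseHandle($h)
    }
}

# Walk every process the current account can open; unopenable ones are reported as warnings.
Get-Process | ForEach-Object {
    try { Get-ProcessTerminateDenies -ProcessId $_.Id } catch { Write-Warning $_.Exception.Message }
}
```

Because the DACL in the question also denies READ_CONTROL to the current user, a process protected that way makes OpenProcess itself fail with access denied when run from the same account, which the script surfaces as a warning. An administrator who enables SeDebugPrivilege is granted the handle regardless of the DACL, so a deny ACE of this kind only keeps out unprivileged callers.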
