Unkillable process

Hi,

I have a Windows service which needs to be run from system start to shutdown.
If it crashes, it needs to restart. If the user (or admin) tries to close
(terminate) it, it shouldn’t be possible. I have seen this behavior in
some antivirus (eg. Kaspersky) software. Can this be achieved using some
kernel mechanism?

Thanks,
Lloyd

Well, I am already holding my breath in anticipation of an “exciting” thread…

Anton Bassov

It’s a bad idea, for all kinds of reasons.

I was once asked for something similar; it was a salesman’s attempt to solve a problem for a customer which didn’t need to be solved that way, so I didn’t.

Please share the use case that this requirement is an attempt to address.

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Lloyd
Sent: 22 May 2015 11:40
To: Windows System Software Devs Interest List
Subject: [ntdev] Unkillable process

Hi,

I have a Windows service which needs to be run from system start to shutdown. If it crashes, it needs to restart. If the user (or admin) tries to close (terminate) it, it shouldn’t be possible. I have seen this behavior in some antivirus (eg. Kaspersky) software. Can this be achieved using some kernel mechanism?

Thanks,
Lloyd

There are literally tens of questions like this asked here. Why did you not
search first? This thread will be a mess.
Use Ob callbacks and clear the process delete access mask whenever someone
requests it, but that does not mean anything, it is still killable by other
means.
Please research before asking.
Good luck in your endeavors.
On May 22, 2015 16:41, “David Boyce” wrote:

> It’s a bad idea, for all kinds of reasons.
>
>
>
> I was once asked for something similar; it was a salesman’s attempt to
> solve a problem for a customer which didn’t need to be solved that way, so
> I didn’t.
>
>
>
> Please share the use case in which this requirement is an attempt to
> address.

Windows will automatically restart a service if it crashed (or is killed), if configured to do so. See “Recovery” tab in the service properties.

More so, it can even run some EXE before service restart.

wrote in message news:xxxxx@ntdev…
> Windows will automatically restart a service if it crashed (or is killed), if configured to do so. See “Recovery” tab in the service properties.
>

This is suitable for antimalware stuff too. To nothing else.

In any other branch of industry, users/admins will HATE the unkillable stuff and will press your Tech Supp a lot about this, so sooner or later your management will tell to get rid of the misfeature.

For antimalware: at least provide your own (not Windows standard) means, using your own UI, to stop the service.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

This is really a pain point. Any security product worth its salt does have the feature. Many moons ago, in the 2001/2 time frame, I had to deal with this. Unfortunately no known methods were available that would please any and all users. So, I guess, we had to take the undocumented steps to make sure a service cannot be killed. And when multiple vendors go after it, the situation becomes ugly.

Not sure if there is any filtering mechanism that can be used to route Create/Terminate Process. That would be perfect, and of course any user should have opt-out options (with admin privilege).

-Pro

On May 22, 2015, at 12:32 PM, Maxim S. Shatskih wrote:

> This is suitable for antimalware stuff too. To nothing else.
>
> In any other branch of industry, users/admins will HATE the unkillable stuff and will press your Tech Supp a lot about this, so sooner or later your management will tell to get rid of the misfeature.
>
> For antimalware: at least provide your own (not Windows standard) means, using your own UI, to stop the service.
>
> –
> Maxim S. Shatskih
> Microsoft MVP on File System And Storage
> xxxxx@storagecraft.com
> http://www.storagecraft.com

For an unkillable process, require that the users don’t have Administrator privileges.

If your users have Administrator privileges, you might as well hire Ed Snowden as your domain administrator.

> require that the users don’t have Administrator privileges.

Believe me or not, but when I saw your name in context of this thread I was 99+% sure that you had not missed your chance to repeat your favorite mantra. One does not really need to be a psychic/clairvoyant/etc in order to make a prediction like that, don’t you think…

> you might as well hire Ed Snowden as your domain administrator.

Let’s see what our “World Politics enthusiast” says to this…

Anton Bassov

>had not missed your chance to repeat your favorite mantra.

Is it wrong?

Some of the comments thrown at it are completely wrong!
Personal choices are different, but if someone does not show any perspective (or context) and preaches a line, it is bad taste. Nothing else.
My request - (1) If someone knows for sure that the question has no basis, completely absurd or whatever, put real context. Just that product gives a headache so the idea is completely wrong is not quite digestible by some others! (2) If someone does not have any context, there is no need to answer these questions.
Pro

Date: Sat, 23 May 2015 11:39:47 -0400
From: xxxxx@broadcom.com
To: xxxxx@lists.osr.com
Subject: RE:[ntdev] Unkillable process

>had not missed your chance to repeat your favorite mantra.

Is it wrong?


>>had not missed your chance to repeat your favorite mantra.

> Is it wrong?

Well, it is not the question of being “right” or “wrong” - instead, it is the question of being relevant in a given context. In context of this discussion your mantra is simply irrelevant…

Anton Bassov

For context, please see the discussions ad nauseum (sp?) about this exact same topic at least a dozen times over the past few years. This question comes up so often it should just be answered with “Standard dialog #5” and leave it to the OP to do some homework and search the archives.

Asked and answered (repeatedly). Next…
Greg

xxxxx@outlook.com wrote:

From: Sinha Prokash
To: “Windows System Software Devs Interest List”
Subject: RE: [ntdev] Unkillable process
Date: Sat, 23 May 2015 11:13:50 -0500

Some of the comments thrown at it are completely wrong!
Personal choices are different, but if someone does not show any perspective (or context) and preaches a line, it is bad taste. Nothing else.
My request - (1) If someone knows for sure that the question has no basis, completely absurd or whatever, put real context. Just that product gives a headache so the idea is completely wrong is not quite digestible by some others! (2) If someone does not have any context, there is no need to answer these questions.
Pro


> For context, please see the discussions ad nauseum (sp?) about this exact same topic
> at least a dozen times over the past few years. This question comes up so often
> it should just be answered with “Standard dialog #5” and leave it to the OP to do
> some homework and search the archives.

Well, the above statement applies to I would say around 90% of questions that are asked
in this NG - practically everything that we discuss had been rehashed at least a few dozens of times anyway, so that we keep on going ruminating over the same stuff again and again and again.

Concerning Mr. Grig’s mantra about the users and admin privilege level, it happens to be a truly special case - I guess he had repeated it more times than Cato the Elder uttered his famous “Furthermore, I consider that Carthage must be destroyed” phrase…

Anton Bassov

>I have windows service which need to be run from system start to shutdown. If it crashes, it needs to restart.

See service recovery options.

> If the user (or admin) tries to close (terminate) it, it shouldn’t be possible.

An administrator can kill any process because the Administrator account has debug privilege by default. Live with it. If an administrator kills a service process, it will restart according to its recovery options.

You can set an ACL on a service to not allow an administrator to stop and/or disable it. An administrator can override the service ACL, though.

Protected processes exist (CreateProcess with CREATE_PROTECTED_PROCESS), but only Microsoft executables can run in them.
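
The service-ACL point in the last reply can be checked from the SDDL string that `sc sdshow <service>` prints. The following is an added example, not code from the thread: it parses the DACL and reports which trustees can still stop, disable or delete the service or rewrite its ACL. The sample SDDL strings are constructed, and each trustee is evaluated on its own (group membership is not resolved).

```python
import re

# Service meaning of SDDL right codes as printed by `sc sdshow <service>`.
SERVICE_RIGHTS = {
    "CC": "query_config", "DC": "change_config", "LC": "query_status",
    "SW": "enumerate_dependents", "RP": "start", "WP": "stop",
    "DT": "pause_continue", "LO": "interrogate", "CR": "user_defined_control",
    "SD": "delete", "RC": "read_control", "WD": "write_dac", "WO": "write_owner",
}
# Rights that let a trustee stop, disable or delete the service, or rewrite its ACL.
RISKY = {"stop", "change_config", "delete", "write_dac", "write_owner"}

def decode(rights):
    """Turn an ACE rights field (two-letter codes) into service right names."""
    names = set()
    for code in re.findall("..", rights):
        if code == "GA":                   # GENERIC_ALL covers every right above
            names |= set(SERVICE_RIGHTS.values())
        else:                              # unknown codes are kept, prefixed raw:
            names.add(SERVICE_RIGHTS.get(code, "raw:" + code))
    return names

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for allow/deny ACEs in the D: part."""
    m = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")
        if len(f) >= 6 and f[0] in ("A", "D"):
            aces.append((f[0], f[5], decode(f[2])))
    return aces

def risky_grants(sddl):
    """Per trustee, risky rights still allowed; the first ACE naming a right decides."""
    allowed, decided = {}, {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        new = rights - decided.setdefault(trustee, set())
        decided[trustee] |= new
        if ace_type == "A":
            allowed.setdefault(trustee, set()).update(new)
    return {t: sorted(r & RISKY) for t, r in allowed.items() if r & RISKY}

# Constructed samples: a typical default DACL, and one where Administrators (BA)
# lose stop and change_config but keep write_dac.
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
HARDENED = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPDTLOCRRCWD;;;BA)(A;;CCLCSWLOCRRC;;;IU)"

if __name__ == "__main__":
    print(risky_grants(DEFAULT), risky_grants(HARDENED))
```

In the hardened sample Administrators still hold `write_dac`, so they can put the stop right back; and even with `write_dac` removed, an account that can take ownership of the service regains control of the ACL.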