Delphi-PRAXiS

Delphi-PRAXiS (https://www.delphipraxis.net/forum.php)
-   Win32/Win64 API (native code) (https://www.delphipraxis.net/17-win32-win64-api-native-code/)
-   -   Anti End Task, not WM_Close? (https://www.delphipraxis.net/157176-anti-end-task-not-wm_close.html)

Luckie 1. Jan 2011 21:12

Re: Anti End Task, not WM_Close?
 
If I want to kill your application and you will not allow it, I just pull the plug after the administrator has removed your application from auto run. Or can you prevent the user from pulling the plug with your application?

Assarbad 1. Jan 2011 21:50

Re: Anti End Task, not WM_Close?
 
Man, just write a service if you need something the user cannot close. Even if the user closes the "client" part (e.g. a visible GUI), the service will continue to run. Let's assume for a second that you succeed in achieving your goal of an application that cannot be closed. No application is bug-free. Once the user encounters a bug and your application prevents the user from closing it, you'll have a bunch of angry users. Besides, with a hook such as the one you describe it's likely that you introduce more potential issues into the user's session ... i.e. affecting other processes as well.

I think you should elaborate on the problem you're trying to solve, because so far it indeed sounds iffy. So let's hear ... ;)

user 2. Jan 2011 08:54

Re: Anti End Task, not WM_Close?

I am making a security application for a policy. This app blocks unlisted/unwanted programs from running (Admin/Guest Account). I hook in ring3; right now I have not implemented my app as a service/ring0, it's just a normal GUI app. I use ESET on my PC; ESET's GUI can be killed easily, but ESET's service is a "self-restarting" service. But I have not yet implemented my app as a service. Making a service will consume more of my time; maybe I will work on it later. So I just want to ask: is there any simple way to block End Task for a GUI app?

Luckie 2. Jan 2011 11:57

Re: Anti End Task, not WM_Close?

It will be easier to implement a service than an application that cannot be killed. Plus it would be the way preferred by Microsoft, because that's why they introduced services. Hooks will strain the system. And if they are not properly implemented, the application may keep other applications from running properly.

rollstuhlfahrer 2. Jan 2011 19:24

Re: Anti End Task, not WM_Close?

So, why do the users need administrative privileges? - You don't need any administrative privileges if you just use the computer and don't administrate it.

On top of that, Windows comes with a Software Policy Kit which allows you to block unwanted programs by name and hash. Your program can't do it in a better way. Those policies even apply to administrative accounts, if wanted.

Bernhard

Assarbad 2. Jan 2011 19:41

Re: Anti End Task, not WM_Close?

Quote:

Quote from user (post 1071729)
I am making a security application for a policy. This app blocks unlisted/unwanted programs from running (Admin/Guest Account).

Well, in this case it's neither secure nor is it the right approach. Sorry to say ;)

Quote:

Quote from user (post 1071729)
I hook in ring3, right now I have not implemented my app as a service/ring0, it's just a normal GUI app.

Well, write a driver. If you can live with the prerequisites of Windows XP SP2 or Windows 2000 SP4+SRP+FltMgr and higher, you can easily use one of the mini-filter samples from the WDK. Mini-filters are rather easy to implement, compared with classic FSFDs.

Quote:

Quote from user (post 1071729)
I use ESET on my PC; ESET's GUI can be killed easily, but ESET's service is a "self-restarting" service.

Well, there is usually something like a failure action. But again, "self-restarting" and "invincible" processes suck!

Quote:

Quote from user (post 1071729)
So I just want to ask: is there any simple way to block End Task for a GUI app?

Nope.

Quote:

Quote from rollstuhlfahrer (post 1071836)
On top of that, Windows comes with a Software Policy Kit which allows you to block unwanted programs by name and hash. Your program can't do it in a better way. Those policies even apply to administrative accounts, if wanted.

This should be Vista or higher, though?! The old approach was pretty insecure and relied on particular means being used to execute a program. If a more subtle method was used one could circumvent the restriction. Done so myself as admin.

But otherwise I can recommend TrustNoExe, though it may not work on x64 or Vista and higher (due to signing policies).

Small note concerning TrustNoExe: the guy used an SSDT hook to see when images get loaded. Whenever something that was not allowed was about to be loaded, he'd exchange the section (aka MMF) handle with one of his own usermode executable. This way his executable could retrieve its "own" location (actually the one of the attempted execution) and display a nice message to the user. Simple but effective.
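
The "failure action" mentioned in the post above is the Service Control Manager's recovery setting. The following is an added example, not part of the original thread, showing how an administrator would configure and verify it with `sc.exe`; the service name `PolicyGuardSvc` is a hypothetical placeholder.

```powershell
# Added example: configure Service Control Manager recovery actions.
# 'PolicyGuardSvc' is a hypothetical service name; run from an elevated prompt.
param([string]$ServiceName = 'PolicyGuardSvc')

# Fail early if the service is not installed.
$null = Get-Service -Name $ServiceName -ErrorAction Stop

# Restart after 5 s on the first and second failure and after 60 s on every
# later one (the SCM repeats the last action); reset the failure counter after
# one day (86400 s) without failures.
# 'sc.exe' must be spelled out, because 'sc' is an alias for Set-Content in
# Windows PowerShell, and the space after 'reset=' and 'actions=' is required.
sc.exe failure $ServiceName reset= 86400 actions= restart/5000/restart/5000/restart/60000
if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned $LASTEXITCODE" }

# Also apply the actions when the service stops itself with a non-zero exit
# code, not only when the process dies without reporting SERVICE_STOPPED.
sc.exe failureflag $ServiceName 1
if ($LASTEXITCODE -ne 0) { throw "sc.exe failureflag returned $LASTEXITCODE" }

# Show what the SCM stored.
sc.exe qfailure $ServiceName
```

A regular stop requested through the SCM (for example `sc.exe stop` or services.msc) is not a failure, so these actions do not fire and an administrator keeps control of the service.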

rollstuhlfahrer 2. Jan 2011 19:44

Re: Anti End Task, not WM_Close?
 
Quote:

Quote from Assarbad (post 1071843)
Quote:

Quote from rollstuhlfahrer (post 1071836)
On top of that, Windows comes with a Software Policy Kit which allows you to block unwanted programs by name and hash. Your program can't do it in a better way. Those policies even apply to administrative accounts, if wanted.

This should be Vista or higher, though?! The old approach was pretty insecure and relied on particular means being used to execute a program. If a more subtle method was used one could circumvent the restriction. Done so myself as admin.

I just know that in Windows XP there was something like that. Tried it only once and I thought it worked. I never had the idea to circumvent the blocking policy.

Bernhard

Assarbad 2. Jan 2011 19:53

Re: Anti End Task, not WM_Close?
 
Quote:

Quote from rollstuhlfahrer (post 1071846)
I never had the idea to circumvent the blocking policy.

I know I know: I'm paranoid. But just because you're not paranoid doesn't mean they aren't after you ;)

As an admin I considered it my duty to make the machines luser-proof. However, for XP MS offered (until recently, I think it was withdrawn) something like a kiosk mode. I.e. you could lock down an XP quite thoroughly. Would have to ask in the forum whether someone still has a copy around. I don't even recall the name of the tool, but it got "advertised" on heise.de.

rollstuhlfahrer 2. Jan 2011 19:57

Re: Anti End Task, not WM_Close?
 
Quote:

Quote from Assarbad (post 1071850)
I know I know: I'm paranoid. But just because you're not paranoid doesn't mean they aren't after you ;)

Aren't we all a bit paranoid? - If you want security you have to test it, not just think it will work.

Quote:

Quote from Assarbad (post 1071850)
However, for XP MS offered (until recently, I think it was withdrawn) something like a kiosk mode. I.e. you could lock down an XP quite thoroughly. Would have to ask in the forum whether someone still has a copy around. I don't even recall the name of the tool, but it got "advertised" on heise.de.

Are you thinking of the "Shared Computer Toolkit"? - I have got a copy.

Bernhard

Assarbad 2. Jan 2011 20:03

Re: Anti End Task, not WM_Close?
 
Quote:

Quote from rollstuhlfahrer (post 1071856)
Are you thinking of the "Shared Computer Toolkit"? - I have got a copy.

That could well be it (new name seems to be SteadyState). I don't need it, but the OP might appreciate getting his hands on a copy. Let's see when he returns to this topic ;)


All times are WET +1. The time now is 12:36.