Anti End Task, not WM_Close?
 

To prevent WM_Close, I use

Try to click End Task with TaskManager, after several seconds, there will be an end task dialog then the app can be killed. How to prevent this? I just want to prevent End Task.

AW: Anti End Task, not WM_Close?
 

Call getsystemmetrics with SM_SHUTTINGDOWN and set CanClose to true in such a case.

BTW: Your app is not user friendly. However, in the end the user will always be able to close your application. It just takes a little more effort.

AW: Anti End Task, not WM_Close?
 

I'll try "getsystemmetrics with SM_SHUTTINGDOWN". Yeah I just want to prevent end task. I know there are many ways to kill an app. No I'm not making virus! :)


edited :
The code is right?

AW: Anti End Task, not WM_Close?
 

Can't be right. You don't set CanClose to true in any case. It has to be
Bernhard

AW: Anti End Task, not WM_Close?
 

Still not working. I also change the value of SM_SHUTTINGDOWN to 2000 (referenced from MSDN). I am using 7 32 bit.

AW: Anti End Task, not WM_Close?
 

And what's the use of it? If I want to end your application I just will call ProcessTerminate and that's it. Even a normal user cab do this. He just has to switch to the process panel of the taskmanager. Users ain't silly.

AW: Anti End Task, not WM_Close?
 

I already hook TerminateProcess.

AW: Anti End Task, not WM_Close?
 

Why hook ProcessTerminate? - You just need to hook OpenProcess.
But why do you do so? - Just create a process with Admin-Account and don't let the user get Admin-Rights and your process acts like it should, cause a Non-Admin can't terminate Processes from an Admin-Account. Or create a service.

Bernhard

AW: Anti End Task, not WM_Close?
 

Yes, hooking XxOpenProcess maybe better than hooking XxProcessTerminate. I'll implement that later. No, user can use my app in Admin-Account. My problem is user can kill my app from end task.

AW: Anti End Task, not WM_Close?
 

Why do you need a not-closable Application?

Bernhard

AW: Anti End Task, not WM_Close?
 

If I want to kill your application and you will not allow ist, I just pull the plug after the administrator has removed your application from auto run. Or can you prevent the user from pulling the plug with your application?

AW: Anti End Task, not WM_Close?
 

Man, just write a service if you need something the user cannot close. Even if the user closes the "client" part (e.g. a visible GUI), the service will continue to run. Let's assume for a second that you succeed in achieving your goal of an application that cannot be closed. No application is bug-free. Once the user encounters a bug and your application prevents the user from closing it, you'll have a bunch of angry users. Besides, with a hook such as the one you describe it's likely that you introduce more potential issues into the user's session ... i.e. affecting other processes as well.

I think you should elaborate on the problem you're trying to solve, because so far it indeed sounds iffy. So let's hear ... ;)

AW: Anti End Task, not WM_Close?
 

I am making a security application for a policy. This app block unlisted/unwanted program from running (Admin/Guest Account). I hook in ring3, right now I have not implemented my app as a service/ring0, it's just a normal GUI app. I use ESET in my pc, Eset's GUI can be killed easily but eset's service is "self restarting" service. But.. I have not implemented yet my app as service. Making a service will consume more my time, maybe later I will working on it. So I just want to ask, is there any simple way to block End Task for GUI app?

AW: Anti End Task, not WM_Close?
 

It will be easier to implement a service rather than a application that can not be killed. Plus it would be the preferred way by Microsoft because that's why they introduced services. Hooks will strain the system. And if they are not properly implemented the application may influence other applications from running properly.

AW: Anti End Task, not WM_Close?
 

So, why do the users need administrative privileges? - You don't need any administrative privileges if you just use the computer and don't administrate it.

On top of that, Windows comes with a Software Policy Kit which allows you to block unwanted Programs by name and Hash. Your program can't do it in an better way. Those policies even apply to administrative accounts, if wanted.

Bernhard

AW: Anti End Task, not WM_Close?
 

Well, in this case it's neither secure nor is it the right approach. Sorry to say :zwinker:

Well, write a driver. If you can live with the prerequisites of Windows XP SP2 or Windows 2000 SP4+SRP+FltMgr and higher, you can easily use one of the mini-filter samples from the WDK. Mini-filters are rather easy to implement, compared with classic FSFDs.

Well, there is usually something like a failure action. But again, "self-restarting" and "invincible" processes suck!

Nope.

This should be Vista or higher, though?! The old approach was pretty unsecure and relied on particular means being used to execute a program. If a more subtle method was used one could circumvent the restriction. Done so myself as admin.

But otherwise I can recommend TrustNoExe, though it may not work on x64 or Vista and higher (due to signing policies).

Small note concerning TrustNoExe: the guy used a SSDT hook to see when images get loaded. Whenever something that was not allowed was about to be loaded, he'd exchange the section (aka MMF) handle with one of his own usermode executable. This way his executable could retrieve its "own" location (actually the one of the attempted execution) and display a nice message to the user. Simple but effective.

AW: Anti End Task, not WM_Close?
 

I just know that in Windows XP there was something like that. Tried it only once and i thought it works. I never had the idea to circumvent the blocking-policy.

Bernhard

AW: Anti End Task, not WM_Close?
 

I know I know: I'm paranoid. But just because you're not paranoid doesn't mean they aren't after you :zwinker:

As an admin I considered it my duty to make the machines luser-proof. However, for XP MS offered (until recently, I think it was withdrawn) something like a kiosk mode. I.e. you could lock down an XP quite thoroughly. Would have to ask in the forum whether someone still has a copy around. I don't even recall the name of the tool, but it got "advertised" on heise.de.

AW: Anti End Task, not WM_Close?
 

Don't we all are a bit paranoid? - If you want security you have to test it, not just think it will work.

Do you think of the "Shared Computer Toolkit"? - I have got a copy.

Bernhard

AW: Anti End Task, not WM_Close?
 

That could well be it (new name seems to be SteadyState). I don't need it, but the OP might appreciate to get his hands on a copy. Let's see when he returns to this topic ;)

AW: Anti End Task, not WM_Close?
 

Hi,

do you mean this one:
http://www.microsoft.com/presspass/n...ToolkitFS.mspx

Bye,
Frederic

AW: Anti End Task, not WM_Close?
 

Yes, meant this one.

Bernhard

AW: Anti End Task, not WM_Close?
 

Policy from that place. I can't say any reason about this because I just make the program. I am not the boss :p

I guess by writing service, my problem easier to solve. Thanks for the mini-filter.

Ehmmm... no thanks :) , I can't use product from other.

That's the answers! :-D

I am still trying to block End Task, if I found the way, I'll post to this board :wink:

AW: Anti End Task, not WM_Close?
 

Then search for all ways how to terminate a process and block them. The easiest way to do so is to block OpenProcess for all matters (and to handle OnCloseQuery). To let Windows shutdown, Windows is issuing a broadcast message on WM_ENDSESSION. After this message (and the check, that this message came from Windows and not from anybody else issuing WM_ENDSESSION to your window) your program needs to be terminatable.

Bernhard

ADD: Which implies: If someone hooks GetSystemMetrics, and tells your program after issuing the WM_ENDSESSION-Message to your window, your process becomes terminateable even if Windows does not really shut down.

AW: Anti End Task, not WM_Close?
 

A mini-filter is going to make it even harder than some UM hooks, but if the users have admin privileges, nothing will keep them from circumventing any of those measures, given they have the necessary know-how.