I want to kill a process as Process Hacker does (it can kill NT Authority/SYSTEM processes and processes that requires an extra password to be killed).
I am not sure what kind of black magic it does, apparently it uses another kill function that neither "Task Manager" nor "Process Manager" uses, as they mention here: https://www.bleepingcomputer.com/forums/t/750256/process-hacker-2-vs-nt-authority/
I have tried to also use taskkill /IM <process.exe> /F from an Administrator cmd, https://superuser.com/questions/1457137/how-can-i-kill-a-process-like-process-hacker-does and also, from a NT Authority / SYSTEM cmd, with: PsExec64.exe -i -s cmd.exeand also launching a "Task Manager" with SYSTEM with PsExec64.exe -i -s taskmngr.exe
The only thing that works, is Terminating it with Process Hacker.
Now, the thing is, when I terminate it, the process restarts over and over, and I want to keep it dead.
How could I emulate that behavior ?
Regards!
In the Windows context it is essential to understand that just by simply being Administrator does not mean that you have all the privileges. Every different program launches ran as Administrator may run with slightly different variations on the privileges. These privileges can be easily spotted on Process Hacker in the tab Token. As an example , this are the differences between the Process Hacker.exe token and the Task Manager token:
As it is clearly visible, although they were both run as Administrator, they hold different privileges. In particular, I would like to point out the SeLoadDriverPrivilege which has already been used in the wild as a privilege escalation method:
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges
Basically, this privilege allows the user to load/unload drivers. Which translated to this context means that you will be able to run arbitrary code as NT/System which means that you will have full control over the system. As per the Process Hacker FAQ (https://wj32.org/processhacker/faq.php) this is how it is able to effectively kill those protected processes.
Related
I'm trying to run some dynamic analysis routines on Windows programs, using things like Intel Pin and DynamoRIO. I am running Windows 11. A problem I am having is when I use cmd.exe to launch an interactive application, control returns immediately to the interpreter after the application has been launched. This means those apps don't get analyzed properly.
For example, if I use DynamoRIO to instrument the File Explorer like this:
drrun.exe -t drcachesim -- explorer.exe
Then DynamoRIO returns immediately after explorer.exe is launched, and it doesn't actually instrument File Explorer when the user can interact with it.
I've had similar issues with Intel Pin. It seems the root issue is cmd.exe detaches from processes immediately after launching them. I am a complete novice Windows developer, so there is probably some mechanism I am unaware of that is causing this. I would be grateful or any insight or feedback here.
Two things to note here.
cmd.exe waits for console programs but not GUI programs. Use the start command to wait on GUI programs: start /wait notepad.exe.
Explorer.exe will often communicate with an existing instance of itself and then just exit. Exit Explorer and then use Task manager to kill all Explorer.exe instances and then run your command.
The goal is to be able to test run a PowerShell script non-interactively with as little ceremony as possible.
It purposely runs differently on the CI server than it does when I run it interactively and I'd like to debug it. Ideally I could test this without having to set up a scheduled task. A command line utility would be fantastic.
What's different between the CI server (TFS build, non-interactive) and my machine (running interactively) is the value of [Environment]::UserInteractive. When I type powershell -c [Environment]::UserInteractive at the command line, I get True as expected. The goal is to be able to type someutility powershell -c [Environment]::UserInteractive and have it print False, just like it would print running under TFS build.
I'm willing to write the someutility in C++ if someone can outline how this works. I'm researching but an hour hasn't yielded anything. Everyone is already running non-interactive or wants to launch interactive, and I'm in the exact reverse scenario. It seems that there should be a way to do this from a non-administrator command line since the launched process should have the same user permissions but be restricted to non-interactive.
So far, I can get this desired [Environment]::UserInteractive = false behavior using a scheduled task and picking "Run whether user is logged on or not." But it's a pain, and I can't see the non-interactive stdout which I know is possible because TFS build shows it live. Also, the scheduled task doesn't end when run non-interactively so it's hard to tell when it's done.
The reference code for UserInteractive can be found here. It sets the property to false if and only if the window station for the process does not have the WSF_VISIBLE flag set. So your utility should create a new window station and desktop (see CreateWindowStation and CreateDesktop) and launch the child process there.
(Only the default window station for any given session is interactive, so presumably manually created window stations will not have WSF_VISIBLE set by default. If this does not turn out to be the case, you should be able to use SetUserObjectInformation to toggle the flag.)
To choose the window station and desktop for a child process, specify it in the lpDesktop member of the STARTUPINFO structure in the call to CreateProcess.
Is it possible to get a C++ application running in Windows to request administrator privileges from the operating system at run time?
I know it can be done at compile time, but can't seem to find anywhere whether it can be done at run time.
Thanks for your help!
EDIT: What if I want the current instance to have elevated privileges? For example, I might have data stored in memory which I want to keep.
If you want the application to always elevate, you can give it a manifest, either by building one in (not compiling technically) or by putting an external manifest in the same folder as the exe. If you want to decide, as a person, to run it elevated, you right click the exe or short cut and choose Run As Administrator. If you are launching it from code, then as #vcsjones comments, you use the runas verb when you launch that process. For example:
ShellExecute( NULL,
"runas",
"c:\\windows\\notepad.exe",
" c:\\temp\\report.txt",
NULL, // default dir
SW_SHOWNORMAL
);
You can elevate a process only during its creation. When a process already runs, there's no way to change its security token: it either runs elevated or not.
If your application needs to perform an administrative task, and it usually runs non-elevated, you have to create another .exe which will request elevation with its manifest. To start a process elevated, you have to use ShellExecute or ShellExecuteEx function. From your main process you will need a way to pass the commands to that new process that will run elevated.
For more information about UAC, read Designing UAC Applications for Windows Vista series.
Not quite, but you can do the opposite—you can drop privileges if you already have them. So, you can have your program start out running as an Administrator, using one of the methods listed by Kate Gregory. Then, drop your unneeded privileges; see Dropping privileges in C++ on Windows for how to do that.
Add a manifest file into your EXE as described here.
http://msdn.microsoft.com/en-us/library/bb756929.aspx
Your process (and threads) have a token assinged to them. That token already have all your groups set up. Under UAC, the Administrator group is disabled. UAC will remove that disabled group so you end up with a full administrator token.
To acheive the same, you must have the TCB priviledge. In other words, to elevate a process at runtime, you will need help from a process running under the SYSTEM account, and Microsoft isn't providing one, nor an API to control the current UAC implementation. Otherwise, it would defeat the purpose.
For the sake of completness, there is a whitelist of process that can perform some elevated operations without prompting. In short, your executable needs :
To be signed by Microsoft
To perform predefined operations, like with IFileOperation
The best explanation I found is this hack. It has been fixed since then, but is sheds some light on the whole thing.
The command powercfg -requests will provide a list of processes that are currently preventing a Windows 10 device from automatically entering sleep mode. However, the command requires administrator permissions. Asking for admin access just to perform a simple informational query seems far from ideal.
So is it possible to query the Windows 10 API for a similar list, in a user-space application?
These processes are passing SetThreadExecutionState() the flags ES_SYSTEM_REQUIRED or ES_DISPLAY_REQUIRED. But I don't see any function to query a list of registered execution states.
How can I start my program automatically if it crashes on windows 2003 server? Sometimes my program just crashes, is there a way in windows or settings that I can set?
There are several ways to create a process supervisor/guardian process on Windows.
First, is to leverage windows command line capabilities. Create a bat file:
#echo off
:start
start /w "your app to watch.exe"
goto start
start /w will wait for the process to exit. When the process crashes and exits, the bat script will relaunch it.
Another option is to use free supervisor tool https://github.com/chebum/Supervisor. It allows to restart the crashed app, plus it allows to monitor two or more apps at once and it will automatically close these apps when supervisor's window is closed.
The usual approach is to run what is known as a guardian process. This is a separate process, often a service, that monitors the state of the main process. When the guardian detects that the main service has died, it re-spawns it.
To the very best of my knowledge, there is not built in Windows functionality to do this for you.
Notice: running self-looping bat files can be useful, but unless you know what you're doing, they can wreak all kinds of havoc. This goes especially if you run them on startup. You have been warned.
Anyway. I just remembered something from my 286 days, when I played around a lot with BAT files. If you write the file
yourprogram.exe
some other event
the BAT file will run yourprogram, and then pause and wait around in the background until the program exits. After that it will run "some other event". This used to be kind of annoying if you wanted to run multiple things at once, but here it's actually useful. Using this, it's possible to make it run a loop that restarts the program (and reruns the bat file) as soon as it exits. Combine this with https://superuser.com/questions/62525/run-a-completly-hidden-batch-file, and you'll never even see it happening.
The final BAT file ("restart.bat" in this example) will look something like:
c:\[location]\yourprogram.exe
wscript "C:\[location]\invisible.vbs" "C:\[location]\restart.bat"
That's about it. Start the program (on startup via task or even just startup folder) with line 2, and this ought to solve your problem :)
Oh, if you want to stop the loop, just rename the bat file or put "// " in front of the two lines, save it, and exit the program.
If the program you are running requires admin rights, the solution I found was using psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to run both the program and the bat with elevated privileges. In that case the BAT will look like:
c:\[location]\psexec -h c:\[location]\yourprogram.exe
c:\[location]\psexec -h wscript "C:\[location]\invisible.vbs" "C:\[location]\restart.bat"
Then you run the bat as administrator, or run the second line (without the psexec part) from task scheduler with elevated privileges. BEWARE: running it as a normal user and clicking "no" on the UAC prompt gave me a BSOD, probably because it looped "can't run program because of lacking privileges" a couple of billion times or something :)
You can use RegisterApplicationRestart.
"If you register for restart and the application encounters an
unhandled exception or is not responsive, the user is offered the
opportunity to restart the application; the application is not
automatically restarted without the user's consent. "
For automatic restart without user intervention, there is also RestartOnCrash. Works with all Windows versions.
I was looking for something similar. There are two options to handle this - either you can write a small script by yourself or use something that is already existing.
After some googling I came across this nice list. The blogger has compiled about 8 tools to automatically restart a crashed or closed application.
Unfortunately there are no settings in Windows to automatically restart a regular program when it crashes.
Do you need to actively interact with your application's GUI? Some of the Service Wrappers (designed to run any application as a Windows Service) will monitor your application and restart it when it fails, but be sure investigate Session 0 Isolation to ensure that it won't get in the way.
You may use some special app like BDV SystemEvents or any other. It allows you to specify application which will be started if some another application is closed. Specify the same application as a Condition and as an Action and you will get expected results.