aDoN

Reputation: 1951

Kill process as Process Hacker does and make process stay dead

I want to kill a process as Process Hacker does (it can kill NT Authority/SYSTEM processes and processes that require an extra password to be killed).

I am not sure what kind of black magic it does, apparently it uses another kill function that neither "Task Manager" nor "Process Manager" uses, as they mention here: https://www.bleepingcomputer.com/forums/t/750256/process-hacker-2-vs-nt-authority/

I have tried to also use taskkill /IM <process.exe> /F from an Administrator cmd, https://superuser.com/questions/1457137/how-can-i-kill-a-process-like-process-hacker-does and also, from a NT Authority / SYSTEM cmd, with: PsExec64.exe -i -s cmd.exe and also launching a "Task Manager" with SYSTEM with PsExec64.exe -i -s taskmngr.exe

The only thing that works, is Terminating it with Process Hacker.

Now, the thing is, when I terminate it, the process restarts over and over, and I want to keep it dead.

How could I emulate that behavior?

Regards!

Upvotes: 0

Views: 3175

Answers (1)

borcho

Reputation: 137

In the Windows context it is essential to understand that simply being Administrator does not mean that you have all the privileges. Every different program launched as Administrator may run with slightly different variations on the privileges. These privileges can be easily spotted in Process Hacker in the Token tab. As an example, these are the differences between the Process Hacker.exe token and the Task Manager token: [image: Process Hacker VS Task Manager Token]

As it is clearly visible, although they were both run as Administrator, they hold different privileges. In particular, I would like to point out the SeLoadDriverPrivilege which has already been used in the wild as a privilege escalation method:

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges

Basically, this privilege allows the user to load/unload drivers, which translated to this context means that you will be able to run arbitrary code as NT/System, which means that you will have full control over the system. As per the Process Hacker FAQ (https://wj32.org/processhacker/faq.php) this is how it is able to effectively kill those protected processes.

Upvotes: 1
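A defender-side check tied to the answer's point about SeLoadDriverPrivilege, added here as an example and not part of the original question or answer: it exports the local security policy with secedit, lists which accounts hold the right, and flags anything beyond the Windows defaults (Administrators, Print Operators). It assumes an elevated Windows PowerShell session; the function name and the default-SID list are the example's own choices.

```powershell
# Added example (not from the question or answer): audit which principals are
# granted SeLoadDriverPrivilege in the local security policy, so a defender can
# confirm that only the intended groups are able to load kernel drivers.
# Assumes: Windows, and an elevated PowerShell session (secedit needs it).

function Get-LoadDriverPrivilegeHolders {
    [CmdletBinding()]
    param(
        # User right to inspect; SeLoadDriverPrivilege is the one the answer discusses.
        [string]$Privilege = 'SeLoadDriverPrivilege'
    )

    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit writes the effective local policy as an INI-style file; its
        # [Privilege Rights] section lists each right and the SIDs holding it.
        $null = & secedit.exe /export /cfg $cfg /quiet
        if (-not (Test-Path $cfg)) { throw "secedit export failed (run elevated?)" }

        $line = Get-Content -Path $cfg | Where-Object { $_ -match "^\s*$Privilege\s*=" }
        if (-not $line) { return @() }   # right granted to nobody

        # The value looks like: SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
        $sids = ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }

        foreach ($sid in $sids) {
            $name = try {
                ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $sid }   # unresolvable SID or plain account name: keep raw value
            [pscustomobject]@{ Privilege = $Privilege; Sid = $sid; Account = $name }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Built-in default holders on a workstation: Administrators and Print Operators.
$expected = @('S-1-5-32-544', 'S-1-5-32-550')
Get-LoadDriverPrivilegeHolders | ForEach-Object {
    $flag = if ($_.Sid -in $expected) { 'default' } else { 'REVIEW' }
    "{0,-8} {1,-16} {2}" -f $flag, $_.Sid, $_.Account
}
```

Any row marked REVIEW is a principal that can load drivers and therefore, as the answer explains, run code in the kernel; compare it against your change records.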
