26 Jan 17:52:54 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:52:58 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:55:37 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:55:37 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:55:38 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task
26 Jan 17:55:43 - [END TASK] g:\windows\explorer.exe [840] was blocked from terminating an application using End Task

Okay, this was evidently something I was trying to "End Task" on - is this a situation where you have to wait until you have a problem closing something, then give it permission to do so through PG? Am I able to do this on a case-by-case basis - or, if I give explorer.exe "end task" permission, isn't it global? And would that result in a vulnerability or not? (I know explorer.exe is itself protected by PG).

Pete
Hi Pete, Could it be the case that another App needs to be added to the list? Maybe an App linked through Explorer.
Done. After a couple of hours of analysis in ntdll.dll and its stack we finally managed to find a way to determine which process was being terminated (this is a lot trickier than it sounds, especially as End Task doesn't work by process ID, but Window Handles instead, and as we're working at the kernel-level - not user-level - the parameters that are parsed to the EndTask function don't really trickle down to the level we're at). Anyway that's all finished now so now finally you can see which task was the target of the End Task termination (this will be in the next public release, Jason has already added the code):
In the meantime - Pilli was right - I had to add the app's exe (which turned out to be Kazaa++) to the list in PG. Problem solved.

Pete