Explorer and Iexplorer set for allow global hooks?

Discussion in 'ProcessGuard' started by md411, Aug 1, 2004.

Thread Status:
Not open for further replies.
  1. md411

    md411 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    24
    Two things... I noticed to the far right Process Guard is allowing global hooks for Explorer and Iexplorer and Outlook... are these set by default? Are global hooks necessary for these files? Since I don't use Outlook or Iexplorer I disabled global hooks... Can I disable this (global hook) in Explorer?

    2) I noticed when using task manager that I can still end process even with the options Block End Tasks such as task manager... is this a bug in the software?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi MD411,
    No, Windows Explorer should be left at the default settings:
    First four blocks, first two allows and the allow global hook option. Explorer is very much a part of the operating system & its settings are best left alone ;)
    What process did you kill?
    If you have Task Manager on your protection list and have given it the "Allow Terminate" flag it can then kill any protected process.
    Have you tried Advanced Process Termination from here?:
    http://www.diamondcs.com.au/index.php?page=products
    This is a good way of testing the various Process Guard defences.

    HTH Pilli

    Here is an example: Note I use Process Explorer as a TM replacement.

    1 Aug 09:28:07 - [EXECUTION] c:\documents and settings\***\desktop\utils\procexp.exe with commandline "c:\documents and settings\alan\desktop\utils\procexp.exe" taskmgr.exe was ALLOWED to run
    1 Aug 09:28:13 - [P] c:\documents and settings\***\desktop\utils\procexp.exe [1792] tried to gain TERMINATE access on c:\program files\lavasoft\ad-aware 6\ad-watch.exe [1932]
    1 Aug 09:28:48 - [P] c:\documents and settings\***\desktop\utils\procexp.exe [1792] tried to gain TERMINATE access on c:\winnt\system32\smss.exe [468]
     
    Last edited: Aug 1, 2004
  3. md411

    md411 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    24
    I killed processes that don't need to run like cdaemon, ciscv (spelling?) and other files that stay in task manager running after a program is closed and no longer needs those files... another run is agentsvr, etc...

    I thought allow terminate was needed so other programs can not terminate taskmanager? (specify what access other programs can not obtain on the selected program) And yes Task manager is on the protected program list and because I noticed task manager can still end other tasks I go back into program checksum and block privileges.....

    So would unchecking "terminate" in the program protect list solve this problem of task manager able to end other tasks? I think I am understanding if the program is running in task manager and in the protected program list then task manager can NOT end those programs correct?

    I use Task manager from time to time to monitor CPU usage
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    If Task Manager is on the protected list and has the "Allow Terminate" flag enabled it can kill any programme on the protected list.
    Without the flag enabled it can kill any normal process that is not on the protected list.
    If Task Manager is on the protection list, it cannot be terminated unless another application on the protected list has the Terminate flag enabled such as Process Explorer or TDS3 for example or the first three General options are not enabled depending on what method a program uses to terminate a process.

    TRY Advanced Process Termination for a fuller understanding of these termination processes. :)

    I use Sys Internals Process Explorer as a TM replacement and it is on the protection list with all the allows except for Terminate which I only enable when necessary.
    Using Process Explorer also allows me to see that procguard.dll is injected into any program that has "Close Message Handling" enabled - A very useful check. :)

    Pilli
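
An added example, not part of the thread and not ProcessGuard's own code: it parses the two "[P]" TERMINATE log lines quoted in the second post and evaluates each attempt against a simplified model of the "Allow Terminate" rule described in the last post. The protection list, the function names and the assumption that every listed target has its terminate block enabled are constructed for illustration.

```python
import re

# The two "[P]" log lines quoted in the thread, copied verbatim.
SAMPLE_LOG = r"""
1 Aug 09:28:13 - [P] c:\documents and settings\***\desktop\utils\procexp.exe [1792] tried to gain TERMINATE access on c:\program files\lavasoft\ad-aware 6\ad-watch.exe [1932]
1 Aug 09:28:48 - [P] c:\documents and settings\***\desktop\utils\procexp.exe [1792] tried to gain TERMINATE access on c:\winnt\system32\smss.exe [468]
"""

# "<day> <mon> <time> - [P] <actor> [pid] tried to gain <ACCESS> access on <target> [pid]"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[P\] "
    r"(?P<actor>.+?) \[(?P<actor_pid>\d+)\] tried to gain "
    r"(?P<access>[A-Z_]+) access on (?P<target>.+?) \[(?P<target_pid>\d+)\]\s*$"
)

# Constructed protection list (an assumption, not taken from the thread).
PROTECTED = {
    "procexp.exe": {"allow_terminate": False},
    "ad-watch.exe": {"allow_terminate": False},
    "smss.exe": {"allow_terminate": False},
}

def parse_events(text):
    """Return one dict per protection event; other log lines are skipped."""
    matches = (EVENT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def basename(path):
    """Lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def terminate_allowed(actor, target, protected):
    """Simplified model of the rule as described in the thread.

    Assumes every listed target has its terminate block enabled.
    """
    if target not in protected:
        return True  # a normal, unprotected process can be ended by anyone
    entry = protected.get(actor)
    return bool(entry and entry["allow_terminate"])

def review(text, protected):
    """(actor, target, allowed) for every TERMINATE attempt in the log."""
    out = []
    for e in parse_events(text):
        if e["access"] == "TERMINATE":
            a, t = basename(e["actor"]), basename(e["target"])
            out.append((a, t, terminate_allowed(a, t, protected)))
    return out

if __name__ == "__main__":
    for row in review(SAMPLE_LOG, PROTECTED):
        print(row)
```

Setting `allow_terminate` to `True` for `procexp.exe` flips both verdicts, which matches the practice described above of enabling the flag only when necessary.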
     