PG always thinks I'm terminating looknstop.exe

Discussion in 'ProcessGuard' started by Defenestration, Nov 14, 2004.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    If I don't allow TaskManager to terminate applications, and then try and terminate an application with it I am always informed that taskmgr.exe was blocked from terminating looknstop.exe using End Task. This would be fine, but the application I was trying to quit was not looknstop.exe.

    Why does PG always think I'm trying to terminate looknstop.exe ?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Defenestration, you can add Task Manager to your protected list and give it Termination allow; it will then be Allowed to kill L & S.
    The reason TM is not on the Protection list & does not have the allow is because I doubt if many ppl run it whilst in Learning Mode.
    Personally I do not use TM for this, as I find Process Explorer better and use it as a TM replacement.

    HTH Pilli
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    It does sound a little weird. Which termination method are you using in Task Manager, the end task method in the applications tab or terminating a process?
     
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    It happens when using the End Task method to terminate any application in the applications tab. If I try to terminate a process, PG correctly displays the process I've chosen to terminate.


    While I've got your attention, another problem I've had since around the time I installed PG and the other DCS products (although I'm not sure what's causing it) is that the Speaker Volume tray icon no longer works. eg. double-clicking it does nothing. Neither does right-clicking it and selecting Open Volume Control. However, selecting Adjust Audio Properties does bring up the Properties dialog. Selecting Sound Recorder from the Start menu does work and brings up the Volume Control dialog. Any ideas why the tray icon no longer brings up the Volume Control icon ?

    EDIT: I'm on XP SP2
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    You must ensure that the program is stopped when adding SMH. To check if SMH is enabled, you need to see if the procguard.dll has been injected into the protected process.
    Sysinternals' Process Explorer or Faber tools will allow you to see that this has occurred.

    Not sure about your volume control problem, maybe DCS can help there.

    Pilli
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Make sure sndvol32.exe isn't denied from running in the security list.
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Please elaborate cos I didn't understand what you were saying. The problem is not that I can terminate a process, but that when I try to terminate an application, PG says that looknstop.exe was stopped from terminating, even though I had selected a different application, not looknstop.exe. What is SMH ? Sounds a bit like some kind of bondage session :D

    sndvol32.exe is set as Permit Always. I have no problems running it from the Start Menu or a Shortcut, only from the tray icon.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Defenestration,
    Now I do not understand :) Process and application can be one and the same thing - Explorer, when running, is a process and is also an application, so can you explain exactly what you were trying to do please?

    SMH "Secure message handling" Please read the help file for more information about this feature :)
    Here is the overview of SMH:
    Due to the structure of the Windows operating system, it is possible for applications to control other applications using windows messages. There are many messages which mean a lot of different things, but a few of them allow an application to close another application. This is unwanted in most cases because you only want to close an application when YOU are ready, not when some other program on your system wants to. A message is generated for instance when you press the X button on a window. All a malicious program needs to do is mimic this message and Windows thinks you actually pressed the X button yourself.

    Some malicious software can use this to their advantage, they can detect that you are running some security software that may possibly detect it and send a windows message to shut down the application. This means the malicious software can continue to run on your system even if your security software has the possibility of detecting it.
     
  9. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I was referring to what Jason had said earlier:

    When I was saying application, I meant I had selected it from the Task Manager Applications tab and clicked End Task. When I said process, I meant I had selected it from the Task Manager Processes tab and clicked End Process. To rephrase -

    When the Task Manager app is not authorized to terminate protected applications in PG, then when I select an application (not looknstop.exe) in the Applications tab of Task Manager and click End Task, a PG Alert pop-up balloon informs me that "taskmgr.exe was blocked from terminating looknstop.exe using End Task". Why is PG telling me I was trying to terminate looknstop.exe when I was, for example, trying to terminate Avant Browser ?
     
  10. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Ah..., yes I had read this before in the manual but forgot the acronym.

    Currently I haven't got SMH enabled. From what I understand, its main use would be to protect system critical apps (virus checker, firewall, TDS, WormGuard, proxomitron), but it is not really needed for anything else.

    Is my thinking correct ?

    Also, for apps that also have a service as well as (eg. KAV has two processes running - kav.exe which is the gui/tray icon, and kavsvc.exe which is the kav service) is it necessary to use SMH for the service since that does not have a GUI ? My guess would be no, but you might know otherwise.

    EDIT: Should I also use SMH for PG itself or is it already protected ?
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Ah! I thought I was missing something. I am not sure how L & S works in relation to ProcessGuard, but am wondering if L & S is hooked into Avant for instance, so trying to terminate Avant sets the alarm bells going in L & S.

    Fortunately GKweb is an L & S user and a ProcessGuard beta tester, hopefully he will drop by and offer you an expert opinion or answer.

    I'll send him a message ...

    Pilli
     
    Last edited: Nov 15, 2004
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, it is already protected; if the ProcessGuard GUI is closed down, protection is still active.
    KAV does not need SMH, but most other AVs do, as does TDS3 & Outpost 2.

    Basically if you can close an application using Advanced Process Termination K 7 & 8 then you probably need SMH enabled.

    Pilli
     
  13. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    It shows up as looknstop.exe for any app, even if it's not Internet related (eg. XnView, Crystal Player, TextPad etc.). I might re-install XP SP2 and all apps to see if that fixes this problem and the problem I'm having with the Volume tray icon not working.

    Why doesn't KAV need SMH enabled ? Is it because the in-built protection is already very good ?

    BTW, a BOT but what AV software do you run ?
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I use KAV 5 and have tested it against APT and it appears to be very robust in protecting its service. You could add SMH to KAV.exe though to protect the GUI, but as with ProcessGuard, KAV will still be working as far as I can tell.

    Please do not re-install SP2 - As you may have uncovered a nit, I am awaiting expert advice from both GKweb & DCS, hopefully this will be answered soon.

    Pilli
     
  15. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I guess they've obviously got a few clever guys working for Kaspersky too! Hey DCS, why aren't they working for you ?! :D

    OK. They're not major problems and I can live with them a bit longer. Let me know if you, the DCS guys, or anyone else needs any more info related to these problems, in the pursuit of an answer. I (modestly :cool:) don't consider myself to be a computer novice ('scuse my SMH anomaly earlier :D), so "...if you need info, and you've got no-one else to call..." let me know.

    Anyway, enough of my baloney...... :D
     
  16. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    There does appear to be a small naming problem with the End Task termination. In reality it is protecting the program you tried to End Task, but it is showing the name of another. This should affect learning mode either.

    Thanks for finding this issue.
     
  17. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    No probs, it's not a major issue, but an issue all the same.

    Is it OK to re-install XP, or is there more info that you might require to solve this, and other problems ?

    I personally think that the Sound Volume tray icon problem is a system blip and would be solved by a re-installation of XP.
     