PG always thinks I'm terminating looknstop.exe

If I don't allow TaskManager to terminate applications, and then try and terminate an application with it I am always informed that taskmgr.exe was blocked from terminating looknstop.exe using End Task. This would be fine, but the application I was trying to quit was not looknstop.exe.

Why does PG always think I'm trying to terminate looknstop.exe ?

 

Hi Defenestration, You can add Task Manager to your protected list and give it Termination allow it will then be Allowed to kill L & S.
The reason TM is not on the Protection list &does not have the allow is because I doubt if many ppl run it whilst in Learning Mode.
Personally I do not use TM for this, as I find Process Explorer better and use it as aTM replacement.

HTH Pilli

 

It does sound a little weird. Which termination method are you using in Task Manager, the end task method in the applications tab or terminating a process?

 

It happens when using the End Task method to terminate any application in the applications tab. If I try to terminate a process, PG correctly displays the process I've chosen to terminate.


While I've got your attention, another problem I've had since around the time I installed PG and the other DCS products (although I'm not sure what's causing it) is that the Speaker Volume tray icon no longer works. eg. double-clicking it does nothing. Neither does right-clicking it and selecting Open Volume Control. However, selecting Adjust Audio Properties does bring up the Properties dialog. Selecting Sound Recorder from the Start menu does work and brings up the Volume Control dialog. Any ideas why the tray icon no longer brings up the Volume Control icon ?

EDIT: I'm on XP SP2

 

You must ensure that the program is stopped when adding SMH, to check if SMH is enabled you need to see of the procguard.dll has been injected into the protected process.
SysInternal's Process Explorer or Faber tools will allow you to see that this has occurred.

Not sure about your volume control problem maybe DCS can help there.

Pilli

 

Make sure sndvol32.exe isn't denied from running in the security list.

 

Please elaborate cos I didn't understand what you were saying. The problem is not that I can terminate a process, but that when I try to terminate an application, PG says that looknstop.exe was stopped from terminating, even though I had selected a different application, not looknstop.exe. What is SMH ? Sounds a bit like some kind of bondage session

sndvol32.exe is set as Permit Always. I have no problems running it from the Start Menu or a Shortcut, only from the tray icon.

 

Defenestration,

Now I do not understand Process and application can be one and the same thing - Explorer, when running, is a process and is also an application, so can you explain exactly what you were trying to do please?

SMH "Secure message handling" Please read the help file for more information about this feature
Here is the overview of SMH:
Due to the structure of the Windows operating system, it is possible for applications to control other applications using windows messages. There are many messages which mean a lot of different things, but a few of them allow an application to close another application. This is unwanted in most cases because you only want to close an application when YOU are ready, not when some other program on your system wants to. A message is generated for instance when you press the X button on a window. All a malicious program needs to do is mimic this message and Windows thinks you actually pressed the X button yourself.

Some malicious software can use this to their advantage, they can detect that you are running some security software that may possibly detect it and send a windows message to shut down the application. This means the malicious software can continue to run on your system even if your security software has the possibility of detecting it.

 

I was referring to what Jason had said earlier:

When I was saying application, I meant I had selected it from the Task Manager Applications tab and clicked End Task. When I said process, I meant I had selected it from the Task Manager Processes tab and clicked End Process. To rephrase -

When the Task Manager app is not authorized to terminate protected applications in PG, then when I select an application (not looknstop.exe) in the Applications tab of Task Manager and click End Task, a PG Alert pop-up balloon informs me that "taskmgr.exe was blocked from terminating looknstop.exe using End Task". Why is PG telling me I was trying to terminate looknstop.exe when I was, for example, trying to terminate Avant Browser ?

 

Ah..., yes I had read this before in the manual but forgot the acronym.

Currently I haven't got SMH enabled. From what I understand, it's main use would be to protect system critical apps (virus checker, firewall, TDS, WormGuard, proxomitron), but it is not really needed for anything else.

Is my thinking correct ?

Also, for apps that also have a service as well as (eg. KAV has two processes running - kav.exe which is the gui/tray icon, and kavsvc.exe which is the kav service) is it necessary to use SMH for the service since that does not have a GUI ? My guess would be no, but you might know otherwise.

EDIT: Should I also use SMH for PG itself or is it already protected ?

 

Ah! I thought I was missing something, I am not sure how L & S works in relation to ProcessGuard but am wondering if L & S is hooked into Avant for instance so trying to terminate Avant sets the alam bells going in L & S

Fortunately GKweb is an L & S user and a ProcessGuard beta tester, hopefully he will drop by and offer you an expert opinion or answer.

I'll send him a message ...

Pilli

 

Yes it is already protected, if the ProcessGuard GUI is closed down protection is still active.
KAV does not need SMH but most other Av's do as does TDS3 & Outpost 2

Basically if you can close an application using Advanced Process Termination K 7 & 8 then you probably need SMH enabled.

Pilli

 

It shows up as looknstop.exe for any app, even if it's not Internet related (eg. XnView, Crystal Player, TextPad etc.). I might re-install XP SP2 and all apps to see if that fixes this problem and the problem I'm having with the Volume tray icon not working.

Why doesn't KAV need SMH enabled ? Is it because the in-built protection is already very good ?

BTW, a BOT but what AV software do you run ?

 

I use KAV 5 and have tested it against APT and it appears to be very robust in protecting it's service. You could add SMH to KAV.exe though to protect the GUI but as with ProcessGuard, KAV will still be working as far as I can tell.

Please do not re-install SP2 - As you may have uncovered a nit, I am awaiting expert advice from both GKweb & DCS, hopefully this will be answered soon.

Pilli

 

I guess they've obviously got a few clever guys working for Kaspersky too! Hey DCS, why aren't they working for you ?!

OK. They're not major problems and I can live with them a bit longer. Let me know if you, the DCS guys, or anyone else needs any more info related to these problems, in the pursuit of an answer. I (modestly ) don't consider myself to be a computer novice ('scuse my SMH anomaly earlier ), so "...if you need info, and you've got no-one else to call..." let me know.

Anyway, enough of my balony......

 

There does appear to be a small naming problem with the End Task termination. In reality it is protecting the program you tried to End Task, but it is showing the name of another. This should affect learning mode either.

Thanks for finding this issue.

 

No probs, it's not a major issue, but an issue all the same.

Is it OK to re-install XP, or is there more info that you might require to solve this, and othe prroblems ?

I personally think that the Sound Volume tray icon problem is a system blip and would be solved by a re-installation of XP.