tskill command

Discussion in 'ProcessGuard' started by Thomas Fleetwood, Mar 17, 2004.

Thread Status:
Not open for further replies.
  1. Hello,

    I have recently learned you can shut down a program by using the tskill command in XP Home (and taskkill in Pro). So I tried this against a program I am protecting with Process Guard and, much to my surprise, the program shut down without so much as a hint of warning from Process Guard. Do I need to have some special setting to stop a malware program from being able to take advantage of this? The specific command I used is:

    tskill "program name" /a

    I typed it into the 'run' command line.

    Thanks for any info,

    Tom Fleetwood
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Perhaps it sees it's only human intervention ;)
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Go to SVCHOST.EXE in Process Guard and remove TERMINATE access, then try again. :)
     
  4. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    TaskKill can be prevented by enabling Close Message Handling on the specific app.

    TSKILL is a terminal services related EXE which only works if terminal services is enabled. But if you need terminal services (fast user switching and remote desktop) then removing terminate access on svchost will prevent it from closing down your application.

    -Jason-
     
  5. Excellent, that took care of it - thank you for the quick response.

    I will say that I had assumed PG took care of all methods of closing a program by default. Are there other ways that one can be shut down, and recommended settings for any other Windows services? In other words, I would never have known to deselect 'terminate' in svchost without your input. Is there a recommended 'default' setup?

    Thanks again,

    Tom
     
  6. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Wayne, Jason,

    Do you mean:

    1. Add Taskkill/Tskill to PG protection list, and enable Close Message Handling to Taskkill/Tskill ? Or are you referring to another application for Close Message Handling?

    and,

    2. Disable "Terminate" on Svchost.exe "Allow Privileges"?

    Best regards,
    Little Mike
     
  7. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Resetting the Terminate ALLOW for svchost.exe causes this on Version 9.0 Optimized of AOL.

    18 Mar 00:15:01 - Window Log Started
    18 Mar 09:22:49 - [P] c:\windows\system32\svchost.exe [988] tried to gain TERMINATE access on c:\program files\common files\aol\acs\aolacsd.exe [308]
    18 Mar 09:22:49 - [P] c:\windows\system32\svchost.exe [988] tried to gain TERMINATE access on c:\program files\common files\aol\acs\aolacsd.exe [308]
    18 Mar 10:06:08 - [P] c:\windows\system32\svchost.exe [988] tried to gain TERMINATE access on c:\program files\common files\aol\acs\aolacsd.exe [308]
    18 Mar 10:06:08 - [P] c:\windows\system32\svchost.exe [988] tried to gain TERMINATE access on c:\program files\common files\aol\acs\aolacsd.exe [308]
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I think it is harmless.

    Svchost's request may be for full access to the process instead of an attempt to kill it, but PG prevents it from having the TERMINATE privilege, which doesn't mean that svchost was trying to terminate AOL, I think.
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yes, GKWEB is correct: it will only log what access it CANNOT get, so by not allowing it to get Terminate access, that will be the only log you see from it.

    @Little Mike
    1) No I mean add Close Message Handling to whichever apps you don't want to be shutdown with Task Kill
    2) Yes, uncheck Terminate allow privileges for svchost.

    We will be changing the default install procedure so svchost.exe does not have Allow Terminate.

    -Jason-
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    My svchost has only the following allowances :
    READ
    WRITE
    GET INFO

    and is working very well on my comp as is, without more privileges :)
     
  11. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Thank you all for the clarification; I understand it now.

    Best regards,
    Little Mike
     
  12. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Is this change done? Were the default privileges changed for svchost.exe in PG 2.0?
    -hojtsy-
     
  13. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    When looking at the Program Protection, Process Path, they are only listed as System32 or Eset or whatever. How can you tell which EXE each one is?
     
  14. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    No it wasn't done since we decided against people complaining against the logs if it generated any. Educated users should remove allow Terminate from SVCHOST.exe.

    -Jason-
     
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Thanks for the info, Jason!
    Wouldn't it be a good idea to explicitly mention Terminate for SVCHOST.exe in the help file? Preferably on the page displayed during installation. The same place where you should mention the Read blocking for procguard.exe. ;)
    -hojtsy-
     
  16. Procguard.exe should have 'read' blocking checked??

    Tom
     
  17. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    So yes, "educated users" should restrict READ access to procguard.exe, partly because it has Close Msg Handling.

    -hojtsy-
     
  18. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yes, it would probably be a good idea to list a few things in the helpfile; unfortunately the number of people who should be reading the helpfile is low, whilst the number of people who read the forum is high. :)

    We will be adding a lot more items to the helpfile for next release.

    -Jason-
     
  19. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    I have followed your advice and have stopped svchost.exe from having allow terminate access, but as you know this has caused some log entries, for example:
    30 Mar 09:02:53 - [P] c:\windows\system32\svchost.exe [724] tried to gain TERMINATE access on c:\program files\aol 8.0\waol.exe [3452]
    30 Mar 09:02:53 - [P] c:\windows\system32\svchost.exe [724] tried to gain TERMINATE access on c:\program files\aol 8.0\waol.exe [3452].

    There are some other entries as well. Is this OK? I take it we will have to put up with some entries.

    Thanks

    The Mul
     
  20. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    svchost just doesn't succeed in retrieving the TERMINATE privilege on your processes; that isn't harmful in itself. My system works very well like that.
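Added example, not code from the thread or from DiamondCS: a small Python parser for the ProcessGuard `[P]` log lines quoted in posts 7 and 19. It counts denied access requests per source exe, access type and target exe, and separates the svchost TERMINATE denials that Jason and gkweb describe as expected noise from any other denied request that deserves a look. The line format is inferred from the quoted entries (an assumption), and the extra READ line in the sample is constructed.

```python
import re
from collections import Counter
from typing import Optional

# Line format inferred from the PG entries quoted in the thread (assumption):
# "<day> <Mon> <hh:mm:ss> - [P] <src path> [<pid>] tried to gain <ACCESS> access on <dst path> [<pid>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[P\] "
    r"(?P<src>.+?) \[(?P<src_pid>\d+)\] tried to gain (?P<access>[A-Z ]+?) access on "
    r"(?P<dst>.+?) \[(?P<dst_pid>\d+)\]\.?$"
)


def parse_entry(line: str) -> Optional[dict]:
    """Return the fields of one [P] protection line, or None for status lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["src_pid"] = int(e["src_pid"])
    e["dst_pid"] = int(e["dst_pid"])
    # Compare on the bare executable name so the drive/folder layout does not matter.
    e["src_name"] = e["src"].rsplit("\\", 1)[-1].lower()
    e["dst_name"] = e["dst"].rsplit("\\", 1)[-1].lower()
    return e


def is_expected_svchost_terminate(entry: dict) -> bool:
    """The denied request the thread explains as benign once svchost loses Allow Terminate."""
    return entry["src_name"] == "svchost.exe" and entry["access"] == "TERMINATE"


def summarize(lines) -> dict:
    """Count denied requests per (source, access, target); list everything that is not svchost noise."""
    counts = Counter()
    review = []
    for line in lines:
        e = parse_entry(line)
        if e is None:          # e.g. "Window Log Started"
            continue
        counts[(e["src_name"], e["access"], e["dst_name"])] += 1
        if not is_expected_svchost_terminate(e):
            review.append(e)
    return {"counts": dict(counts), "review": review}


# Sample: the four lines quoted in post 7 plus one constructed READ request on a made-up procguard path.
SAMPLE_LOG = r"""18 Mar 00:15:01 - Window Log Started
18 Mar 09:22:49 - [P] c:\windows\system32\svchost.exe [988] tried to gain TERMINATE access on c:\program files\common files\aol\acs\aolacsd.exe [308]
18 Mar 09:22:49 - [P] c:\windows\system32\svchost.exe [988] tried to gain TERMINATE access on c:\program files\common files\aol\acs\aolacsd.exe [308]
18 Mar 10:06:08 - [P] c:\windows\system32\svchost.exe [988] tried to gain TERMINATE access on c:\program files\common files\aol\acs\aolacsd.exe [308]
18 Mar 10:06:08 - [P] c:\windows\system32\svchost.exe [988] tried to gain TERMINATE access on c:\program files\common files\aol\acs\aolacsd.exe [308]
18 Mar 10:30:00 - [P] c:\windows\system32\svchost.exe [988] tried to gain READ access on c:\program files\processguard\procguard.exe [412]"""
```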
     