Unable to protect Taskmgr.exe

Discussion in 'ProcessGuard' started by Yogi'sFirst, Feb 23, 2005.

Thread Status:
Not open for further replies.
  1. Yogi'sFirst

    Yogi'sFirst Registered Member

    Joined:
    Feb 23, 2005
    Posts:
    6
    Hi all, new to the forum. Apologies if this is asked before, but I couldn't find the info related to my question.

    Running XP SP2, Outpost 2.5, TDS-3, NOD32, and PG.

    I'm using PG full (3.100). I'm very happy with it, I think it's one of the most valuable pieces of software around. Lately I was reading this forum and followed some tips and tricks. I stumbled on this thread https://www.wilderssecurity.com/showthread.php?t=54360&highlight=tray icon where Siliconman01 wrote a simple "alert test" using Taskmanager.exe.

    Somehow this isn't working for me; if I try to do it that way I can End Task Taskmgr.exe without any alert or problem. It is included in the protection list, protected from termination and modification, and allowed to modify and read from other protected apps (default settings). What am I doing wrong? PG seems to ignore it despite it being listed as a protected app.

    Also, if it DOES give an alert (the rest works fine), icon turning red plus balloon popping up, that event seems to freeze the system for 30 seconds or so. There is no need to allow the DCSUserProt app to access physical memory, or is there?

    Thanks in advance! :)
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Please check that TaskMgr.exe is not authorised to Terminate in the Protection tab. This is the most likely cause of not seeing any alerts - also try running the PG-Demo file or DiamondCS' Advanced Process Terminator to test PG.

    Also note that PG 3.150 is out so upgrading to that may fix any problems - DCSUserProt does not need Physical Memory access on my setup (it has just modify and read privileges).
     
  3. Yogi'sFirst

    Yogi'sFirst Registered Member

    Hi P2K, nice to see you here too ;)

    TaskMgr.exe is not authorized to terminate in the protection tab. Only read and modify are ticked. I tested PG with the APT utility as you suggested. Kill methods 1-6 are blocked by PG (which in case of 6 is strange, I understand that this is the method used to terminate apps in TaskManager), 7-8 (WM_CLOSE and SC_CLOSE) close TaskMgr.exe without warning. Any ideas?

    Also I noticed the "freeze" (which is actually 100% CPU use) to occur when the icon turns red. After opening PG to read the alerts, after the icon turns blue again, CPU use drops to normal. Maybe it has something to do with writing to the logfile? To test I've permitted DCSUserProt.exe access to physical memory, but it makes no difference.

    Thanks.
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Are you using TaskMgr to close itself? If so try running it on another (protected) application to see if the same thing happens. APT methods 7-8 can only be blocked if you enable SMH for a protected application.

    With respect to the freeze, if you run anti-virus/anti-trojan background scanners, check that they are excluding the PG logfiles (these are text files so cannot harbour a virus or trojan).

    Forgot to check your post count - welcome to the forums. :) You should find PG and Outpost complement each other well, check out the PG and Outpost 2.5 thread for some suggestions about configuring SMH with Outpost.
     
  5. Yogi'sFirst

    Yogi'sFirst Registered Member

    Yes, I was following a simple test in the thread I linked to above. Basically you test PG by terminating a program which is in the protected list, in this case TaskMgr itself. The other terminations using TaskMgr on protected programs are blocked by PG, as they should. What I don't understand is that when using APT, kill method 6, it is blocked by PG, while it is the same thing as ending a task by using TaskMgr, which PG ignores. If this program is so intelligent as to see the difference between manipulating TaskMgr from a distance and real user interaction by means of keyboard and mouse (that's what it looks like) I'm really impressed (I am already :) )

    I'll exclude checking PG logfiles by the other programs I have running.

    Thanks for the welcome, and as always for your great help.
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    PG won't stop Task Manager from terminating itself - it will stop it from terminating other programs, which is really what should count.
     
  7. Yogi'sFirst

    Yogi'sFirst Registered Member

    Thanks for explaining that. Obviously the suggestion in the test isn't a valid one.

    Never too old to learn.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Yogi'sFirst & welcome. Please take some time to read through ProcessGuard's help file. As you are going to add Secure Message Handling, pay particular attention to the help file regarding SMH's own learning mode.

    @P2K. Thanks for the excellent replies.

    Have fun. Pilli
     
  9. Yogi'sFirst

    Yogi'sFirst Registered Member

    Thanks Pilli, I'll do that. It's a great program.
     