Windows Shutdown Stops Processes

Discussion in 'ProcessGuard' started by Dazed_and_Confused, Jun 7, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Please excuse what is probably a dumb question. :doubt:

    I understand one of the goals of Process Guard is to protect selected processes from termination. I don't understand enough about programming to understand how PG does this, but when I shut down Windows, all processes are terminated by Windows. What's to keep malware from using the same methodology that Windows uses when it shuts itself down to terminate a process? o_O In other words, if PG were doing such a great job, wouldn't it protect Windows from closing these processes when it shuts down? Thanks in advance.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you try to add the windows.exe under ProcessGuard protection to disable closing it? And if so, what happened?
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I'm sorry, Jooske. I'm using the evaluation version. Only one process. And I'm not sure I made myself clear. Let me try again, and please bear with me.

    When you add a process in the program protection screen, what this does is tell Process Guard to protect that process from being closed (or terminated) by malware. For example I have added NOD32 as my process to keep malware from shutting down NOD32. I'm not sure how malware might do this, or how PG keeps malware from doing this.

    Now, when I'm done working on my PC each day and I go to manually (on purpose) shutdown Windows, I can see the icons in my system tray disappear one-by-one (including my NOD32 icon) as Windows terminates each one, before the system is finally shut down.

    My question is: What methodology does Windows use when it shuts down these processes one-by-one, and what is keeping malware from using the same methodology that Windows uses? I'm thinking that if these processes were truly protected by PG, during the Windows shutdown process, shouldn't I get a message saying that Windows is unable to terminate whatever process PG is protecting (in my case NOD32)?
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi D & C, You are getting a little D & C :) Process Guard does protect all the protected processes from being shut down, as can be seen by using Advanced Process Termination. What you are talking about is End Session (Windows) which, quite obviously, you will notice. It is not the same as terminating a normal process and normally requires human input, i.e. the user.

    HTH Pilli
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Ha. I told you it might be a dumb question. ;)

    End Session. I guess that's what I was talking about. It just appeared to me that End Session terminates each process individually, and I was wondering why malware couldn't use the same methodology that End Session uses. But if the methodology that End Process uses requires user input, then I guess it's not a concern. Sorry. :doubt:
     
  6. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Hum ...

    Never heard of a Windows.exe process. I believe so, it doesn't exist on any OS (at least on those I am/was running in the past), because Windows is an Operating System, and not one process (running with a bunch of processes, if we can say that in a very simplified way), like the thing "holding" processes to be able to communicate with each other (NamedPipes), managing the layered structure (kernel), etc.

    I guess you were just joking, am I right?
     
  7. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    It is not a dumb question! End Session could easily be triggered programmatically; I have already written software which does that. Pilli says that you will notice the reboot.
    1) Malware could detect when you are idle for 1 hour, and probably away, and it could reboot then. This may not be noticed by you.
    2) Noticing the reboot does not really help. Lately there was a virus which caused repeated reboots, and still it was quite successful in spreading. Almost everyone has had a spontaneous reboot sometime, so it's not that big a surprise. Do you boot into safe mode every time after a spontaneous reboot and do a full virus and trojan check? Even if you do, most people do not. The files of security software could be destroyed before the reboot, so they will not load up correctly after the reboot. Then the malware could start spreading, destroying, or sending around your private information.

    I have seen four arguments against this, none of them is satisfactory for me:
    1) Just don't get infected by only running purchased software. (impossible)
    2) Just encrypt all private info, and backup everything to enable restoration. (very inconvenient)
    3) No malware did this up to now. (although it is extra-easy to do)
    4) Trojans try to hide for a long time, so they can not be that destructive. (what about viruses!?)

    Conclusions: End Session should be protected with a Human Identification Dialog. Files and registry areas of security software should be protected from overwriting. As PG does not provide these features, I am constantly searching for software which could provide this.
    -hojtsy-
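
A defender-side complement to the concern raised above: since a programmatic End Session cannot be blocked by process-termination protection, the remaining control is to notice it afterwards. The script below is an added example, not code from this thread or from ProcessGuard. It audits a constructed, one-line-per-event export of the Windows System log, flags event 1074 (the process that requested a shutdown or restart) when the initiator is not on an assumed allow-list, and flags event 6008 (an unexpected shutdown). Host names, user names, paths and the exact line layout are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample export (hypothetical host DESK1); layout is "date time source eventid message".
# Event 1074 names the process that requested the shutdown; 6008 records an unexpected shutdown.
# Whether a direct ExitWindowsEx() call is recorded as 1074 varies by Windows version (assumption).
SAMPLE_LOG = """\
2004-06-07 18:02:11 USER32 1074 The process C:\\WINDOWS\\Explorer.EXE (DESK1) has initiated the power off of computer DESK1 on behalf of user DESK1\\dazed for the following reason: Other (Unplanned)
2004-06-08 03:14:05 USER32 1074 The process C:\\Documents and Settings\\dazed\\Local Settings\\Temp\\svch0st.exe (DESK1) has initiated the restart of computer DESK1 on behalf of user DESK1\\dazed for the following reason: No title for this reason could be found
2004-06-08 03:15:40 EventLog 6008 The previous system shutdown at 3:14:09 AM on 6/8/2004 was unexpected.
2004-06-09 17:55:00 USER32 1074 The process C:\\WINDOWS\\system32\\shutdown.exe (DESK1) has initiated the shutdown of computer DESK1 on behalf of user DESK1\\admin for the following reason: Other (Planned)
"""

# Assumed allow-list of binaries that legitimately request session end on this host.
EXPECTED_INITIATORS = {"explorer.exe", "shutdown.exe", "winlogon.exe", "wininit.exe"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+) (.*)$")
PROC_RE = re.compile(r"The process (.+?) \(\S+\) has initiated the (power off|restart|shutdown) of computer")


@dataclass
class Finding:
    when: str
    event_id: int
    detail: str


def initiator_basename(path: str) -> str:
    """Lower-cased file name of the initiating process, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_shutdowns(log_text: str, allow=EXPECTED_INITIATORS) -> list:
    """Return findings for shutdowns requested by unexpected processes and for unexpected shutdowns."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the export layout
        when, event_id, msg = m.group(1), int(m.group(3)), m.group(4)
        if event_id == 1074:
            pm = PROC_RE.search(msg)
            if pm and initiator_basename(pm.group(1)) not in allow:
                findings.append(Finding(when, 1074, f"{pm.group(2)} requested by unexpected process {pm.group(1)}"))
        elif event_id == 6008:
            findings.append(Finding(when, 6008, "unexpected shutdown (forced reboot or crash)"))
    return findings


if __name__ == "__main__":
    for f in audit_shutdowns(SAMPLE_LOG):
        print(f.when, f.event_id, f.detail)
```

On a real host the allow-list should be built from what normally initiates shutdowns there, and a 1074 from a binary in a temp or profile directory is worth correlating with the idle-time pattern described in the post.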
     
  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Hojtsy. I was thinking there had to be a way to do that.

    Let me know when you find something like this. Sounds more secure to me.
     
  9. dedd

    dedd Guest

    Wtf, I thought the idea was to block viruses...
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, Dedd,

    PG is designed to, among other things, protect applications from being terminated by malware. I guess that would include viruses. And if End Session can be triggered programmatically, then PG's protection is vulnerable in that regard.
     