question

TkTech avatar image
0 Votes"
TkTech asked RLWA32-6355 answered

Prevent app from closing by task manager

I am creating an application in VS 2019. It should not be closed by task manager.
For ex, McAfee does not get closed in Windows task manager even when user tries to kill it. Same logic I want to implement in my app.

Should I create a C# Windows Service to achieve this ? But, I see a 'Services' tab in task manager, so I think Windows service also can be killed by task manager. Any help in this regard .

Tried below, but it didn't work-
https://stackoverflow.com/questions/10579446/capturing-application-exit-event-winforms

Thanks.

dotnet-csharpwindows-10-general
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

To get some perspective on "unkillable" programs I suggest you read the various blog entries available here -
https://devblogs.microsoft.com/oldnewthing/?s=unkillable


0 Votes 0 ·
cooldadtx avatar image
1 Vote"
cooldadtx answered RLWA32-6355 edited

Services cannot have a UI so you cannot create a service with a UI. There is no such thing, outside an OS process, that cannot be killed in Task Manager. Given an admin they can kill any process except hose trusted apps that the OS defines. And no you cannot add to the trusted apps list.

You can configure any Windows app to ignore normal close requests by ignoring the request when receiving WM_CLOSE message to the main window. This would prevent a normal user from closing the app. But again an admin can kill the entire process via Task Manager, or via pskill or via TerminateProcess, etc.

Services can be terminated in Task Manager by an admin. Again, any process can be terminated by an admin except OS trusted processes and that list is not changeable.

Note that it is important that if you do block a user from closing the app then you must ensure you look at the reason code. When Windows shuts down all running processes also get notified to close and you do not want to prevent that. An app must shut down when Windows starts its shutdown process otherwise users will get notified and that isn't good.

Not sure why you want a UI to always show up. In general nobody cares about the UI. If you have an app that needs to run constantly (no UI) then create a service (or perhaps use Task Scheduler). A UI is just for if a user needs to interact with it and that should be something that can be started and stopped as needed.

· 14
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for reply.
I don't intend to create UI. A c# windows service will do, but again can it be prevented from being killed by task manager?

0 Votes 0 ·

Non-admins cannot terminate a service. Admins can terminate anything, including services. Again, this is required in order for Windows to shut down properly. You can configure a service to restart if it fails but terminating it will leave it off. If this weren't the case then you couldn't upgrade the service in your installer either.

If you're really, really concerned about having your service stopped then you can also add a scheduled task that runs periodically to ensure the service is running. Of course that task would need to run as an admin in order to restart.

0 Votes 0 ·

Of course an Admin can disable or delete the scheduled task. Yet another possibility in the arms race to create the "unkillable" process.

So I'm curious as to why the OP need an "unkillable" process?

0 Votes 0 ·

Hi @cooldadtx , @RLWA32-6355
One of my customer's requirements wants their program should not be closed by TASK Manager. So they want same logic as McAfee or bitdefender .
Even an admin user cannot close McAfee programs from task manager. I need similar solution for my .Net app. Any suggestions would be really helpful.
Thank you.

0 Votes 0 ·
Show more comments
MotoX80 avatar image
0 Votes"
MotoX80 answered

They have to monitor their employee's activities in his/her computer.

When the program initializes, display a big red warning to the user that says "If you terminate this process, your employment will be terminated.". Fear can be a useful tool.

What do you know about the user community? Are they call center users, shop floor users, or programmers and system analysts? Or will this program run on a kiosk machine where individual users do not sign on? Do the users even know what task manager is?

The easiest solution, I would think, is to implement a watcher process that executes in the user context. See "3. Keep-alive processes."

https://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows

That should account for all but the most technically saavy users who would know how to use a tool like Process Explorer to find and kill both the main process and the keep-alive process.

As cooldadtx suggested with the "call home" comment, you don't necessarily need to go to great lengths to prevent the process from being terminated, you just need to identify when (and for how long) the user was logged on and the program was not running. Again, fear can be very useful. Getting called into the managers office to explain why they were logged on, but the program wasn't running should solve the behavior problem.

Use a database and track key events like user logon, PC reboot, monitor program startup/heartbeat, etc. Generate a report for management to list users who might be shutting the program down.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RLWA32-6355 avatar image
0 Votes"
RLWA32-6355 answered

As long as users are not members of the Administrators group a Windows service can be used to start the desired monitor process in the users interactive session when they log on. It doesn't matter if the user kills the monitor process because the service can easily detect that it was terminated and immediately restart it. A separate watcher process wouldn't be needed. And if the service detects the monitor process was killed it can record the event for management.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.