prevent a program from being closed by using ctrl+alt+del
greatkid1984
02-13-2006, 06:04 AM
I need to find a way to prevent an application from being closed using ctrl+alt+del and ending the program in the "processes" list.
Does anybody know if this can be done, and how I go about doing it?
Cheers,
Chris
lerura
02-13-2006, 09:27 AM
It cannot be done.
And the only reason I can see for that
is that you are trying to make a virus-like program that is unterminable by the attacked user.
Correct me if I'm wrong!
Mhtml
02-13-2006, 11:05 AM
Well it is possible, technically. Having another process, or several other processes which would test to see if the other process was running and start it if it was not running. There are valid reasons for software such as this.
I, for one, was contracted to create network software which would load a file from the network which had a list of banned processes. It would close them when they started, and when someone tried to close the software a trio of backup processes relaunched it and also relaunched another copy of themselves if one was missing from the active processes list.
felgall
02-13-2006, 09:42 PM
ctrl-alt-del is a hard wired interrupt. To be able to change how it works you will need to rewrite that interrupt in the core operating system.
oracleguy
02-14-2006, 01:04 AM
Originally posted by felgall: "ctrl-alt-del is a hard wired interrupt. To be able to change how it works you will need to rewrite that interrupt in the core operating system."
That isn't quite true, it is by no means hard wired, you can change it by using some assembly code in a program.
Mhtml
02-14-2006, 06:56 AM
It isn't always usable either. There are some times in Windows where alt+ctrl+del doesn't work but alt+ctrl+esc does.
Plus I am pretty sure that you can set network privileges for this, no? That is to stop taskmgr.exe from showing. Also, even if you did that, people on XP Pro can use tasklist.exe and killtask.exe
greatkid1984
02-14-2006, 07:07 AM
Hi, no, I am not making a virus.
The reason I want to prevent the program from being closed is because I have a website blocker which prevents me from wasting time on the internet reading useless information and searching forums, which I do too much of and waste most of my day.
But I always get the urge and just press ctrl+alt+del and end the program from the "processes list". Even when I created a new user with privileges, this application was still allowed to be closed using ctrl+alt+del.
I wonder if there is any way to set it as a "system" task, where the "access is denied" to end it.
Cheers
oracleguy
02-14-2006, 07:30 AM
Originally posted by Mhtml: "Plus I am pretty sure that you can set network privileges for this no? That is to stop taskmgr.exe from showing."
Yeah Group Policy will let you disable task manager.
felgall
02-14-2006, 09:20 PM
ctrl-alt-del is a hard wired interrupt. You can change what the interrupt does via assembler code that goes in and replaces what the operating system installed to be processed when the interrupt is triggered but you can't change the fact that the hardware is set up to recognise that key combination to trigger that specific interrupt. That is why pressing that key combination will still trigger the interrupt if you press it before the operating system loads. The IBM team working on the original PC needed a quick way to perform a warm boot and wired it in for that purpose.
mogthew
07-07-2006, 11:21 AM
Originally posted by felgall: "ctrl-alt-del is a hard wired interrupt. You can change what the interrupt does via assembler code that goes in and replaces what the operating system installed to be processed when the interrupt is triggered but you can't change the fact that the hardware is set up to recognise that key combination to trigger that specific interrupt. That is why pressing that key combination will still trigger the interrupt if you press it before the operating system loads. The IBM team working on the original PC needed a quick way to perform a warm boot and wired it in for that purpose."
I have seen software that does that. Zone Alarm Pro, for instance, cannot be ctrl+alt+del ended; it comes up with an "access denied" type message. I'm not sure quite how they accomplished this, as task manager hasn't been altered in any way; however, I am curious as to how it works.
morongo
07-07-2006, 05:14 PM
I have no idea if this will do what you want but I used this to programmatically elevate my program's admin privileges to 'system' in order to copy files directly from System Volume Information (which is owned by 'system').
If you look at the code, you'll see you can elevate token privileges of pretty much any program. This may or may not cause an 'access denied' if you attempt to close the process.
Keep in mind that the program you're using to kill the process (taskmanager) already has a 'system' token, so this might just be futile -but- there are several -other- token privileges you can set/delete besides ownership; investigate the other possibilities.
Check MSDN for more info.
    #include <windows.h>

    // Set system privileges: enable SE_TCB_NAME (SeTcbPrivilege) in the
    // current process token. AdjustTokenPrivileges can only enable a
    // privilege the token already holds; it does not grant new ones.
    ///////////////////////////////////////////////////////////////////
    BOOL SetSystemPrivilege(HWND hDlg)
    {
        HANDLE hToken;
        LPCTSTR lpszPrivilege = SE_TCB_NAME; // name of privilege to enable/disable
        BOOL bEnablePrivilege = TRUE;        // to enable or disable privilege
        TOKEN_PRIVILEGES tp;
        LUID luid;
        HANDLE hProc;
        DWORD ProcAccess = TOKEN_QUERY_SOURCE|TOKEN_READ|TOKEN_ADJUST_PRIVILEGES;

        hProc = GetCurrentProcess(); // pseudo-handle, does not need closing
        if (!OpenProcessToken(hProc, ProcAccess, &hToken))
        {
            MessageBox(hDlg, TEXT("OpenProcessToken Failed!"), TEXT("Error!"), MB_OK|MB_ICONSTOP);
            return FALSE;
        }
        if (!LookupPrivilegeValue(
                NULL,           // lookup privilege on local system
                lpszPrivilege,  // privilege to lookup
                &luid))         // receives LUID of privilege
        {
            MessageBox(hDlg, TEXT("LookupPrivilegeValue Failed!"), TEXT("Error!"), MB_OK|MB_ICONSTOP);
            CloseHandle(hToken);
            return FALSE;
        }
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        if (bEnablePrivilege)
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        else
            tp.Privileges[0].Attributes = 0;
        // Enable or disable the privilege. The call returns TRUE even when
        // the token does not hold the privilege, so also check GetLastError().
        if (!AdjustTokenPrivileges(
                hToken,
                FALSE,
                &tp,
                sizeof(TOKEN_PRIVILEGES),
                (PTOKEN_PRIVILEGES) NULL,
                (PDWORD) NULL)
            || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            MessageBox(hDlg, TEXT("AdjustTokenPrivileges Failed!"), TEXT("Error!"), MB_OK|MB_ICONSTOP);
            CloseHandle(hToken);
            return FALSE;
        }
        MessageBox(hDlg, TEXT("System Privileges Enabled!"), TEXT("Got System!"), MB_OK|MB_ICONINFORMATION);
        CloseHandle(hToken); // release the token handle opened above
        return TRUE;
    }
BTW, you can enumerate processes to get the handle of the one you want to change privileges for; replace the call to GetCurrentProcess() with your enumeration routine to accomplish this.
morongo
07-07-2006, 06:08 PM
To expand on the token notion a bit, the following is from Microsoft Journal:
http://www.microsoft.com/msj/0899/security/security0899.aspx
"...Have you ever wondered why you sometimes have difficulty killing a hung service or COM server from the task manager? It turns out that when the COM SCM or the System SCM launches a process, it sets the DACL on that process to be very restrictive. When configured to run as a distinguished principal (as opposed to running in the System logon session), the process's DACL looks something like this:
grant all permissions to <LogonSessionSID>
grant terminate, set info, and synch to SYSTEM
This means that even if you're interactively logged on as Bob, a service configured to run as Bob won't allow you to kill it. Note that in the previous DACL, it's not Bob (the principal) who is granted all permissions; it's a particular instance of Bob—specifically, the service logon session established for Bob by the SCM. ..."
It goes on to present example code, might be what you're looking for...
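Added example (not from the thread or the MSJ article): a portable C model of the access check applied to the DACL quoted above when a caller asks for PROCESS_TERMINATE, showing why Bob's desktop session gets "access denied" while the service's own logon session and SYSTEM do not. The SIDs are constructed, and the struct and function names are hypothetical; the SeDebugPrivilege flag models OpenProcess granting the request regardless of the security descriptor.

```c
#include <stdio.h>
#include <string.h>

/* Process access rights, values as in winnt.h (pre-Vista PROCESS_ALL_ACCESS). */
#define PROCESS_TERMINATE       0x0001u
#define PROCESS_SET_INFORMATION 0x0200u
#define SYNCHRONIZE             0x00100000u
#define PROCESS_ALL_ACCESS      0x001F0FFFu

typedef struct { int allow; const char *sid; unsigned mask; } Ace;
typedef struct { const char *sids[4]; int debug_priv; } Token;

static int token_has_sid(const Token *t, const char *sid) {
    for (int i = 0; i < 4 && t->sids[i]; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Walk the DACL in order: a matching deny ACE for a still-needed right fails
   at once, allow ACEs accumulate, and whatever is left ungranted at the end
   is implicitly denied. */
int access_check(const Token *t, const Ace *dacl, int n, unsigned desired) {
    unsigned remaining = desired;
    if (t->debug_priv) return 1;  /* enabled SeDebugPrivilege: DACL not consulted */
    for (int i = 0; i < n && remaining; i++) {
        if (!token_has_sid(t, dacl[i].sid)) continue;
        if (!dacl[i].allow && (dacl[i].mask & remaining)) return 0;
        if (dacl[i].allow) remaining &= ~dacl[i].mask;
    }
    return remaining == 0;
}

/* Constructed SIDs: S-1-5-5-0-1111 is the service's logon session,
   S-1-5-5-0-2222 Bob's interactive session, S-1-5-21-1-2-3-1001 Bob. */
static const Ace SERVICE_DACL[] = {
    { 1, "S-1-5-5-0-1111", PROCESS_ALL_ACCESS },
    { 1, "S-1-5-18", PROCESS_TERMINATE | PROCESS_SET_INFORMATION | SYNCHRONIZE },
};
static const Token SERVICE_TOKEN = { { "S-1-5-21-1-2-3-1001", "S-1-5-5-0-1111" }, 0 };
static const Token BOB_DESKTOP   = { { "S-1-5-21-1-2-3-1001", "S-1-5-5-0-2222" }, 0 };
static const Token BOB_DEBUG     = { { "S-1-5-21-1-2-3-1001", "S-1-5-5-0-2222" }, 1 };
static const Token LOCAL_SYSTEM  = { { "S-1-5-18" }, 0 };  /* privileges off: DACL only */

int can_terminate(const Token *t) { return access_check(t, SERVICE_DACL, 2, PROCESS_TERMINATE); }

int main(void) {
    printf("service=%d desktop=%d system=%d debug=%d\n", can_terminate(&SERVICE_TOKEN),
           can_terminate(&BOB_DESKTOP), can_terminate(&LOCAL_SYSTEM), can_terminate(&BOB_DEBUG));
    return 0;
}
```

The desktop token carries Bob's user SID but not the service's logon-session SID, so no ACE matches and the request falls through to the implicit deny.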