Stopping an unstoppable service

2

2

I have an antivirus service (Kaspersky) that occasionally becomes unresponsive to the normal start/stop GUI interface provided by said vendor. I would like to find a way to kill the service for a restart without rebooting; however, all attempts I have tried result in failure with an 'Access is Denied' error. These include:

  • Services Control Panel (grayed out stop button)
  • Task Manager
  • Process Explorer killing
  • command-line net stop and sc stop
  • runas with domain admin using net stop

Some details include:

  • Machine: Windows Vista
  • Service Type: 10 WIN32_OWN_PROCESS
  • Service State: 4 Running (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

Nicholas

Posted 2009-11-02T06:04:54.480

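As an added example that is not part of the question or any answer: before trying to stop a service that answers 'Access is Denied', it helps to read back the same facts the question quotes from sc query (service type, state, and which control codes the service accepts) together with the process that hosts it and whether the current token actually holds SeDebugPrivilege, which Richard's answer below points out matters. The script assumes PowerShell 2.0 (available on Vista) and takes the service name as a parameter; the default 'avp' is a placeholder, not a verified Kaspersky service name.

```powershell
# Added diagnostic example (not from the original post).
# Reports why a service may refuse a stop request: accepted controls,
# host process, start mode, and whether this token has SeDebugPrivilege.
param(
    [string]$ServiceName = 'avp'   # placeholder service name, adjust as needed
)

# .NET ServiceController view: maps to the NOT_STOPPABLE / NOT_PAUSABLE /
# ACCEPTS_SHUTDOWN flags that 'sc query' prints.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop

# WMI view: adds the hosting PID, start mode and the service type string.
# (Get-WmiObject rather than Get-CimInstance so it runs on Vista / PS 2.0.)
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"

# SeDebugPrivilege is what Process Explorer needs for its strongest kill
# paths; a non-elevated token normally will not list it as Enabled.
$debugPriv = (whoami /priv) | Select-String 'SeDebugPrivilege'
$hasDebug  = ($debugPriv -ne $null) -and ($debugPriv -match 'Enabled')

New-Object PSObject -Property @{
    Name         = $svc.Name
    Status       = $svc.Status                 # 'Running' = state 4 in sc query
    CanStop      = $svc.CanStop                # $false = NOT_STOPPABLE
    CanPause     = $svc.CanPauseAndContinue    # $false = NOT_PAUSABLE
    CanShutdown  = $svc.CanShutdown            # $true  = ACCEPTS_SHUTDOWN
    ServiceType  = $wmi.ServiceType            # 'Own Process' = WIN32_OWN_PROCESS (0x10)
    StartMode    = $wmi.StartMode
    ProcessId    = $wmi.ProcessId
    PathName     = $wmi.PathName
    SeDebugPriv  = $hasDebug
} | Format-List
```

Run it from an elevated PowerShell prompt (otherwise SeDebugPriv will read $false even for an administrator account). If CanStop is $false the Services MMC grays out the Stop button by design, so the failure is the service declaring itself non-stoppable rather than a permissions problem on your side; that is the symptom the answers below attribute to the product's self-protection feature.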

Answers

3

@richard states:

If Process Explorer is unable to kill the process ... then it is really unkillable.

Not correct; there are certain processes I couldn't kill with Process Explorer but could with other tools like rootkitunhooker.exe.

Also, Process Explorer does not show rootkit processes, so it also cannot kill them.

I usually use the "psexec -s" approach.

pskill.exe may not work within psexec -s, but I have described a workaround for that.

Peter Hahndorf

Posted 2009-11-02T06:04:54.480

Reputation: 10 677

1

Kaspersky is protecting itself from viruses like this.

Go into the settings of Kaspersky and uncheck a setting called something like "Protect service from closing". I don't know the exact phrase, because I use the German UI.

Nyu

Posted 2009-11-02T06:04:54.480

Reputation: 11

1

If Process Explorer is unable to kill the process when running as administrator (this is important, non-admins can only kill their own processes), then it is really unkillable (Process Explorer will use all methods including debug APIs).

As an AV system it seems likely that it is unkillable because threads are blocked in the kernel (these have to return before they and their process can be terminated).

This is probably a problem in Kaspersky's driver-mode code; check with them for updated software or consider a different anti-malware solution.

Richard

Posted 2009-11-02T06:04:54.480

Reputation: 8 152

0

A solution might be found in supershell, or the later grootshell from the same site:

A rootshell for NT/2k/XP. Well, actually a shell that runs in the security context of NT AUTHORITY\SYSTEM, which means the user has, e.g., the right to use Task Manager to kill running services. Yipee! Idea originally from some MS sample source code from the MSDN, NT only, adapted to work on both 2000 and XP. Whole lotta fun!

Note: You already need administrative (i.e. debug) privileges to run it. The whole point is that you run a shell in the security context of NT AUTHORITY\SYSTEM (the context a System service sees), not the context of an Administrator with GUI login. If that doesn't make sense to you, don't use supershell.

harrymc

Posted 2009-11-02T06:04:54.480

Reputation: 306 093

1

"psexec -s" will run any process (including cmd or PowerShell) as a system process, and has existed for years. This saves learning a new shell. – Richard – 2009-11-02T11:34:30.023

1

@Richard: absolutely right. Why don't you put it up as an answer? – harrymc – 2009-11-02T11:39:17.923