Make the "System" process not modifiable from Task Manager, as is the case in Windows 8

0

0

FYI: I have Windows 7 Ultimate, version 6.1, Service Pack 1.

There is a tool in Windows 7 called Resource Monitor. You can find it in the C:\Windows\System32 directory, or you can simply run it by typing resmon.exe in the Run dialog.

In the list of processes there is a process named System, and its PID is always 4.


If you right-click on it and click on Suspend Process, your computer will hang, your mouse and keyboard will stop working, and you have to restart your system to get back to a normal state.


In Windows 8, even if you are logged in with an Administrator account, you can't suspend this process (System); when you try to suspend it, you receive Access Denied.

Q1: Why does Microsoft provide Administrators with the capability to suspend the System process? When would we need to suspend it and make our system hang?!

Q2: Is there any way in Windows 7 to configure the system so that even an Administrator cannot suspend this process?


If you think there is no way to do that, please read below:

We can get a list of the *.dll files that are related to a process with the command below in the Command Prompt:

>tasklist /FI "PID eq Number" /M

And you can get a list of PID numbers in the resmon.exe tool (you can also use the tasklist command in a Command Prompt window).

On my system the PID of resmon.exe is 1728 (its process name is perfmon).

Let's see the list of .dll files related to resmon.exe:

C:\Windows\system32>tasklist /FI "PID eq 1728" /M

Image Name                     PID Modules
========================= ======== ============================================
perfmon.exe                   1728 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   ADVAPI32.dll, msvcrt.dll, sechost.dll,
                                   RPCRT4.dll, GDI32.dll, USER32.dll, LPK.dll,
                                   USP10.dll, ATL.DLL, ole32.dll, SHLWAPI.dll,
                                   SHELL32.dll, OLEAUT32.dll, credui.dll,
                                   Secur32.dll, SSPICLI.DLL, IMM32.DLL,
                                   MSCTF.dll, comctl32.dll, uxtheme.dll,
                                   dwmapi.dll, CRYPTBASE.dll, CLBCatQ.DLL,
                                   wdc.dll, DUser.dll, pdh.dll, pdhui.dll,
                                   COMDLG32.dll, ODBC32.dll, wevtapi.dll,
                                   VERSION.dll, PLA.dll, tdh.dll, NSI.dll,
                                   IPHLPAPI.DLL, WINNSI.DLL, WINSTA.dll,
                                   UTILDLL.dll, SETUPAPI.dll, CFGMGR32.dll,
                                   DEVOBJ.dll, NETAPI32.dll, netutils.dll,
                                   srvcli.dll, wkscli.dll, LOGONCLI.DLL,
                                   BROWCLI.DLL, SAMCLI.DLL, WTSAPI32.dll,
                                   VDMDBG.dll, odbcint.dll, DUI70.dll,
                                   xmllite.dll, OLEACC.dll, FirewallAPI.dll,
                                   profapi.dll, WS2_32.dll, msxml3.dll,
                                   ntmarta.dll, WLDAP32.dll, Perfctrs.dll,
                                   perfdisk.dll, mswsock.dll, DNSAPI.dll,
                                   dhcpcsvc6.DLL, dhcpcsvc.DLL, WINTRUST.dll,
                                   CRYPT32.dll, MSASN1.dll, pcwum.dll,
                                   rasadhlp.dll

C:\Windows\system32>

Note: You have to run the Command Prompt as Administrator.

Q3: If I copy the above .dll files from the Windows 8 directory and replace the Windows 7 .dll files with them, will Windows 7 behave like Windows 8 (prevent suspending the System process)?

Note: Assume that we use a live Windows CD and a flash drive to replace the dll files. (Normally Windows 7 doesn't let you replace .dll files.)

Really appreciate your time and consideration :)

TheGoodUser

Posted 2014-08-10T06:08:01.363

Reputation: 1 045
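The same module listing as `tasklist /FI "PID eq <n>" /M`, done from PowerShell, added here as an example that is not part of the original question. It returns objects instead of wrapped text and handles the case that comes up later in this thread: PID 4 reports no modules, because the System process has no image file to map. It assumes an elevated PowerShell on Windows 7 or later, running with the same bitness as the target process (a 32-bit PowerShell cannot enumerate a 64-bit process's modules).

```powershell
# Added example, not from the original question. Equivalent of
#   tasklist /FI "PID eq <n>" /M
# but as objects, and tolerant of processes that have no user-mode module list.
# Assumes an elevated PowerShell on Windows 7 or later, same bitness as the target.

function Get-ProcessModuleList {
    param([Parameter(Mandatory = $true)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    try {
        # -Module returns System.Diagnostics.ProcessModule objects. For PID 4 this
        # throws: the System process has no image file ("system.exe" does not
        # exist) and no loader data in user mode, so there is nothing to list.
        $modules = Get-Process -Id $ProcessId -Module -ErrorAction Stop
        New-Object PSObject -Property @{
            ImageName = $proc.ProcessName
            PID       = $ProcessId
            Modules   = @($modules | ForEach-Object { $_.ModuleName })
            Error     = $null
        }
    } catch {
        New-Object PSObject -Property @{
            ImageName = $proc.ProcessName
            PID       = $ProcessId
            Modules   = @()
            Error     = $_.Exception.Message
        }
    }
}

# Same query as the thread's "tasklist /FI "PID eq 1728" /M", but by image name
# rather than by a PID that changes every boot (resmon.exe runs as perfmon):
Get-Process -Name perfmon -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessModuleList -ProcessId $_.Id } |
    Format-List ImageName, PID, Modules, Error

# The System process: an empty module list and an error, whatever account you use.
Get-ProcessModuleList -ProcessId 4 | Format-List ImageName, PID, Modules, Error
```

If `Get-Process -Name perfmon` returns nothing, Resource Monitor is simply not running; start resmon.exe first. The empty `Modules` for PID 4 is the same result the question reports for `tasklist /FI "PID eq 4" /M`.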

The System process is basically the operating system itself. As to why you can suspend it, only Microsoft can answer. Usually Windows tries to prevent users from doing harmful things, but it doesn't always succeed: users will eventually find new ways to break the system, be it intentionally or by mistake. Some people dislike a babysitting system, others don't; you can't really please both. No matter what method you use, copying Windows 8 system files over Windows 7 ones is probably a good idea if you want to make it unusable. Also, please avoid asking multiple questions in a single post. – and31415 – 2014-08-10T08:20:01.910

@and31415 Thank you, dear friend, but these questions are deeply related, and related to the title, I guess :) – TheGoodUser – 2014-08-10T08:22:32.697

Explain why you want to do this (nonsense). Which issues do you have? – magicandre1981 – 2014-08-10T15:54:03.403

NO, probably if you copy it Windows 7 won't behave like Windows 8. But there is only one way to find out for sure .... ;) – Devid – 2014-08-10T23:48:23.600

Now that sounds like a surefire plan to break a Windows installation – Daniel B – 2014-08-10T23:56:47.690

The System process is NOT "basically the operating system itself". It is a wrapper for kernel mode threads used not just by the OS but also by many components in networking, file systems, ... many others. The reason that suspending it kills mouse and keyboard input is that the threads that read these devices are in this process. But many things in Windows can continue running even while this process is suspended. – Jamie Hanrahan – 2014-08-11T02:58:27.507

@magicandre1981 I want to change the Windows 7 security policy and settings in such a way that an Administrator cannot suspend the System process! I think the questions are really clear! – TheGoodUser – 2014-08-11T04:06:04.060

No one can suspend the kernel without killing Windows. Without the kernel nothing works. – magicandre1981 – 2014-08-11T04:10:33.787

@magicandre1981 Would you please read the question carefully!? You misunderstood the question! As I said, I can suspend the System process and make my computer crash! I want to restrict this capability! Why must an admin have this ability? – TheGoodUser – 2014-08-11T04:20:06.930

Answers

1

Q1: No good reason I can think of; it seems to be an oversight.

Q2: No, because I can do it in my Win8.1 system too. I just did. The Administrators group already does not have the "Suspend/resume process" access right to this process, so how this is working at all, I'm not sure.

Q3: See above. I get the same behavior on Win8.1 so obviously using files from Win8.1 won't help. Also, those DLLs are not likely to be at all happy in the Win8 environment, and are shared by many other programs. You'll break a whole bunch of stuff if you try that.

Sorry..

Jamie Hanrahan

Posted 2014-08-10T06:08:01.363

Reputation: 19 777

If Remote Desktop were enabled on my system, and then I suspended the System process LOCALLY, is there any way to resume System via Remote Desktop? Thanks – TheGoodUser – 2014-08-11T08:33:20.010

FYI, I can still ping the system when System is suspended. – TheGoodUser – 2014-08-11T08:34:21.443

Ping - yes. Suspending the System process doesn't suspend everything in the OS, only those functions implemented in the System process's threads. Re rd, you would have to have a program ready to run that would call NtResumeProcess and could be triggered without needing anything from the System process. I don't know of anything offhand. – Jamie Hanrahan – 2014-08-11T17:22:39.617

I am very curious as to why, on my Windows 8.1 test system here, I can suspend the System process from TM (and from Process Explorer), but you cannot. Can you verify that this is the case for you? – Jamie Hanrahan – 2014-08-11T17:23:23.663

Oops! That's weird! Yes, I'm sure. On my Windows 7 Ultimate ver 6.1 I can suspend the System process, but my friend on Windows 8 can't suspend it (with an Administrator user). (I'm not sure about the version of his Windows 8, but I think it is not important; the question is why?! and how can we change it?) Thanks – TheGoodUser – 2014-08-12T04:26:57.810
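Two checks behind the puzzle in the answer above (Administrators lack the "suspend/resume process" right on PID 4, yet Task Manager and Process Explorer can suspend it), added here as an example that is not part of the thread. The first dumps the DACL of the System process object and flags which ACEs carry PROCESS_SUSPEND_RESUME (0x0800). The second asks OpenProcess for exactly that right, once with the token as-is and once after enabling SeDebugPrivilege: the OpenProcess documentation states that with SeDebugPrivilege enabled the requested access is granted regardless of the security descriptor, and Task Manager and Process Explorer enable that privilege themselves, while a plain elevated PowerShell holds it disabled until asked. The P/Invoke wrapper class `ProcAcl` and the three functions are mine and are assumptions, not anything from the thread; the script assumes an elevated PowerShell on Windows 7 or later and suspends nothing, it only tests the open.

```powershell
# Added example, not part of the thread. Reads the System process's DACL and tests
# whether PROCESS_SUSPEND_RESUME is granted to the caller, before and after
# enabling SeDebugPrivilege. Assumes an elevated PowerShell on Windows 7 or later.
# The ProcAcl wrapper and the function names below are this example's own.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcAcl {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool GetKernelObjectSecurity(IntPtr h, uint info, byte[] sd, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
}
"@

$READ_CONTROL              = 0x00020000
$PROCESS_SUSPEND_RESUME    = 0x0800      # the "suspend/resume process" access right
$DACL_SECURITY_INFORMATION = 0x4
$TOKEN_ADJUST_PRIVILEGES   = 0x20
$TOKEN_QUERY               = 0x8
$SE_PRIVILEGE_ENABLED      = 0x2

function Get-ProcessDacl {
    # One row per ACE in the process object's DACL, flagging the suspend/resume bit.
    param([int]$ProcessId)
    $h = [ProcAcl]::OpenProcess($READ_CONTROL, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess(READ_CONTROL) on PID $ProcessId failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $needed = [uint32]0
    [void][ProcAcl]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
    $buf = New-Object byte[] $needed
    $ok  = [ProcAcl]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)
    [void][ProcAcl]::CloseHandle($h)
    if (-not $ok) { throw "GetKernelObjectSecurity failed" }
    $sd = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $buf, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            AceType    = $ace.AceType
            Account    = $who
            Mask       = '0x{0:X}' -f $ace.AccessMask
            CanSuspend = (($ace.AccessMask -band $PROCESS_SUSPEND_RESUME) -ne 0)
        }
    }
}

function Enable-Privilege {
    # Enables one privilege in the current token. Returns $true only if it was really
    # granted: AdjustTokenPrivileges returns TRUE even when the privilege is not held,
    # and signals that case with ERROR_NOT_ALL_ASSIGNED (1300) in the last error.
    param([string]$Name)
    $tok = [IntPtr]::Zero
    if (-not [ProcAcl]::OpenProcessToken([ProcAcl]::GetCurrentProcess(), ($TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY), [ref]$tok)) { throw "OpenProcessToken failed" }
    $luid = New-Object ProcAcl+LUID
    if (-not [ProcAcl]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "LookupPrivilegeValue($Name) failed" }
    $tp = New-Object ProcAcl+TOKEN_PRIVILEGES
    $tp.Count = 1; $tp.Luid = $luid; $tp.Attr = $SE_PRIVILEGE_ENABLED
    $ok  = [ProcAcl]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][ProcAcl]::CloseHandle($tok)
    return ($ok -and $err -eq 0)
}

function Test-OpenForSuspend {
    # Requests PROCESS_SUSPEND_RESUME only; the kernel's access check decides.
    param([int]$ProcessId)
    $h   = [ProcAcl]::OpenProcess($PROCESS_SUSPEND_RESUME, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne [IntPtr]::Zero) { [void][ProcAcl]::CloseHandle($h); return 'granted' }
    return "denied (Win32 error $err)"                      # 5 = ERROR_ACCESS_DENIED
}

'DACL of the System process (PID 4):'
Get-ProcessDacl -ProcessId 4 | Format-Table AceType, Account, Mask, CanSuspend -AutoSize
'Open PID 4 for suspend/resume, SeDebugPrivilege untouched: ' + (Test-OpenForSuspend -ProcessId 4)
'SeDebugPrivilege enabled: ' + (Enable-Privilege -Name SeDebugPrivilege)
'Open PID 4 for suspend/resume, SeDebugPrivilege enabled:   ' + (Test-OpenForSuspend -ProcessId 4)
```

Run it from an elevated prompt. If the first open already reports "granted", something in your session has enabled the privilege already; `whoami /priv` shows whether SeDebugPrivilege is Enabled or Disabled in the current token. For Q2 this also shows why a permissions-only fix cannot work: the privilege, not the process ACL, is what lets an Administrator through. The only policy-level lever is the "Debug programs" user right in Local Security Policy, which is assigned to Administrators by default; removing it only raises the bar, since a member of Administrators can grant it back.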

0

  1. Download and change permissions with Process Explorer.
  2. On the process properties view, select the security tab.
  3. Press the permissions button.
  4. Press the advanced button.
  5. If necessary, add yourself or a group you belong to.
  6. Edit your permissions to include "Terminate". (You will need to already have the "Change Permissions" permission, or you are out of luck.)

OR

It is because the permissions of System (ntoskrnl.exe) are set to "read and write", and are only editable by "Trusted Installer", to prevent noobs from doing damage to their own computer. This includes ending the process itself. You need "Full Control". To fix this, simply go to "C:\Windows\System32", right-click on "ntoskrnl.exe", then Properties, then click the "Security" tab, then go to "Advanced", and then click on "Full Control" for Administrator. Now you would be able to end it from Resource Monitor.

Kirill2485

Posted 2014-08-10T06:08:01.363

Reputation: 847

Sorry but... he doesn't WANT to "end it", he wants to NOT be able to suspend it. And besides, changing the permissions on ntoskrnl.exe will do nothing. The System process is not created to run an instance of ntoskrnl.exe (and there is no exe called "System"), nor does the ACL of an exe get propagated to its process anyway. The important access right here is "suspend/create process" and it cannot even be set for files. – Jamie Hanrahan – 2014-08-11T03:06:20.503

OK then, why, when I go into Task Manager, right-click on "System" and click "Open File Location", does it take me to ntoskrnl.exe in system32? – Kirill2485 – 2014-08-11T03:13:44.130

Also, why, when I run ntoskrnl.exe (with the DLLs injected, of course) in VMware, does it restore the System process when it is suspended? – Kirill2485 – 2014-08-11T03:19:46.033

@kirill2485 Thank you, but as Mr Jamie said, I want to not be able to suspend it. And when I use > tasklist /FI "PID eq 4" /M in the Command Line, it returns no modules for it! Moreover, when I right-click on System and click on Open file location, it opens Desktop! – TheGoodUser – 2014-08-11T03:42:00.920

Maybe you are not doing something I'm doing: https://drive.google.com/file/d/0B8cuDjumkkmQdmtteV93OHljY3c/edit?usp=sharing – Kirill2485 – 2014-08-11T04:03:12.190

Also, Process Explorer works vice versa: you can prevent the access – Kirill2485 – 2014-08-11T04:07:06.740

kirill: You might ask yourself why, if the System process is launched as an instance of ntoskrnl.exe, that is not displayed as the "image" name? It's a very special case. ("Idle" is another, there is no idle.exe, the idle thread routine is part of ntoskrnl.) It is true that a great many of the threads in the process are running routines in ntoskrnl... but many come from other modules. ntoskrnl is not "run" like any other image, it is simply mapped into the kernel address space of ALL processes. This is all well documented in Windows Internals. – Jamie Hanrahan – 2014-08-11T07:08:13.670

TheGoodUser: Tasklist is giving you a more "real" look at things than Task Manager does. The actual ImageFileName field in "System"'s EPROCESS structure contains "System", but there is no system.exe, so it shows nothing. That TM takes you to ntoskrnl.exe is due to special-case code in TM. – Jamie Hanrahan – 2014-08-11T07:26:53.910