The topic of this blog post is already more than one and a half years old - have a look at the thread posted at the BuHa forums (sorry, German only). In fact it's quite possible that this issue has been known for much longer, but regrettably I could not find any information on it.
If a user with insufficient privileges (e.g. a member of the Users or Power Users group) tries to terminate a privileged process using the Windows task manager `taskmgr.exe' (or any other task manager, such as Sysinternals' Process Explorer), the manager displays an access denied message and nothing happens. Alright, but how does the system react if we try to kill its System process with a privileged user account? Please note that I'm talking about the real System process with PID 4 (at least on Windows XP). We would expect the task manager to display a message informing the user that it's not possible to terminate this process, as it does for `winlogon.exe', `lsass.exe', `csrss.exe' and so on, but it does not.
If we monitor the task manager's API calls with an API monitor such as Rohitab's API Monitor, we see that the task manager first tries to call OpenThreadToken() on the System process. This call always fails, which is why the task manager then calls AdjustTokenPrivileges() to enable SeDebugPrivilege and kills the process with TerminateProcess(). Both of these calls return successfully, but I'm still not sure what the TerminateProcess() call actually does when it is called on the System process.
In fact it seems that Windows ignores the TerminateProcess() call. On the one hand this might be explained by the fact that the System process is not a (usual) process. It contains a special kind of thread: these so-called kernel-mode system threads are created by the PsCreateSystemThread() function and have no user-mode process address space, which means they run in kernel mode only. Maybe that is also an explanation why OpenThreadToken() always fails..
In any case, the attempt to terminate the System process leads to several inconvenient phenomena:
- No more sound - the system behaves as if no sound driver were installed
- Broken network shares - it's not possible to connect to network shares anymore
I'm still not sure what exactly happens when a task manager is told to terminate the System process, but I guess the system starts killing important resources before it recognizes that these objects are still needed..
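As an added example that is not part of the original post: the call sequence observed above (a failed OpenThreadToken(), AdjustTokenPrivileges() enabling SeDebugPrivilege, then TerminateProcess() on the System process) is exactly the kind of pattern a defender can look for in an API trace or endpoint telemetry. The Python below scans constructed API-monitor-style log lines and reports any caller that issues TerminateProcess() on a handle to a protected PID such as the System process (PID 4), noting whether SeDebugPrivilege had been enabled first. The line format, the sample PIDs and the handle values are all assumptions made for this example; a real tool (Rohitab's API Monitor, ETW, Sysmon) has its own format and would need its own parser.

```python
"""Detect attempts to terminate the System process in an API-trace log.

Constructed line format (an assumption for this example, one call per line):
    <caller_pid> <api>(<args>) = <result>
"""
import re
from dataclasses import dataclass, field

# PIDs whose termination should never be attempted: PID 0 is the Idle
# process, PID 4 is the System process on Windows XP and later.
PROTECTED_PIDS = {0, 4}

LINE_RE = re.compile(
    r"^(?P<caller>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<result>\S+)$"
)


@dataclass
class CallerState:
    """Per-caller state: whether SeDebugPrivilege is enabled and which
    process handle maps to which target PID (learned from OpenProcess)."""
    debug_privilege: bool = False
    handles: dict = field(default_factory=dict)


def parse_line(line):
    """Return (caller_pid, api, args, result) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (int(m.group("caller")), m.group("api"), m.group("args"), m.group("result"))


def find_protected_process_kills(lines):
    """Return [(caller_pid, target_pid, debug_privilege_enabled), ...] for
    every TerminateProcess() issued against a protected PID."""
    states = {}
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip comments, blank lines and foreign formats
        caller, api, args, result = parsed
        st = states.setdefault(caller, CallerState())
        if api == "AdjustTokenPrivileges" and "SeDebugPrivilege" in args and result != "0":
            st.debug_privilege = True
        elif api == "OpenProcess" and result not in ("0", "NULL"):
            # OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId):
            # the last argument is the target PID, the result is the handle.
            target = int(args.split(",")[-1].strip())
            st.handles[result] = target
        elif api == "TerminateProcess":
            # TerminateProcess(hProcess, uExitCode): resolve the handle back
            # to the PID it was opened for.
            handle = args.split(",")[0].strip()
            target = st.handles.get(handle)
            if target in PROTECTED_PIDS:
                hits.append((caller, target, st.debug_privilege))
    return hits


# Constructed sample trace: caller 1234 mimics the task manager sequence
# against PID 4; caller 5678 terminates an ordinary process and is benign.
SAMPLE_TRACE = [
    "# constructed API trace, not real tool output",
    "1234 OpenThreadToken(0x7c, 0x8, 0, 0x12f) = 0",
    "1234 AdjustTokenPrivileges(0x80, 0, SeDebugPrivilege:SE_PRIVILEGE_ENABLED, 0, 0, 0) = 1",
    "1234 OpenProcess(PROCESS_TERMINATE, 0, 4) = 0x84",
    "1234 TerminateProcess(0x84, 1) = 1",
    "5678 OpenProcess(PROCESS_TERMINATE, 0, 2040) = 0x90",
    "5678 TerminateProcess(0x90, 1) = 1",
]

if __name__ == "__main__":
    for caller, target, dbg in find_protected_process_kills(SAMPLE_TRACE):
        print(f"caller PID {caller} attempted to terminate protected PID {target} "
              f"(SeDebugPrivilege enabled: {dbg})")
```

On the sample trace the detector reports only caller 1234 against PID 4, with SeDebugPrivilege enabled; the benign termination of PID 2040 is ignored. Keying on the handle returned by OpenProcess() rather than on the TerminateProcess() arguments alone is what makes the check reliable, since the PID is not visible in the TerminateProcess() call itself.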
This issue (I would definitely call it a bug) is always reproducible, and it makes no difference whether we use a fresh Windows XP installation or Windows XP SP2 with all patches applied. However, this behavior is not present in Windows 2000.
Resources:
Microsoft Windows Internals, Fourth Edition