morph3us.org

The topic of this blog post is already more than one and a half year old - have a look at the thread posted at BuHa forums (sry, German only). In fact it's pretty possible that this issue is much more longer known but regrettably I could not find any information regarding this topic.

If a user with unsufficient privileges (e.g. users in users or power users group) tries to terminate a privileged process using the Windows task manager `taskmgr.exe' (or another arbitrary task manager like Sysinternals's process explorer) the manager will display an access denied message and nothing will happen. Alright, but how the system reacts if we try to kill it's system process with a privileged user account? Please note that I'm talking about the real system process with PID 4 (at least if we use Windows XP). We would suppose that the task manager displays a message which informs the user that it's not possible to terminate this process like it does it for `winlogon.exe', `lsass.exe', `csrss.exe' and so on but it does not.