Sysinternals Forum > Sysinternals Utilities > Process Explorer

Unable to kill process, "Access is denied". Why?

CyberCat (Newbie, joined 26 August 2007, United Kingdom)
Posted: 26 August 2007 at 6:37pm
Hello there,

I've noticed that sometimes with Process Explorer there are strange rogue processes which can be "non-killable" and give the following message when you try to end them: "Error opening process: Access is denied." (Also holds true with taskmgr.exe, taskkill.exe, et al.)

The main example I can give which does this is "vsmon.exe" which is the actual firewall component (i.e. non-user front-end) of ZoneAlarm, although I have seen this behaviour in other applications as well.

The interesting thing is that although these applications are often run under alternate credentials (i.e. NT Authority\SYSTEM in this case) the ACL for the file allows my user account full access and ownership of it.

As you probably guessed this also prevents PE from doing basically anything with the process, such as showing open handles, DLLs, attaching a debugging tool, et cetera. Clearly this is a problem.

So I would appreciate it if somebody could enlighten me as to how this happens and what I can do to fix these immortal processes.

I'm using PE v10.21 on WinXP Pro 5.1.2600_sp2_gdr.070227-2254.

Thank you.
EP_X0FF (Senior Member, joined 08 March 2006, Russian Federation)
Posted: 27 August 2007 at 12:44am
Because the firewall has hooked many OS kernel/user functions and prevents third-party applications from opening the firewall process.
CyberCat (Newbie, joined 26 August 2007, United Kingdom)
Posted: 27 August 2007 at 1:08am
So is there any way to kill it? I mean of course in this particular case it's easy to close ZoneAlarm using the software's "Exit" functionality which will gracefully end vsmon.exe (and associated firewall services). But consider if a trojan, virus, worm, or other spyware program were to use this method? Surely there has to be some way to end it!

Interesting thing with ZoneAlarm in particular is it seems close to invincible to manual uninstallation. Not only does it "lock" all its associated files preventing their deletion, but it incredibly even manages to lock all of its registry keys as well!

You can try to stop its primary service through services.msc, but you will similarly receive an "Access Denied" message when trying to change anything about it. Even if you go into CurrentControlSet in the registry to manually edit the service it will still be "Access Denied"! (Safe mode won't stop it either.) Even specialized "delete on reboot" programs won't work.

The only way I've figured to partially stop it is to set the ACL of its processes to deny all, then reboot. You can also do this for its driver, srescan.sys. This will at least prevent it from ever starting, however all of its files and registry keys will remain locked and unchangeable or deletable!

This is incredible, imagine if a malware app were to use techniques like this! So this is why I'm curious how to deal with it, it does seem quite impressive!
zakk (Groupie, joined 13 June 2008)
Posted: 15 January 2009 at 5:53pm
So, there's really no other way to force kill such processes?

Edited by zakk - 15 January 2009 at 5:55pm
molotov (Moderator Group, joined 04 October 2006)
Posted: 15 January 2009 at 6:10pm
Seems you could try something like RootRepeal's Force Kill function...
Daily affirmation:
net helpmsg 4006
zakk (Groupie, joined 13 June 2008)
Posted: 16 January 2009 at 12:48pm
Thank you.

It seems though that it crashes all the time when I run it.
(So I sent RootRepeal's maker a crash dump, as he suggests in his site)
molotov (Moderator Group, joined 04 October 2006)
Posted: 16 January 2009 at 1:28pm
RootRepeal's "Force Kill" does warn of the potential for that behavior...
zakk (Groupie, joined 13 June 2008)
Posted: 16 January 2009 at 3:36pm
No, I meant that RootRepeal doesn't start at all when I try to run it.
It just creates the crash dump in its folder.
molotov (Moderator Group, joined 04 October 2006)
Posted: 16 January 2009 at 3:37pm
Ah! Gotcha...
Matts_User_Name (Senior Member, joined 10 August 2006, USA)
Posted: 17 January 2009 at 5:49am

Haha, before I knew about Windows internals, I always wondered the same thing.

What I would recommend doing is using Radix (Probably the best Anti-Rootkit tool that I know of)
http://www.usec.at/rootkit.html


If you go to the SDT Tab (Service Descriptor Table) the functions listed in red are those which have been hooked by the driver.
The main ones which prevent process termination would be:
ZwTerminateProcess
ZwTerminateThread
ZwOpenProcess
ZwOpenThread

With Radix you can have it fix the hooks, and once you do taskmgr, process explorer, or any other app will typically then be able to terminate vsmon.exe


PS: I cannot recall if the vsmon service has an "auto-restart on failure" config in the registry (like what Nod32 does for its ekrn service), but if it does, do this:
1. Go to this regkey in regedit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsmon

2. Rename Failure actions to something else (Ex: Failure actions 1)
This ensures that services.exe doesn't automatically restart the service

Again, I doubt it configures this, but it wouldn't surprise me with how many freaking functions ZA's driver hooks (watch how many red Zw_______ functions you see hooked with Radix!)



In any case, any good anti-rootkit tool (like Radix or IceSword) is really good at terminating processes (even when the drivers hook these kernel functions). I am not sure how they typically implement this but it probably either manually makes the kernel destroy the process, or calls some kind of function like PspTerminateProcess.
No idea how this function works internally (probably frees all memory, handles, kills the _EPROCESS) but someone to better answer that would be the Guru EP_X0FF (I still have yet to find out what your username means, haha)

I hope this helps anyone.


Edited by Matts_User_Name - 17 January 2009 at 5:57am
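As an added, defender-side illustration of the "Failure actions" check in the post above (example code written for this page, not from the poster, Sysinternals or ZoneAlarm): the script decodes a service's REG_BINARY FailureActions value so you can tell in advance whether services.exe will relaunch a service after its process is terminated. The service name vsmon and the sample blob are assumed/constructed; on Windows the script reads the live value, elsewhere it falls back to the constructed sample.

```python
import struct
import sys

# SC_ACTION type codes from winsvc.h
SC_ACTION_TYPES = {0: "NONE", 1: "RESTART", 2: "REBOOT", 3: "RUN_COMMAND"}


def parse_failure_actions(blob: bytes) -> dict:
    """Decode a service's REG_BINARY FailureActions value.
    Header mirrors SERVICE_FAILURE_ACTIONS as five little-endian DWORDs:
    dwResetPeriod, lpRebootMsg, lpCommand, cActions, lpsaActions (pointer
    fields are stored as blob offsets); cActions {Type, Delay ms} pairs follow.
    """
    if len(blob) < 20:
        raise ValueError("FailureActions blob shorter than its 20-byte header")
    reset_period, _msg, _cmd, count, actions_off = struct.unpack_from("<5I", blob, 0)
    if actions_off + 8 * count > len(blob):
        raise ValueError("cActions points past the end of the blob")
    actions = []
    for i in range(count):
        atype, delay_ms = struct.unpack_from("<II", blob, actions_off + 8 * i)
        actions.append((SC_ACTION_TYPES.get(atype, f"UNKNOWN({atype})"), delay_ms))
    return {"reset_period_s": reset_period, "actions": actions}


def auto_restarts(parsed: dict) -> bool:
    """True if any configured failure action does something (restart/reboot/run)."""
    return any(kind != "NONE" for kind, _ in parsed["actions"])


def read_failure_actions(service_name: str):
    """Read the raw value from the live registry (Windows only); None if absent."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    path = "SYSTEM\\CurrentControlSet\\Services\\" + service_name
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, "FailureActions")[0]
    except FileNotFoundError:
        return None


# Constructed sample blob (not captured from a real machine): 86400 s reset
# period, three actions = restart after 60 s, restart after 60 s, then nothing.
SAMPLE_BLOB = (struct.pack("<5I", 86400, 0, 0, 3, 20)
               + struct.pack("<II", 1, 60000) * 2
               + struct.pack("<II", 0, 0))

if __name__ == "__main__":
    info = parse_failure_actions(read_failure_actions("vsmon") or SAMPLE_BLOB)
    print(info, "auto-restart:", auto_restarts(info))
```

A service whose parsed actions contain RESTART will come back by itself after a kill, which is why renaming or clearing the value (as the post suggests) matters before terminating the process.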