Unable to kill process, "Access is denied". Why?
CyberCat (Newbie, joined 26 August 2007, United Kingdom)
Posted: 26 August 2007 at 6:37pm
Hello there,

I've noticed that sometimes with Process Explorer there are strange rogue processes which can be "non-killable" and give the following message when you try to end them: "Error opening process: Access is denied." (Also holds true with taskmgr.exe, taskkill.exe, et al.) The main example I can give which does this is "vsmon.exe", which is the actual firewall component (i.e. non-user front-end) of ZoneAlarm, although I have seen this behaviour in other applications as well. The interesting thing is that although these applications are often run under alternate credentials (i.e. NT Authority\SYSTEM in this case), the ACL for the file allows my user account full access and ownership of it. As you probably guessed, this also prevents PE from doing basically anything with the process, such as showing open handles, DLLs, attaching a debugging tool, et cetera. Clearly this is a problem. So I would appreciate it if somebody could enlighten me as to why and how this happens and what I can do to fix these immortal processes. I'm using PE v10.21 on WinXP Pro 5.1.2600_sp2_gdr.070227-2254. Thank you.
EP_X0FF (Senior Member, joined 08 March 2006, Russian Federation)
Posted: 27 August 2007 at 12:44am
Because the firewall hooks many OS kernel/user functions and prevents third-party applications from opening the firewall process.
CyberCat (Newbie, joined 26 August 2007, United Kingdom)
Posted: 27 August 2007 at 1:08am
So is there any way to kill it? I mean, of course in this particular case it's easy to close ZoneAlarm using the software's "Exit" functionality, which will gracefully end vsmon.exe (and associated firewall services). But consider if a trojan, virus, worm, or other spyware program were to use this method? Surely there has to be some way to end it!

Interesting thing with ZoneAlarm in particular is it seems close to invincible to manual uninstallation. Not only does it "lock" all its associated files, preventing their deletion, but it incredibly even manages to lock all of its registry keys as well! You can try to stop its primary service through services.msc, but similarly you'll receive an "Access Denied" message when trying to change anything about it. Even if you go into CurrentControlSet in the registry to manually edit the service it will still be "Access Denied"! (Safe mode won't stop it either.) Even specialized "delete on reboot" programs won't work. The only way I've figured to partially stop it is to set the ACL of its processes to deny all, then reboot. You can also do this for its driver, srescan.sys. This will at least prevent it from ever starting; however, all of its files and registry keys will remain locked and unchangeable or undeletable! This is incredible, imagine if a malware app were to use techniques like this! So this is why I'm curious how to deal with it, it does seem quite impressive!
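The "deny everything on the file, then reboot" workaround described in the post above, written out as an added PowerShell example (this is not code from the thread or from ZoneAlarm). A driver image is opened in the SYSTEM context when it is loaded at boot, and SYSTEM is a member of Everyone, so a Deny ACE for Everyone stops the load as long as the DACL change itself is not refused by the running product. The srescan.sys path is taken from the post; the -Apply switch and the dry-run default are assumptions of this example.

```powershell
# Added example: put a Deny-FullControl ACE for Everyone on a driver image so it
# cannot be opened (and therefore not loaded) after the next reboot.
# Assumes Windows with PowerShell 2.0 or later, run from an elevated prompt.
param(
    # Path from the thread; change it for another product's driver.
    [string]$Path = "$env:SystemRoot\system32\drivers\srescan.sys",
    # Dry run unless -Apply is given (the switch is an assumption of this example).
    [switch]$Apply
)

if (-not (Test-Path -Path $Path)) { throw "not found: $Path" }

$acl  = Get-Acl -Path $Path
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
$acl.AddAccessRule($deny)   # deny ACEs are placed ahead of allow ACEs by the class

if ($Apply) {
    # If the product's driver is guarding the file, this is where "Access is denied"
    # shows up; in that case the ACE can only be set once the driver is not running.
    Set-Acl -Path $Path -AclObject $acl
} else {
    Write-Host "would add: Deny FullControl for Everyone on $Path (rerun with -Apply)"
}

# Verify what is on the file now: any deny entries present in the DACL.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Remove the ACE again with `$acl.RemoveAccessRule($deny)` followed by `Set-Acl` once the product has been uninstalled; leaving a Deny-Everyone ACE on a file also blocks the uninstaller.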
zakk (Groupie, joined 13 June 2008)
Posted: 15 January 2009 at 5:53pm
So, is there really no other way to force-kill such processes?

Edited by zakk - 15 January 2009 at 5:55pm
molotov (Moderator Group, joined 04 October 2006)
Posted: 15 January 2009 at 6:10pm
Seems you could try something like RootRepeal's Force Kill function...

Daily affirmation:
net helpmsg 4006
zakk (Groupie, joined 13 June 2008)
Posted: 16 January 2009 at 12:48pm
Thank you.

It seems, though, that it crashes all the time when I run it. (So I sent RootRepeal's maker a crash dump, as he suggests on his site.)
molotov (Moderator Group, joined 04 October 2006)
Posted: 16 January 2009 at 1:28pm
RootRepeal's "Force Kill" does warn of the potential for that behavior...
zakk (Groupie, joined 13 June 2008)
Posted: 16 January 2009 at 3:36pm
No, I meant that RootRepeal doesn't start at all when I try to run it.
It just creates the crash dump in its folder.
molotov (Moderator Group, joined 04 October 2006)
Posted: 16 January 2009 at 3:37pm
Ah! Gotcha...
Matts_User_Name (Senior Member, joined 10 August 2006, USA)
Posted: 17 January 2009 at 5:49am
Haha, before I knew about Windows internals, I always wondered the same thing. What I would recommend doing is using Radix (probably the best anti-rootkit tool that I know of): http://www.usec.at/rootkit.html

If you go to the SDT tab (Service Descriptor Table), the functions listed in red are those which have been hooked by the driver. The main ones which prevent process termination would be:

ZwTerminateProcess
ZwTerminateThread
ZwOpenProcess
ZwOpenThread

With Radix you can have it fix the hooks, and once you do, taskmgr, Process Explorer, or any other app will typically then be able to terminate vsmon.exe.

PS: I cannot recall if the vsmon service has an "auto-restart on failure" config in the registry (like what Nod32 does for its ekrn service), but if it does, do this:

1. Go to this regkey in regedit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsmon
2. Rename Failure actions to something else (e.g. Failure actions 1)

This ensures that services.exe doesn't automatically restart the service. Again, I doubt it configures this, but it wouldn't surprise me with how many freaking functions ZA's driver hooks (watch how many red Zw_______ functions you see hooked with Radix!).

In any case, any good anti-rootkit tool (like Radix or IceSword) is really good at terminating processes (even when the drivers hook these kernel functions). I am not sure how they typically implement this, but it probably either manually makes the kernel destroy the process or calls some kind of function like PspTerminateProcess. No idea how this function works internally (probably frees all memory and handles, and kills the _EPROCESS), but someone who could better answer that would be the guru EP_X0FF (I still have yet to find out what your username means, haha).

I hope this helps anyone.

Edited by Matts_User_Name - 17 January 2009 at 5:57am
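An added PowerShell example, not code from the thread or from any of the products named in it, covering the two checks a practitioner wants before reaching for an anti-rootkit tool: first, whether the "Access is denied" from Process Explorer comes from the process object's own DACL or from something sitting in front of it (the hooked ZwOpenProcess/ZwTerminateProcess discussed above), and second, whether the service has recovery actions that would make services.exe restart it after a kill. The probe opens the process with several access masks and, when READ_CONTROL is granted, dumps the object's security descriptor as SDDL; a DACL that grants you PROCESS_TERMINATE while OpenProcess still returns error 5 means the denial is not coming from the security descriptor. The recovery check decodes the REG_BINARY value the SCM stores under the service key; its registry name is FailureActions (shown with a space by regedit's display in the post above). The process and service names default to vsmon from the thread; the Win32 declarations, the output format and the name "ThreadExample" are assumptions of this example, and it needs Windows with PowerShell 2.0 or later.

```powershell
# Added example: probe process access rights and decode service failure actions.
# Assumes Windows, PowerShell 2.0+, and that you run it from the account whose
# access is being tested (elevate first to see the SYSTEM process at all).
param(
    [string]$ProcessName = 'vsmon',   # defaults taken from the thread
    [string]$ServiceName = 'vsmon'
)

# Minimal P/Invoke surface: open the process, read its security descriptor, close it.
$sig = @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetKernelObjectSecurity(IntPtr Handle, uint RequestedInformation,
    byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);
'@
$Native = Add-Type -MemberDefinition $sig -Name 'ProcProbe' -Namespace 'ThreadExample' -PassThru

# Access masks from winnt.h. PROCESS_QUERY_INFORMATION is used rather than the
# Vista+ PROCESS_QUERY_LIMITED_INFORMATION so the probe also runs on XP.
$Masks = @(
    @{ Name = 'READ_CONTROL';              Value = 0x00020000 },
    @{ Name = 'PROCESS_QUERY_INFORMATION'; Value = 0x00000400 },
    @{ Name = 'PROCESS_VM_READ';           Value = 0x00000010 },
    @{ Name = 'PROCESS_TERMINATE';         Value = 0x00000001 }
)

function Test-ProcessAccess {
    param([int]$ProcessId, [uint32]$Mask)
    $h   = $Native::OpenProcess($Mask, $false, [uint32]$ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) { return @{ Ok = $false; Error = $err; Handle = [IntPtr]::Zero } }
    return @{ Ok = $true; Error = 0; Handle = $h }
}

function Get-ProcessSddl {
    param([IntPtr]$Handle)
    $info   = [uint32]7          # OWNER | GROUP | DACL
    $needed = [uint32]0
    [void]$Native::GetKernelObjectSecurity($Handle, $info, $null, 0, [ref]$needed)  # size query
    $buf = New-Object byte[] ([int]$needed)
    if (-not $Native::GetKernelObjectSecurity($Handle, $info, $buf, $needed, [ref]$needed)) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
    return $sd.GetSddlForm('All')
}

# Decode the SCM's FailureActions blob: reset period, two placeholder DWORDs,
# action count, offset of the action array, then {type, delay ms} pairs.
function Get-ServiceFailureActions {
    param([string]$Name)
    $item = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.FailureActions) { return @() }
    $b      = [byte[]]$item.FailureActions
    $count  = [BitConverter]::ToUInt32($b, 12)
    $offset = [BitConverter]::ToUInt32($b, 16)
    $types  = @{ 0 = 'none'; 1 = 'restart'; 2 = 'reboot'; 3 = 'run command' }
    $actions = @()
    for ($i = 0; $i -lt $count; $i++) {
        $at = [int]$offset + 8 * $i
        if ($at + 8 -gt $b.Length) { break }   # malformed blob: stop rather than over-read
        $t = [int][BitConverter]::ToUInt32($b, $at)
        $d = [BitConverter]::ToUInt32($b, $at + 4)
        $actions += New-Object PSObject -Property @{ Type = $types[$t]; DelayMs = $d }
    }
    return $actions
}

foreach ($p in @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
    Write-Host ("PID {0} ({1}):" -f $p.Id, $p.ProcessName)
    foreach ($m in $Masks) {
        $r = Test-ProcessAccess -ProcessId $p.Id -Mask $m.Value
        if ($r.Ok) {
            Write-Host ("  {0,-28} granted" -f $m.Name)
            if ($m.Name -eq 'READ_CONTROL') {
                $sddl = Get-ProcessSddl -Handle $r.Handle
                if ($sddl) { Write-Host "  process object SDDL: $sddl" }
            }
            [void]$Native::CloseHandle($r.Handle)
        } else {
            # 5 = ERROR_ACCESS_DENIED. Denied here with a DACL that grants the right
            # means the refusal is not coming from the object's security descriptor.
            Write-Host ("  {0,-28} DENIED (Win32 error {1})" -f $m.Name, $r.Error)
        }
    }
}

$acts = @(Get-ServiceFailureActions -Name $ServiceName)
if ($acts | Where-Object { $_.Type -ne 'none' }) {
    Write-Host "service $ServiceName has recovery actions, so services.exe may restart it after a kill:"
    $acts | ForEach-Object { Write-Host ("  {0} after {1} ms" -f $_.Type, $_.DelayMs) }
    Write-Host "  to disable them as the post suggests, rename the value, e.g.:"
    Write-Host "  Rename-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName -Name FailureActions -NewName FailureActions.bak"
} else {
    Write-Host "service $ServiceName has no restart-on-failure actions configured"
}
```

`sc.exe qfailure <service>` shows the same recovery settings without touching the registry. Note that a kill via TerminateProcess counts as a failure for the SCM (the service never reported SERVICE_STOPPED), which is exactly why a restart action would bring it back. On current 64-bit Windows the same symptom, error 5 against a DACL that grants you the right, no longer comes from SSDT hooks (PatchGuard blocks them) but from a driver filtering handle creation through ObRegisterCallbacks or from the target being a protected process; the probe above cannot tell those apart, it only tells you the security descriptor is not the reason.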