BiggJohn

Disable ability of non-privileged user from killing script in Task Manager

23 posts in this topic

Hi,

I know there is some resistance to helping people with this particular problem, but I'm not asking for something foolproof, just regular-end-user-proof. 

We have a script which (nicely) reboots our systems.  We want to run it on a regular weekly schedule, but one of the issues we've discovered is that regular, non-privileged users can kill it from the applications tab of the Task Manager.  Since the script also does a countdown and gives them the option of postponing, we're being pretty flexible with our parameters, but still some people will just keep killing it and so software and updates which require a reboot will not get installed on a timely basis.  Is there a way that (nicely) prevents them from being able to kill it?  Local administrators can kill it without any issue, and we're ok with that as there may be a legitimate reason for them to occasionally prevent this reboot from taking place.

Thanks in advance

John




Actually, that's what's strange.  It's not.  It's launched as System, and so I would have thought that it was unkillable by a non-privileged user, but it is.  You can't kill the process, but you can kill the application.  Two different tabs in Task Manager, two different results from the same user.

 

John


Not sure what you mean by the application that can be killed not the task? Shouldn't there be just one pid for the started script running under the system credentials? 

Jos 


Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)


If I start the program running, I can open up Task Manager and see it as both an Application and process.  If I try to kill the process as a normal user, it gives me access denied, but if I click on the application and then "End Task" it will actually kill it, even though it's running under the system context.  I didn't think it was possible to do this, but one of my end-users told me offhandedly they were able to accomplish this, and through testing I've confirmed it.  Again, I don't mind if a sysadmin can do it, but I have to be able to prevent end-users from killing this utility.

 

John


No.  It has options to allow an "abort" but we have disabled that.  The actual utility is running from within our autoit script, which is basically a wrapper to pass along command line parameters as well as check things like the OS level and pre-requisites, but otherwise it is just an executable, kicked off from within our script using shellexecute ().

John


Ok,  so they can close that shelled utility or do they close the AutoIt script?

Any reproducer script you can share for us to get with?

I won't be able to test at this moment  but hope others can help out. 

Jos 



What if you fixed it so when they log in if a patch needs to run just prevent explorer.exe from launching and have the PC run the needed patches, then reboot? The upside to this method is the user has not got any work open and thus not lose anything. The downside is the user may try to do a force reboot to get to the desktop. I would have a flag set so it is not tripped until the patches are done.

A second thing to do is simply warn users that each evening their PCs WILL be rebooted no matter what. If they don't shut down, then they run the risk of losing stuff. Yes, the user may be pissed however - security trumps user every time.

If we are dealing with mobile users, then they should be warned when booting up they may be hit with an update that can be postponed only once. The laptop will still be rebooted at say 2 AM no matter what.

Reboots can be handled in AD if I remember right. That way no task manager to fuss with.


maybe copy it to shutdown scripts and shutdown /f /r /t 0?  They could still hold down the power button or unplug it from the wall or find a slick way to run shutdown /a, so you would probably want to keep a startup script that checks to see if it finished properly, and if not go again.



just make this a formal rule of conduct: reboot or not, update or not, maintenance or not -

everyone logs-off when they leave the office.

as per my experience - enterprise users should be aware that their workstation is not their personal computer, it belongs to the enterprise. hence, if the enterprise says a reboot will occur, they have no say about it whatsoever. if they log-off, they will not lose anything when a reboot is imposed. how? remotely. you need not install anything on the target, you can force a reboot over network. means to do that are abundant - even shutdown.exe supports \\computername as a parameter, and no doubt whatever deployment solution you are using does too.

we are not living in the Windows XP era anymore. these days updates are pushed daily, if not hourly. no point in allowing users to decide when to reboot.

sorry if that sounds a bit harsh, but if getting your machines updated is your responsibility, go and claim it.


We use an enterprise tool to patch the systems, and the options for rebooting are not very user-friendly.  This provides us with a more flexible, user-friendly way for handling the reboots. 

To Orbs:  Life in an Enterprise environment isn't quite as simple as dictating things to end-users.  You can tell people all day long what they should do, but many won't do it, and if the result is a reboot in the middle of the workday, or patches installing while a presentation is being conducted, the blowback is usually not aimed at the user.  I am in complete agreement that being able to dictate how users can use their company-owned equipment is the best-case scenario, however it is not always possible for IT admins to be able to dictate policy, not without jumping through our own hoops first.  This tool is designed to force the reboot, with a countdown and other options.

To Jos: They are closing the tool itself, which was launched by the Autoit Script.  What I'm trying to do is somehow put some code in the script that launches the tool to prevent it from being kill-able.  So far all I've been able to find is code which effectively disables the task manager, and while it looks promising, I'm not sure how to include it in my code, it looks like this:

; Disable Task Manager without Popups!

Opt("WinWaitDelay",1)

While 1
    WinWaitActive("Windows Task Manager")
    ControlDisable("Windows Task Manager", "", "&End Process")
    ControlDisable("Windows Task Manager", "", "SysListView321")
    ControlDisable("Windows Task Manager", "", "SysTabControl321")
    ControlDisable("Windows Task Manager", "", "SysHeader324")
    WinWaitClose("Windows Task Manager")
Wend

My launch code is quite simple, it simply does a Shellexecute like this:

;Run the Shutdown Command
$ShutCOMMAND = "c:\windows\Shut\Shutcommand.exe"
$ShutOptions = ' -c:"Reboot in progress" -t:100 -mm:500 -r'
ShellExecute ($ShutCOMMAND, $ShutOptions,"c:\windows\shut")

Thanks for all the feedback so far, please keep it coming.

 

John

 

 



What if you fixed it so when they log in if a patch needs to run just prevent explorer.exe from launching and have the PC run the needed patches, then reboot? The upside to this method is the user has not got any work open and thus not lose anything. The downside is the user may try to do a force reboot to get to the desktop. I would have a flag set so it is not tripped until the patches are done.

A second thing to do is simply warn users that each evening their PCs WILL be rebooted no matter what. If they don't shut down, then they run the risk of losing stuff. Yes, the user may be pissed however - security trumps user every time.

If we are dealing with mobile users, then they should be warned when booting up they may be hit with an update that can be postponed only once. The laptop will still be rebooted at say 2 AM no matter what.

Reboots can be handled in AD if I remember right. That way no task manager to fuss with.

The problem is that sometimes we're installing dozens of patches with multiple reboots, so all patching is done at night.  But there are also other scenarios which call for a reboot of the client machine, and that's where this tool comes in.  That's a very interesting thought though, I'll keep that in my toolbox for other issues.


I think the problem is that the application shelled interacts with the user session and that allows them to send a close window message to the application which then closes.  Doubt they would be able to hard kill the application running in system credentials.

Jos 



Interesting thought.  The program does run with an allowance for the user to interact with it.  I'll try kicking off just the application directly and see if it can still be killed.  In the meantime, would you be able to offer advice on how to join the two examples of code I posted?  I'd like to try disabling the task manager while the script is running, but I'm a bit of a rookie at coding and could use assistance in connecting the dots.

Thanks!

John


Couldn't you simply monitor the shelled task and when killed reshell it with your autoit3 script? You just leave the autoit script running and the reboot will take care of stopping it.

I am not so much a fan of supporting things like disabling task managers as that could easily be used for "other" type scripts.

jos



I thought about doing that, the only issue is it would automatically reset the timer, which is currently set to expire at the best time of day for a reboot. 

Thanks for the help, I think I'll try to muddle my way to getting the task manager to be disabled.  It's not my favourite method of solving this either as I don't like the idea of them not being able to use it for anything else while the program is running, but so far it's the best I have.

Thanks again.

John
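
The relaunch idea discussed in the two posts above, with the timer-reset concern handled by tracking the original deadline and passing only the remaining time on each relaunch. This is an added example, not code posted by anyone in the thread; it assumes `-t:` is the countdown in seconds and that the tool exits only when it is closed or once the reboot has begun, and `$iMinSecs` and `_LaunchTool` are hypothetical names.

```autoit
; Added example: relaunch wrapper that keeps the original reboot deadline.
; Assumption: -t:<n> is the countdown in seconds (the thread does not say).
Global Const $sShutDir = "c:\windows\Shut"
Global Const $sShutExe = $sShutDir & "\Shutcommand.exe"
Global Const $iTotalSecs = 100 ; same value as -t:100 in the launch code above
Global Const $iMinSecs = 10    ; hypothetical floor so a late relaunch still shows a warning

Global $hStart = TimerInit()   ; the deadline is measured from the first launch only
Global $iLeft = $iTotalSecs
Global $iPID = _LaunchTool($iLeft)

While $iPID <> 0
    Sleep(1000)
    If ProcessExists($iPID) Then ContinueLoop

    ; The tool is gone but this wrapper is still running, so the reboot
    ; has not happened yet. Relaunch with the time that is left rather
    ; than the full countdown.
    $iLeft = $iTotalSecs - Int(TimerDiff($hStart) / 1000)
    If $iLeft < $iMinSecs Then $iLeft = $iMinSecs
    $iPID = _LaunchTool($iLeft)
WEnd

; Starts the reboot tool with the given countdown and returns its PID.
; Run() returns 0 on failure, which ends the loop above.
Func _LaunchTool($iSecs)
    Local $sOpts = ' -c:"Reboot in progress" -t:' & $iSecs & ' -mm:500 -r'
    Return Run('"' & $sShutExe & '"' & $sOpts, $sShutDir)
EndFunc
```

A postponement made inside the tool is not visible to this wrapper, so a relaunch after a postponement falls back to the original deadline.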


At that point you're trying to stop a determined individual, who could still run taskkill.  Making your script more invasive on execution is just asking for it to be circumvented more than it already is.  I would work the other direction and attempt to execute it in a fashion where it is more transparent and less optional.  You shouldn't have to dick dance with security, explain to them what is occurring and that they will potentially be identified as a risk and lose network access if they circumvent the processes in place.



I understand what you're saying, but task manager is pretty widely known, whereas taskkill isn't, so I'm really just trying to close the one door that *most* users know about.  I know I can't make this unkillable, but I do want to make it difficult and not worth the effort to circumvent.  Security is on my side, however with tens of thousands of machines to administer, we would like to make this as robust and reliable as possible.  I really don't want to spend much time chasing down and admonishing the few individuals who are going to get cute with it.


Here's something I thought of. Since you're saying you don't mind administrators being able to kill it, there is a way to disable task manager via registry. You could disable it and perhaps have an option for users to be able to activate task manager again using a username and a password, which would only be known to administrators. And if your users are somewhat "advanced", there is also a way to disable registry editor, via regedit (ironically). I won't openly mention the ways here, but they're pretty well known. Tell me if that works.
