A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #9994  by utsav.0202
 Tue Nov 29, 2011 12:22 pm
The EndTask function is called to forcibly close a specified window.
How do I protect my window from this API?
I mean, what routine do I hook?

Thanks and Regards
Utsav
 #10016  by utsav.0202
 Wed Nov 30, 2011 7:34 am
I hooked NtTerminateProcess
and tried to kill my process from "test.exe", which uses EndTask.
The process that is calling NtTerminateProcess to kill my protected process is "csrss.exe" instead of "test.exe".
Why is it so?
 #10017  by EP_X0FF
 Wed Nov 30, 2011 7:40 am
utsav.0202 wrote: I hooked NtTerminateProcess
and tried to kill my process from "test.exe", which uses EndTask.
The process that is calling NtTerminateProcess to kill my protected process is "csrss.exe" instead of "test.exe".
Why is it so?

Because internally EndTask results in a CsrClientCallServer call to the csrss special API port. Csrss gets the message and processes it.
 #10021  by Brock
 Wed Nov 30, 2011 8:37 am
IIRC, in order to stop EndTask() you would need to hook NtTerminateProcess and deny it, as well as handle the WM_CLOSE message that it gently sends to a window of your process, assuming there even is one. Basically, if the window cannot be closed, it then tries to force the process to terminate via NtTerminateProcess, from what I recall, if the Force parameter is specified as True.
 #10028  by utsav.0202
 Wed Nov 30, 2011 9:47 am
I hooked NtTerminateProcess and returned STATUS_ACCESS_DENIED for my process.

This resulted in an "error" dialog box for each window in my process that says:
"This program cannot be closed because it is locked by the system."

I don't want this. Is there any other way?
Can I prevent the CsrClientCallServer call?
 #10030  by newgre
 Wed Nov 30, 2011 12:02 pm
Have you tried simply returning STATUS_SUCCESS without killing the process?