我注意到无法从Process Explorer中杀死GoogleToolbarNotifier.exe.它返回"拒绝访问".它以用户身份运行,运行"正常"优先级,并从Program Files运行.
他们是如何做到的呢?
我认为可能有一种方法可以修改ACL,或者将进程标记为"关键",但我似乎找不到任何东西.
更新:
我找到了一个很好的挖掘答案.@Alex K.是正确的,因为该进程已删除PROCESS_TERMINATE权限,但我想在代码中提供答案:
static const bool ProtectProcess()
{
HANDLE hProcess = GetCurrentProcess();
EXPLICIT_ACCESS denyAccess = {0};
DWORD dwAccessPermissions = GENERIC_WRITE|PROCESS_ALL_ACCESS|WRITE_DAC|DELETE|WRITE_OWNER|READ_CONTROL;
BuildExplicitAccessWithName( &denyAccess, _T("CURRENT_USER"), dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE );
PACL pTempDacl = NULL;
DWORD dwErr = 0;
dwErr = SetEntriesInAcl( 1, &denyAccess, NULL, &pTempDacl );
// check dwErr...
dwErr = SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL );
// check dwErr...
LocalFree( pTempDacl );
CloseHandle( hProcess );
return dwErr == ERROR_SUCCESS;
}