
ProcessCritical

Tags: ntdll; bsod


#1 joakim (Silver Member, Team Reboot, 912 posts, Location: Bergen, Norway)

Posted 15 September 2012 - 10:08 PM


File Name: ProcessCritical
File Submitter: joakim
File Submitted: 15 Sep 2012
File Category: Tools

System critical processes

A process can be set as critical, which means that if the process exits, then the system will also stop. The system will thus BSOD. Getting and setting this information is done through NtQueryInformationProcess and NtSetInformationProcess, specifying ProcessBreakOnTermination (0x1d) as the ProcessInfoClass. In order to do this, one must have the debug privilege assigned. Microsoft seems to provide little to no documentation about this.

There are usually 3 processes that have this flag set on Windows 7:
  • smss.exe
  • csrss.exe
  • wininit.exe

But these processes can vary depending on the Windows version.

With the program you can remove the flag from any of the processes that have it configured, or you can set it on an arbitrary process. The program is compiled as a console application, and its syntax is:

ProcessCritical.exe -pid value -CriticalFlag value

-pid is the process id of the target process

-CriticalFlag is the value to put into ProcessBreakOnTermination (0 or 1). 0 means process is not critical.


Example to remove the critical flag from smss.exe on my system (pid may vary of course):

ProcessCritical.exe -pid 244 -CriticalFlag 0


Example to set the critical flag to 1 for process with ID 2366:

ProcessCritical.exe -pid 2366 -CriticalFlag 1


Dump the critical flag configuration for all processes:

ProcessCritical.exe


Now if you want to know what happens if you remove the critical flag from any of those processes that have it configured, and then terminate the process, then go ahead and try. I can tell you that your system will start behaving in a very strange way, and you may ultimately have no other choice than to do a hard reset of your system. Preferably do this in a virtual test machine. The only practical uses of this that I can think of are:
  • a very nasty, rude, inelegant and possibly devastating way of making sure your process stays with the system.
  • the ability to terminate processes that were initially marked as critical.
Attached is a PoC called BSOD.exe, which will simply BSOD your system. The point is that it sets the critical flag on itself and then exits. That will instantly throw a Blue Screen Of Death.

Your screen may end up like this in Windows 7:
(screenshot)

And like this in Windows 8:
(screenshot)

Final words are, to no surprise, that you need to be careful with this, as you may crash your system, and it may become unbootable in certain cases. I take absolutely no responsibility for what you may cause with this code. You have been warned.

Hope you find the information useful.

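The two native calls the post describes, as an added example that is not joakim's ProcessCritical source or the attached BSOD.exe: a PowerShell script that P/Invokes ntdll's NtQueryInformationProcess / NtSetInformationProcess with information class 0x1d, enables SeDebugPrivilege on its own token first (the set side fails with STATUS_PRIVILEGE_NOT_HELD without it), and reproduces the tool's "dump all" and "-CriticalFlag 0" modes. The wrapper class name ProcCrit, the function names and the sample usage at the bottom are this example's own choices; the Win32 constants (PROCESS_*, TOKEN_*, SE_PRIVILEGE_ENABLED, ERROR_NOT_ALL_ASSIGNED = 1300) are the documented values. Run it from an elevated prompt, and only in a throwaway VM if you intend to set the flag on anything.

```powershell
# Added example, not the original post's code. Query/set ProcessBreakOnTermination (0x1d)
# through ntdll; needs an elevated PowerShell so SeDebugPrivilege is present in the token.
$src = @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct LUID { public uint LowPart; public int HighPart; }

[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

public static class ProcCrit   // wrapper class name is this example's own choice
{
    public const int  ProcessBreakOnTermination = 0x1d;   // PROCESSINFOCLASS value from the post
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint PROCESS_SET_INFORMATION   = 0x0200;

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref int info, int infoLength, out int returnLength);
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr hProcess, int infoClass,
        ref int info, int infoLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inheritHandle, int pid);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previous, IntPtr returnLength);
}
'@
Add-Type -TypeDefinition $src

function Enable-DebugPrivilege {
    # An elevated token holds SeDebugPrivilege but disabled; turn it on for this process.
    $TOKEN_ADJUST_PRIVILEGES = 0x20; $TOKEN_QUERY = 0x8; $SE_PRIVILEGE_ENABLED = 0x2
    $tok = [IntPtr]::Zero
    if (-not [ProcCrit]::OpenProcessToken([ProcCrit]::GetCurrentProcess(),
            ($TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY), [ref]$tok)) { throw 'OpenProcessToken failed' }
    try {
        $luid = New-Object LUID
        if (-not [ProcCrit]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) { throw 'LookupPrivilegeValue failed' }
        $tp = New-Object TOKEN_PRIVILEGES
        $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = $SE_PRIVILEGE_ENABLED
        $ok  = [ProcCrit]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # AdjustTokenPrivileges returns TRUE even if the privilege is absent; ERROR_NOT_ALL_ASSIGNED (1300) is the tell.
        if (-not $ok -or $err -eq 1300) { throw 'SeDebugPrivilege not available: run from an elevated prompt' }
    } finally { [void][ProcCrit]::CloseHandle($tok) }
}

function Get-ProcessCritical([int]$ProcessId) {
    $h = [ProcCrit]::OpenProcess([ProcCrit]::PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw ('OpenProcess({0}) failed, Win32 error {1}' -f $ProcessId, [Runtime.InteropServices.Marshal]::GetLastWin32Error()) }
    try {
        $flag = 0; $len = 0
        $status = [ProcCrit]::NtQueryInformationProcess($h, [ProcCrit]::ProcessBreakOnTermination, [ref]$flag, 4, [ref]$len)
        if ($status -ne 0) { throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
        return [bool]$flag
    } finally { [void][ProcCrit]::CloseHandle($h) }
}

function Set-ProcessCritical([int]$ProcessId, [bool]$Critical) {
    # Without SeDebugPrivilege enabled this returns STATUS_PRIVILEGE_NOT_HELD (0xC0000061).
    $h = [ProcCrit]::OpenProcess([ProcCrit]::PROCESS_SET_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw ('OpenProcess({0}) failed, Win32 error {1}' -f $ProcessId, [Runtime.InteropServices.Marshal]::GetLastWin32Error()) }
    try {
        $flag = [int]$Critical
        $status = [ProcCrit]::NtSetInformationProcess($h, [ProcCrit]::ProcessBreakOnTermination, [ref]$flag, 4)
        if ($status -ne 0) { throw ('NtSetInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
    } finally { [void][ProcCrit]::CloseHandle($h) }
}

# Usage: the post's bare "ProcessCritical.exe" mode, listing every process with the flag set.
# Processes that cannot be opened (pid 0, protected processes) are skipped with -Verbose output.
Enable-DebugPrivilege
foreach ($p in Get-Process) {
    try { if (Get-ProcessCritical $p.Id) { '{0,6}  {1}' -f $p.Id, $p.ProcessName } }
    catch { Write-Verbose ('pid {0} ({1}): {2}' -f $p.Id, $p.ProcessName, $_.Exception.Message) }
}
# The post's "-CriticalFlag 0" mode, for a pid found above (VM only):
# Set-ProcessCritical -ProcessId 244 -Critical $false
```

Two practical notes. The query side works without SeDebugPrivilege on processes you can already open; it is the set side that the kernel gates on the privilege, which is why a non-elevated run lists the usual smss/csrss/wininit but cannot clear or set anything. And ntdll also exports RtlSetProcessIsCritical, a thin wrapper that performs the same NtSetInformationProcess call on the current process, so "BSOD.exe"-style self-marking does not even need a handle or a pid.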

#2 Max_Real Qnx (Gold Member, Patrician, 1382 posts, Location: Istanbul, Turkey; Interests: To be or not to be that is the question.)

Posted 16 September 2012 - 07:28 AM

Interesting, and it is useful for me. Thank you for this good software :cheers:

