I have a program that enables SeDebugPrivilege and then iterates through the system processes and calls OpenProcess on each of them (it also does other things, but that doesn't matter now). The program runs as administrator, of course. On Windows XP and Windows 7 it works fine, but on Windows 8.1 OpenProcess fails with ERROR_ACCESS_DENIED (5) for the following system processes: smss.exe, csrss.exe, services.exe. As far as I know, with SeDebugPrivilege I should be able to open these processes and get a handle to them. Does anyone know what magic causes this error only on Windows 8.1?
(Incidentally, I get the same error for the same processes with CreateToolhelp32Snapshot.)
Windows 8.1 introduces the concept of a system-protected process. This is documented in the context of third-party anti-malware programs, but it seems reasonable to assume that it is also used to protect critical system processes.
Processes protected by the system are an extension of the Protected Process mechanism (Microsoft Word document) introduced in Windows Vista as a DRM measure.
You cannot obtain any of these access rights on a protected process, even with the debug privilege:
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
PROCESS_CREATE_THREAD
PROCESS_DUP_HANDLE
PROCESS_QUERY_INFORMATION
PROCESS_SET_QUOTA
PROCESS_SET_INFORMATION
PROCESS_VM_OPERATION
PROCESS_VM_READ
PROCESS_VM_WRITE
Note that PROCESS_QUERY_LIMITED_INFORMATION is not on that list, and neither are SYNCHRONIZE or PROCESS_TERMINATE. These three you can still obtain:
PROCESS_QUERY_LIMITED_INFORMATION
SYNCHRONIZE
PROCESS_TERMINATE
Alternatively, from kernel mode:
PsLookupProcessByProcessId()
KeStackAttachProcess()
ZwQueryInformationProcess(), or whatever other functions you need to call within the context of the attached process
KeStackDetachProcess()
(Related kernel structures: EPROCESS, PEB, VAD, etc.)
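The following is an added example, not code from the question or from either answer. It reproduces the situation described above from an elevated PowerShell session on Windows 8.1 or later: it enables SeDebugPrivilege for the current process via AdjustTokenPrivileges, then for every process tries OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (the rights the question needs and which are denied on a protected process) and falls back to PROCESS_QUERY_LIMITED_INFORMATION (which is not on the denied list). With the limited handle it reads the image path through the documented QueryFullProcessImageName and the protection level through NtQueryInformationProcess information class 61 (ProcessProtectionInformation, which returns a one-byte PS_PROTECTION value); that information class is undocumented, and the decoding of its Type and Signer fields below is my own reading of it, not something stated on this page. The function names Enable-DebugPrivilege, Get-ProtectionName and Get-ProcessAccess are names chosen for this example.

```powershell
# Added example (not from the original question or answers). Run as Administrator on
# Windows 8.1 or later; the privilege is enabled on the PowerShell process itself.
$src = @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Native {
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint Count; public long Luid; public uint Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string sys, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES np, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool QueryFullProcessImageName(IntPtr h, uint flags, StringBuilder name, ref uint size);
    // Undocumented: class 61 (ProcessProtectionInformation) fills a one-byte PS_PROTECTION value.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, out byte prot, int len, out int ret);
}
'@
Add-Type -TypeDefinition $src

function Enable-DebugPrivilege {
    $tok = [IntPtr]::Zero
    # TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x8)
    if (-not [Native]::OpenProcessToken([Native]::GetCurrentProcess(), 0x28, [ref]$tok)) { throw "OpenProcessToken failed" }
    $luid = 0L
    if (-not [Native]::LookupPrivilegeValue($null, "SeDebugPrivilege", [ref]$luid)) { throw "LookupPrivilegeValue failed" }
    $tp = New-Object Native+TOKEN_PRIVILEGES
    $tp.Count = 1; $tp.Luid = $luid; $tp.Attr = 2      # SE_PRIVILEGE_ENABLED
    $ok  = [Native]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [Native]::CloseHandle($tok) | Out-Null
    # AdjustTokenPrivileges returns TRUE even when nothing was enabled; ERROR_NOT_ALL_ASSIGNED (1300) is the tell.
    if (-not $ok -or $err -eq 1300) { throw "SeDebugPrivilege not available (error $err); is the session elevated?" }
}

# Decode PS_PROTECTION: low 3 bits = Type, high 4 bits = Signer (my reading of the undocumented layout).
function Get-ProtectionName([byte]$p) {
    $type   = switch ($p -band 0x7) { 0 {'None'} 1 {'PPL'} 2 {'PP'} default {"Type$_"} }
    $signer = switch (($p -shr 4) -band 0xF) {
        0 {'None'} 1 {'Authenticode'} 2 {'CodeGen'} 3 {'Antimalware'} 4 {'Lsa'} 5 {'Windows'} 6 {'WinTcb'} 7 {'WinSystem'} default {"Signer$_"} }
    "$type/$signer"
}

function Get-ProcessAccess([System.Diagnostics.Process]$proc) {
    $full    = 0x0400 -bor 0x0010   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ: denied on protected processes
    $limited = 0x1000               # PROCESS_QUERY_LIMITED_INFORMATION: not on the denied list
    $h = [Native]::OpenProcess($full, $false, $proc.Id)
    $fullErr = if ($h -eq [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::GetLastWin32Error() } else { [Native]::CloseHandle($h) | Out-Null; 0 }
    $limErr = 0; $image = $null; $prot = 'n/a'
    $h = [Native]::OpenProcess($limited, $false, $proc.Id)
    if ($h -eq [IntPtr]::Zero) { $limErr = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
    else {
        $sb = New-Object System.Text.StringBuilder 1024; $n = [uint32]$sb.Capacity
        if ([Native]::QueryFullProcessImageName($h, 0, $sb, [ref]$n)) { $image = $sb.ToString() }
        $b = [byte]0; $ret = 0
        if ([Native]::NtQueryInformationProcess($h, 61, [ref]$b, 1, [ref]$ret) -eq 0) { $prot = Get-ProtectionName $b }
        [Native]::CloseHandle($h) | Out-Null
    }
    [pscustomobject]@{ Pid = $proc.Id; Name = $proc.ProcessName; FullAccessError = $fullErr; LimitedError = $limErr; Protection = $prot; Image = $image }
}

Enable-DebugPrivilege
Get-Process | ForEach-Object { Get-ProcessAccess $_ } |
    Where-Object { $_.FullAccessError -ne 0 } |        # only the processes the question is about
    Format-Table Pid, Name, FullAccessError, LimitedError, Protection -AutoSize
```

On a typical Windows 8.1 or later system the rows for smss, csrss, services and wininit show FullAccessError 5 (ERROR_ACCESS_DENIED), LimitedError 0 and a protection level such as PPL/WinTcb, which is the behaviour the answer above describes: the debug privilege does not help against a protected process, but the limited-information rights still let you identify it and read its image path. Processes that are merely hard to open (the Idle pseudo-process, or a process that exits mid-scan) show a non-zero LimitedError instead, so the two columns separate "protected" from "not openable at all".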