Gracefully terminate after force quit?

[Guest]

Hello,

I am looking for an article, or some information about how to get a C#
windows forms application to trap the "End Process" event from the Task
Manager?

Is such a thing possible, and if so, where is the information on the event
the would be raised located in the .NET framework?

Thanks in advance for your help and information.

Andrew S. Giles

 

[Nicholas Paldino [.NET/C# MVP]]

Andrew,

You can use the classes in the System.Management namespace to do this.
Basically, you would get all instances of the WMI class Win32_Process and
then attach to the event when an instance is deleted.

However, this might be pretty hefty in terms of performance. From what
I understand, it polls the process, instead of getting a notification.

Hope this helps.

 

[Guest]

Nicholas,

Thanks for the nudge int he right direction, I will look into the
System.Management namespace to see if I want to implement this.

Andrew

Andrew,

You can use the classes in the System.Management namespace to do this.
Basically, you would get all instances of the WMI class Win32_Process and
then attach to the event when an instance is deleted.

However, this might be pretty hefty in terms of performance. From what
I understand, it polls the process, instead of getting a notification.

Hope this helps.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Hello,

I am looking for an article, or some information about how to get a C#
windows forms application to trap the "End Process" event from the Task
Manager?

Is such a thing possible, and if so, where is the information on the event
the would be raised located in the .NET framework?

Thanks in advance for your help and information.

Andrew S. Giles

 

[Willy Denoyette [MVP]]

Hello,

I am looking for an article, or some information about how to get a C#
windows forms application to trap the "End Process" event from the Task
Manager?

Is such a thing possible, and if so, where is the information on the event
the would be raised located in the .NET framework?

Thanks in advance for your help and information.

Andrew S. Giles

There is no event to be catched when you kill a process, when Tasman "Ends a
Process", it calls Win32's TerminateProcess that does exactly that without
cooperating with the CLR's shutdown code.
Note that a process cannot prevent itself from being terminated, if this is
what you are looking for.

Willy.

 

[Mythran]

There is no event to be catched when you kill a process, when Tasman "Ends
a Process", it calls Win32's TerminateProcess that does exactly that
without cooperating with the CLR's shutdown code.
Note that a process cannot prevent itself from being terminated, if this
is what you are looking for.

Willy.

Haven't looked into it much, but what about system processes? How do they
keep from being shut down? This would be good to know if writing drivers
and such

Mythran

 

[Reginald Blue]

Haven't looked into it much, but what about system processes? How do
they keep from being shut down? This would be good to know if
writing drivers and such

Techically, system process can be shut down. The reason they cannot
"normally" is because they're running in a special space that requires more
privileges to shut down which, by default and by design, task manager
doesn't have.

It is quite possible to elevate task manager with the right permissions such
that it can terminate anything.

Note that this is exceptionally dangerous because if you terminate, for
example, CSRSS.exe, the entire system blue-screens.

To see how to do this, and the full details of what I'm talking about, check
here:

http://www.microsoft.com/msj/0398/win320398.aspx

As for how to get your own processes to run in this "protected space",
really, just make it a service.

--
Reginald Blue
"I have always wished that my computer would be as easy to use as my
telephone. My wish has come true. I no longer know how to use my
telephone."
- Bjarne Stroustrup (originator of C++) [quoted at the 2003
International Conference on Intelligent User Interfaces]

 

[Willy Denoyette [MVP]]

Haven't looked into it much, but what about system processes? How do they
keep from being shut down? This would be good to know if writing drivers
and such

Mythran

If you mean processes that run as SYSTEM, those can all except a few be
killed by administrators, those who can't are created with a Process token,
restricting access to SYSTEM only. As Administrator you can change such
token the P. Token using a Resource kit tool Pview.exe.
Drivers do not run in a process, they are hosted by the Kernel process.

Willy.

 

[Willy Denoyette [MVP]]

Haven't looked into it much, but what about system processes? How do
they keep from being shut down? This would be good to know if
writing drivers and such

Techically, system process can be shut down. The reason they cannot
"normally" is because they're running in a special space that requires
more
privileges to shut down which, by default and by design, task manager
doesn't have.

It is quite possible to elevate task manager with the right permissions
such
that it can terminate anything.

Note that this is exceptionally dangerous because if you terminate, for
example, CSRSS.exe, the entire system blue-screens.

To see how to do this, and the full details of what I'm talking about,
check
here:

http://www.microsoft.com/msj/0398/win320398.aspx

As for how to get your own processes to run in this "protected space",
really, just make it a service.

--
Reginald Blue
"I have always wished that my computer would be as easy to use as my
telephone. My wish has come true. I no longer know how to use my
telephone."
- Bjarne Stroustrup (originator of C++) [quoted at the 2003
International Conference on Intelligent User Interfaces]

Taskman runs in the context of the Interactive Logon user, if this happens
to be an administrator, you will be able to kill services unless they are
running with a restricted Process Token (mostly SYSTEM owner). In that case
the process can only be killed by SYSTEM.
Now, the question is how do I run as SYSTEM, too easy, run cmd.exe as a
service in the context of SYSTEM and bingo.


Willy.