
@ericlaw1979
Created March 10, 2023 15:12
C# sample code to deny TerminateProcess rights to non-admin peers.
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Diagnostics;
using System.Runtime.InteropServices;
/// <summary>
/// Console sample: adds a Deny ACE for the Terminate right to the current
/// process's own DACL, then waits for a key press so the effect can be observed.
/// </summary>
/// <remarks>
/// NOTE(review): this is hardening against casual termination, not a security
/// boundary. The rule covers only the Terminate right (see
/// <see cref="ProcessAccessRights"/>); every other process access right is left
/// as it was. The sample's own console message states that an administrator
/// can still terminate the process. A DACL is discretionary, so a principal
/// that is allowed to rewrite it (typically the object's owner) is presumably
/// able to remove the ACE again; confirm against the threat model before
/// relying on this.
/// </remarks>
class Program
{
    /// <summary>
    /// Security descriptor wrapper for a process handle. Only the access
    /// (DACL) section is read and written; audit rules are not supported.
    /// </summary>
    public class ProcessSecurity : NativeObjectSecurity
    {
        /// <summary>Loads the DACL of the kernel object behind <paramref name="processHandle"/>.</summary>
        /// <param name="processHandle">Handle of the process whose DACL is read.</param>
        public ProcessSecurity(SafeHandle processHandle)
            : base(false, ResourceType.KernelObject, processHandle, AccessControlSections.Access)
        {
        }

        /// <summary>Adds <paramref name="rule"/> to the in-memory DACL; nothing is written until <see cref="SaveChanges"/>.</summary>
        public void AddAccessRule(ProcessAccessRule rule) => base.AddAccessRule(rule);

        /// <summary>Writes the in-memory DACL back to the object behind <paramref name="processHandle"/>.</summary>
        public void SaveChanges(SafeHandle processHandle) => Persist(processHandle, AccessControlSections.Access);

        /// <summary>The enum type used for access masks on this object.</summary>
        public override Type AccessRightType => typeof(ProcessAccessRights);

        /// <summary>Builds a <see cref="ProcessAccessRule"/> from a raw access mask.</summary>
        public override AccessRule AccessRuleFactory(
            IdentityReference identityReference,
            int accessMask,
            bool isInherited,
            InheritanceFlags inheritanceFlags,
            PropagationFlags propagationFlags,
            AccessControlType type)
        {
            var rights = (ProcessAccessRights)accessMask;
            return new ProcessAccessRule(identityReference, rights, isInherited, inheritanceFlags, propagationFlags, type);
        }

        /// <summary>The rule type produced by <see cref="AccessRuleFactory"/>.</summary>
        public override Type AccessRuleType => typeof(ProcessAccessRule);

        /// <summary>Not supported: always throws.</summary>
        /// <exception cref="NotImplementedException">Always.</exception>
        public override AuditRule AuditRuleFactory(
            IdentityReference identityReference,
            int accessMask,
            bool isInherited,
            InheritanceFlags inheritanceFlags,
            PropagationFlags propagationFlags,
            AuditFlags flags)
        {
            throw new NotImplementedException();
        }

        /// <summary>Not supported: the getter always throws.</summary>
        /// <exception cref="NotImplementedException">Always.</exception>
        public override Type AuditRuleType => throw new NotImplementedException();
    }

    /// <summary>An access rule whose mask is expressed as <see cref="ProcessAccessRights"/>.</summary>
    public class ProcessAccessRule : AccessRule
    {
        /// <summary>Creates the rule, passing the rights to the base class as an integer mask.</summary>
        public ProcessAccessRule(
            IdentityReference identityReference,
            ProcessAccessRights accessMask,
            bool isInherited,
            InheritanceFlags inheritanceFlags,
            PropagationFlags propagationFlags,
            AccessControlType type)
            : base(identityReference, (int)accessMask, isInherited, inheritanceFlags, propagationFlags, type)
        {
        }

        /// <summary>The rule's access mask, typed as <see cref="ProcessAccessRights"/>.</summary>
        public ProcessAccessRights ProcessAccessRights => (ProcessAccessRights)AccessMask;
    }

    /// <summary>
    /// Process access rights known to this sample. Only one bit is declared.
    /// </summary>
    [Flags]
    public enum ProcessAccessRights
    {
        // NOTE(review): value 1 matches the Win32 PROCESS_TERMINATE right (0x0001).
        Terminate = 1
    }

    /// <summary>
    /// Applies the deny-terminate rule to the current process and blocks until a key is pressed.
    /// </summary>
    static void Main(string[] args)
    {
        // NOTE(review): the Process object returned here is never disposed; the
        // handle is used below for both reading and persisting the DACL.
        SafeHandle selfHandle = Process.GetCurrentProcess().SafeHandle;
        ProcessSecurity acl = new ProcessSecurity(selfHandle);

        // The rule targets the well-known "Everyone" (World) SID.
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);

        // Explicit (non-inherited) Deny ACE for the Terminate right only.
        var denyTerminate = new ProcessAccessRule(
            everyone,
            ProcessAccessRights.Terminate,
            false,
            InheritanceFlags.None,
            PropagationFlags.None,
            AccessControlType.Deny);

        acl.AddAccessRule(denyTerminate);

        // Nothing takes effect until the modified DACL is written back.
        acl.SaveChanges(selfHandle);

        // Hold the process open so the behaviour can be checked from another shell.
        Console.WriteLine("Press any key to exit... \n(Try terminating via taskkill.exe, observe it doesn't work unless you run as administrator.)");
        Console.ReadKey();
    }
}