
local admin cannot stop system started process


tomavery

Programmer
Dec 10, 2000
53
US
I have a local admin who cannot stop and start local processes that have been started by SYSTEM.
Are there any policy settings that will allow this?
Thanks. Go Canucks! (rabid Vancouver Canucks Fan)
 
Is this a domain? Maybe domain admin rights needed? Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"Common sense is an instinct for the truth."
Max Jacobs (1876-1944); French writer.

 
I tried with the domain admin and I can't stop it either.

The user has his own domain and says he can as local admin.

I think this is process related.
Go Canucks! (rabid Vancouver Canucks Fan)
 
The user has his own domain and says he can as local admin. Could you explain? Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"Common sense is an instinct for the truth."
Max Jacobs (1876-1944); French writer.

 
This did it.

//code bastardized from an unknown author.
//use with caution as any process you kill may cause instability

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* strtol */
#pragma hdrstop

// killp forces a kill -- it will attempt to enable SeDebugPrivilege
// before opening its process handles, allowing it to kill processes
// running under builtin\system (LocalSystem, to the users out there).

void getDebugPriv( void );

#define isBadHandle(h) ( (h) == NULL || (h) == INVALID_HANDLE_VALUE )
#define lenof(x) ( sizeof (x) / sizeof ((x)[0]) )

// maximum number of PIDs accepted on the command line
// (a #define rather than a const int so it is a valid array bound in C)
#define MAXPID 1024

int main( int argc, char *argv[] )
{
    int pidCount, i, errors;
    char *p;
    HANDLE hProcess;
    static DWORD pid[MAXPID];

    // parse args, build PID list
    errors = pidCount = 0;

    for ( i = 1; i < argc; i++ )
    {
        if ( pidCount == lenof( pid ) ) {
            errors++;
            break;
        }

        // base 0 lets strtol accept decimal, octal (leading 0) and hex (0x)
        pid[pidCount] = (DWORD) strtol( argv[i], &p, 0 );
        if ( p == argv[i] || *p )   // no digits at all, or trailing garbage
            errors++;
        else
            pidCount++;
    }

    if ( errors || pidCount == 0 )
    {
        puts( "Usage: killp pid [...]" );
        puts( "killp tries to kill the processes specified by the PIDs. If the" );
        puts( "user has debug privileges, killp is able to kill system processes." );
        puts( "PIDs may be decimal, octal (starts with 0), or hex (starts with 0x)." );
        puts( " " );
        puts( "PLEASE be aware any process you kill may cause instability." );
        puts( "NOT responsible for anything you may do to your machine." );
        return MAXPID + 1;
    }

    // try to acquire SeDebugPrivilege (only succeeds if the token holds it)
    getDebugPriv();

    errors = 0;
    // for each PID:
    for ( i = 0; i < pidCount; i++ )
    {
        printf( "pid %lu: ", (unsigned long) pid[i] );

        // open process
        hProcess = OpenProcess( PROCESS_TERMINATE, FALSE, pid[i] );
        if ( isBadHandle( hProcess ) )
            printf( "OpenProcess() failed, err = %lu\n", (unsigned long) GetLastError() );
        else
        {
            // kill process
            if ( ! TerminateProcess( hProcess, (DWORD) -1 ) )
                printf( "TerminateProcess() failed, err = %lu\n", (unsigned long) GetLastError() );
            else
                puts( "killed." );

            // close handle
            CloseHandle( hProcess );
        }
    }

    return 0;
}

// Enable SeDebugPrivilege in the current process token. This only works if
// the privilege is already present (but disabled) in the token, i.e. the
// account has been granted the "Debug programs" user right; it cannot add a
// privilege the account does not hold. Failures are silent: main() will
// then simply get an OpenProcess() error for protected processes.
void getDebugPriv( void )
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;

    if ( ! OpenProcessToken( GetCurrentProcess(),
                             TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
        return;

    if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
    {
        CloseHandle( hToken );
        return;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges() returns TRUE even when the privilege was not
    // assigned; GetLastError() == ERROR_NOT_ALL_ASSIGNED is the real signal.
    AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL );

    CloseHandle( hToken );
}

Go Canucks! (rabid Vancouver Canucks Fan)
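The "policy setting" the original question asks about is the "Debug programs" user right (SeDebugPrivilege), which is exactly what getDebugPriv() in the post above tries to enable; by default it is granted to the local Administrators group. As an added example that is not from the thread, the PowerShell script below exports the local security policy with secedit and lists which accounts currently hold that right, so an administrator can audit who is able to terminate SYSTEM-owned processes. The temp file path is an assumption.

```powershell
# Added example (not from the thread): audit which accounts hold the
# "Debug programs" user right (SeDebugPrivilege) on the local machine.
# Run from an elevated PowerShell prompt; secedit needs admin rights.

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed temp path

# Export only the user-rights area of the local security policy.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed" }

# The export is an INI file; the line of interest looks like:
#   SeDebugPrivilege = *S-1-5-32-544
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
Remove-Item $cfg -Force

if (-not $line) {
    Write-Output 'SeDebugPrivilege is not assigned to any account.'
    return
}

# Values are comma separated; SIDs carry a leading '*', names appear as-is.
$holders = ($line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $holders) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # Translate the SID to an account name where the machine can resolve it.
        $sidText = $entry.Substring(1)
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier ($sidText)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved SID>'
        }
        Write-Output ("{0,-40} {1}" -f $sidText, $name)
    } else {
        Write-Output $entry
    }
}
```

If the account (or a group it belongs to) is listed, its token already carries the privilege and the AdjustTokenPrivileges() call in the post only has to enable it; if it is not listed, no enabling call will help and the right has to be granted through Local Security Policy or Group Policy.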
 