How to change the parent process when calling CreateProcess API
Usually, the parent process is the process that creats the new process. But you can change this behavior by setting STARTUPINFOEX.lpAttributeList.
HANDLE hParentProcess{ nullptr };
LPPROC_THREAD_ATTRIBUTE_LIST attrList{ nullptr };
// Initialize LPPROC_THREAD_ATTRIBUTE_LIST
hParentProcess = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, parentProcessId);
SIZE_T attrListSize = 0;
InitializeProcThreadAttributeList(nullptr, 1, 0, &attrListSize);
attrList = (LPPROC_THREAD_ATTRIBUTE_LIST)malloc(attrListSize);
InitializeProcThreadAttributeList(attrList, 1, 0, &attrListSize);
UpdateProcThreadAttribute(attrList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hParentProcess,
sizeof(hParentProcess), nullptr, nullptr);
// Set LPPROC_THREAD_ATTRIBUTE_LIST to the STARTUPINFOEX
STARTUPINFOEX si = { sizeof(si) };
si.StartupInfo.cb = sizeof(si);
si.lpAttributeList = attrList;
PROCESS_INFORMATION pi = { 0 };
CreateProcess(nullptr, argv[1], nullptr, nullptr, FALSE, EXTENDED_STARTUPINFO_PRESENT, nullptr, nullptr, &si.StartupInfo, &pi);
How to open Control Panel Items in the separate explorer.exe
If you want to open 'This PC\All Control Panel Items\Programs and Features'
First you need to convert each items to GUID
- This PC -> 20d04fe0-3aea-1069-a2d8-08002b30309d
- All Control Panel Items -> 21ec2020-3aea-1069-a2dd-08002b30309d
- Programs and Features -> 7b81be6a-ce2b-4676-a29e-eb907a5126c5
Then launch exporer.exe with /separate paramter
For example:
C:\Windows\explorer.exe /separate, ::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{21ec2020-3aea-1069-a2dd-08002b30309d}\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}
Then the above process will be terminated and the below process shows up with ' Programs and Features'
C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
If you want to launch explorer.exe as your descendant process, there is a way
- Run: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- This process is your descendant process and it is invisible.
- Run: C:\Windows\explorer.exe /separate, ::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{21ec2020-3aea-1069-a2dd-08002b30309d}\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}
- This process will be terminated and 'Programs and Features' will be showed in the previous explorer.exe.
- But if there is one more explorer.exe /factory, there is no gurantee which one shows 'Programs and Features'.
How to prevent a services from being stopped by administrative users.
It is almost impossible to prevent administrators from stopping services.
But there are some ways to make it difficult for them.
- Ignoring the stop notification
SetServiceStatus function (winsvc.h) - Win32 apps
Updates the service control manager's status information for the calling service.
learn.microsoft.com
If you call this function without 'SERVICE_ACCEPT_STOP' in dwControlsAccepted member in SERVICE_STAUS structure, the service ignores the stop notification.
- Chaning the access control on the service
// Get an acl of the service
ATL::CDacl dacl;
bool result = ATL::AtlGetDacl(L"serviceName", SE_SERVICE, &dacl);
// Traverse all access masks
for (UINT index = 0; index < count; ++index) {
CSid aceSid;
ACCESS_MASK mask = 0;
BYTE type = 0;
BYTE flags = 0;
GUID objectType;
GUID inheritedObjectType;
dacl.GetAclEntry(index, &aceSid, &mask, &type, &flags, &objectType, &inheritedObjectType);
}
// Change & Set acess mask
// Remove old ace
dacl.RemoveAce(speciifcIndex);
// Remove permissions(SERVICE_CHANGE_CONFIG & SERVICE_STOP)
specificMask &= ~SERVICE_CHANGE_CONFIG;
specificMask &= ~SERVICE_STOP;
// Add new ace
result = dacl.AddAllowedAce(specificSid, specificMask, specificFlags);
Prev
Rss Feed