I have a program which adjusts SeDebugPrivilege and then starts to iterate through system processes and calls OpenProcess for them (and does other stuff, but it's not important now). Also the program runs in administrator mode of course. On Windows XP and Windows 7 it works fine, but on Windows 8.1 OpenProcess fails for the following system processes with ERROR_ACCESS_DENIED(5): smss.exe, csrss.exe, services.exe. As I know with SeDebugPrivilege I should be able to open these processes and retrieve a handle for them. Does anybody have a clue, what kind of magic causes this error only on Windows 8.1?
(Anyway I have the same error with the same processes for CreateToolhelp32Snapshot)
Windows 8.1 introduces the concept of a system protected process. This is documented in the context of third-party anti-malware software, but it seems reasonable to suppose that it is also used to protect particularly critical system processes.
System protected processes are an extension of the Protected Process mechanism (Microsoft Word document) introduced in Windows Vista as a DRM measure.
You cannot obtain any of these access rights for a protected process, even with debug privilege:
DELETEREAD_CONTROLWRITE_DACWRITE_OWNERPROCESS_CREATE_THREADPROCESS_DUP_HANDLEPROCESS_QUERY_INFORMATIONPROCESS_SET_QUOTAPROCESS_SET_INFORMATIONPROCESS_VM_OPERATIONPROCESS_VM_READPROCESS_VM_WRITE
You should still be able to open the process by requesting PROCESS_QUERY_LIMITED_INFORMATION access. According to the documentation, SYNCHRONIZE and PROCESS_TERMINATE access are also permitted.
It can only be done in the kernel. The best way to get the info you need would be to:
PsLookupProcessByProcessId()
KeStackAttachProcess()
ZwQueryInformationProcess() or whatever other functions you need to now call within the context of the attached process.
KeStackDetachProcess()
Or if you are just experimenting and not putting anything into production code, you can traverse the various semi-opaque structures (EPROCESS, PEB, VAD, etc) to get the information you need.
来源:https://stackoverflow.com/questions/28303436/openprocess-access-denied-error-only-on-windows-8-1