RtlSetProcessIsCritical 介绍

Introduction 

RtlSetProcessIsCritical is yet another undocumented function hidden in the Windows kernel. It is one of the few which do not have a kernel32 equivalent. However, Microsoft has a good reason to not document this function - it should not be used in any application for any purpose whatsoever. I simply cannot imagine a circumstance where this function would actually come in useful.  Thus: 

Disclaimer: I am not responsible for any side-effects of calling this function on your computer. It may cause extreme system instability. The example is only presented as "proof-of-concept".

Background  

What RtlSetProcessIsCritical does is set your process to a system critical status. This means that the process is now "critical" to the running of Windows, which also means that on termination of your process, Windows itself terminates as well. When a system critical process ends/terminates, the stop code is CRITICAL_PROCESS_DIED (0xEF) for process exiting, and CRITICAL_OBJECT_TERMINATION (0xF4) if the process was abnormally terminated. Although this can, technically, be used to "protect" a process against people terminating it, I recommend you find other methods of doing so, because if a user terminates the critical process by accident or the process crashes when it is critical, the system will crash instantly as well. This would be highly annoying to users.

This type of behavior can also be seen in processes such as winlogon.exe, csrss.exe, services.exe, smss.exe, and lsass.exe. All of these processes are known to call RtlSetProcessIsCritical.

Whether a process is critical or not can be obtained using a call to ZwQueryProcessInformation with class ProcessBreakOnTermination (0x1D). Also, this function is only available in NTDLL versions 5.1 and higher.

Using the code

The function definition for RtlSetProcessIsCritical is as follows:

 

Collapse | Copy Code

NTSTATUS RtlSetProcessIsCritical (    BOOLEAN bNew,// new setting for process    BOOLEAN *pbOld,// pointer which receives old setting (can be null)    BOOLEAN bNeedScb);// need system critical breaks

This means that calling RtlSetProcessIsCritical(TRUE, NULL, FALSE) would make a process critical, while another call to RtlSetProcessIsCritical(FALSE, NULL, FALSE) would return the process to normal. When critical status is set, termination or ending of the process in any way will usually cause either a BSOD (if BSOD-ing is enabled) or will cause the system to reboot itself.

Obtaining this function from the kernel is simple. First, we define a prototype of the function:

 

Collapse | Copy Code

typedef VOID ( _stdcall *RtlSetProcessIsCritical ) (IN BOOLEANbNew, OUT BOOLEAN*pbOld, IN BOOLEANbNeedScb );

Then, we obtain an open handle to NTDLL.DLL in order to obtain the function using GetProcAddress:

 

Collapse | Copy Code

HANDLE ntdll = LoadLibrary("ntdll.dll");RtlSetProcessIsCritical SetCriticalProcess;SetCriticalProcess = (RtlSetProcessIsCritical)GetProcAddress((HINSTANCE)ntdll, "RtlSetProcessIsCritical");

After this, we can simply call SetCriticalProcess with the appropriate parameters.

A more detailed and commented example is in the Example.zip download.

Note: The use of this function requires the SE_DEBUG_NAME privilege in the calling process. This can easily be obtained using AdjustTokenPrivileges, and an example of this can be seen in the example source code.  

Points of Interest 

I'm not sure about other compilers, but on my rather old MSVC++ 6.0 compiler, I get an error stating "The value of ESP was not properly saved across a function call..." and the program also crashes before exiting under the default Release mode. If you change the optimizations to Disable (Debug), these problems go away. I'm guessing some of VC++ 6.0's optimizations don't work properly.

History

I probably won't be updating this, unless there is a critical flaw anywhere in the code.

• v1.0 - October 30th, 2009.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)