Process Hacker and Windows discussion

 
Microwave89
Member
Posts: 9
Joined: 11 Jul 2015 15:47
OS: Windows 10 10586 x64

Entirely disable or deny driver for/to standard users

04 Apr 2016 15:42

Hi Process Hacker development team!

KProcessHacker is an extremely powerful "plugin" which in my opinion to a great extent gives Process Hacker its usefulness. Personally I would like to see the option for KProcessHacker persist. :)
However, as already discussed way earlier, KProcessHacker installs a kind of backdoor into your system.
That's why in more recent installers we are recommended not to install the driver, which is fine for the majority of users. As for me, I would like to have the choice of keeping the driver installed on my machine always but only allow administrators access to it. In the newly downloaded Process Hacker 2.39 I disabled KProcessHacker in the standard Process Hacker options but left it enabled in an elevated Process Hacker.
After a reboot the driver does not load until I run Process Hacker with administrative access, which is as expected.
However, I noticed that it is possible to take over KProcessHacker with a standard Process Hacker once it has been loaded by the admin Process Hacker.
My expectation was that KProcessHacker would deny non-elevated access to its device. I'm able to open the device using a standard WinObj.exe instance as well.

Question: Is it possible for KProcessHacker to be opened exclusively only and automatically unload immediately after closing its device? Then Windows itself would take care that no std user uses the driver or loads it again, since loading a driver always requires administrative privileges unless group policies for the std user group have been tampered with. Only an admin could load and use it again.
Maybe it is also possible to always load the driver (employing SERVICE_SYSTEM_START installation as usual) yet have it perform desired actions only if the calling process is elevated.

It would also be fairly nice to have the (elevated) user set the driver behavior (KProcessHacker usable by everyone, or only by admin) in the Settings --> Advanced panel.

Keep up the good work!

Kind regards,
Microwave89
 
wj32
Founder
Posts: 948
Joined: 17 Jan 2011 05:19
OS: Windows
Location: Australia

Re: Entirely disable or deny driver for/to standard users

04 Apr 2016 20:33

The newer KPH only allows PH itself to access any substantial functionality. If you've allowed unrestricted access, only PH is allowed to connect (or rather, a handle can be opened but no functionality is enabled). This is enforced via signature checking.
 
Microwave89
Member
Posts: 9
Joined: 11 Jul 2015 15:47
OS: Windows 10 10586 x64

Re: Entirely disable or deny driver for/to standard users

08 Apr 2016 00:52

Ok, thank you very much!
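
Added example, not part of the thread and not KProcessHacker code: the first post expects the driver's device to refuse non-elevated opens, which on Windows is normally expressed in the device object's security descriptor. The sketch below audits an SDDL string from a standard user's point of view; the SID set, the verdict names and the sample descriptors are assumptions constructed for illustration, and it covers only the open-time ACL, not the client signature check described in wj32's reply.

```python
import re

# SDDL SID aliases carried by an ordinary interactive, non-elevated token
# (assumption of this example): Everyone, Authenticated Users,
# Built-in Users, Interactive.
STANDARD_USER_SIDS = {"WD", "AU", "BU", "IU"}

def parse_dacl(sddl):
    """Return [(ace_type, rights, sid), ...], or None if there is no D: part."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if m is None:
        return None
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:  # conditional/callback ACEs are out of scope
            raise ValueError("unsupported ACE: (%s)" % body)
        aces.append((fields[0], fields[2], fields[5]))
    return aces

def standard_user_verdict(sddl):
    """Classify a device SDDL string as seen by a non-elevated user."""
    aces = parse_dacl(sddl)
    if aces is None:
        return "review"      # no DACL in the string, nothing to judge
    denied = False
    for ace_type, rights, sid in aces:  # ACEs are evaluated in order
        if sid not in STANDARD_USER_SIDS or not rights:
            continue
        if ace_type == "D":
            denied = True    # an earlier deny may mask a later allow
        elif ace_type == "A":
            return "review" if denied else "open"
    return "restricted"      # no allow ACE matches a standard-user SID

# Constructed sample descriptors, not taken from KProcessHacker.
SAMPLES = {
    "system_and_admins_only": "D:P(A;;GA;;;SY)(A;;GA;;;BA)",
    "world_rwx": "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)",
    "deny_then_allow": "O:BAG:SYD:P(D;;GW;;;BU)(A;;GR;;;WD)(A;;GA;;;BA)",
    "owner_only": "O:BAG:SY",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, standard_user_verdict(sddl))
```

A "restricted" verdict means the open itself fails for standard users; "open" means any access control has to happen per request inside the driver, as in the signature-checking design from the reply above.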