
FYI: I have Windows 7 Ultimate, version 6.1, Service Pack 1.

There is a tool in Windows 7 called Resource Monitor. You can find it in the C:\Windows\System32 directory, or you can simply run it by typing resmon.exe in the Run dialog.

In the list of processes there is a process named System, and its PID is always 4.


If you right-click on it and click on Suspend Process, your computer will hang, your mouse and keyboard will stop working, and you have to restart your system to get back to a normal state.


In Windows 8, even if you are logged in with an Administrator account, you can't suspend this process (System); when you try to suspend it, you receive Access Denied.

Q1: Why does Microsoft provide Administrators with the capability to suspend the System process? When would we need to suspend it and make our system hang?!

Q2: Is there any way in Windows 7 to configure the system so that even an Administrator cannot suspend this process?


If you think there is no way to do that, please read the following:

We can get a list of the *.dll files loaded by a process with the command below in the Command Prompt:

>tasklist /FI "PID eq Number" /M

You can get a list of PID numbers in the resmon.exe tool (you can also use the tasklist command in a Command Prompt window).

On my system the PID of resmon.exe is 1728 (its process name is perfmon).

Let's see the list of .dll files loaded by resmon.exe:

C:\Windows\system32>tasklist /FI "PID eq 1728" /M

Image Name                     PID Modules
========================= ======== ============================================
perfmon.exe                   1728 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   ADVAPI32.dll, msvcrt.dll, sechost.dll,
                                   RPCRT4.dll, GDI32.dll, USER32.dll, LPK.dll,
                                   USP10.dll, ATL.DLL, ole32.dll, SHLWAPI.dll,
                                   SHELL32.dll, OLEAUT32.dll, credui.dll,
                                   Secur32.dll, SSPICLI.DLL, IMM32.DLL,
                                   MSCTF.dll, comctl32.dll, uxtheme.dll,
                                   dwmapi.dll, CRYPTBASE.dll, CLBCatQ.DLL,
                                   wdc.dll, DUser.dll, pdh.dll, pdhui.dll,
                                   COMDLG32.dll, ODBC32.dll, wevtapi.dll,
                                   VERSION.dll, PLA.dll, tdh.dll, NSI.dll,
                                   IPHLPAPI.DLL, WINNSI.DLL, WINSTA.dll,
                                   UTILDLL.dll, SETUPAPI.dll, CFGMGR32.dll,
                                   DEVOBJ.dll, NETAPI32.dll, netutils.dll,
                                   srvcli.dll, wkscli.dll, LOGONCLI.DLL,
                                   BROWCLI.DLL, SAMCLI.DLL, WTSAPI32.dll,
                                   VDMDBG.dll, odbcint.dll, DUI70.dll,
                                   xmllite.dll, OLEACC.dll, FirewallAPI.dll,
                                   profapi.dll, WS2_32.dll, msxml3.dll,
                                   ntmarta.dll, WLDAP32.dll, Perfctrs.dll,
                                   perfdisk.dll, mswsock.dll, DNSAPI.dll,
                                   dhcpcsvc6.DLL, dhcpcsvc.DLL, WINTRUST.dll,
                                   CRYPT32.dll, MSASN1.dll, pcwum.dll,
                                   rasadhlp.dll

C:\Windows\system32>

Note: You have to run the Command Prompt as Administrator.

Q3: If I copy the above .dll files from the Windows 8 directory and replace the Windows 7 .dll files with them, will Windows 7 behave like Windows 8 (i.e., prevent suspending the System process)?

Note: Assume that we use a live Windows CD and a flash drive to replace the .dll files. (Normally Windows 7 doesn't let you replace .dll files.)

Really appreciate your time and consideration :)

9
  • 3
    The System process is basically the operating system itself. As to why you can suspend it, only Microsoft can answer. Usually Windows tries to prevent users from doing harmful things, but it doesn't always succeed: users will eventually find new ways to break the system, be it intentionally or by mistake. Some people dislike a babysitting system, others don't; you can't really please both. No matter what method you use, copying Windows 8 system files over Windows 7 ones is probably a good idea if you want to make it unusable. Also, please avoid asking multiple questions in a single post.
    – and31415
    Commented Aug 10, 2014 at 8:20
  • @and31415 Thank you, dear friend, but these questions are deeply related, and related to the title, I guess :) Commented Aug 10, 2014 at 8:22
  • Explain why you want to do this (nonsense). Which issues do you have? Commented Aug 10, 2014 at 15:54
  • 3
    Now that sounds like a surefire plan to break a Windows installation
    – Daniel B
    Commented Aug 10, 2014 at 23:56
  • 1
    The System process is NOT "basically the operating system itself". It is a wrapper for kernel mode threads used not just by the OS but also by many components in networking, file systems, ... many others. The reason that suspending it kills mouse and keyboard input is that the threads that read these devices are in this process. But many things in Windows can continue running even while this process is suspended. Commented Aug 11, 2014 at 2:58

2 Answers

1

Q1: No good reason I can think of; it seems to be an oversight.

Q2: No, because I can do it in my Win8.1 system too. I just did. The Administrators group already does not have the "Suspend/resume process" access right to this process, so how this is working at all, I'm not sure.

Q3: See above. I get the same behavior on Win8.1 so obviously using files from Win8.1 won't help. Also, those DLLs are not likely to be at all happy in the Win8 environment, and are shared by many other programs. You'll break a whole bunch of stuff if you try that.

Sorry..

5
  • If Remote Desktop were enabled on my system and I suspended the System process LOCALLY, would there be any way to resume System via Remote Desktop? Thanks Commented Aug 11, 2014 at 8:33
  • FYI, I can still ping the system when System is suspended. Commented Aug 11, 2014 at 8:34
  • Ping - yes. Suspending the System process doesn't suspend everything in the OS, only those functions implemented in the System process's threads. Re rd, you would have to have a program ready to run that would call NtResumeProcess and could be triggered without needing anything from the System process. I don't know of anything offhand. Commented Aug 11, 2014 at 17:22
  • I am very curious as to why, on my Windows 8.1 test system here, I can suspend the System process from TM (and from Process Explorer), but you cannot. Can you verify that this is the case for you? Commented Aug 11, 2014 at 17:23
  • Oops! That's weird! Yes, I'm sure. On my Windows 7 Ultimate version 6.1 I can suspend the System process, but my friend on Windows 8 can't suspend it (with an Administrator user). (I'm not sure about the version of his Windows 8, but I think it is not important; the question is why, and how can we change it?) Thanks Commented Aug 12, 2014 at 4:26
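The answer above turns on the "Suspend/resume process" access right on the process object (PROCESS_SUSPEND_RESUME, 0x0800) and on the NtResumeProcess call a resumer would have to make. The script below is an added example for this page, not code from the question, the answers, or Microsoft. It lets you check from an elevated PowerShell session whether your token is granted that right on PID 4, first through the process DACL alone and then with SeDebugPrivilege enabled, which is what elevated Task Manager and Process Explorer do and which makes the kernel skip the DACL check on the process object altogether (whether Resource Monitor enables it as well is an assumption, not something the page confirms). It also wraps NtResumeProcess in a function of the kind the comment thread says you would need to bring a suspended process back. The function names Test-ProcessAccess and Resume-ProcessById, the class name ProcNative and the -WithDebugPrivilege switch are invented here; the API calls are the documented kernel32 exports plus the long-standing but undocumented ntdll export NtResumeProcess. It assumes Windows PowerShell 3.0 or later on Windows 7 or newer. It deliberately does not wrap NtSuspendProcess: calling that on PID 4 produces exactly the hang the question describes.

```powershell
# Added example, not code from the original question or answers.
# Assumes an elevated Windows PowerShell session on Windows 7 or later.
# Test-ProcessAccess, Resume-ProcessById and ProcNative are names invented here.

$nativeSource = @'
using System;
using System.Runtime.InteropServices;

public static class ProcNative
{
    // Process access rights from winnt.h
    public const uint PROCESS_SUSPEND_RESUME            = 0x0800;
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    // Undocumented ntdll export used by Task Manager / Process Explorer
    // to resume a suspended process. Returns an NTSTATUS (0 = success).
    [DllImport("ntdll.dll")]
    public static extern int NtResumeProcess(IntPtr hProcess);
}
'@
Add-Type -TypeDefinition $nativeSource -ErrorAction Stop

function Test-ProcessAccess {
    <# Tries to open a process with the given access mask and reports whether
       the current token was granted it. With -WithDebugPrivilege, SeDebugPrivilege
       is enabled first; the kernel then bypasses the process object's DACL. #>
    param(
        [Parameter(Mandatory = $true)][uint32]$ProcessId,
        [uint32]$DesiredAccess = 0x0800,          # PROCESS_SUSPEND_RESUME
        [switch]$WithDebugPrivilege
    )
    if ($WithDebugPrivilege) {
        # Enables SeDebugPrivilege in this token; throws if the token does not
        # hold the privilege at all (e.g. a non-elevated session).
        [System.Diagnostics.Process]::EnterDebugMode()
    }
    try {
        $handle    = [ProcNative]::OpenProcess($DesiredAccess, $false, $ProcessId)
        $lastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $granted   = ($handle -ne [IntPtr]::Zero)
        if ($granted) { [void][ProcNative]::CloseHandle($handle) }
        $errorCode = if ($granted) { 0 } else { $lastError }   # 5 = ERROR_ACCESS_DENIED
        [pscustomobject]@{
            ProcessId      = $ProcessId
            DesiredAccess  = ('0x{0:X4}' -f $DesiredAccess)
            DebugPrivilege = [bool]$WithDebugPrivilege
            Granted        = $granted
            Win32Error     = $errorCode
        }
    }
    finally {
        if ($WithDebugPrivilege) { [System.Diagnostics.Process]::LeaveDebugMode() }
    }
}

function Resume-ProcessById {
    <# Resumes every thread of a process via NtResumeProcess. Harmless on a
       process that is not suspended. Needs PROCESS_SUSPEND_RESUME, so run it
       elevated, with -WithDebugPrivilege if the target's DACL does not grant it. #>
    param(
        [Parameter(Mandatory = $true)][uint32]$ProcessId,
        [switch]$WithDebugPrivilege
    )
    if ($WithDebugPrivilege) { [System.Diagnostics.Process]::EnterDebugMode() }
    $handle = [ProcNative]::OpenProcess(0x0800, $false, $ProcessId)
    if ($handle -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($WithDebugPrivilege) { [System.Diagnostics.Process]::LeaveDebugMode() }
        throw "OpenProcess($ProcessId) failed with Win32 error $err"
    }
    try {
        $status = [ProcNative]::NtResumeProcess($handle)
        if ($status -ne 0) { throw ('NtResumeProcess failed: NTSTATUS 0x{0:X8}' -f $status) }
    }
    finally {
        [void][ProcNative]::CloseHandle($handle)
        if ($WithDebugPrivilege) { [System.Diagnostics.Process]::LeaveDebugMode() }
    }
}

# Compare what the DACL alone grants with what SeDebugPrivilege grants,
# for the System process (PID 4) and for this PowerShell process ($PID).
foreach ($target in 4, $PID) {
    Test-ProcessAccess -ProcessId $target
    Test-ProcessAccess -ProcessId $target -WithDebugPrivilege
}
```

If the first row for PID 4 shows Granted = False with Win32Error = 5 while the -WithDebugPrivilege row shows Granted = True, then it is the privilege, not the DACL, that lets an elevated tool suspend System; the user right behind that privilege is "Debug programs" under User Rights Assignment in Local Security Policy, though any member of Administrators can hand it back to themselves, so it is a guard rail rather than a real boundary. Resume-ProcessById only helps if something can still run it once System is suspended, which is the open problem the comments above describe.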
0
  1. Download and change permissions with Process Explorer.
  2. On the process properties view, select the security tab.
  3. Press the permissions button.
  4. Press the advanced button.
  5. If necessary, add yourself or a group you belong to.
  6. Edit your permissions to include "Terminate". (You will need to already have the "Change Permissions" permission, or you are out of luck.)

OR

It is because the permissions of System (ntoskrnl.exe) are set to "read and write", and are only editable by "Trusted Installer" to prevent noobs from doing damage to their own computer. This includes ending the process itself. You need "Full Control". To fix this, simply go to "C:\Windows\System32", right-click on "ntoskrnl.exe", then Properties, then click the "Security" tab, then go to "Advanced", and then click on "Full Control" for Administrator. Now you would be able to end it from Resource Monitor.

8
  • Sorry but... he doesn't WANT to "end it", he wants to NOT be able to suspend it. And besides, changing the permissions on ntoskrnl.exe will do nothing. The System process is not created to run an instance of ntoskrnl.exe (and there is no exe called "System"), nor does the ACL of an exe get propagated to its process anyway. The important access right here is "suspend/create process" and it cannot even be set for files. Commented Aug 11, 2014 at 3:06
  • Ok then, why when I go into task manager and right click on "System" and click "Open File Location" it takes me to ntoskrnl.exe in system32?
    – Kirill2485
    Commented Aug 11, 2014 at 3:13
  • Also, why, when I run all of ntoskrnl.exe (with the DLLs injected, of course) in VMware, does it restore the System process when it is suspended?
    – Kirill2485
    Commented Aug 11, 2014 at 3:19
  • @kirill2485 Thank you, but as Mr. Jamie said, I want to not be able to suspend it. And when I use > tasklist /FI "PID eq 4" /M in the Command Prompt, it returns no modules for it! Moreover, when I right-click on System and click on Open file location, it opens the Desktop! Commented Aug 11, 2014 at 3:42
  • Maybe you are not doing something I'm doing: drive.google.com/file/d/0B8cuDjumkkmQdmtteV93OHljY3c/…
    – Kirill2485
    Commented Aug 11, 2014 at 4:03
