Tutorial Check if a process is critical or not [C++]


Wave

Guest
#1
Hello everyone!

I was looking back at the thread I recently wrote regarding Critical Processes (causing BugCheck crash on termination) (you can find it here - recommended you read it prior to reading this thread), and decided I would share some example source code which can be used to check if a program is set as critical or not.

Please note that the function used in the example source code was only introduced in Windows 8.1, therefore this code will not work on any Windows versions below Windows 8.1. Since a majority of people are using even Windows 10 now, that hopefully shouldn't be a problem. If you would like to check if a process is critical on an older version of Windows (e.g. Windows XP, Windows Vista, Windows 7 or Windows 8.0) then you can call NtQueryProcessInformation and pass in the value 29 which represents ProcessBreakOnTermination.

I also want to note before providing the source code that to use the code you must first obtain a handle to the process you want to check is critical or not. If you are on Windows 8.1 or above, system processes which are critical, such as csrss.exe, are actually protected, therefore you won't be able to obtain a handle to them to check if they are critical. However, if you are writing software which will be responsible for terminating processes (like a Task Manager), or are working on a security product and have detected a malicious process, you should check if it is critical prior to terminating it, since terminating a critical process will result in a BugCheck, which means the system will crash with a Blue Screen Of Death (BSOD).

Here's the example source code. If you want to copy-paste it into an Empty C++ project to test it, it should work fine:
Code:
#include <Windows.h>
#include <iostream>
using namespace std;

// Returns TRUE only when IsProcessCritical succeeds and reports the process as critical.
// The handle needs PROCESS_QUERY_LIMITED_INFORMATION; the API exists from Windows 8.1 onward.
BOOL WaveIsTheProcessCritical(HANDLE ProcessHandle)
{
    BOOL bCritical = FALSE; // receives TRUE if the process is marked critical
    BOOL bCheck = IsProcessCritical(ProcessHandle, &bCritical); // query the process
    if (!bCheck) // the call itself failed (invalid handle, missing rights, ...)
    {
        cout << "The function failed: " << GetLastError() << endl;
        return FALSE; // reported as "not critical", but the error was printed above
    }
    return bCritical; // TRUE if critical, FALSE otherwise
}

int main()
{
    // open a handle to the process we want to check; 376 is just an example PID
    // (add PROCESS_TERMINATE only if you actually intend to terminate it afterwards)
    HANDLE ProcessHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, 376);
    if (ProcessHandle == NULL) // e.g. wrong PID or a protected process such as csrss.exe
    {
        cout << "OpenProcess failed: " << GetLastError() << endl;
        getchar(); // allow us to read the error before closing
        return 1; // exit program
    }
    if (WaveIsTheProcessCritical(ProcessHandle)) // check if critical
    {
        // process is critical
        cout << "The process is critical" << endl;
    }
    else
    {
        // not critical
        cout << "The process is not critical" << endl;
    }
    CloseHandle(ProcessHandle); // release the handle
    getchar(); // wait for input before closing
    return 0; // exit program
}
Soon I hope to update this thread with new code, which will check if the process is critical with support for older OS versions of Windows, but also remove the critical state from the process if it is critical. ;)

Stay safe,
Wave. ;)
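Added example for the older-Windows path the post mentions (this is not Wave's code): it queries information class 29, ProcessBreakOnTermination, through the native function ntdll.dll exports as NtQueryInformationProcess. The names kProcessBreakOnTermination, IsProcessCriticalLegacy, CriticalState and ResolveNtQueryInformationProcess are my own, and the query function is passed in as a pointer so the decision logic can be exercised with a fake off Windows.

```cpp
// Pre-Windows 8.1 critical-process check via ntdll!NtQueryInformationProcess.
// On Windows, ResolveNtQueryInformationProcess() supplies the real function;
// elsewhere the stand-in types below let the logic compile for testing only.
#ifdef _WIN32
#include <Windows.h>
#include <winternl.h> // NTSTATUS
#else
typedef void* HANDLE;
typedef void* PVOID;
typedef unsigned long ULONG;
typedef int NTSTATUS; // a 32-bit LONG on Windows; negative values are failures
#endif

const int kProcessBreakOnTermination = 29; // PROCESSINFOCLASS value given in the post

// Signature of NtQueryInformationProcess (info class typed as int to avoid the enum header)
typedef NTSTATUS (*NtQueryInformationProcess_t)(HANDLE, int, PVOID, ULONG, ULONG*);

// Three-way result: a caller that is about to terminate a process must never
// mistake a failed query for "not critical".
enum CriticalState { NotCritical = 0, Critical = 1, QueryFailed = -1 };

CriticalState IsProcessCriticalLegacy(HANDLE process, NtQueryInformationProcess_t query)
{
    if (query == nullptr) return QueryFailed; // export could not be resolved
    ULONG breakOnTermination = 0; // non-zero when the process is critical
    NTSTATUS status = query(process, kProcessBreakOnTermination, &breakOnTermination,
                            sizeof(breakOnTermination), nullptr);
    if (status < 0) return QueryFailed; // e.g. STATUS_ACCESS_DENIED on a bad handle
    return breakOnTermination != 0 ? Critical : NotCritical;
}

#ifdef _WIN32
// Resolve the native export at run time instead of linking against it.
NtQueryInformationProcess_t ResolveNtQueryInformationProcess()
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) return nullptr;
    return (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
}
#endif
```

On Windows, open the target with PROCESS_QUERY_LIMITED_INFORMATION (PROCESS_QUERY_INFORMATION on XP) and call IsProcessCriticalLegacy(handle, ResolveNtQueryInformationProcess()); treat QueryFailed as "do not terminate".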
 

DardiM

#2
Thanks for the share!
As usual: very interesting post :)
 