How do I prevent a process or thread from being suspended or terminated?
The CBFS Filter toolkit's CBProcess component provides two events called ProcessHandleOperation and ThreadHandleOperation, which fire anytime some (other) process opens a handle to a process or thread.
To protect a process from suspension and/or termination, handle the ProcessHandleOperation event and remove the PROCESS_SUSPEND_RESUME and PROCESS_TERMINATE flags from its DesiredAccess event parameter. Because those rights are stripped while the handle is being created, the new handle cannot later be used to suspend or terminate the process. The same approach with the ThreadHandleOperation event protects a thread from being suspended or terminated.
The Process Monitor demo that ships with CBFS Filter includes code showing how to perform these operations.
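The following is an added example, not code from the CBFS Filter SDK or its Process Monitor demo. It implements the access-mask filtering that a ProcessHandleOperation / ThreadHandleOperation handler performs: strip PROCESS_TERMINATE and PROCESS_SUSPEND_RESUME (or the thread equivalents) from the requested DesiredAccess, but only for the processes you actually want to protect, and record what was stripped so blocked attempts can be audited. The constant values are the Windows access rights from winnt.h; the `ProtectedProcessPolicy` class and its method names are this example's own, and the real event handler would read the requester PID, target PID and DesiredAccess from the event parameters and write the returned mask back into DesiredAccess.

```python
# Added example (not from CBFS Filter or its Process Monitor demo).
# Shows the access-mask filtering a ProcessHandleOperation /
# ThreadHandleOperation handler performs. Constants are the Windows
# access rights from winnt.h; the policy class is this example's own.

# Process access rights (winnt.h)
PROCESS_TERMINATE = 0x0001
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# Thread access rights (winnt.h)
THREAD_TERMINATE = 0x0001
THREAD_SUSPEND_RESUME = 0x0002
THREAD_QUERY_INFORMATION = 0x0040

# The rights the article says to remove from DesiredAccess.
PROCESS_DENIED_RIGHTS = PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME
THREAD_DENIED_RIGHTS = THREAD_TERMINATE | THREAD_SUSPEND_RESUME


def filter_process_access(desired_access: int, target_pid: int,
                          protected_pids: set) -> int:
    """Return the mask to grant for a new handle to target_pid.

    Only handles to protected processes are touched; every other request
    is returned unchanged so unrelated software keeps working. Because
    PROCESS_ALL_ACCESS is simply the OR of the individual rights, masking
    works for it just as for requests that name the rights explicitly.
    """
    if target_pid not in protected_pids:
        return desired_access
    return desired_access & ~PROCESS_DENIED_RIGHTS


def filter_thread_access(desired_access: int, owner_pid: int,
                         protected_pids: set) -> int:
    """Same rule for thread handles, keyed on the thread's owning process."""
    if owner_pid not in protected_pids:
        return desired_access
    return desired_access & ~THREAD_DENIED_RIGHTS


def stripped_rights(requested: int, granted: int) -> int:
    """Rights that were removed from a request (0 if nothing was stripped)."""
    return requested & ~granted


class ProtectedProcessPolicy:
    """Hypothetical policy object a filter would keep alongside CBProcess.

    The two on_* methods mirror the article's two events. In a real handler
    the three arguments come from the event parameters and the returned
    mask is assigned back to the event's DesiredAccess parameter.
    """

    def __init__(self, protected_pids):
        self.protected_pids = set(protected_pids)
        # Audit trail of (kind, requester_pid, target, stripped_mask).
        self.audit = []

    def on_process_handle_operation(self, requester_pid: int,
                                    target_pid: int, desired_access: int) -> int:
        granted = filter_process_access(desired_access, target_pid,
                                        self.protected_pids)
        removed = stripped_rights(desired_access, granted)
        if removed:
            self.audit.append(("process", requester_pid, target_pid, removed))
        return granted

    def on_thread_handle_operation(self, requester_pid: int,
                                   owner_pid: int, desired_access: int) -> int:
        granted = filter_thread_access(desired_access, owner_pid,
                                       self.protected_pids)
        removed = stripped_rights(desired_access, granted)
        if removed:
            self.audit.append(("thread", requester_pid, owner_pid, removed))
        return granted


if __name__ == "__main__":
    # Constructed sample: PID 1234 is protected, PID 42 asks for full access.
    policy = ProtectedProcessPolicy([1234])
    granted = policy.on_process_handle_operation(42, 1234, PROCESS_ALL_ACCESS)
    print(f"granted 0x{granted:06X}, audit: {policy.audit}")
```

Note that the filter leaves SYNCHRONIZE and the query rights intact, so tools that only enumerate or inspect the protected process keep working; handles that already existed before the filter started are not affected, and requests for unrelated PIDs pass through unchanged.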
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at firstname.lastname@example.org.