OpenProcess: access denied error only on Windows 8.1

Question

I have a program which adjusts SeDebugPrivilege and then starts to iterate through system processes and calls OpenProcess for them (and does other stuff, but it's not important now). Also the program runs in administrator mode of course. On Windows XP and Windows 7 it works fine, but on Windows 8.1 OpenProcess fails for the following system processes with ERROR_ACCESS_DENIED(5): smss.exe, csrss.exe, services.exe. As I know with SeDebugPrivilege I should be able to open these processes and retrieve a handle for them. Does anybody have a clue, what kind of magic causes this error only on Windows 8.1?

(Anyway I have the same error with the same processes for CreateToolhelp32Snapshot)

Answer 1

Windows 8.1 introduces the concept of a system protected process. This is documented in the context of third-party anti-malware software, but it seems reasonable to suppose that it is also used to protect particularly critical system processes.

System protected processes are an extension of the Protected Process mechanism (Microsoft Word document) introduced in Windows Vista as a DRM measure.

You cannot obtain any of these access rights for a protected process, even with debug privilege:

• DELETE
• READ_CONTROL
• WRITE_DAC
• WRITE_OWNER
• PROCESS_CREATE_THREAD
• PROCESS_DUP_HANDLE
• PROCESS_QUERY_INFORMATION
• PROCESS_SET_QUOTA
• PROCESS_SET_INFORMATION
• PROCESS_VM_OPERATION
• PROCESS_VM_READ
• PROCESS_VM_WRITE

You should still be able to open the process by requesting PROCESS_QUERY_LIMITED_INFORMATION access. According to the documentation, SYNCHRONIZE and PROCESS_TERMINATE access are also permitted.