pssuspend winlogon (DWM-W8-KILLER.bat)


epic

I'm writing a batch script and unable to locate any information as to why pssuspend (pstools) is having difficulties suspending the winlogon.exe process. I also ran across the same problem with Process Explorer to suspend it, "Unable to suspend the process: The system cannot find the file specified." Though when I use ProcessHacker, I have no problems. Both pssuspend and processexplorer are running as admin.

The error when attempting to suspend the process with pssuspend:

G:\DATA\archive>pssuspend winlogon.exe

PsSuspend v1.06 - Process Suspender
Copyright © 2001-2003 Mark Russinovich
Sysinternals

Unable to suspend process winlogon.exe:

G:\DATA\archive>

Edit:

Tried "process.exe" by Craig.Peacock and his app revealed what I suspected... access denied. Not sure if there is a way around this, other than changing permissions on Winlogon.exe, which I do not want to do. I'm looking for an easier approach, as I will be posting the final batch file here for members to use, if ever needed.

G:\DATA\archive>process -s winlogon.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 824 'winlogon.exe'
  Threads [828]  Error 0x5 : Access is denied.
          [1124] Error 0x5 : Access is denied.

G:\DATA\archive>
Edited by epic


I presume that the most you can do is to try "becoming" System or TrustedInstaller, see:

http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/

http://reboot.pro/topic/17501-runassystem-and-runfromtoken/

Though I wonder if it is possible at all to "suspend" Winlogon.exe and what would be the expected goal.

jaclaz


That's way too much work and could very likely damage a system, if a normal user doesn't know what they're doing, just for a simple batch file to suspend winlogon.

Anyway, I tried "RunasSystem" and "RunFromToken" and both of those scripts modified attributes of my system - it did more than it claimed to do, and still did not allow suspending winlogon.

As previously stated, both tools from Sysinternals (pssuspend and Process Explorer) are unable to suspend winlogon, even as administrator, BUT Process Hacker (by Wen Jia Liu) can, without issues, suspend winlogon as administrator.

I'll just post my broken batch file, well the batch file isn't really broken, Windows 8/8.1 is broken... the batch file ought to work without issues.

Tools a user will need:

  1. Sysinternals PStools
  • Preferably extract the folder to the root of a secondary drive, or C: drive
  • Right click My Computer > Properties > Advanced System Settings, Select Environment Variables (located on the bottom), locate the text System variables, scroll down until you see "Path" *** STOP -- DO NOT DELETE ANYTHING WITHIN THE "PATH" , JUST ADD THE NEW LOCATION !!!! *** You've been warned... deleting entries in the path may break your system! Read next bullet point.
  • Now copy the location where you extracted PsTools (e.g. G:\DATA\PsTools , obviously, yours may be different), now type or paste that location at the very end of the "Path" making sure you add a semicolon ; between the current content and the new WITHOUT a space. Once you have the path entered, click ok through the prompts.
  • After this is completed, copy batch file into notepad and save as DWM-W8-KILLER.bat .... make sure you name it .BAT and NOT .TXT as notepad will append .TXT to the file, if it does rename it to .BAT

The batch file is meant to terminate explorer, suspend winlogon, kill dwm, and restart explorer, then the batch file will pause requiring user input, which will then resume winlogon, and winlogon will automatically restart dwm.exe and the batch file will restart explorer. Very harmless to a system.

DWM-W8-KILLER.bat

@echo off
echo ---------------------------------------------------
echo epic Windows 8 / 8.1 DWM Killer v0.1beta
echo ---------------------------------------------------

:IsRunning
echo ----------------------------------
echo explorer.exe Found
echo ----------------------------------
TASKKILL /F /IM explorer.exe /T
if errorlevel 1 goto Error1
if errorlevel 0 goto WinlogonSuspend

:Error1
echo -------------------------------------------
echo Failed to Kill explorer.exe
echo -------------------------------------------
goto End

:WinlogonSuspend
echo -------------------------------------------
echo Attempting to Suspend Winlogon.exe
echo -------------------------------------------
pssuspend winlogon.exe
if errorlevel 1 goto Error2
if errorlevel 0 goto WinlogonSuspendsuccess

:Error2
echo -------------------------------------------
echo Failed to Suspend winlogon.exe err#2
echo -------------------------------------------
goto End

:WinlogonSuspendsuccess
echo --------------------------------------------
echo Successfully Suspended winlogon.exe
echo --------------------------------------------
goto DWMKILL

:DWMKILL
echo ----------------------------------
echo Attempting to Kill dwm.exe
echo ----------------------------------
TASKKILL /F /IM dwm.exe /T
if errorlevel 1 goto Error3
if errorlevel 0 goto dwmkilled

:Error3
echo -------------------------------------------
echo Failed to Kill dwm.exe err#3
echo -------------------------------------------
goto End

:dwmkilled
echo ----------------------------------
echo Successfully Killed dwm.exe
echo ----------------------------------
goto Explorer

:Explorer
echo ----------------------------------
echo Starting process explorer.exe
echo ----------------------------------
explorer.exe
if errorlevel 1 goto Error4
if errorlevel 0 goto fexplorer

:Error4
echo -------------------------------------------
echo Failed to Start explorer.exe err#4
echo -------------------------------------------
goto End

:fexplorer
echo ----------------------------------
echo Successfully started explorer.exe
echo ----------------------------------
goto Pause

:Pause
echo ------------------------------------------------
echo Close this window or minimize it...... If you
echo press any key the batch file will restart dwm.
echo Please wait until you're finished with whatever.
echo ------------------------------------------------
pause
goto WinlogonResume

:WinlogonResume
echo ----------------------------------
echo Resuming process winlogon.exe
echo ----------------------------------
pssuspend -r winlogon.exe
if errorlevel 1 goto Error5
if errorlevel 0 goto winlogonstart

:Error5
echo -------------------------------------------
echo Failed to resume winlogon.exe err#5
echo -------------------------------------------
goto End

:winlogonstart
echo ----------------------------------
echo Successfully Resumed winlogon.exe
echo ----------------------------------
goto ExplorerRestart

:ExplorerRestart
echo ------------------------------------------------
echo Restarting process explorer.exe
echo ------------------------------------------------
TASKKILL /F /IM explorer.exe /T
explorer.exe
if errorlevel 1 goto Error6
if errorlevel 0 goto explorerestarted

:Error6
echo ----------------------------------------------
echo Failed to Restart explorer.exe err#6
echo Press WIN+R , type EXPLORER
echo ----------------------------------------------
goto End

:explorerestarted
echo -----------------------------------
echo Successfully Restarted explorer.exe
echo -----------------------------------
goto End

:End

---

Below is my previous batch file for Vista and 7.

3 lines.... and practically no errors would occur while disabling dwm.exe. It works as administrator with absolutely NO issues whatsoever. It will kill and restart dwm.exe if it isn't currently running. Kinda pathetic, 3 lines vs 100+ lines.

Simple!:

@echo off
taskkill /f /IM dwm.exe
dwm.exe

----

I forgot to mention that while DWM is disabled and explorer restarted you'll notice, on your main display, a weird split. That split is Windows split screen for metro... it's unavoidable unless you totally kill explorer and continue running your apps. Alt+Tab still works while explorer is killed.

I really really really wish METRO/MODERN could be removed from f***ing Windows 8/8.1

Edited by epic
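Added example, not from epic's post or the PsTools package: a PowerShell version of the "Path" step in the tool list above that appends the PsTools folder to the system Path only if it is not already there, leaving every existing entry untouched. It assumes PsTools was extracted to G:\DATA\PsTools (change $PsToolsDir to match) and that it is run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: append the PsTools folder to the
# system (Machine) Path without altering any existing entry.
# Assumptions: PsTools was extracted to G:\DATA\PsTools (change $PsToolsDir),
# and this runs from an elevated PowerShell prompt.
$PsToolsDir = 'G:\DATA\PsTools'

# Sanity check before touching Path: the folder must actually hold pssuspend.exe.
if (-not (Test-Path (Join-Path $PsToolsDir 'pssuspend.exe'))) {
    throw "pssuspend.exe not found in $PsToolsDir - check where PsTools was extracted."
}

# Read the current system Path and split it into its entries, dropping empties
# left by stray ';' separators.
$current = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$entries = @($current -split ';' | Where-Object { $_.Trim() -ne '' })

# Compare with trailing backslashes ignored so 'G:\DATA\PsTools\' counts as present.
$already = $entries | Where-Object { $_.TrimEnd('\') -ieq $PsToolsDir.TrimEnd('\') }

if ($already) {
    Write-Host "Path already contains $PsToolsDir - nothing to change."
} else {
    # Join with ';' and no spaces, exactly as the manual step requires, keeping
    # every existing entry in place and adding ours at the end.
    $new = ($entries + $PsToolsDir) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $new, 'Machine')
    Write-Host "Added $PsToolsDir to the system Path. Open a new cmd window so pssuspend is found."
}
```

setx /M is avoided on purpose: it truncates the stored value to 1024 characters, which can silently drop existing Path entries, the very damage the warning in the tool list is about.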

So it seems your real goal was to temporarily kill dwm, right? And you used to also do this in Vista and Win7? Just curious as to why? Does this provide a benefit in certain circumstances? Does dwm need to not be running in order to accomplish some other task? If so, there might be some better solution to do that task rather than killing dwm.

Cheers and Regards


So it seems your real goal was to temporarily kill dwm, right? And you used to also do this in Vista and Win7? Just curious as to why? Does this provide a benefit in certain circumstances? Does dwm need to not be running in order to accomplish some other task? If so, there might be some better solution to do that task rather than killing dwm.

Cheers and Regards

DWM is fairly useless, and it also consumes a ton of RAM. Killing dwm is notably used for system performance gains.

All DWM does is add transparencies and customization to the GUI, it's nothing spectacular. It's Desktop Windows Management... silly "Management" ... far and beyond from that term. DWM is aesthetics.

Edited by epic

BUT Process Hacker (by Wen Jia Liu) can, without issues, suspend winlogon as administrator.

Well, then use it instead:

http://processhacker.sourceforge.net/faq.php

Why is Process Hacker able to kill processes that no other tools can kill?

Process Hacker loads a driver that searches memory for an internal Microsoft kernel function and calls it. This special function is not known to be hooked by any malware and security software.

http://processhacker.sourceforge.net/forums/viewtopic.php?p=282

Command line reference

What is the actual problem? :unsure: (besides the actual goal)

jaclaz


What is the actual problem? :unsure: (besides the actual goal)

jaclaz

The actual problem, as stated previously, is that pssuspend does not suspend winlogon.... the goal is to suspend winlogon using the batch file, unless there is an alternative automated method via command line that requires no user interaction just like my batch file does (or ought to, but doesn't).

I have no problems using Process Hacker to suspend the process, killing dwm, but I'd like to use a batch file to automate the process and eliminate all the other steps that require time to complete. A simple command line batch file will save time.

Edited by epic

So it seems your real goal was to temporarily kill dwm, right? And you used to also do this in Vista and Win7? Just curious as to why? Does this provide a benefit in certain circumstances? Does dwm need to not be running in order to accomplish some other task? If so, there might be some better solution to do that task rather than killing dwm.

Cheers and Regards

Some old games have gpu glitches with DWM running.


Ok, I am evidently missing something.

What is the reason why you cannot automate ProcessHacker via batch? :unsure:

ProcessHacker supports command line parameters (that's the essence of the link in my previous post).

jaclaz

Edited by jaclaz

Ok, I am evidently missing something.

What is the reason why you cannot automate ProcessHacker via batch? :unsure:

ProcessHacker supports command line parameters (that's the essence of the link in my previous post).

jaclaz

I'm not using ProcessHacker via command-line, I'm suspending the process via the GUI, along with all the other required steps.

If I use ProcessHacker via command-line and add the argument "ProcessHacker.exe -c -ctype process -cobject Winlogon.exe -caction suspend," (without the comma) replacing "pssuspend winlogon.exe," the batch file executes and kills explorer along with everything else (that means ALL open apps) for that matter, so the batch file doesn't have any chance to complete. Besides, it doesn't even suspend winlogon.exe...

Though, now, after adding that line to the batch file, executing it, and experiencing that issue... I'm unable to run my original batch, as previously posted, file without it killing all open apps. What the hell......

Edited by epic