Stopping resistant Windows services.

24 March 2010

Some third-party Windows services think they are very important.
They do not give you the option to stop them in the Services MMC console.
You can try to kill the process using Process Explorer, but you either get an "Access Denied" message or the service comes back right away after you kill it. That is because its Recovery options are set to "Restart Service". When you try to change this, or even to disable the service, you get another "Access Denied".

One way around this is to open Autoruns.exe, go to the Services tab and double-click the entry in question. This opens the registry editor with the key for the service selected. Delete the "FailureActions" value; this resets the recovery options to the default, which is 'do nothing'. Now you can kill the service and it won't come back.

If you want to disable it instead, set the Start value from 2 (Automatic) to 4 (Disabled).
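As an added example (not from the original post), here is a small Python decoder for the FailureActions value the post tells you to delete, so you can audit what a service's recovery configuration actually says before touching it. The sample blob is constructed, and the decoder assumes the 32-bit SERVICE_FAILURE_ACTIONS layout that the Service Control Manager stores in the registry.

```python
import struct

# SC_ACTION_TYPE values from winsvc.h
SC_ACTION_NAMES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
                   2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}
# Meaning of the Start DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<name>
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}


def parse_failure_actions(blob):
    """Decode the REG_BINARY FailureActions value of a service.

    Assumed layout (32-bit SERVICE_FAILURE_ACTIONS as written by the SCM):
    five little-endian DWORDs (reset period in seconds, reboot-message and
    command placeholders, action count, byte offset of the action array),
    followed by cActions SC_ACTION entries of (type, delay in ms)."""
    if blob is None:
        # Value absent: the SCM default, i.e. take no action on failure.
        return {"reset_period": 0, "actions": []}
    if len(blob) < 20:
        raise ValueError("FailureActions blob too short for its header")
    reset_period, _reboot_msg, _command, count, offset = struct.unpack_from("<5I", blob, 0)
    if offset + count * 8 > len(blob):
        raise ValueError("action array runs past the end of the blob")
    actions = []
    for i in range(count):
        kind, delay_ms = struct.unpack_from("<2I", blob, offset + 8 * i)
        actions.append((SC_ACTION_NAMES.get(kind, "UNKNOWN(%d)" % kind), delay_ms))
    return {"reset_period": reset_period, "actions": actions}


def will_self_restart(blob):
    """True if the SCM would react to the process dying (restart/reboot/command)."""
    return any(name != "SC_ACTION_NONE" for name, _ in parse_failure_actions(blob)["actions"])


def describe_service(name, start, blob):
    """One-line audit summary combining the Start value and recovery actions."""
    acts = parse_failure_actions(blob)["actions"]
    recovery = ", ".join("%s after %d ms" % a for a in acts) or "none"
    return "%s: Start=%s, recovery=%s" % (name, START_NAMES.get(start, start), recovery)


# Constructed sample: reset period 1 day, restart twice after 60 s, then nothing.
SAMPLE_FAILURE_ACTIONS = (struct.pack("<5I", 86400, 0, 0, 3, 20)
                          + struct.pack("<2I", 1, 60000) * 2
                          + struct.pack("<2I", 0, 0))

if __name__ == "__main__":
    print(describe_service("ExampleSvc", 2, SAMPLE_FAILURE_ACTIONS))
    print(describe_service("ExampleSvc", 4, None))  # after the fix described above
```

On a live system the same decoder can be fed the bytes read from the service's registry key (for example via the winreg module); a service whose value decodes to SC_ACTION_RESTART is the one that will reappear after being killed.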

However, there are services that think they are super important; one of these is "Service for G-Buster Browser Defense". Access to its configuration in the Windows tools is denied. When you change the Start value in the registry to 'Disabled', within seconds it is changed back to 'Automatic'.
This is done by the winlogon.exe process, one of the core Windows services. A DLL of the G-Buster software, 'gbiehAbn.dll', is loaded into the winlogon.exe process. (I think this happens because of the entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginAbn\DllName.) The software also comes with a kernel-mode driver that starts even earlier in the startup process. However, it does not come with an uninstaller.

The software comes from a Brazilian bank and does not seem to do any harm.

Deleting the FailureActions registry value and killing the process with RootkitUnhooker.exe works, but so far I have not figured out how to get rid of it permanently.
