Severity: Warning
File: src/Servy.Core/Helpers/ProcessKiller.cs
Lines: 20-24
private static readonly HashSet<string> CriticalSystemProcesses = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "system", "idle", "csrss", "lsass", "wininit", "services",
    "winlogon", "smss", "svchost", "explorer", "runtimebroker"
};
The list is consulted only by KillProcessesUsingFile (line 300), which means any of these processes named below can still be killed by KillProcessTreeAndParents ancestor walks even though killing them is destructive on a live Windows host:
- dwm (Desktop Window Manager) — kill causes a black-screen / forced session restart.
- fontdrvhost — font rendering breaks across all sessions.
- audiodg — system audio dies until manual restart.
- MsMpEng (Defender real-time protection) — bypasses AV, looks like an EDR-evasion attempt to security tooling.
- LsaIso (when Credential Guard is on) — kernel-protected process, kill attempt logs a security event.
- WUDFHost — user-mode driver framework; killing breaks USB/peripherals.
- wmiprvse — kills running WMI consumers; subsequent WMI queries fail until restart.
- conhost — console host; killing detaches every child console process.
- taskhostw — orphans scheduled tasks.
- sihost, ctfmon, dllhost — stability-critical for shell/COM.
Risk surfaces are:
- KillProcessesUsingFile — a stray service log handle held in a system process's working set could now trigger the kill of a kernel-critical process.
- The KillParentProcesses walk (lines 402-433) does not consult this list — if a Servy-tracked child was launched by dwm or services (unlikely, but reachable on misconfigured services) the parent walk will try to terminate it.
Suggested fix:
- Move the safelist out of KillProcessesUsingFile and consult it from KillProcessTree and KillParentProcesses as well.
- Extend the list to at least: dwm, fontdrvhost, audiodg, MsMpEng, MsSense, LsaIso, WUDFHost, wmiprvse, conhost, taskhostw, sihost, ctfmon, dllhost, searchindexer, searchhost.
- Consider also matching by Authenticode publisher (Microsoft Windows Publisher) for unknown system processes, since name alone can be spoofed by user processes.
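The shape the suggested fix could take, as an added example that is not Servy's code: one `ProcessSafelist` guard that every kill path calls before terminating anything. It combines the name safelist (extended as listed above), a publisher check on the image's Authenticode certificate, and a fail-closed rule for processes whose main module cannot be read (protected-process-light images such as MsMpEng and LsaIso raise access-denied there). The `getParentPid` delegate in `KillParents` is a hypothetical stand-in for however the caller resolves parent PIDs; the publisher subject names and the "only images under the Windows directory" scoping are my assumptions about what the finding means by "unknown system processes".

```csharp
// Added example, not Servy's code: a single safelist consulted by every kill path.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ProcessSafelist
{
    // Compared as Process.ProcessName reports them: case-insensitive, no ".exe".
    private static readonly HashSet<string> CriticalSystemProcesses = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "system", "idle", "csrss", "lsass", "wininit", "services", "winlogon", "smss", "svchost",
        "explorer", "runtimebroker",
        // extension proposed in the finding
        "dwm", "fontdrvhost", "audiodg", "MsMpEng", "MsSense", "LsaIso", "WUDFHost", "wmiprvse",
        "conhost", "taskhostw", "sihost", "ctfmon", "dllhost", "searchindexer", "searchhost"
    };

    // Assumed certificate subject names; confirm against the signers on your Windows build.
    private static readonly HashSet<string> TrustedPublishers = new HashSet<string>(StringComparer.Ordinal)
    {
        "Microsoft Windows", "Microsoft Windows Publisher"
    };

    // True when the process must not be killed. Any failure to inspect it counts as protected.
    public static bool IsProtected(Process p, out string reason)
    {
        if (CriticalSystemProcesses.Contains(p.ProcessName))
        {
            reason = "name is on the critical-process safelist";
            return true;
        }
        string path;
        try
        {
            path = p.MainModule?.FileName;
        }
        catch (Win32Exception)
        {
            // Access denied: PPL or cross-session image. Fail closed rather than guess.
            reason = "main module not accessible; treated as protected";
            return true;
        }
        if (path == null)
        {
            reason = "no user-mode image (kernel pseudo-process)";
            return true;
        }
        // Publisher check only for images in the Windows directory (assumption: "unknown system processes").
        string windowsDir = Environment.GetFolderPath(Environment.SpecialFolder.Windows);
        if (path.StartsWith(windowsDir, StringComparison.OrdinalIgnoreCase) && IsSignedByTrustedPublisher(path))
        {
            reason = "image is signed by a trusted Windows publisher";
            return true;
        }
        reason = null;
        return false;
    }

    // Reads the embedded Authenticode certificate and checks that it chains to a trusted root.
    // Note: CreateFromSignedFile does not verify the file hash against the signature; for full
    // Authenticode verification call WinVerifyTrust. This is a publisher identity check only.
    private static bool IsSignedByTrustedPublisher(string path)
    {
        try
        {
            using (var cert = new X509Certificate2(X509Certificate.CreateFromSignedFile(path)))
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                if (!chain.Build(cert)) return false;
                return TrustedPublishers.Contains(cert.GetNameInfo(X509NameType.SimpleName, false));
            }
        }
        catch (CryptographicException) { return false; }   // unsigned image
        catch (IOException) { return false; }               // image gone or unreadable
    }

    // The only place Kill() is called; every walk goes through here.
    public static bool TryKill(Process p, Action<string> log)
    {
        if (IsProtected(p, out string reason))
        {
            log($"refusing to kill {p.ProcessName} (pid {p.Id}): {reason}");
            return false;
        }
        try { p.Kill(); return true; }
        catch (Exception ex) when (ex is Win32Exception || ex is InvalidOperationException)
        {
            log($"kill of pid {p.Id} failed: {ex.Message}");
            return false;
        }
    }

    // Ancestor walk that stops at the first protected ancestor: once the chain reaches a
    // system process, everything above it is system too. getParentPid is hypothetical.
    public static void KillParents(int startPid, Func<int, int?> getParentPid, Action<string> log)
    {
        var visited = new HashSet<int>();
        int? pid = getParentPid(startPid);
        while (pid.HasValue && visited.Add(pid.Value))
        {
            int? next = getParentPid(pid.Value);   // resolve before the kill; the entry vanishes afterwards
            Process p;
            try { p = Process.GetProcessById(pid.Value); }
            catch (ArgumentException) { break; }   // parent already exited
            using (p) { if (!TryKill(p, log)) break; }
            pid = next;
        }
    }
}
```

`KillProcessTree` and `KillProcessesUsingFile` would call `TryKill` for each candidate in the same way, so the safelist cannot be bypassed by a path that forgets to check it. The fail-closed branch is deliberate: a kill routine that cannot read a process's image has no basis for deciding it is safe to terminate.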