传说中的会话管理器进程(Session Manager),它是 Windows 操作系统启动时引导的最重要的系统进程,它负责启动 csrss.exe 和 winlogon.exe 进程并对它们进行监控:一旦发现其中一个退出,它就会立刻让系统宕机。所以要想结束 csrss.exe/winlogon.exe,得先结束 smss.exe。源码面前一目了然(摘自 Windows NT 4.0 代码)


//
// Fragment of the SMSS main routine as quoted on this page (Windows NT 4.0
// session manager). It starts in the middle of the function: the enclosing
// signature, DebugParameter and SmpDebug are declared outside this excerpt.
//
// What the visible code does, in order:
//   1. raises this process's base priority;
//   2. starts the Windows subsystem and the initial command (the author
//      identifies them as csrss.exe and winlogon.exe), then waits for either
//      of the two process handles to be signalled;
//   3. once one of them exits (or SmpInit / SmpExecuteInitialCommand fails),
//      enables SE_SHUTDOWN_PRIVILEGE and raises a STATUS_SYSTEM_PROCESS_TERMINATED
//      hard error with OptionShutdownSystem, i.e. takes the system down.
//
// Parameters[0] carries a UNICODE_STRING naming which component failed and
// Parameters[1] the status that goes with it; both are set on every path below.
//
//1 Module Info : local variable definitions; raise the current process's base priority (to 11)
     NTSTATUS Status;
    KPRIORITY SetBasePriority;
    UNICODE_STRING InitialCommand, DebugInitialCommand, UnicodeParameter;
    HANDLE ProcessHandles[ 2 ];  // [0] Windows subsystem, [1] initial command (see below)
    ULONG Parameters[ 4 ];       // only [0] and [1] are used in this excerpt
    ULONG Response;
    PROCESS_BASIC_INFORMATION ProcessInfo;
    BOOLEAN WasEnabled;
    SetBasePriority = FOREGROUND_BASE_PRIORITY+2;//#define FOREGROUND_BASE_PRIORITY 9, so the new base priority is 11
    Status = NtSetInformationProcess( NtCurrentProcess(),
                                      ProcessBasePriority,
                                      (PVOID) &SetBasePriority,
                                       sizeof( SetBasePriority )
                                    );
    // NOTE(review): ASSERT is presumably compiled out of free builds, so a
    // failed priority change is silently ignored there.
    ASSERT(NT_SUCCESS(Status));
    if (ARGUMENT_PRESENT( DebugParameter )) {
        SmpDebug = DebugParameter;   // both declared outside this excerpt
        }

//2 Module Info : obtain the csrss.exe and winlogon.exe process handles and watch them
try {
        // Per the author, ProcessHandles[0] receives the csrss.exe process handle.
        Status = SmpInit( &InitialCommand, &ProcessHandles[ 0 ] );
        if (!NT_SUCCESS( Status )) {
            // NOTE(review): the format string has a %x but no matching argument is passed.
            KdPrint(( "SMSS: SmpInit return failure - Status == %x\n" ));
            RtlInitUnicodeString( &UnicodeParameter, L"Session Manager Initialization" );
            Parameters[ 1 ] = (ULONG)Status;
            }
        else {
            SYSTEM_FLAGS_INFORMATION FlagInfo;
            // NOTE(review): the return status is not checked, and FlagInfo.Flags
            // is read below regardless of whether the query succeeded.
            NtQuerySystemInformation( SystemFlagsInformation,
                                      &FlagInfo,
                                      sizeof( FlagInfo ),
                                      NULL
                                    );
            // If the global flags ask for it, wrap the initial command in an ntsd
            // debugger command line before it is executed.
            if (FlagInfo.Flags & (FLG_DEBUG_INITIAL_COMMAND | FLG_DEBUG_INITIAL_COMMAND_EX
) ) {
                DebugInitialCommand.MaximumLength = InitialCommand.Length + 64;
                DebugInitialCommand.Length = 0;
                // NOTE(review): the allocation result is not checked before the
                // appends below write through DebugInitialCommand.Buffer.
                DebugInitialCommand.Buffer = RtlAllocateHeap( RtlProcessHeap(),
                                                              MAKE_TAG( INIT_TAG ),
                                                              DebugInitialCommand.MaximumLength
                                                            );
                if (FlagInfo.Flags & FLG_ENABLE_CSRDEBUG) {
                    RtlAppendUnicodeToString( &DebugInitialCommand, L"ntsd -p -1 -d " );
                    }
                else {
                    RtlAppendUnicodeToString( &DebugInitialCommand, L"ntsd -d " );
                    }
                if (FlagInfo.Flags & FLG_DEBUG_INITIAL_COMMAND_EX ) {
                    RtlAppendUnicodeToString( &DebugInitialCommand, L"-g -x " );
                    }
                RtlAppendUnicodeStringToString( &DebugInitialCommand, &InitialCommand );
                InitialCommand = DebugInitialCommand;
                }
            // Per the author, ProcessHandles[1] receives the winlogon.exe process handle.
            Status = SmpExecuteInitialCommand( &InitialCommand, &ProcessHandles[ 1 ] );
            if (NT_SUCCESS( Status )) {
                // Wait with no timeout until either process handle is signalled
                // (WaitAny): execution only continues once one of them has exited.
                Status = NtWaitForMultipleObjects( 2,
                                                   ProcessHandles,
                                                   WaitAny,
                                                   FALSE,
                                                   NULL
                                                 );
                }
            // STATUS_WAIT_0 / STATUS_WAIT_1 name the index of the handle that was
            // signalled; any other value is a failure status from the wait or
            // from SmpExecuteInitialCommand.
            if (Status == STATUS_WAIT_0) {
                RtlInitUnicodeString( &UnicodeParameter, L"Windows SubSystem" );
                Status = NtQueryInformationProcess( ProcessHandles[ 0 ],
                                                    ProcessBasicInformation,
                                                    &ProcessInfo,
    
                                                sizeof( ProcessInfo ),
                                                    NULL
                                                  );
                KdPrint(( "SMSS: Windows subsystem terminated when it wasn't supposed to.\n" ));
                }
            else {
                RtlInitUnicodeString( &UnicodeParameter, L"Windows Logon Process" );
                if (Status == STATUS_WAIT_1) {
                    Status = NtQueryInformationProcess( ProcessHandles[ 1 ],
                                                        ProcessBasicInformation,
                                                        &ProcessInfo,
                                                        sizeof( ProcessInfo ),
                                                        NULL
                                                      );
                    }
                else {
                    // Not a wait index: report the failure status itself as the
                    // exit status and treat the query step as successful.
                    ProcessInfo.ExitStatus = Status;
                    Status = STATUS_SUCCESS;
                    }
                KdPrint(( "SMSS: Initial command '%wZ' terminated when it wasn't supposed to.\n", &InitialCommand ));
                }
            // Parameters[1]: the exit status of whichever process died, or
            // STATUS_UNSUCCESSFUL if it could not be queried.
            if (NT_SUCCESS( Status )) {
                Parameters[ 1 ] = (ULONG)ProcessInfo.ExitStatus;
                }
            else {
                Parameters[ 1 ] = (ULONG)STATUS_UNSUCCESSFUL;
                }
            }
        }
    // Any unhandled exception in the steps above is reported the same way,
    // with the exception code as the second parameter.
    except( SmpUnhandledExceptionFilter( GetExceptionInformation() ) ) {
        RtlInitUnicodeString( &UnicodeParameter, L"Unhandled Exception in Session Manager" );
        Parameters[ 1 ] = (ULONG)GetExceptionCode();
        }


//3 Module Info : the "crash" path. This raises a hard error (NtRaiseHardError
// with OptionShutdownSystem), not a hardware interrupt; it is what takes the
// system down once csrss.exe or winlogon.exe has exited.

  // Enable SE_SHUTDOWN_PRIVILEGE, first on the current thread's token
  // (third argument TRUE), so that the shutdown option below is permitted.
  Status = RtlAdjustPrivilege( SE_SHUTDOWN_PRIVILEGE,
                                 (BOOLEAN)TRUE,
                                 TRUE,
                                 &WasEnabled
                               );
    if (Status == STATUS_NO_TOKEN) {
        //
        // No thread token, use the process token
        //
        Status = RtlAdjustPrivilege( SE_SHUTDOWN_PRIVILEGE,
                                     (BOOLEAN)TRUE,
                                     FALSE,
                                     &WasEnabled
                                   );
        }
    // NOTE(review): storing a pointer in a ULONG only round-trips on 32-bit
    // builds; a pointer-sized integer type would be needed elsewhere.
    Parameters[ 0 ] = (ULONG)&UnicodeParameter;
    // Two parameters, of which the first (mask 1) is the UNICODE_STRING set
    // above; the only response option offered is a system shutdown.
    Status = NtRaiseHardError( STATUS_SYSTEM_PROCESS_TERMINATED,
                               2,
                               1,
                               Parameters,
                               OptionShutdownSystem,
                               &Response
                             );
    //
    // If this returns, giveup
    //
    NtTerminateProcess( NtCurrentProcess(), Status );
posted on 2007-04-17 16:05 垃圾一堆 阅读(3674) 评论(2)  编辑 收藏
Comments
  • # re: Smss.exe进程分析
    周星星
    Posted @ 2007-04-17 17:05
    精彩
  • # re: Smss.exe进程分析
    breach
    Posted @ 2007-08-28 16:33
    佩服,只能这么说。