Processes with elevation terminated randomly?

meh · 25 Feb 2016

Lately, I've been experiencing a weird and new problem: Programs I run with elevation (i.e. as Administrator) have been randomly terminated. I'm not sure why this is happening. Is this a new Windows 10 security feature?

Examples: I run Process Hacker with elevation to access all its features and allow for services to be stopped, processes to be killed, etc. But Process Hacker is one of the applications that is itself being terminated somehow at seemingly random intervals. It will be running, tray icons and all, then suddenly be terminated. I won't know it has been killed until I move the mouse cursor over its tray icons, which disappear as soon as I do.

There are several other examples of programs I always run with elevation. They are all being terminated at the same time, but I'm not doing it. It's pissing me off.

Nothing jumps out at me in the event logs.

Any ideas?

dmex · 26 Feb 2016

Is this a new Windows 10 security feature?

No.

Process Hacker is one of the applications that is itself being terminated

Do you have the same problem with Task Manager or Regedit?

meh · 26 Feb 2016

I can run task manager and regedit just fine. But, my antivirus has suddenly started having issues as well. Too many malware red flags. I'm going to restore from a backup from about a week ago.

dmex · 26 Feb 2016

meh said:

I can run task manager and regedit just fine. But, my antivirus has suddenly started having issues as well. Too many malware red flags. I'm going to restore from a backup from about a week ago.

Yeah, it's likely malware terminating these processes and it's strange that they targeted Process Hacker but not built-in tools.

If you still have issues with Process Hacker being terminated, just send me a PM and I'll link you a custom build that bypasses the detection used by the malware (I'm one of project maintainers: About - Process Hacker).

-dmex

meh · 26 Feb 2016

I recognized your nick, couldn't remember where. Well I appreciate your work; PH is one of a very few applications I refuse to do without. I work for a huge company and was on a call with a guy from China, sharing my screen, and he saw that I was running PH. He recognized it, and said "That's a really nice utility." Not far from home I realize. /End of boring story.

Anyway, I restored from a full image backup. Scanned with F-Secure online scanner, came back clean. Scanning with Eset online scanner and HouseCall now (taking forever). Scanned with MBAM, which (as always) found nothing. Anything else I should do? I'm not seeing the find-hidden-process function in PH anymore.

PS wtf is that avatar

b1rd · 26 Feb 2016

Anything else I should do?

Hi meh,

I see that you and dmex are working on a solution, but I was wondering about the Reliability History? That should show the red warnings, with an option to find a solution. I saw that you already looked over the Event Log, so perhaps this won't show anything additional, but just a thought.

b1rd

PS- Article is for Win-8, but it's the same.

meh · 26 Feb 2016

Before I restored, the event log wasn't really showing anything, but that's the weird bit... It did have a bunch of unusual entries about the logs being full or something, but none of the usual stuff I'm used to seeing. At least some of the logs wouldn't seem to open at all. At the time, I thought the scumbag malware may have been doing that to prevent the use of event logs as a diagnostic measure, but I'm not sure.