There is no supported way to accomplish this. The process list can be read at any privilege level. If you were hoping to hide a process from even Administrators, then this is doubly unsupported.

没有支持的方法来实现这一点。可以在任何权限级别读取进程列表。如果您希望甚至对管理员隐藏一个进程，那么这是双重不受支持的。

To get this to work, you would need to write a kernel mode rootkit to intercept calls to NtQuerySystemInformationso that the SystemProcessInformation info class fails to list your hidden process.

要使其工作，您需要编写内核模式 rootkit 来拦截对NtQuerySystemInformation 的调用，以便 SystemProcessInformation 信息类无法列出您的隐藏进程。

Intercepting system calls is very difficult to do safely, and the 64 bit Windows kernels go out of their wayto prevent this from being possible: trying to modify the syscall table results in an instant blue screen. It's going to be very difficult on those platforms

拦截系统调用很难安全地进行，64 位 Windows 内核竭尽全力阻止这种情况的发生：尝试修改系统调用表会导致立即蓝屏。在这些平台上会非常困难

Hereis an example of a rootkit that tries to do something similar (and has several serious problems).

下面是一个尝试做类似事情的 rootkit 的例子（并且有几个严重的问题）。

I hope that you would not be able to.

我希望你不能。

Update:given the scenario, I think that you will probably be best off running it under a different admin account. That may help alert people to the fact that they should not kill the process.

更新：鉴于这种情况，我认为您最好在不同的管理员帐户下运行它。这可能有助于提醒人们他们不应该终止进程的事实。

If you simply need to disguise the process and not hide it completely, you can rename it winlogon.exe or svchost.exe and it will likely be ignored by users. But as Sergio mentioned, that's security by obscurity and it's got a bad reputation for a reason.

如果您只是需要伪装该进程而不是完全隐藏它，您可以将其重命名为 winlogon.exe 或 svchost.exe，它可能会被用户忽略。但正如塞尔吉奥所说，这是默默无闻的安全，它的名声不好是有原因的。

Preventing users from killing a process is another difficulty if they have proper privileges. The only method I know is to have multiple processes that watch each other and restart any watched process which gets killed. Again, this is going down a shady path.

如果用户拥有适当的权限，阻止用户杀死进程是另一个困难。我知道的唯一方法是让多个进程相互监视并重新启动任何被监视的进程。再一次，这是一条阴暗的道路。

There is no easy or supported way to do this. Even if you wrote a rootkit to do it then that could very easily get broken by a future update that was made to plug that hole. I would reexamine whether that is something you want to do.

没有简单或受支持的方法可以做到这一点。即使您编写了一个 Rootkit 来执行此操作，也很容易被未来为填补该漏洞而进行的更新所破坏。我会重新检查这是否是你想做的事情。

Don't try to stop it from being killed - you're not going to manage it. Instead, make it regularly call home to a webservice. When the webservice notices a client "going silent" it can ping the machine to see if it's just a reboot issue, and send an email to a manager (or whoever) to discipline whoever has killed the process.

不要试图阻止它被杀死 - 你不会管理它。相反，让它定期调用 Web 服务。当 Web 服务注意到客户端“静默”时，它可以 ping 机器以查看它是否只是重启问题，并向经理（或任何人）发送电子邮件以惩罚杀死进程的人。

If you want to prevent users from killing the process from task manager, you can just use a security descriptor on the process to deny terminate access to everyone. Administrators technically can still kill the process by taking ownership of the process and resetting the DACL, but there is no interface to do either of these things from Task Manager. Process Explorermay have an interface to though.

如果你想阻止用户从任务管理器中杀死进程，你可以只在进程上使用一个安全描述符来拒绝对每个人的终止访问。从技术上讲，管理员仍然可以通过获取进程的所有权并重置 DACL 来终止进程，但是任务管理器中没有任何接口可以执行这些操作。Process Explorer可能有一个接口。

When your process starts, use SetKernelObjectSecuritywith DACL_SECURITY_INFORMATIONusing the current process handle. Set a DACL with zero ACLs. This will deny all access to everyone, including those trying to end your process with task manager.

当您的进程启动时，使用SetKernelObjectSecurity并DACL_SECURITY_INFORMATION使用当前进程句柄。设置具有零 ACL 的 DACL。这将拒绝所有人的所有访问，包括那些试图用任务管理器结束您的进程的人。

Here is an example that also changes the process's owner:

这是一个也会更改进程所有者的示例：

SECURITY_DESCRIPTOR sd;
ACL dacl;
SID_IDENTIFIER_AUTHORITY ntauth = SECURITY_NT_AUTHORITY;
PSID owner;

assert(InitializeAcl(&dacl, sizeof dacl, ACL_REVISION));

assert(AllocateAndInitializeSid(&ntauth, 1, SECURITY_LOCAL_SYSTEM_RID, 0,0,0,0,0,0,0, &owner));

assert(InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION));

assert(SetSecurityDescriptorDacl(&sd, TRUE, &dacl, FALSE));

assert(SetSecurityDescriptorOwner(&sd, owner, FALSE));

assert(SetKernelObjectSecurity(GetCurrentProcess(), DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION, &sd));

assert(FreeSid(owner) == NULL);

Unfortunately, it doesn't seem to be effective. I can still close the process (although not as a limited user). Perhaps Task Manager is taking ownership or invoking some other privilege to kill the process? I seem to remember this working in previous versions of Windows (I was testing 2003), but I could be mistaken.

不幸的是，它似乎并不有效。我仍然可以关闭该进程（尽管不是作为受限用户）。也许任务管理器正在获取所有权或调用其他特权来终止进程？我似乎记得这在以前版本的 Windows 中工作（我正在测试 2003），但我可能会弄错。

Alternatively, you could write a small "checker" utility that checks if the app is running, if it isn't it automatically starts it. Then add code to the app to check for the "checker" utility that does the same. This way if one is terminated, then the other starts it back up. I've seem virus's do this, and it seems to work pretty effectively.

或者，您可以编写一个小的“检查器”实用程序来检查应用程序是否正在运行，如果不是，它会自动启动它。然后将代码添加到应用程序以检查执行相同操作的“检查器”实用程序。这样，如果一个终止，则另一个启动它。我似乎病毒会这样做，而且它似乎非常有效。

What about you just ask the user to don't kill the process ? How much time you'll spend doing it, for a behavior that is clearly childish from employees in the same company.

你只是要求用户不要终止进程呢？你会花多少时间做这件事，对于同一家公司的员工来说，这种行为显然是幼稚的。

As people mentioned above, the best method is 2 tasks, monitoring each other, I understand you don't want to waste CPU, so the best way is to establish an event between the tasks which will be triggered when one closes.

正如上面提到的，最好的方法是2个任务，互相监视，我理解你不想浪费CPU，所以最好的方法是在任务之间建立一个关闭时触发的事件。

I am not entirely sure on how to set up the hook, but then you don't use a while loop which does waste CPU.

我不完全确定如何设置挂钩，但是您不使用会浪费 CPU 的 while 循环。

Have you looked at writing a service? This way the service runs as the local system, and the application runs under the user's context, and the service can ensure that things are still done as needed, and the application is just an interface to this service. Killing the application would just result in the user not seeing any notices, system tray icon, etc, but the service is still doing its job.

您是否考虑过编写服务？这样服务作为本地系统运行，应用程序运行在用户的上下文中，服务可以保证事情仍然按需要完成，而应用程序只是这个服务的一个接口。终止应用程序只会导致用户看不到任何通知、系统托盘图标等，但服务仍在执行其工作。