杀掉本地进程其实很简单,取得进程ID后,调用OpenProcess函数打开进程句柄,然后调用TerminateProcess函数就可以杀掉进程了。有些情况下并不能直接打开进程句柄,例如WINLOGON等系统进程,因为权限不够。这个时候我们就得先提升自己的进程的权限了。提升权限过程也不复杂,先调用GetCurrentProcess函数取得当前进程的句柄,然后调用OpenProcessToken打开当前进程的访问令牌,接着调用LookupPrivilegeValue函数取得你想提升的权限的值,最后调用AdjustTokenPrivileges函数给当前进程的访问令牌增加权限就可以了。一般有了SeDebugPrivilege特权后,就可以杀掉除Idle外的所有进程了。
OK!那如何杀掉远程进程呢?说起来有点复杂,但其实也不难。
<1>与远程系统建立IPC连接
<2>在远程系统的系统目录admin$\system32中写入一个文件killsrv.exe
<3>调用函数OpenSCManager打开远程系统的Service Control Manager[SCM]
<4>调用函数CreateService在远程系统创建一个服务,服务指向的程序是在<2>中写入的程序killsrv.exe
<5>调用函数StartService启动刚才创建的服务,把想杀掉的进程的ID作为参数传递给它
<6>服务启动后,killsrv.exe运行,杀掉进程
<7>清场
嗯!这样看来,我们需要两个程序了。Killsrv.exe的源代码如下:
/***********************************************************************
Module:Killsrv.c
Date:2001/4/27
Author:ey4s
Http://www.ey4s.org
***********************************************************************/
W"j&':xD #include
JC|j*x(k/ #include
W&E?#=*X #include "function.c"
/* Name used both in the service table and when registering the control
   handler. */
#define ServiceName "PSKILL"

/* Status record reported to the SCM, and the handle it is reported through.
   ssh is assigned in ServiceMain. */
SERVICE_STATUS ss;
SERVICE_STATUS_HANDLE ssh;
/////////////////////////////////////////////////////////////////////////
/*
 * Fill the global status record with SERVICE_STOPPED and report it to the
 * SCM through the global status handle.
 */
void ServiceStopped(void)
{
    ss.dwWaitHint         = 0;
    ss.dwCheckPoint       = 0;
    ss.dwWin32ExitCode    = NO_ERROR;
    ss.dwControlsAccepted = SERVICE_ACCEPT_STOP;
    ss.dwCurrentState     = SERVICE_STOPPED;
    ss.dwServiceType      = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;

    SetServiceStatus(ssh, &ss);
}
/////////////////////////////////////////////////////////////////////////
/*
 * Fill the global status record with SERVICE_PAUSED and report it to the
 * SCM through the global status handle.
 */
void ServicePaused(void)
{
    ss.dwWaitHint         = 0;
    ss.dwCheckPoint       = 0;
    ss.dwWin32ExitCode    = NO_ERROR;
    ss.dwControlsAccepted = SERVICE_ACCEPT_STOP;
    ss.dwCurrentState     = SERVICE_PAUSED;
    ss.dwServiceType      = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;

    SetServiceStatus(ssh, &ss);
}
/*
 * Fill the global status record with SERVICE_RUNNING and report it to the
 * SCM through the global status handle.
 */
void ServiceRunning(void)
{
    ss.dwWaitHint         = 0;
    ss.dwCheckPoint       = 0;
    ss.dwWin32ExitCode    = NO_ERROR;
    ss.dwControlsAccepted = SERVICE_ACCEPT_STOP;
    ss.dwCurrentState     = SERVICE_RUNNING;
    ss.dwServiceType      = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;

    SetServiceStatus(ssh, &ss);
}
/////////////////////////////////////////////////////////////////////////
/*
 * Service control handler registered in ServiceMain.
 *
 * SERVICE_CONTROL_STOP reports SERVICE_STOPPED; SERVICE_CONTROL_INTERROGATE
 * re-sends the current status record. Every other control code is ignored.
 */
void WINAPI servier_ctrl(DWORD Opcode)
{
    if (Opcode == SERVICE_CONTROL_STOP) {
        /* stop the service */
        ServiceStopped();
    } else if (Opcode == SERVICE_CONTROL_INTERROGATE) {
        SetServiceStatus(ssh, &ss);
    }
}
//////////////////////////////////////////////////////////////////////////////
//杀进程成功设置服务状态为SERVICE_STOPPED
//失败设置服务状态为SERVICE_PAUSED
//
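/*
 * Service entry point invoked by the SCM dispatcher.
 *
 * The client forwards its own argument vector through StartService, so the
 * layout seen here is shifted by one: argv[0] is this service, argv[1] the
 * client program, argv[2]=target, argv[3]=user, argv[4]=password,
 * argv[5]=pid. Only argv[5] is used.
 *
 * Result reporting: SERVICE_STOPPED when the process was terminated,
 * SERVICE_PAUSED when it was not (bad arguments included).
 *
 * NOTE(review): the PID is whatever the caller of StartService supplies, so
 * it is validated before use. The original indexed lpszArgv[5] without
 * checking dwArgc, which reads past the vector when the service is started
 * without arguments (for example by an automatic start at boot).
 * NOTE(review): strtoul on an LPTSTR assumes an ANSI build, as the original
 * atoi call did.
 */
void WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv)
{
    char *end = NULL;
    unsigned long pid = 0;

    ssh = RegisterServiceCtrlHandler(ServiceName, servier_ctrl);
    if (!ssh) {
        /* Without a status handle nothing can be reported to the SCM. */
        return;
    }

    ServiceRunning();
    Sleep(100);

    /* Refuse to index past the argument vector. */
    if (dwArgc < 6 || lpszArgv == NULL || lpszArgv[5] == NULL) {
        ServicePaused();
        return;
    }

    /* Accept only a complete, non-zero decimal number as the PID. */
    pid = strtoul(lpszArgv[5], &end, 10);
    if (end == lpszArgv[5] || *end != '\0' || pid == 0) {
        ServicePaused();
        return;
    }

    if (KillPS((DWORD)pid))
        ServiceStopped();
    else
        ServicePaused();
}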
/////////////////////////////////////////////////////////////////////////////
/*
 * Process entry point of the service binary: hands a one-entry service
 * table (terminated by a NULL entry) to the SCM dispatcher, which then
 * calls ServiceMain. The arguments are not used here.
 */
void main(DWORD dwArgc, LPTSTR *lpszArgv)
{
    SERVICE_TABLE_ENTRY ste[2] = {
        { ServiceName, ServiceMain },
        { NULL,        NULL        }
    };

    StartServiceCtrlDispatcher(ste);
}
/////////////////////////////////////////////////////////////////////////////
function.c中有两个函数,一个是提升权限的,一个是提供进程ID,杀进程的。代码如下:
/***********************************************************************
Module:function.c
Date:2001/4/28
Author:ey4s
Http://www.ey4s.org
***********************************************************************/
|_\q5?S #include
////////////////////////////////////////////////////////////////////////////
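/*
 * Enable or disable one named privilege in an access token.
 *
 * hToken            token to modify; it must have been opened with
 *                   TOKEN_ADJUST_PRIVILEGES access
 * lpszPrivilege     privilege name, e.g. SE_DEBUG_NAME
 * bEnablePrivilege  TRUE to enable the privilege, FALSE to disable it
 *
 * Returns TRUE only when the privilege state was actually changed.
 * Diagnostics are printed to stdout on failure.
 */
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp;
    LUID luid;
    DWORD err;

    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) {
        printf("\nLookupPrivilegeValue error:%d", GetLastError());
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    /* DisableAllPrivileges is FALSE, so only the listed privilege is touched. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
                               (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) {
        printf("AdjustTokenPrivileges failed: %u\n", GetLastError());
        return FALSE;
    }

    /* The call also succeeds when the token does not hold the privilege; the
       last error is then ERROR_NOT_ALL_ASSIGNED. Read it once so that the
       value tested is the value reported. */
    err = GetLastError();
    if (err != ERROR_SUCCESS) {
        printf("AdjustTokenPrivileges failed: %u\n", err);
        return FALSE;
    }
    return TRUE;
}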
////////////////////////////////////////////////////////////////////////////
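/*
 * Terminate the process with the given ID.
 *
 * Enables SeDebugPrivilege on the current process token, opens the target
 * and calls TerminateProcess with exit code 1. Returns TRUE when the
 * process was terminated, FALSE otherwise; diagnostics go to stdout.
 *
 * Changes from the original:
 *  - the token and the process are opened with only the rights that are
 *    used (TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY and PROCESS_TERMINATE)
 *    instead of TOKEN_ALL_ACCESS / PROCESS_ALL_ACCESS;
 *  - SeDebugPrivilege is disabled again before returning, so the caller
 *    does not keep running with it enabled;
 *  - the last-error value of the failing call is preserved across the
 *    cleanup, because callers print GetLastError() after a FALSE return;
 *  - the unused local bRet is gone.
 */
BOOL KillPS(DWORD id)
{
    HANDLE hProcess = NULL, hProcessToken = NULL;
    BOOL IsKilled = FALSE, bDebugEnabled = FALSE;

    __try
    {
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                              &hProcessToken))
        {
            printf("\nOpen Current Process Token failed:%d", GetLastError());
            __leave;
        }
        if (!SetPrivilege(hProcessToken, SE_DEBUG_NAME, TRUE))
        {
            __leave;
        }
        bDebugEnabled = TRUE;
        printf("\nSetPrivilege ok!");

        hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, id);
        if (hProcess == NULL)
        {
            printf("\nOpen Process %d failed:%d", id, GetLastError());
            __leave;
        }
        if (!TerminateProcess(hProcess, 1))
        {
            printf("\nTerminateProcess failed:%d", GetLastError());
            __leave;
        }
        IsKilled = TRUE;
    }
    __finally
    {
        /* Cleanup calls overwrite the thread's last error; keep the one that
           describes the failure. */
        DWORD saved = GetLastError();

        if (bDebugEnabled) SetPrivilege(hProcessToken, SE_DEBUG_NAME, FALSE);
        if (hProcessToken != NULL) CloseHandle(hProcessToken);
        if (hProcess != NULL) CloseHandle(hProcess);

        SetLastError(saved);
    }
    return IsKilled;
}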
//////////////////////////////////////////////////////////////////////////////////////////////
OK!服务端的程序已经好了。接下来还需要一个客户端。如果通过在客户端运行的时候,把killsrv.exe COPY到远程系统上,那么就需要提供两个exe文件给用户,这样显得不是很专业,呵呵。不如我们就把killsrv.exe的二进制码作为buff保存在客户端吧,这样在运行的时候,我们直接把buff中的内容写过去,这样提供给用户一个exe文件就可以了。Pskill.c的源代码如下:
/*********************************************************************************************
Module:pskill.c
Create:2001/4/28
Modify:2001/6/23
Author:ey4s
Http://www.ey4s.org
PsKill ==>Local and Remote process killer for windows 2k
**************************************************************************/
{U7A&e0eW #include "ps.h"
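#define EXE "killsrv.exe"        /* file name of the service binary */
#define ServiceName "PSKILL"     /* name of the temporary service */

#pragma comment(lib,"mpr.lib")   /* WNetAddConnection2 / WNetCancelConnection2 */

//////////////////////////////////////////////////////////////////////////
// Global state shared by main and the helper routines below.
SERVICE_STATUS ssStatus;                        /* last status read from the SCM */
SC_HANDLE hSCManager = NULL, hSCService = NULL; /* closed by main on exit */
BOOL bKilled = FALSE;                           /* set by WaitServiceStop */
/* Target host name. The initializer was lost in the listing ("=;"); an
   all-zero array is what file-scope storage gives anyway. */
char szTarget[52] = {0};
//////////////////////////////////////////////////////////////////////////
BOOL ConnIPC(char *, char *, char *);   /* open the IPC$ connection */
BOOL InstallService(DWORD, LPTSTR *);   /* create and start the service */
BOOL WaitServiceStop();                 /* wait for the service to stop */
BOOL RemoveService();                   /* delete the service */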
/////////////////////////////////////////////////////////////////////////
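/*
 * Client entry point.
 *
 * With one argument (a PID) the local process is terminated through KillPS.
 * With four arguments (target, user, password, PID) the embedded service
 * binary is written to the target, run as a service and removed again.
 * Any other argument count prints the usage text and returns 1.
 *
 * Fixes relative to the listing:
 *  - the array initializers ("=,") and the doubled backslashes of the UNC
 *    path literals were lost in extraction and are restored;
 *  - tmp was 52 bytes but receives "\\" + target (up to 51 chars) + "\ipc$",
 *    which overflows the stack buffer; it is now sized from szTarget;
 *  - over-long arguments are rejected instead of being silently truncated
 *    (a truncated host name is a different host);
 *  - the file handle was closed twice on success, and on CreateFile failure
 *    INVALID_HANDLE_VALUE was passed to CloseHandle, because the cleanup
 *    tested against NULL;
 *  - a partially written remote file is now deleted too (the handle is
 *    closed before DeleteFile, which cannot remove an open file);
 *  - a successful zero-byte write no longer spins forever;
 *  - unused locals bRet and i are gone.
 *
 * NOTE(review): the password is taken from the command line, where other
 * local users can read it from the process list, and the unmodified argument
 * vector (password included) is handed to InstallService and from there to
 * the remote service as start arguments. Only the PID is needed remotely.
 * NOTE(review): exebuff is not defined in this listing; presumably it is the
 * embedded binary declared in ps.h. Confirm.
 */
int main(DWORD dwArgc, LPTSTR *lpszArgv)
{
    BOOL bFile = FALSE;
    int rc = 0;
    char tmp[sizeof(szTarget) + 8] = {0};   /* "\\" + target + "\ipc$" + NUL */
    char RemoteFilePath[128] = {0};
    char szUser[52] = {0}, szPass[52] = {0};
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD dwIndex = 0, dwWrite = 0, dwSize = sizeof(exebuff);

    /* Local mode: one argument, the PID. */
    if (dwArgc == 2)
    {
        if (KillPS(atoi(lpszArgv[1])))
            printf("\nLoacl Process %s have beed killed!", lpszArgv[1]);
        else
            printf("\nLoacl Process %s can't be killed!ErrorCode:%d",
                   lpszArgv[1], GetLastError());
        return 0;
    }
    /* Wrong number of arguments. */
    else if (dwArgc != 5)
    {
        printf("\nPSKILL ==>Local and Remote Process Killer"
               "\nPower by ey4s"
               "\nhttp://www.ey4s.org 2001/6/23"
               "\n\nUsage:%s <==Killed Local Process"
               "\n %s <==Killed Remote Process\n",
               lpszArgv[0], lpszArgv[0]);
        return 1;
    }

    /* Remote mode. Reject anything that would not fit the fixed buffers. */
    if (strlen(lpszArgv[1]) >= sizeof(szTarget) ||
        strlen(lpszArgv[2]) >= sizeof(szUser) ||
        strlen(lpszArgv[3]) >= sizeof(szPass))
    {
        printf("\nArgument too long");
        return 1;
    }
    strncpy(szTarget, lpszArgv[1], sizeof(szTarget) - 1);
    strncpy(szUser, lpszArgv[2], sizeof(szUser) - 1);
    strncpy(szPass, lpszArgv[3], sizeof(szPass) - 1);

    /* Path of the file created on the target. Worst case is
       2 + 51 + 17 + 11 + 1 bytes, which fits RemoteFilePath. */
    sprintf(RemoteFilePath, "\\\\%s\\admin$\\system32\\%s", szTarget, EXE);

    __try
    {
        /* Open the IPC connection to the target. */
        if (!ConnIPC(szTarget, szUser, szPass))
        {
            printf("\nConnect to %s failed:%d", szTarget, GetLastError());
            rc = 1;
            __leave;
        }
        printf("\nConnect to %s success!", szTarget);

        /* Create the file on the target. */
        hFile = CreateFile(RemoteFilePath, GENERIC_ALL,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            printf("\nCreate file %s failed:%d", RemoteFilePath, GetLastError());
            __leave;
        }
        /* From here on the file exists and has to be removed on every path. */
        bFile = TRUE;

        /* Write the file contents. */
        while (dwSize > dwIndex)
        {
            if (!WriteFile(hFile, &exebuff[dwIndex], dwSize - dwIndex, &dwWrite, NULL)
                || dwWrite == 0)
            {
                printf("\nWrite file %s failed:%d", RemoteFilePath, GetLastError());
                __leave;
            }
            dwIndex += dwWrite;
        }

        /* Close the file handle and forget it so cleanup does not close it again. */
        CloseHandle(hFile);
        hFile = INVALID_HANDLE_VALUE;

        /* Install and start the service. */
        if (InstallService(dwArgc, lpszArgv))
        {
            /* Wait for the service to finish; the result is recorded in bKilled. */
            WaitServiceStop();
            Sleep(500);
            /* Remove the service. */
            RemoveService();
        }
    }
    __finally
    {
        /* Close the file first: an open file cannot be deleted. */
        if (hFile != INVALID_HANDLE_VALUE) CloseHandle(hFile);
        /* Delete the file left on the target. */
        if (bFile) DeleteFile(RemoteFilePath);
        /* Close the service handle. */
        if (hSCService != NULL) CloseServiceHandle(hSCService);
        /* Close the Service Control Manager handle. */
        if (hSCManager != NULL) CloseServiceHandle(hSCManager);
        /* Drop the IPC connection. */
        wsprintf(tmp, "\\\\%s\\ipc$", szTarget);
        WNetCancelConnection2(tmp, CONNECT_UPDATE_PROFILE, TRUE);

        if (bKilled)
            printf("\nProcess %s on %s have been killed!\n", lpszArgv[4], lpszArgv[1]);
        else
            printf("\nProcess %s on %s can't be killed!\n", lpszArgv[4], lpszArgv[1]);
    }
    return rc;
}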
+"Ui@^ //////////////////////////////////////////////////////////////////////////
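/*
 * Open a connection to \\RemoteName\ipc$ with the given credentials.
 *
 * Returns TRUE when WNetAddConnection2 reports NO_ERROR, FALSE otherwise.
 * On failure the error code is stored with SetLastError, because the caller
 * prints GetLastError() and WNetAddConnection2 reports its error through
 * the return value.
 *
 * Fixes relative to the listing:
 *  - RN was 50 bytes and filled with unchecked strcat calls, so a host name
 *    longer than 42 characters overflowed the stack buffer; the length is
 *    now checked before anything is copied;
 *  - the doubled backslashes of the string literals, lost in extraction,
 *    are restored;
 *  - NETRESOURCE is zero-initialized instead of left partly indeterminate.
 */
BOOL ConnIPC(char *RemoteName, char *User, char *Pass)
{
    static const char suffix[] = "\\ipc$";
    NETRESOURCE nr = {0};
    char RN[64] = "\\\\";
    DWORD rc;

    /* Room needed: 2 for the prefix, the name, the suffix and its NUL. */
    if (RemoteName == NULL ||
        strlen(RemoteName) > sizeof(RN) - sizeof(suffix) - 2)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    strcat(RN, RemoteName);
    strcat(RN, suffix);

    nr.dwType = RESOURCETYPE_ANY;
    nr.lpLocalName = NULL;
    nr.lpRemoteName = RN;
    nr.lpProvider = NULL;

    rc = WNetAddConnection2(&nr, Pass, User, FALSE);
    if (rc != NO_ERROR)
    {
        SetLastError(rc);
        return FALSE;
    }
    return TRUE;
}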
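/////////////////////////////////////////////////////////////////////////
/*
 * Create (or open) the service on the machine named by szTarget and start
 * it with the caller's argument vector.
 *
 * Returns TRUE when the service was started or was already running, FALSE
 * when the SCM could not be opened or the service could not be created,
 * opened or started. The handles are stored in the globals hSCManager and
 * hSCService and are closed by main.
 *
 * Fixes relative to the listing:
 *  - the "return" inside __finally is removed; returning from a
 *    termination handler discards an exception that is being unwound;
 *  - the wait for the service to leave SERVICE_START_PENDING is bounded
 *    (about 10 seconds) instead of unbounded.
 *
 * NOTE(review): SERVICE_AUTO_START means that a failed cleanup leaves a
 * service that starts at every boot. The service is started explicitly
 * below, so a demand-start type would be sufficient.
 * NOTE(review): when the service already exists it is opened and started
 * without checking which binary it points to.
 * NOTE(review): no account name is given, so the service runs under the
 * default service account (LocalSystem), and lpszArgv, which still contains
 * the user name and password, is passed on as the start arguments.
 * For defenders: service creation is recorded by Windows (System log event
 * 7045 on current versions, Security log event 4697 when that audit policy
 * is enabled).
 */
BOOL InstallService(DWORD dwArgc, LPTSTR *lpszArgv)
{
    enum { START_POLL_LIMIT = 500 };    /* 500 polls of 20 ms each */
    BOOL bRet = FALSE;
    int polls = 0;

    __try
    {
        /* Open the Service Control Manager on the local or remote machine. */
        hSCManager = OpenSCManager(szTarget, NULL, SC_MANAGER_ALL_ACCESS);
        if (hSCManager == NULL)
        {
            printf("\nOpen Service Control Manage failed:%d", GetLastError());
            __leave;
        }

        /* Create the service. */
        hSCService = CreateService(hSCManager,      /* handle to SCM database */
                                   ServiceName,     /* name of service to start */
                                   ServiceName,     /* display name */
                                   SERVICE_ALL_ACCESS,          /* type of access to service */
                                   SERVICE_WIN32_OWN_PROCESS,   /* type of service */
                                   SERVICE_AUTO_START,          /* when to start service */
                                   SERVICE_ERROR_IGNORE,        /* severity of service failure */
                                   EXE,             /* name of binary file */
                                   NULL,            /* name of load ordering group */
                                   NULL,            /* tag identifier */
                                   NULL,            /* array of dependency names */
                                   NULL,            /* account name */
                                   NULL);           /* account password */
        if (hSCService == NULL)
        {
            /* If the service already exists, open it instead. */
            if (GetLastError() == ERROR_SERVICE_EXISTS)
            {
                hSCService = OpenService(hSCManager, ServiceName, SERVICE_ALL_ACCESS);
                if (hSCService == NULL)
                {
                    printf("\nOpen Service failed:%d", GetLastError());
                    __leave;
                }
            }
            else
            {
                printf("\nCreateService failed:%d", GetLastError());
                __leave;
            }
        }

        /* Start the service. */
        if (StartService(hSCService, dwArgc, lpszArgv))
        {
            Sleep(20);  /* original note: best kept below 100 ms */
            while (QueryServiceStatus(hSCService, &ssStatus))
            {
                if (ssStatus.dwCurrentState != SERVICE_START_PENDING)
                    break;
                if (++polls > START_POLL_LIMIT)
                    break;      /* do not wait forever on a stuck service */
                printf(".");
                Sleep(20);
            }
            if (ssStatus.dwCurrentState != SERVICE_RUNNING)
                printf("\n%s failed to run:%d", ServiceName, GetLastError());
        }
        else if (GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
        {
            /* Already running: treated as success. */
        }
        else
        {
            printf("\nStart Service %s failed:%d", ServiceName, GetLastError());
            __leave;
        }
        bRet = TRUE;
    }
    __finally
    {
        /* Nothing to release here; main closes hSCService and hSCManager. */
    }
    return bRet;
}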
/////////////////////////////////////////////////////////////////////////
&=1Ag}l57 BOOL WaitServiceStop(void)
qk;vn}auD] {
4(VVEe BOOL bRet=FALSE;
ho1Mo //printf("\nWait Service stoped");
vhw"Nl while(1)
A@8Ot-t:\2 {
di@4'$5# Sleep(100);
\m3'4# if(!QueryServiceStatus(hSCService, &ssStatus))
rjmKe*_1V {
n{>Ge,enP0 printf("\nQueryServiceStatus failed:%d",GetLastError());
D 8nt%vy break;
@}#" o }
Q*S|SH-cZ0 if(ssStatus.dwCurrentState==SERVICE_STOPPED)
w/8`]q {
uHBEpqC% bKilled=TRUE;
TZ`@pDi bRet=TRUE;
Q9(J$_: break;
Qz T>h }
$Hx00
h o if(ssStatus.dwCurrentState==SERVICE_PAUSED)
*%G$[= {
}(g`l)OX //停止服务
1g_(xwUp+ bRet=ControlService(hSCService,SERVICE_CONTROL_STOP,NULL);
6sRe. ct<