Allow non-Administrator to view and terminate processes for all users

In Windows 2003 Enterprise Server, is there a user right or group policy
setting (or other means) to allow someone to view and end processes from any
(all) users (e.g. in Task Manager - "Show processes from all users") without
making that someone's user account a member of the Administrators group?

Interesting question... That might be a matter of changing one of the user
rights in the local security policy. Which one? I'd say "Increase scheduling
priority" or "debug programs".

Any user in hold of Debug permission (SeDebug Privilege) can easily become
an owner (Administrator) on that PC... User with debug permission can run
tools such as lsadump, pwdump etc...

I tried granting a user both the "increase scheduling priority" and "debug
programs" "right" under Security Settings, Local Policies, User Rights
Assignment (in Computer Configuration) via GPO to a specific domain user,
but that user still could not add a check mark to the "Show processes from
all users" check box in Task Manager.

I verified using gpresult /v that the settings in the GPO had been applied
to the computer.

Any other ideas come to mind?

It may well be that there is no specific right or permission that grants
this - this ability may be built-in to the Administrators group inherent
rights (unfortunately!) but it would be nice to know definitively.

We need to factor apart what you appear after.
One is to use task manager to view all processes. This appears to be
something hardcoded into task manager as allowed only to admins.
However, if you are willing to use other tools, for example fromt the
PStools suite from www.sysinternals.com (now part of Microsoft)
then you will find that they do not have this restirction.
You also seemed to what to grant the ability for a non-admin account
to access/kill arbitrary processes. I do not believe that there is a
specific user right for that tightly defined purpose. I would also try
debug priv, possibly with load/unload drivers, and if those are not
sufficient then act as part of OS. Any one of these is an unsafe grant
that would allow the account with them to elevate they privs to full
admin, to destabalize the OS, to install code of choice, etc..

Perhaps an explanation might help. We have a line of business application
that is a classic client server implementation. We are running the client
under Terminal Services with Citrix XPe. It uses an Oracle database that is
on a completely seperate system (Sun Solaris actually).

For an unknown reason, the client application randomly goes into a very
tight CPU loop - no page faults, no I/O, no database interaction, no network
activity. There are between 400 and 500 users spread over 24 servers (the
application is a real memory hog and also can be quite CPU intensive when
operating normally). The client application is a win32 executable - a
classic desktop type application - no web browser/server involved. It is
not unusual for a single user to have multiple instances of the client
running - each process manages one window. At any given point in time,
there are sometimes as many as 100 instances of the client application
running on each server. When one of the client application instances
(.exe - process) gets into this loop situation, it completely hogs one of
the two CPUs on that server, which impacts the performance for all users on
that server. Some days this doesn't happen at all; on other days we see
five or six intances. Unfortunately, most of our users are in the habit of
merely ignoring the "hung" window and starting another instance of the
client application - which works correctly and allows them to proceed with
their work. Sometimes, the user will "Close" the window, believing that
this has "solved the problem", but this unfortunately does not cause the
associated process to terminate.

We're working with the application vendor to find out what triggers this
problem and get it fixed, but the problem is quite random and is proving
hard for the vendor to diagnose. This is a major "system" for our agency
and switching to another vendor would be a multi-year, very expensive
process - its not going to happen!

So, in the mean time, we're faced with these runaway processes on the
Terminal Servers. We monitor the %CPU on all the servers and can see when
this problem is happening on a particular server becuase the %CPU is then
consistently high for a long time. We've decided that a couple of the staff
in our Help Desk are knowledgeable and trusted enough to be able to
identify, track down and terminate the "bad" processes. So I'm looking for
a way to allow these few users to view and terminate processes from any user
without being an administrator. We appreciate that such a
right/privilege/permission could be used to terminate any process, including
vital system processes, but judge that risk slight and acceptable given the
particular people that would be granted that right and the alternative of
suffering degraded performance. If there really isn't a way without them
being administrators, then we'll just live with that.

I'll take a look at PSTools suite as you suggest. I'm somewhat familiar
with System Internals and have used some of their tools for other purposes.

It is perfectly useless to know the right answer to the wrong question.

[Luiz Alberto Koroll]

try this:
1. include the user into admnistrators group.
2. Under Security Settings, Local Policies, allow "debug programs" "right"
3. Logon with the user, open task manager and check the box "show processes from all users"
4. Remove the user from admnistrators group.
5. Logoff e logon again, open task manager...

Did this work for anyone? I tried it myself and after removing the user/group
from the administrators group they could still see the list of other
processes but not the owner?

That works as long as the user is a local administrator. Unfortunately that
is a built-in feature of Task Manager.

[capnjack]

Giving them the "debug" right and putting them in the Perf Mon Users group allowed them to use pslist and pskill.