Hi Benny,
Here is how to achieve your requirement:
so class+(PROCESS)
nr PROCESS ("C:\Windows\system32\cmd.exe") defaccess(N) audit(a) owner(nobody)
Doing this will stop users from killing the process directly.
To check this, after creating the rule, open Task Manager > Processes tab and try killing the process.
However, you can kill cmd.exe from the Applications tab of Task Manager > End Task.
The reason for this is that when you end the task from Task Manager, Windows sends a WM_CLOSE message to that window asking for a graceful shutdown.
The application processes this message, handles any necessary cleanup tasks and exits. The process is not actually terminated but exits by itself, which is
not the kind of process killing covered by PROCESS class protection. In contrast, Task Manager "End Process" invokes the TerminateProcess function, terminating/killing the application process, and this is protected by the PROCESS class.
--
Vinay Reddy
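The two termination paths described in the reply above, as an added PowerShell example that is not part of the original post or of the product documentation. It spawns its own cmd.exe, first asks it to close the way Task Manager "End Task" does (a WM_CLOSE to the main window via `Process.CloseMainWindow()`), and only if that does not end it falls back to `Process.Kill()`, which calls TerminateProcess, the path a PROCESS class rule governs. The function name `Test-TerminationPath`, the 5-second wait and the use of cmd.exe as the target are assumptions for this illustration; it assumes an interactive desktop session so the console window exists to receive WM_CLOSE.

```powershell
# Added example, not from the original post. Shows which termination path actually
# ends a process, so the effect of a PROCESS class rule can be checked for each path.
function Test-TerminationPath {
    param(
        # Assumption: the target is the image named in the rule above.
        [string]$Image = "$env:SystemRoot\System32\cmd.exe"
    )

    # Launch our own copy so nothing already running on the box is touched.
    $proc = Start-Process -FilePath $Image -PassThru
    Start-Sleep -Seconds 1   # give the new console window time to be created

    # Path 1, the "End Task" equivalent: post WM_CLOSE to the main window and let
    # the application exit by itself. CloseMainWindow() returns $false when the
    # process has no main window to receive the message.
    $posted = $proc.CloseMainWindow()
    if ($posted -and $proc.WaitForExit(5000)) {
        return [pscustomobject]@{
            Pid      = $proc.Id
            Path     = 'WM_CLOSE (End Task)'
            ExitCode = $proc.ExitCode
            Error    = $null
        }
    }

    # Path 2, the "End Process" equivalent: Kill() calls TerminateProcess. With the
    # PROCESS class rule in place, a non-owner is denied here and Kill() throws.
    try {
        $proc.Kill()
        $proc.WaitForExit()
        return [pscustomobject]@{
            Pid      = $proc.Id
            Path     = 'TerminateProcess (End Process)'
            ExitCode = $proc.ExitCode
            Error    = $null
        }
    }
    catch {
        return [pscustomobject]@{
            Pid      = $proc.Id
            Path     = 'TerminateProcess denied'
            ExitCode = $null
            Error    = $_.Exception.Message
        }
    }
}

# Usage: run once before and once after defining the rule and compare the Path field.
Test-TerminationPath | Format-List
```

Run as the user the rule is meant to restrict: before the rule both paths succeed; after it, the WM_CLOSE path still ends the process while Kill() reports the denial, which matches the behaviour the reply describes for the Applications tab versus the Processes tab.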