This pic describes exactly why I recommend people NEVER use the form’s X button in the event of suspected adware, spyware, MALWARE, or any other random POP-UP…
DO NOT DO IT.
EDIT TO CLARIFY: This article is about the red X in the top right of the ‘window’ or form, but also includes other methods such as the ALT+F4 keyboard combination, and also even by using the standard “End Task” option within Windows Task Manager!! See the update at the end of this article for more information!!!
In another article we will detail how to kill the application’s ‘process’, or do so via an external app such as the upcoming CryptoPrevent v8, which will contain a built-in one-click simplified interface for our existing free code for KillEmAll, one of our free tech tools, which can be used in the meantime for the same purpose.
Allow me to explain some simple terminology before diving in:
- Form: the visible “window” in a GUI (Graphical User Interface) application.
  - It’s worthy of note that a Windows application doesn’t need a ‘form’; rather, it can have a console (text) based UI (now just User Interface) or it can have no UI at all and run completely invisible.
- Button: an object placed on a form.
  - Obviously intended to allow a user to control application behavior.
- Event: a code procedure tied to an object such as a button or an entire form. An event typically ‘fires’ (the code in the event is interpreted and executed) based on a property or state change of the event’s object.
  - Examples of events relevant to this post are form_Query_Unload events and button_Click events.
- The Window Title Bar and the red X button: I’m referring to the title bar at the top of most Windows forms, which typically contains a red X button alongside others, usually just the two visible window-state buttons (for minimize/restore/max functionality).
  - It is typically a default behavior in developing and interpreting code that a form will contain a title bar, but it is NOT required, and when it is present, it may be customized of course.
  - The red X button on the title bar by default closes a form when clicked, and although it does not have an exposed button_Click event, it is tied to some form events, specifically Query_Unload!
The root of the ‘problem’ – the X button is actually just a button!
If you read the terms you probably have an idea of the issue already, and if not, re-read the last sub-bullet point above.
When you click the red X, it fires the form’s Query_Unload event, which can pass back an optional Cancel boolean value. When you set Cancel = True in the Query_Unload event guess what? The form doesn’t fire the form_Unload event, which means it isn’t going anywhere!
The reason why I’m stressing this for a potentially malicious situation, is that ANY code can be placed in the Query_Unload event (and the form_Unload event, and form_Resize event for that matter which fires even during min/restore/max operations.)
In web specific development, I don’t really know the specifics and with different web browsers I would expect their design/behavior is another factor – but I’m sure it is the same, in that web browser pop-ups may respond to their own form events which can naturally execute code, and naturally a bit of it is probably restricted until something is clicked to acknowledge user consent, ahem, yeah, don’t click it!!
Why ‘they’ don’t just ‘fix’ that:
You may be thinking that ‘they’ should do away with these events, but the events are quite necessary.
The Query_Unload event allows the code to perform some validation on whatever data is in use, and unlike the form_Unload event that doesn’t give a return option (typically just used for app file/setting/whatever cleanup and auto data saving) the Query_Unload event can prompt the user of the application to cancel the form close before completing a task, such as saving your work. A prompt presented to the user can easily set the boolean value passed back from Query_Unload to cancel the form_Unload event which would otherwise come next. Ultimately this returns control to the user, allowing the user to finish whatever work was being done.
Abusing the system:
This functionality is abused in the picture by the Skype application (now owned by Microsoft themselves) for two reasons.
- There is NO PROMPT provided that actually allows you to close the form, or the entire app. Skype is programmed by default to disobey a direct order. Yeah, that’s pretty nasty, Microsoft.
- The worst of it is, IMHO, that Skype isn’t actually doing any WORK so there is nothing to prompt the user to save or finish up before closing the form. So not only do they disobey you and not prompt you, there is no reason to in the first place!!!
Obviously the point is entirely moot if we’re talking about an app already on your PC that you’ve already executed, (i.e. double-clicked, run, whatever the case it was already allowed to execute code in the first place,) but in the case of a web browser or other, it becomes a gray area since the only code execution before any events occur should hopefully be from the web browser itself!!!
When an app has a user interface, anything you interact with (ANYTHING, not just a click but even typing a single character into an input box or even moving your mouse cursor over the form) can be used to execute code behind the scenes through form_events!
But let’s also not forget that apps don’t need a user interface! Let me reiterate the sub-bullet point from my Form explanation:
- It’s worthy of note that a Windows application doesn’t need a ‘form’; rather, it can have a console (text) based UI (now just User Interface) or it can have no UI at all and run completely invisible.
So look at this pic again, and
imagine how any potentially unwanted software sees that button!
EDIT TO CLARIFY: This article is about the red X because that’s what most people know, but it also applies to closing an application in any standard method not involving any actual force-terminate means. This includes the red X in the top right of the ‘window’ or form, the ALT+F4 keyboard combination, and also even by using the standard “End Task” option within Windows Task Manager!! See the linked article for more technical information: the Query_Unload event. (Note the article referenced is for the VB language, and the same ‘event’ exists for all languages targeting the Windows platform (and I would assume any other OS using a ‘forms’ UI); however, the ‘event’ or procedure may be named differently for other languages.)
The only way to effectively terminate an application (without allowing it to execute more code) is to use an application designed to use the TerminateProcess API function in conjunction with the appropriate security access token and flags outlined here. By default Task Manager doesn’t do this (at first); it does so only if an application doesn’t respond to a previous terminate request (and only then, I think, with the End Process Tree function; I’ll have to double check…)
What apps do this particular style of termination? As mentioned earlier, our existing free tool KillEmAll, one of our free tech tools, can terminate all non-essential processes effectively with one click (by using TerminateProcess with the appropriate flags and security token), as can the upcoming CryptoPrevent v8, which will contain a built-in one-click simplified interface for our existing KillEmAll-style termination methods, available both in-app and via a system tray icon!
There’s also good old tskill or taskkill from a console window with the /F parameter at the command line.
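
The difference between a close request and forced termination, as an added PowerShell example (not code from the original post, KillEmAll or CryptoPrevent). The function name `Stop-WithoutCloseRequest` and the `notepad` target are constructed for illustration; the function relies on the .NET `Process.Kill()` method, which ends the process without sending its window a close message.

```powershell
# Added example: end a process without ever sending it a close request.
# 'notepad' at the bottom is a constructed stand-in for the window you
# do not trust; substitute the process you have identified.

function Stop-WithoutCloseRequest {
    param(
        [Parameter(Mandatory)] [int] $Id,
        [int] $TimeoutMs = 5000
    )

    # Fail loudly if the PID is wrong rather than killing nothing silently.
    $proc = Get-Process -Id $Id -ErrorAction Stop

    # Record what is being terminated before it is gone, for later triage.
    $record = [pscustomobject]@{
        Id     = $proc.Id
        Name   = $proc.ProcessName
        Path   = $proc.Path      # can be empty without sufficient rights
        Exited = $false
    }

    # Deliberately NOT used: $proc.CloseMainWindow()
    # That method posts a close message to the main window. It is the same
    # request the red X and ALT+F4 make, so the application's close handler
    # runs and is free to cancel the close or do anything else first.

    # Kill() asks the operating system to end the process directly. No
    # window message is delivered, so no close/unload handler gets to run.
    # The console equivalent mentioned above is: taskkill /F /PID <pid>
    $proc.Kill()

    # Confirm the process is really gone instead of assuming it.
    $record.Exited = $proc.WaitForExit($TimeoutMs)
    return $record
}

# Usage: select by name, check the reported Path, terminate by PID.
Get-Process -Name notepad -ErrorAction SilentlyContinue |
    ForEach-Object { Stop-WithoutCloseRequest -Id $_.Id } |
    Format-Table Id, Name, Path, Exited
```

If `Kill()` throws an access-denied error, the console is not running with enough rights for that process; rerun it elevated rather than falling back to the window's own close button.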