Windows 11: Interact with process running in session 0 - windows

I'm trying to interact with a process running in session 0, but it looks like in recent Windows versions this capability was either removed or hidden fairly well.
UI0Detect has been removed, and even software specialized for this kind of task is no longer available (e.g. FireDaemon Zero).
Is it still possible to interact with processes running in session 0?

Related

How to activate / enable the process notification feature in API Monitor?

API Monitor has a feature to automatically watch for a new process starting and ask if you want to monitor it. However, I have not been able to get this to actually work. The only option in the program I can find which seems to be related is the File menu "Pause Process Notifications" option. However, this is disabled, which gives me the impression that it can't be turned off but also that it is supposed to work automatically "out of the box". But whenever I start a new process, nothing happens.
Specifically I'm referring to the feature described here:
Process Notification
API Monitor intercepts process creation and allows you to select the process for monitoring. Each time a process is created by the system, a notification window is displayed with options to monitor, skip or terminate the process. This is especially useful for monitoring processes with a short lifespan or processes that are automatically launched in the background. Process Notification can also be used to monitor applications such as consent.exe (UAC prompt), which run on a different desktop.
The following screenshot shows an example of the Process Notification window that is displayed when launching an application that requires elevation.
I've tried both the 32-bit and 64-bit versions of API Monitor (Version 2.0 Alpha-r13), running both as a regular user and as admin; it makes no difference.
How can this feature be activated?
The specific reason I'd like to use this feature is that I have process A which starts process B, and it is B I need to monitor. A and B each run for only a few seconds so I can't manually get it to monitor fast enough.
Finally after reading through API Monitor forums I found some information. Unfortunately (for now at least) it seems the answer is that this feature no longer works (since Windows 8.1).
As posted on http://www.rohitab.com/discuss/topic/40418-process-notification-on-81/?p=10093378
rohitab, posted 11 October 2013 - 03:38 AM:
Due to security related changes in Windows 8.1, the Process Notifications feature of API Monitor does not work. I will try to resolve this issue as soon as possible and post a hotfix.
But a later update in 2014 indicated that it hadn't been fixed yet, and seems not to have been since then either.
It was implied that running in a Windows 7 (or 8.0?) virtual machine might be a workaround, or obviously finding another tool which has this capability.

What can cause an unexpected takeover of execution by the System process pid 4 on Windows?

We are working on stress testing of an application and noticed a curious case where the Windows kernel takes over execution of the stress test. The application under the stress test picks up system-wide IO events, mostly CRUD of files, using a minifilter driver, similar to this passthrough driver.
During the stress test using diskspd on one particular VM (Windows Server 2019 1809 17763.864 with no external AV or other security software installed), we noticed that the System process with reserved pid 4 is "taking over" the stress payload execution. The same seems to be happening with a simple batch script as well (create, read, delete a file in a loop). I have never seen anything like this on any other system, and we cannot reproduce this behaviour anywhere else but on that single VM.
The "taking over" occurs a few seconds into execution of the stress test and manifests itself in the following way:
Process id is changed to System reserved pid 4
Thread id is changed to another tid
User SID is changed from S-1-5-21-2874696658-2485333267-3621126573-500 to S-1-5-18
User is changed from win-saacuiping\administrator to NT AUTHORITY\SYSTEM
We have captured this in procmon.
This feels like some sort of sandboxing, but I've never actually seen this before. The simplified command used for stress testing is this:
diskspd.exe -c100b -b1K -t2 -d60 -w50 -W0 -Sh f1.tmp
Can anyone please explain why execution is suddenly passed from one process to the Windows kernel System process (pid 4)?

Is there a way to redirect (render) a window to a "memory display"?

I want to make a Windows application whose GUI will be streamed to another device (allowing remote control). The point is that I'm not willing to rely on creating Windows sessions to isolate the GUI I/O (1).
To achieve this, I started observing some existing solutions that are able to enable remote access using this premise to see if I could get a clue about where to start.
One of these solutions is Winflector (BTW: it is free up to 2 connections).
I got interested in this solution because it seems (I'm guessing) it detects only the repainted regions. What I took from my observations is that:
While the streamed application is "invisibly" running locally in the same session I'm logged in to (it shows the application process in my task manager), the application window seems not to be created at all - at least Inspect can't get any window information/handle for the application process - it looks like sort of a "GUI StdOut Redirection".
Apparently, no additional Desktop is created;
Also apparently, no Mirror Driver is installed;
Using Process Explorer, I found out Winflector adds some threads to the original application process. I suspect it is about the GUI redirection (judging by the threads' names);
The application is started by the Winflector server - that is, it has control over the CreateProcess arguments.
What is the most likely technique to be used in this case?
Windows Hook?
Windows Messages interception?
Special Display Driver?
Sort of Memory Device Context?
Where should I start researching to get a similar approach? Any open source project regarding this subject would also be very welcome.
PS: By my programming experience, this is sort of a whole "new world" - sorry if my questions are redundant/obvious/nonsense.
(1) That is, this application could be spawned, streamed and interact with the remote client using the same session which a local user is already logged in to, without conflicting with the IO (like a regular VNC would do, for example). PS: At this moment, I'm focusing only on the output.

How to hibernate application?

My question may seem too weird, but I thought about the Windows hibernation thing and I was wondering if there is a way to hibernate a specific process or application.
I.e.: when Windows starts up from a normal shutdown/restart it will load all startup programs normally, but in addition to that it will load a specific program with its previous status from before shutting down the computer.
I have thought about reserving the memory location and retrieving it back when the computer starts up, but is there any application that does that in a Windows environment?
That cannot work. The state of a process is almost never contained in just the process itself. A GUI app creates user32 and GDI objects that are stored in a heap associated with the desktop. It makes calls to Windows that affect the window manager state. It makes I/O calls that cause code inside drivers to run, which in turn affects allocations inside the kernel pools. Multiply the trouble by every pipe or RPC channel it opens to talk to other processes, and shared resources like the clipboard.
Only making a snapshot of the entire operating system state works.
There are multiple solutions for this now on Linux: CRIU, CryoPID2, BLCR.
I think Docker can be used (both for Windows and Linux), but it requires pre-packaging your app in a Docker image, which bears some overhead(s).

TSKILL not always terminating program in terminal service

Background: We have a VB6 application [1] that runs on terminal services. As part of the update scripts, tskill [2] is used to kill off any running apps so that the application may be updated. Sometimes tskill cannot kill the process, although remoting in and using Task Manager can take care of it.
Questions: what could cause a VB6 mdiform app to hang and not get shut down? Is there anything we can add to the app to make it shut down more gracefully?
Notes:
1 - It was supposed to be replaced already, but the SAP replacement is more than 1 year behind schedule.
2 - The script command is basically tskill theApp /server:theServer as it iterates across all the servers.
The app could actually have code to ignore the shutdown/kill request and cancel the unload.
I've seen cases where open message boxes cause an application not to respond to shutdown requests.
It's possible the main form is unloading, but there are other forms resident in memory that cause the EXE to continue running without a UI.
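As an added illustration (not code from the question or the answers above) of the three situations the answer lists, here is a QueryUnload handler on a hypothetical VB6 MDI parent: it shows where an app can refuse the request by setting Cancel or by putting up a modal MsgBox, and the cooperative path that never prompts on a session or Task Manager shutdown and unloads every remaining form so nothing keeps the EXE alive. The form name and the RefuseShutdown flag are assumptions; Forms, Unload and the vbApp* constants are standard VB6.

```vb
' MDIForm1: main MDI parent of a hypothetical VB6 app. Added example, not
' the poster's code. Forms, Unload and the vbApp* constants are standard VB6.
Option Explicit

' Hypothetical flag set elsewhere; shows how an app can refuse an unload.
Public RefuseShutdown As Boolean

Private Sub MDIForm_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    Dim i As Integer

    Select Case UnloadMode
        Case vbAppWindows, vbAppTaskManager
            ' Session shutdown/logoff, or End Task from Task Manager.
            ' Never prompt here: a MsgBox is modal and would block the
            ' unload, leaving the process alive with no way to finish.
            Cancel = False
        Case vbFormControlMenu
            ' Interactive close box: prompting is acceptable only here.
            If RefuseShutdown Then
                Cancel = True        ' the "ignore the request" case
                Exit Sub
            End If
            If MsgBox("Exit application?", vbYesNo + vbQuestion) = vbNo Then
                Cancel = True
                Exit Sub
            End If
    End Select

    ' Unload every other loaded form, hidden non-MDI-child forms included,
    ' walking the collection backwards because Unload shrinks it. Without
    ' this the MDI parent can close while the EXE keeps running without a UI.
    For i = Forms.Count - 1 To 0 Step -1
        If Not (Forms(i) Is Me) Then Unload Forms(i)
    Next i
End Sub
```

A child form's own QueryUnload can still set Cancel, so the same no-prompt rule has to hold in every form that the loop unloads.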
