I'm trying to run some dynamic analysis routines on Windows programs, using things like Intel Pin and DynamoRIO. I am running Windows 11. A problem I am having is when I use cmd.exe to launch an interactive application, control returns immediately to the interpreter after the application has been launched. This means those apps don't get analyzed properly.
For example, if I use DynamoRIO to instrument the File Explorer like this:
drrun.exe -t drcachesim -- explorer.exe
Then DynamoRIO returns immediately after explorer.exe is launched, and it doesn't actually instrument File Explorer when the user can interact with it.
I've had similar issues with Intel Pin. It seems the root issue is cmd.exe detaches from processes immediately after launching them. I am a complete novice Windows developer, so there is probably some mechanism I am unaware of that is causing this. I would be grateful for any insight or feedback here.
Two things to note here.
cmd.exe waits for console programs but not GUI programs. Use the start command to wait on GUI programs: start /wait notepad.exe.
Explorer.exe will often communicate with an existing instance of itself and then just exit. Exit Explorer and then use Task manager to kill all Explorer.exe instances and then run your command.
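A PowerShell launcher that applies both points of the answer above, added here as an example (it is not code from the original post or from the DynamoRIO project). It assumes drrun.exe is on PATH, or is given via -DrRun, and that the caller is allowed to stop the explorer.exe instances of the current session:

```powershell
# Added example. Assumed: drrun.exe reachable on PATH, drcachesim installed.
function Invoke-Instrumented {
    param(
        [string]$DrRun  = 'drrun.exe',
        [string]$Tool   = 'drcachesim',
        [string]$Target = 'explorer.exe',
        [string[]]$TargetArgs = @()
    )
    $isExplorer = [IO.Path]::GetFileName($Target) -ieq 'explorer.exe'
    if ($isExplorer) {
        # A newly started explorer.exe hands its request to the running shell
        # instance and exits, so the instrumented copy would return at once.
        # End every running copy so the instrumented one becomes the shell.
        Get-Process -Name explorer -ErrorAction SilentlyContinue | Stop-Process -Force
        Start-Sleep -Seconds 2
    }
    $drArgs = @('-t', $Tool, '--', $Target) + $TargetArgs
    # cmd.exe returns as soon as a GUI-subsystem program has been created;
    # Start-Process -Wait blocks until the process and its descendants exit.
    $p = Start-Process -FilePath $DrRun -ArgumentList $drArgs -Wait -PassThru
    if ($isExplorer -and -not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        # analysis is over: bring the desktop shell back for the user
        Start-Process -FilePath "$env:SystemRoot\explorer.exe"
    }
    return $p.ExitCode
}

Invoke-Instrumented -Target 'explorer.exe'
```

Run it from an elevated or a normal PowerShell window; the taskbar disappears while the instrumented explorer.exe is the only shell instance, and the function restores it when drrun exits.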
I have little previous experience with Windows (for programming, anyway), but recognizing that Windows has an enormous market share, I am trying to support it in my programs (even though they are just for fun, I like to pretend they're big projects). I have written a tiny shell with minimal (and when I say minimal, I mean minimal) features.
I am trying to port it to Windows and would like to use it independently from cmd.exe in a Win32 Console window (meaning the shell part of cmd.exe isn't running at all, but the window used for it shows). I have already done most of the other porting stuff such as build system (CMake) and changing appropriate Unix syscalls to Windows ones in a #define. I have done a little research and found little on this topic, however. I know it is possible because I've seen it done with Bash. Visual Studio also used to do it when I ran a program in its GUI.
Reference article I got some of this info from: https://en.wikipedia.org/wiki/Win32_console
Note: What I mean is when you click on it and it opens it without running cmd in its own little console window. Or when you type it into cmd it opens in a separate window that isn't running cmd. I am assuming cmd.exe and the console window it runs in are two separate things, but if I am wrong, please let me know. :)
This question is inspired by https://askubuntu.com/questions/111144/are-terminal-and-shell-the-same and a similar question where I got that Wikipedia link. Someone said that the console window and the shell were separate. I was writing my own shell so I started to wonder how to make mine independent of the default one.
The Win32 Console and cmd.exe are two different things. Windows automatically opens a console window when a program that needs one is started. It decides whether to do so by switches hard-wired into the executable. This window will be running said program. If the program that started the process is running in a console window, the two programs will share that console window.
As Noodles said, it really is that simple. You just start it. Double-clicking on it will do it. The CreateProcess() function with CREATE_NEW_CONSOLE passed to it will do it. Running the program from cmd.exe with
start <command>
will do it.
There is also a family of functions in the Windows API, called FreeConsole() and AllocConsole() that will free a program from its current console and create a new console for it, respectively.
Reference link (given by Noodles): https://msdn.microsoft.com/en-us/library/windows/desktop/ms682010(v=vs.85).aspx
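The "switch hard-wired into the executable" is the Subsystem field of the PE optional header. The following PowerShell, added as an example and not part of the answer above, reads that field directly and then launches a program in a console of its own, which is what `start <command>` and CreateProcess with CREATE_NEW_CONSOLE do:

```powershell
# Added example. Reads the PE Subsystem field (2 = GUI, 3 = CUI) that decides
# whether Windows creates or inherits a console for the program.
function Get-PeSubsystem {
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                  # e_lfanew: offset of "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "$Path has no PE signature" }
    # Optional header starts 4 (signature) + 20 (file header) bytes after e_lfanew.
    # Subsystem is the UInt16 at offset 0x44 of the optional header in PE32 and PE32+.
    $sub = [BitConverter]::ToUInt16($b, $pe + 24 + 0x44)
    switch ($sub) {
        2       { 'IMAGE_SUBSYSTEM_WINDOWS_GUI (no console; cmd.exe does not wait for it)' }
        3       { 'IMAGE_SUBSYSTEM_WINDOWS_CUI (console created or inherited; cmd.exe waits)' }
        default { "subsystem value $sub" }
    }
}

function Start-InOwnConsole {
    # Without -NoNewWindow, Start-Process gives a CUI program a fresh console,
    # the same effect as "start <command>" in cmd.exe or CreateProcess with
    # CREATE_NEW_CONSOLE. A GUI program gets no console either way.
    param([Parameter(Mandatory)][string]$Path, [string[]]$ArgumentList)
    $sp = @{ FilePath = $Path; PassThru = $true }
    if ($ArgumentList) { $sp.ArgumentList = $ArgumentList }
    Start-Process @sp
}

foreach ($exe in "$env:SystemRoot\System32\cmd.exe", "$env:SystemRoot\System32\notepad.exe") {
    '{0,-45} {1}' -f $exe, (Get-PeSubsystem $exe)
}
Start-InOwnConsole -Path "$env:SystemRoot\System32\cmd.exe" -ArgumentList '/k', 'title own console'
```

On a stock system cmd.exe reports the CUI subsystem and notepad.exe the GUI subsystem, which is exactly why cmd.exe waits for the first and not the second. Point Get-PeSubsystem at your own shell binary after linking to confirm which kind you built.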
How does the Windows program shutdown.exe make itself unclosable, even from Task Manager, but how does shutdown /a terminate it?
From the disassembly, it looks like it may be built into the kernel, but I'm unsure. I am not going to use it to write malware.
The program shutdown.exe does not make itself uncloseable, in fact it normally exits immediately. The window you're talking about is generated by the operating system itself to warn the user that a system shutdown is pending. (In more recent versions of Windows this warning is presented differently.) You can get the same effect in your own code by calling InitiateSystemShutdown.
Similarly, shutdown /a doesn't terminate the window, it just calls AbortSystemShutdown to cancel the shutdown. Windows then removes the warning window since it is no longer applicable.
If you were to figure out which process is actually generating the window, you could no doubt terminate that process, assuming you have admin access. On the other hand if it is one of the system critical processes then terminating it will crash the system.
How can I start my program automatically if it crashes on Windows 2003 Server? Sometimes my program just crashes. Is there a way in Windows, or a setting, that I can use?
There are several ways to create a process supervisor/guardian process on Windows.
First, is to leverage windows command line capabilities. Create a bat file:
@echo off
:start
REM start /w waits for the program to exit. The empty "" is the window title:
REM without it, start takes a quoted path as the title and never runs the program.
start /w "" "your app to watch.exe"
goto start
start /w will wait for the process to exit. When the process crashes and exits, the bat script will relaunch it.
Another option is to use the free supervisor tool https://github.com/chebum/Supervisor. It allows you to restart the crashed app, plus it lets you monitor two or more apps at once, and it will automatically close these apps when the supervisor's window is closed.
The usual approach is to run what is known as a guardian process. This is a separate process, often a service, that monitors the state of the main process. When the guardian detects that the main service has died, it re-spawns it.
To the very best of my knowledge, there is no built-in Windows functionality to do this for you.
Notice: running self-looping bat files can be useful, but unless you know what you're doing, they can wreak all kinds of havoc. This goes especially if you run them on startup. You have been warned.
Anyway. I just remembered something from my 286 days, when I played around a lot with BAT files. If you write the file
yourprogram.exe
some other event
the BAT file will run yourprogram, and then pause and wait around in the background until the program exits. After that it will run "some other event". This used to be kind of annoying if you wanted to run multiple things at once, but here it's actually useful. Using this, it's possible to make it run a loop that restarts the program (and reruns the bat file) as soon as it exits. Combine this with https://superuser.com/questions/62525/run-a-completly-hidden-batch-file, and you'll never even see it happening.
The final BAT file ("restart.bat" in this example) will look something like:
c:\[location]\yourprogram.exe
wscript "C:\[location]\invisible.vbs" "C:\[location]\restart.bat"
That's about it. Start the program (on startup via task or even just startup folder) with line 2, and this ought to solve your problem :)
Oh, if you want to stop the loop, just rename the bat file or put "// " in front of the two lines, save it, and exit the program.
If the program you are running requires admin rights, the solution I found was using psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to run both the program and the bat with elevated privileges. In that case the BAT will look like:
c:\[location]\psexec -h c:\[location]\yourprogram.exe
c:\[location]\psexec -h wscript "C:\[location]\invisible.vbs" "C:\[location]\restart.bat"
Then you run the bat as administrator, or run the second line (without the psexec part) from task scheduler with elevated privileges. BEWARE: running it as a normal user and clicking "no" on the UAC prompt gave me a BSOD, probably because it looped "can't run program because of lacking privileges" a couple of billion times or something :)
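A PowerShell version of the `start /w` ... `goto start` loop, added as an example and not taken from either answer above. It adds the two guards the batch versions lack: a launch that fails outright (missing file, refused elevation) is counted like a crash instead of spinning at full speed, and too many failures inside a short window end the loop. The path in the last line is a placeholder:

```powershell
# Added example: guardian loop with crash-rate limiting and exponential back-off.
function Start-Supervised {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList,
        [int]$MaxCrashes = 5,           # give up after this many failures ...
        [int]$WindowSeconds = 120,      # ... inside this many seconds
        [switch]$RestartOnCleanExit,    # by default exit code 0 (user closed it) ends the loop
        [string]$LogPath = (Join-Path $env:TEMP 'supervisor.log')
    )
    $failures = New-Object 'System.Collections.Generic.Queue[datetime]'
    while ($true) {
        $sp = @{ FilePath = $FilePath; Wait = $true; PassThru = $true }
        if ($ArgumentList) { $sp.ArgumentList = $ArgumentList }
        $started = Get-Date
        try   { $code = (Start-Process @sp).ExitCode }
        catch {
            # could not even start it: treat as a failure so the loop cannot spin
            $code = -1
            Add-Content $LogPath "$(Get-Date -Format s) launch failed: $_"
        }
        $ran = [int]((Get-Date) - $started).TotalSeconds
        Add-Content $LogPath "$(Get-Date -Format s) $FilePath exit code $code after ${ran}s"
        if ($code -eq 0 -and -not $RestartOnCleanExit) { return 'stopped: clean exit' }

        $failures.Enqueue((Get-Date))
        # forget failures older than the window
        while ($failures.Count -and ((Get-Date) - $failures.Peek()).TotalSeconds -gt $WindowSeconds) {
            [void]$failures.Dequeue()
        }
        if ($failures.Count -ge $MaxCrashes) {
            Add-Content $LogPath "$(Get-Date -Format s) $MaxCrashes failures in ${WindowSeconds}s, giving up"
            return 'stopped: crash loop'
        }
        # back off 2s, 4s, 8s ... capped at 30s between relaunches
        Start-Sleep -Seconds ([Math]::Min(30, [Math]::Pow(2, $failures.Count)))
    }
}

Start-Supervised -FilePath 'C:\Apps\yourprogram.exe'   # placeholder path
```

One caveat when supervising a crashing GUI program this way: if Windows Error Reporting shows its "has stopped working" dialog, the crashed process stays alive until someone clicks it and -Wait never returns. Set the DWORD DontShowUI to 1 under HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting on machines where the loop must run unattended.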
You can use RegisterApplicationRestart.
"If you register for restart and the application encounters an unhandled exception or is not responsive, the user is offered the opportunity to restart the application; the application is not automatically restarted without the user's consent."
For automatic restart without user intervention, there is also RestartOnCrash. Works with all Windows versions.
I was looking for something similar. There are two options to handle this - either you can write a small script by yourself or use something that is already existing.
After some googling I came across this nice list. The blogger has compiled about 8 tools to automatically restart a crashed or closed application.
Unfortunately there are no settings in Windows to automatically restart a regular program when it crashes.
Do you need to actively interact with your application's GUI? Some of the Service Wrappers (designed to run any application as a Windows Service) will monitor your application and restart it when it fails, but be sure to investigate Session 0 Isolation to ensure that it won't get in the way.
You may use some special app like BDV SystemEvents or any other. It allows you to specify an application which will be started if some other application is closed. Specify the same application as a Condition and as an Action and you will get the expected results.
Some installation applications stop (or appear to stop) the normal Windows boot sequence. The computer starts, the user logs in and then the installation program starts before others (like Windows Explorer).
How can I replicate this behaviour in my own program?
E.g.
OS Boot
Login
The program runs, updates etc.
The rest of the programs run (e.g. windows explorer and what ever runs on startup)
If you want to start an application before the shell starts, you can add a value to the Userinit value in the registry. In this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
There is a value named Userinit. Change it so your program is run before userinit.exe. For example, to start notepad before the shell/everything else is initialized:
C:\WINDOWS\system32\notepad.exe,C:\Windows\system32\userinit.exe
Use commas to separate the programs that should be started.
This works for Windows XP, Vista, and 7.
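The Userinit and Shell values in that Winlogon key are also well-known persistence locations, so anyone editing them should be able to audit them too. The PowerShell below is an added example, not part of the answer above: it reports both values and flags anything beyond the stock userinit.exe / explorer.exe, and it prepends a program to Userinit the way the answer describes, saving the old value first because a broken Userinit breaks logon for every user. Writing the key requires administrator rights:

```powershell
# Added example: audit and edit Winlogon's Userinit / Shell values.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonStartup {
    $v = Get-ItemProperty -Path $Winlogon -Name Userinit, Shell
    # the stock value is "C:\Windows\system32\userinit.exe," (trailing comma), so drop empties
    $userinit = @($v.Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        Userinit     = $userinit
        Shell        = $v.Shell
        # default: exactly one Userinit entry, userinit.exe, and explorer.exe as the shell
        LooksDefault = ($userinit.Count -eq 1 -and
                        [IO.Path]::GetFileName($userinit[0]) -ieq 'userinit.exe' -and
                        $v.Shell -ieq 'explorer.exe')
    }
}

function Add-UserinitProgram {
    # Prepends $Path so it runs before userinit.exe, i.e. before the shell starts.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$BackupFile = (Join-Path $env:TEMP 'Userinit.before.txt')
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "$Path does not exist; refusing to edit Userinit" }
    $old = (Get-ItemProperty -Path $Winlogon -Name Userinit).Userinit
    if (@($old -split ',' | Where-Object { $_.Trim() -ieq $Path }).Count) { return $old }  # already present
    $new = "$Path,$old"
    if ($PSCmdlet.ShouldProcess($Winlogon, "set Userinit = $new")) {
        Set-Content -LiteralPath $BackupFile -Value $old          # keep the old value to restore from
        Set-ItemProperty -Path $Winlogon -Name Userinit -Value $new
    }
    return $new
}

Get-WinlogonStartup
Add-UserinitProgram -Path "$env:SystemRoot\System32\notepad.exe" -WhatIf   # drop -WhatIf to apply
```

Run Get-WinlogonStartup before and after the change; LooksDefault turning false is what a defender looking for persistence in this key would see as well.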
I have not tried it but I assume that this is done by the registry entry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
There are even more registry keys - see the complete list documented here:
Definition of the RunOnce Keys in the Registry
But for your use case I would recommend to start your application as desktop shell similar to the proposed solution by "vcsjones". When your program has finished you can call explorer.exe to start loading the regular desktop.
You could possibly wrap a windows batch file .bat around explorer.exe
@echo off
something.exe
explorer.exe
But that wouldn't really make sure it's always started before explorer.exe
You could possibly change some registry value to select another 'shell' instead of explorer for that . .
If that is what you are actually looking for.
You should have a look at Windows Task Scheduler. Tasks can be scheduled to execute when a user (specific or any) logs on. The UI provided out-of-the-box by Windows illustrates what can actually be done with this standard Windows feature.
Another solution is to write a Windows service (the .msi Windows Installer is in fact a service).
I'm not sure you will be able to block Windows Explorer though...
Greetings all,
I'm working on a Windows program whose installation necessitates restarting explorer.exe. I know "Reboot your computer to complete the installation" is the standard method here, but I'd like my installer to give users the option of just restarting Explorer so they can start using my program immediately. What's the best way to do that? Of course I could just find and kill the process, but that seems rather icky. Is there some trick to, say, make Explorer think the user is logging off and close cleanly?
Thanks!
Is this an MSI install?
Have you considered using the Restart Manager?
Restart Manager will detect which processes are holding files/handles open and need to be restarted, and allow you to automatically stop/start those processes without a restart.
I could try to call ExitProcess or TerminateProcess to stop explorer.exe.
I don't know if you can implement this, but I downloaded PsTools from:
http://technet.microsoft.com/en-us/sysinternals/bb896649
Then I wrote the following batch file which kills and then executes the explorer.exe process:
pskill explorer.exe
psexec -d explorer.exe
exit
You can also try getting in touch with the author of PsTools, Mark Russinovich, on the TechNet site.
You could send it the WM_ENDSESSION message.
That might trick it into thinking the computer is shutting down. Then it will hopefully free all resources, close all open explorer windows, etc.
Then when it is closed, you can restart the process.
I use powershell in my post build events like this:
get-process explorer | kill
It generally auto restarts fine
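The reason `get-process explorer | kill` "generally auto restarts fine" is the Winlogon value AutoRestartShell, which is 1 by default: when the shell process dies, Winlogon starts it again. The PowerShell below is an added example, not from any of the answers above. It ends the user's explorer.exe, waits for Winlogon to bring it back where that value is set, and launches it by hand otherwise, so it does not end up with either no shell or two of them:

```powershell
# Added example: restart the desktop shell without a reboot, honouring AutoRestartShell.
function Restart-Explorer {
    param([int]$TimeoutSeconds = 10)
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $auto = (Get-ItemProperty -Path $winlogon -Name AutoRestartShell -ErrorAction SilentlyContinue).AutoRestartShell

    $before = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
    # Ends every explorer.exe of this user (other users' copies fail silently without admin rights).
    $before | Stop-Process -Force -ErrorAction SilentlyContinue
    $before | ForEach-Object { [void]$_.WaitForExit(5000) }

    if ($auto -eq 1) {
        # Winlogon relaunches the shell itself; wait for it instead of starting a duplicate.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline -and -not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
            Start-Sleep -Milliseconds 250
        }
    }
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        # AutoRestartShell is off, or Winlogon did not come back in time: start it ourselves.
        Start-Process -FilePath "$env:SystemRoot\explorer.exe"
        Start-Sleep -Seconds 1
    }
    return @(Get-Process -Name explorer -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
}

Restart-Explorer
```

This is the blunt instrument; it discards unsaved state in open Explorer windows. For an installer, the Restart Manager route suggested earlier in this thread is the documented way to find and restart the processes that actually hold your files open.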