When our devs are trying to debug a C++/Winrt ncalrpc RPC server after attaching the newly built and running server process to a VS2017 debugger, they can't breakpoint to new or modified lines of code even if enabling breakpointing to code that isn't exactly the same; it produces an unexpected symbol error message inside the IDE.
I was informed by a team member this was happening due to lingering RPC connections to the RPC Endpoints from other apps and services that use the core service. I don't know a lot about RPC but have been reading up. Checking the core service's source seems to indicate that they're doing everything correctly for stopping the server,
RPC_STATUS rs = 0;
rs = RpcMgmtStopServerListening(NULL);
//...
rs = RpcServerUnregisterIf(RPC_IF_SPEC, nullptr, 0);
//...
rs = RpcEpUnregister(RPC_IF_SPEC, BindingVector, nullptr);
But to be honest it could also be that they should be using rs = RpcServerUnregisterIf(NULL, NULL, 0); instead, I really couldn't say.
Right now we either have to manually track down all the processes that connect to this service and kill/stop them or take the "easy" way out and perform a reboot after installing the new service, allowing us to debug in the correct file locations when attaching the process to VS2017.
My utility idea to get around this was to see if I can generate a list of processes connecting to the RPC Endpoint, nuke them, install the new service, then restart them.
Alternatively this article seems to indicate that avoiding this issue in the first place is possible via something called an Associations, but is somewhat vague on how to do that.
The association itself is reference-counted, and when all references are gone, it stops and closes all connections. Every binding handle and every context handle hold a reference on the association. When all are closed, the association disappears.
Update:
The accepted answer indicates this is not possible with an external process; it is not a way to accomplish this goal with an external process.
RPC has an RpcServerInqCallAttributes function that an RPC server can use during a client call to obtain the client's security context attributes and other information.
You must pass a RPC_CALL_ATTRIBUTES_V2 available only with Windows Vista and higher Windows version (or RPC_CALL_ATTRIBUTES_V3 availble with Windows 8 and higher), so something like this:
// the code depends on the minimal platform you compile for
RPC_CALL_ATTRIBUTES atts = { 0 }; // should map to RPC_CALL_ATTRIBUTES_V2 or RPC_CALL_ATTRIBUTES_V3
atts.Version = RPC_CALL_ATTRIBUTES_VERSION; // should be 2 or 3
atts.Flags = RPC_QUERY_CLIENT_PID;
RpcServerInqCallAttributes(0, &atts);
... pid is in atts.ClientPID ...
This can only be called from the RPC server itself, so you'd have to record all client pids somehow and add some API to the server to be able to list them.
Related
I am using Interop.Domino to work with .NSF file. To generate the html mime entity I used the nnote but in some case it failed to generate it so in that case I took the RTFTEXT / PLIAN TEXT as output.
so I used CreateMIMEEntity for it.
NotesMIMEEntity MIMEBody = NoteDocument.CreateMIMEEntity("Body");
It works but it holds the control on the Database (.nsf file), file is getting mark as being used in another process.
By troubleshooting it it clear that above statement holds the control.
I have released all the Note objects assigned with it.Still problem remains same.
Is there are proper way to use it or release it?
The Notes core DLLs that are underneath the COM classes keep databases open in cache. The only way that I know of to close them is to terminate the process that loaded the DLLs. One option is to design code using the COM API so that it dispatches short-term worker processes to open the database, do the work, and terminate. Yeah, it's ugly and slow, but if you need a long-running service and you're using the COM API instead of the Notes C API, it's the best way.
In any case, the cached open databases should not cause a sharing violation if you are opening the database through the Domino server. If you are using "" instead of the server name when opening the database however, it's going to be a problem -- and you shouldn't even do that in short-running worker processes.
As a part of my project, I get an event notification every time a Service is Started or Stopped using the WMI class Win32_Service through an EventSink.
I want to detect the application which had requested "services.exe" to start a particular service.
Till now, I tried Monitoring ALPC calls between any process and "services.exe" and got a Message_ID every time a process communicates (sends/receives) any information to/from "services.exe" using the ALPC Class. I would like to know what these messages are so that I can decode a StartService() or a StopService() procedure.
Is there any way to detect which application starts/stops a service?
The best way to do this, in my opinion, would be from kernel-mode using the PsSetCreateProcessNotifyRoutine/Ex/Ex2 kernel-mode callback.
If you're going to be using PsSetCreateProcessNotifyRoutine, you will receive less information than if you were using the Extended version of the kernel-mode callback (the Ex one). However, you can still query information such as the image file path of the parent process (or the one being created) by using PsLookupProcessByProcessId to get a pointer to the _EPROCESS structure and then relying on SeLocateProcessImageName (undocumented, however it is accessible in WDK by default).
The SeLocateProcessImageName routine will rely internally on that _EPROCESS structure, since information like the path of the process image on-disk is all tracked by the Windows kernel there.
If you're going to be using the Ex version of the kernel-mode callback, then you eliminate the need to do what is mentioned above. The Ex version of the routine is more recent than the non-Ex version.
The routine prototype for the callback routine will be:
VOID
CreateProcessNotifyRoutineEx(
PEPROCESS Process,
HANDLE ProcessId,
PPS_CREATE_NOTIFY_INFO CreateInfo
)
As seen above, you get a pointer to the _PS_CREATE_NOTIFY_INFO structure. You can then access the ImageFileName and CommandLine fields to filter for services.exe (make sure you filter properly to not catch it for a rogue copy - so ensure full path indicates its the real one) and gain more insight into why it was being invoked (if such information is exposed via the command-line... I cannot remember - nonetheless, you can still detect its creation and be aware of who spawned it).
To determine the parent who was responsible for the process creation operation of services.exe (e.g. if it relied on the Service Manager which in turn resulted in the spawning of it), you can rely on the ParentProcessId field (under the _PS_CREATE_NOTIFY_INFO structure as well). The SeLocateProcessImageName trick will work perfectly here.
SeLocateProcessImageName is undocumented so here is the routine prototype:
NTSTATUS
NTAPI
SeLocateProcessImageName(
PEPROCESS Process,
PUNICODE_STRING *ImageName
);
At-least with the latest Windows 10 WDK, it's already available by default. If you wanted to though, you can use a dynamic import with MmGetSystemRoutineAddress.
Resources:
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutine
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex2
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-mmgetsystemroutineaddress
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-pslookupprocessbyprocessid
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/ns-ntddk-_ps_create_notify_info
Our application has a feature to actively connect to the customers' internal factory network and send a message when inspection events occur. The customer enters the IP address and port number of their machine and application into our software.
I'm using a TClientSocket in blocking mode and have provided callback functions for the OnConnect and OnError events. Assuming the abovementioned feature has been activated, when the application starts I call the following code in a separate thread:
// Attempt active connection
try
m_socketClient.Active := True;
except
end;
// Later...
// If `OnConnect` and socket is connected...send some data!
// If `OnError`...call `m_socketClient.Active := True;` again
When IP + port are valid, the feature works well. But if not, after several thousand errors (and many hours or even days) eventually Windows socket error 10055 (WSAENOBUFS) occurs and the application crashes.
Various articles such as this one from ServerFramework and this one from Microsoft talk about exhausting the Windows non-paged pool and mention (1) actively managing the number outstanding asynchronous send operations and (2) releasing the data buffers that were used for the I/O operations.
My question is how to achieve this and is three-fold:
A) Am I doing something wrong that memory is being leaked? For example, is there some missing cleanup code in the OnError handler?
B) How do you monitor I/O buffers to see if they are being exhausted? I've used Process Explorer to confirm my application is the cause of the leak, but ideally I'd need some programmatic way of measuring this.
C) Apart from restarting the application, is there a way to ask Windows to clear out or release I/O operation data buffers?
Code samples in Delphi, C/C++, C# fine.
A) The cause of the resource leak was a programming error. When the OnError event occurs, Socket.Close() should be called to release low-level resources associated with the socket.
B) The memory leak does not show up in the standard Working Set memory use of the process. Open handles belonging to your process need to be monitored which is possible with GetProcessHandleCount. See this answer in Delphi which was tested and works well. This answer in C++ was not tested but the answer is accepted so should work. Of course, you should be able to use GetProcessHandleCount directly in C++.
C) After much research, I must conclude that just like a normal memory leak, you cannot just ask Windows to "clean up" after you! The handle resource has been leaked by your application and you must find and fix the cause (see A and B above).
I'm using Chromium Embedded Framework 3 (via CEFGlue) to host a browser in a third-party process via a plugin. CEF spins up various external processes (e.g. the renderer process) and manages the lifetime of these.
When the third-party process exits cleanly, CefRuntime.Shutdown is called and all the processes exit cleanly. When the third-party process exits badly (for example it crashes) I'm left with CEF executables still running and this (sometimes) causes problems with the host application meaning it doesn't start again.
I'd like a way to ensure that whatever manner the host application exits CefRuntime.Shutdown is called and the user doesn't end up with spurious processes running.
I've been pointed in the direction of job objects (see here) but this seems like it might be difficult to ship in a real solution as on some versions of Windows it requires administrative rights.
I could also set CEF to run in single process mode, but the documentation specifies that this is really for "debugging" only, so I'm assuming shipping this in production code is bad for some reason (see here).
What other options do I have?
Following on from the comments, I've tried passing the PID of the host process through to the client (I can do this by overriding OnBeforeChildProcessLaunch). I've then created a simple watchdog with the following code:
ThreadPool.QueueUserWorkItem(_ => {
var process = Process.GetProcessById(pid);
while (!process.WaitForExit(5000)) {
Console.WriteLine("Waiting for external process to die...");
}
Process.GetCurrentProcess().Kill();
});
I can verify in the debugger that this code executes and that the PID I'm passing into it is correct. However, if I terminate the host process I find that the thread simply dies in a way that I can't control and that the lines following the while loop are never executed (even if I replace it with a Console.WriteLine I never see any more messages printed from this thread.
For posterity, the solution suggested by #IInspectable worked, but in order to make it work I had to switch the implementation of of the external process to use the non-multi threaded message loop.
settings.MultiThreadedMessageLoop = false;
CefRuntime.Initialize(mainArgs, settings, cefWebApp, IntPtr.Zero);
Application.Idle += (sender,e) => {
if (parentProcess.HasExited) Process.GetCurrentProcess().Kill();
CefRuntime.DoMessageLoopWork();
}
Application.Run();
I made a GUI application that must run in my DELL server to send queries for 24 hours.
In case where the application is stopped by random users, or whatever it is, I created a service program that detects when it stops running, and executes it again.
The problem is, in service, FindWindow() doesn't properly work (always returns nullptr) because Microsoft changed its OS service policies since XP. And my service program has no way to find if the program is on the process list or not.
I found some solutions on the internet, which is to "allow service to interact with desktop on service panel" but since it was a long time ago so doesn't quite fit into the current OS version.
Should I use IPC instead? or any other ways to fix?
I believe that there has got to be a way to do this, because executing a process from service is also possible by using CreateProcessAsUser().
Any advice will be truly appreciated.
Thanks in advance.
So I did what Remy Lebeau suggessted for me, and it properly works in Windows 7, and 2008.
Here's how I went step by step.
Create a named mutex in the global namespace in the GUI application.
::CreateMutex(nullptr, false, L"Global\\MyMutex");
Check periodically if the mutex has disappeared or not
by using CreateMutex(), and do not forget to take care of the reference count to the handle.
HANDLE hDetector = ::CreateMutex(nullptr, false, L"Global\\MyMutex");
if (GetLastError() == ERROR_ALREADY_EXISTS)
{
// The GUI application is still running.
// ...
::CloseHandle(hDetector);
}
else
{
// The GUI application is not running.
// ...
::CloseHandle(hDetector);
}
See it work.