How does the Windows program shutdown.exe make itself unclosable, even from Task Manager, but how does shutdown /a terminate it?
From the disassembly, it looks like it may be built into the kernel, but I'm unsure. I am not going to use it to write malware.
The program shutdown.exe does not make itself uncloseable, in fact it normally exits immediately. The window you're talking about is generated by the operating system itself to warn the user that a system shutdown is pending. (In more recent versions of Windows this warning is presented differently.) You can get the same effect in your own code by calling InitiateSystemShutdown.
Similarly, shutdown /a doesn't terminate the window, it just calls AbortSystemShutdown to cancel the shutdown. Windows then removes the warning window since it is no longer applicable.
If you were to figure out which process is actually generating the window, you could no doubt terminate that process, assuming you have admin access. On the other hand if it is one of the system critical processes then terminating it will crash the system.
Related
I'm trying to run some dynamic analysis routines on Windows programs, using things like Intel Pin and DynamoRIO. I am running Windows 11. A problem I am having is when I use cmd.exe to launch an interactive application, control returns immediately to the interpreter after the application has been launched. This means those apps don't get analyzed properly.
For example, if I use DynamoRIO to instrument the File Explorer like this:
drrun.exe -t drcachesim -- explorer.exe
Then DynamoRIO returns immediately after explorer.exe is launched, and it doesn't actually instrument File Explorer when the user can interact with it.
I've had similar issues with Intel Pin. It seems the root issue is cmd.exe detaches from processes immediately after launching them. I am a complete novice Windows developer, so there is probably some mechanism I am unaware of that is causing this. I would be grateful or any insight or feedback here.
Two things to note here.
cmd.exe waits for console programs but not GUI programs. Use the start command to wait on GUI programs: start /wait notepad.exe.
Explorer.exe will often communicate with an existing instance of itself and then just exit. Exit Explorer and then use Task manager to kill all Explorer.exe instances and then run your command.
I have an application made with matlab compiler.
I want to do some shutdown activities whenever it ends. As it seems to be impossible to catch signals in matlab (or I'm not able to), I checked to use onCleanup (Matlab: Is it possible to create signal handlers (.m scripts)). It is working within matlab (native), but not within the compiled application.
I tried to end the application with CTRL-C and with taskkill (which only work with /f). In both cases the onCleanup-method was NOT executed.
For testing purposes here
function sigtest(varargin)
remainder=onCleanup(#()save('exit.mat'));
b=1;
while true
disp(datestr(now));
a=rand(round(5*b));%to be saved
pause(10);
b=a(1);
end
my source code, which I compiled via mcc -m -v sigtest.m.
As onether try, I inserted the lines
myexiter=addlistener(System.AppDomain.CurrentDomain,'ProcessExit',...
#(a,b)save('listexit.mat'));
after line 2, but also this .NET-Event is not working.
If you're registering shutdown activities within M-code, they're only going to work on a graceful shutdown of the process. The taskkill /f command will do a "forceful" shutdown, which I think will terminate the process immediately. The Matlab interpreter won't get a chance to run whatever cleanup code is still pending. I think Ctrl-C on a console application (which the compiled sigtest.m will be running as) will have the same effect. Same applies to the .NET-Event: if you forcefully kill the process, that callback never gets a chance to run.
If you want on-exit code, or any other cleanup stuff, to run, you need to find a way for the program to find out when it should exit and initiate a more graceful shutdown itself. For example, in your sigtest example, you could check stdin at the end of every pass through the loop, see if the user has typed 'quit', and if so call exit(). Then your onCleanup stuff should run.
In a GUI compiled Matlab application, this is more straightforward; you have GUI controls to exit the application. I don't know what the canonical way is to make a console compiled Matlab application responsive to user exit requests, or if there even is a good one. You might want to make this a GUI app if you think the user might want to request a graceful abort of its operation.
Yesterday I ran a BIOS update on a Windows7 computer. The BIOS update tool performed a shutdown of Windows and without restarting the computer (so directly after Windows shutdown), a DOS-like tool started that updated the BIOS.
I searched the WWW but all I can find is how to execute applications at Windows shutdown (so before windows goes down) or at logoff (logoff scripts).
Does anyone have any clue on how to achieve this?
It is my guess that the machine had in fact performed a soft-reboot and was running BIOS code. That's the usual approach, and in some cases the soft-reboot may not be visible to the user, i.e., the BIOS self-update code may run before the POST.
However, it is (or at least used to be) possible to run Windows code post-shutdown, although obviously it is limited in what it can do. The key information can be found in the MSDN library entry on the Service Control Handler Function:
After this time expires, system shutdown proceeds regardless of whether service shutdown is complete. Note that if the system is left in the shutdown state (not restarted or powered down), the service continues to run.
So, at least in principle, all you need to do is to install a service that asks for shutdown notification but does not actually stop when shutdown occurs, and then instruct Windows to shut down without rebooting or powering off. I have actually seen this happen, but only on older versions of Windows (before automatically powering off at shutdown became the default!) so I can't guarantee that it still works, although it definitely did once.
It should, however, be noted that this will not necessarily give you the sort of environment you may be thinking of. For example, device drivers are not necessarily unloaded before shutdown; after all, what would be the point?
You can run Local Group policy - gpedit.msc (From run).
Under Computer Configuration choose Windows Settings
choose Scripts(Startup/Shutdown)
On Shutdown properties you can add script and also mention parameters if needed.
I also advised you to look at the following question - how to delay shutdown and run a process in window service
How can I start my program automatically if it crashes on windows 2003 server? Sometimes my program just crashes, is there a way in windows or settings that I can set?
There are several ways to create a process supervisor/guardian process on Windows.
First, is to leverage windows command line capabilities. Create a bat file:
#echo off
:start
start /w "your app to watch.exe"
goto start
start /w will wait for the process to exit. When the process crashes and exits, the bat script will relaunch it.
Another option is to use free supervisor tool https://github.com/chebum/Supervisor. It allows to restart the crashed app, plus it allows to monitor two or more apps at once and it will automatically close these apps when supervisor's window is closed.
The usual approach is to run what is known as a guardian process. This is a separate process, often a service, that monitors the state of the main process. When the guardian detects that the main service has died, it re-spawns it.
To the very best of my knowledge, there is not built in Windows functionality to do this for you.
Notice: running self-looping bat files can be useful, but unless you know what you're doing, they can wreak all kinds of havoc. This goes especially if you run them on startup. You have been warned.
Anyway. I just remembered something from my 286 days, when I played around a lot with BAT files. If you write the file
yourprogram.exe
some other event
the BAT file will run yourprogram, and then pause and wait around in the background until the program exits. After that it will run "some other event". This used to be kind of annoying if you wanted to run multiple things at once, but here it's actually useful. Using this, it's possible to make it run a loop that restarts the program (and reruns the bat file) as soon as it exits. Combine this with https://superuser.com/questions/62525/run-a-completly-hidden-batch-file, and you'll never even see it happening.
The final BAT file ("restart.bat" in this example) will look something like:
c:\[location]\yourprogram.exe
wscript "C:\[location]\invisible.vbs" "C:\[location]\restart.bat"
That's about it. Start the program (on startup via task or even just startup folder) with line 2, and this ought to solve your problem :)
Oh, if you want to stop the loop, just rename the bat file or put "// " in front of the two lines, save it, and exit the program.
If the program you are running requires admin rights, the solution I found was using psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to run both the program and the bat with elevated privileges. In that case the BAT will look like:
c:\[location]\psexec -h c:\[location]\yourprogram.exe
c:\[location]\psexec -h wscript "C:\[location]\invisible.vbs" "C:\[location]\restart.bat"
Then you run the bat as administrator, or run the second line (without the psexec part) from task scheduler with elevated privileges. BEWARE: running it as a normal user and clicking "no" on the UAC prompt gave me a BSOD, probably because it looped "can't run program because of lacking privileges" a couple of billion times or something :)
You can use RegisterApplicationRestart.
"If you register for restart and the application encounters an
unhandled exception or is not responsive, the user is offered the
opportunity to restart the application; the application is not
automatically restarted without the user's consent. "
For automatic restart without user intervention, there is also RestartOnCrash. Works with all Windows versions.
I was looking for something similar. There are two options to handle this - either you can write a small script by yourself or use something that is already existing.
After some googling I came across this nice list. The blogger has compiled about 8 tools to automatically restart a crashed or closed application.
Unfortunately there are no settings in Windows to automatically restart a regular program when it crashes.
Do you need to actively interact with your application's GUI? Some of the Service Wrappers (designed to run any application as a Windows Service) will monitor your application and restart it when it fails, but be sure investigate Session 0 Isolation to ensure that it won't get in the way.
You may use some special app like BDV SystemEvents or any other. It allows you to specify application which will be started if some another application is closed. Specify the same application as a Condition and as an Action and you will get expected results.
How to reload a crashed process on Windows? Of course, I can run a custom monitoring Win service process. But, for example, Firefox: it doesn't seem to install such a thing, but still it can restart itself when it crashes.
On Vista and above, you can use the RegisterApplicationRestart API to automatically restart when it crashes or hangs.
Before Vista, you need to have a top level exception filter which will do the restart, but be aware that running code inside of a compromised process isn't entirely secure or reliable.
Firefox constantly saves its state to the hard disk, every time you open a tab or click a link, or perform some other action. It also saves a flag saying it shut down safely.
On startup, it reads this all back, and is able to "restore" based on that info.
Structured exception handling (SEH) allows you to catch program crashes and to do something when it happens.
See: __try and __except
SEH can be very dangerous though and could lead to your program hanging instead. Please see this article for more information.
If you write your program as an NT service then you can set the first, second and subsequent failure actions to "Restart the service".
For Windows 2008 server and Windows Vista and Windows 7 you can use the Win32 API RegisterApplicationRestart
Please see my answer here for more information about dealing with different types of program crashes.
If I recall correctly Windows implements at least some subset of POSIX and so "must" have the signal interface (things like SIGKILL, SIGSEGV, SIGQUIT etc.).
I've never done this but on linux, but you could try setting the unexpected termination trap with signal() (signal.h).
From quick scan of docs it seems that very few things can be done while handling signal, it may be possible that even starting a new process is on forbidden list.
Now that I've thought about it, I'd probably go with master/worker pattern, very simple parent thread that does nothing but spawns the worker (that does all the UI / other things). If it does not set a specific "I'm gonna die now" bit but still dies (parent process always gets message / notification that spawned process died) then master respawns the worker. The main theme is keep master very simple and hard to die due to own bugs.