Firefox.exe sometimes can't be seen by Process Lasso [FIXED]

BenYeeHua · December 04, 2013, 04:36:21 AM

Firefox.exe sometimes can't be seen by Process Lasso that it is launched.

This is a strange bug that I hardly to reproduce, but it will easy to happen, based on the log, it first run CommandExecuteHandler.exe, then CommandExecuteHandler.exe run Firefox.exe, while this is happen, sometimes Process Lasso will unseen Firefox.exe has been launched and log it, then showing in the process list.

In the attach you can see, CommandExecuteHandler.exe get run and end as it has launched Firefox.exe, but it don't showing when Firefox.exe has been launched...
But it is also strange, it will showing Firefox.exe running Plugin-container.exe in the log, and showing Plugin-container.exe in the process list.

As I am running Firefox for second times, it is showing in the process list, so for now I don't has the pic to showing that it is not showing in the process list.

BenYeeHua · December 05, 2013, 06:46:19 AM

So today I found out the Firefox that can't be seen by Process Lasso will leaving a dead process and showing in Process Lasso after some time, and when I found it, I am using IME, and the dead process will causing IME freezing the process that using IME.
I might try to find out what's happen.

Jeremy Collake · December 06, 2013, 06:13:35 PM

Hmm, this is interesting. Thanks for reporting it, I'm going to start looking into it.

BenYeeHua · December 07, 2013, 05:19:19 AM

Hmm, it look like this issues has been fixed by restart too?
I guess it is because my anti-virus etc get updated, or Firefox get updated(Nightly update everyday).

Too bad I don't create the minidump while it is freezing...

---
Yup, I just rethink again, Nightly has a bug, which is after you update, you has a chance to get empty Description for Firefox.exe.
I guess this has some relationship?

edkiefer · December 07, 2013, 09:41:48 AM

I don't run native FF but run Palemoon (slightly optimized FF core ), all seems ok here with proper naming when launched .

BenYeeHua · December 07, 2013, 02:22:00 PM

Yup, I guess I need a long time to find out what's happening.

Jeremy Collake · December 07, 2013, 02:27:37 PM

In the last 3 months, I've added extensive new debug logging. So, I'll enable debug output in the next beta, and you can use DebugView to see what's going on - and/or send me the log for analysis. It will tell us exactly what is happening. I'll pump out a new beta today.

BenYeeHua · December 07, 2013, 02:52:13 PM

Ok, thank for letting me know, but I need to find out the ways to reproduce first.

BenYeeHua · December 08, 2013, 11:55:02 PM

En, I somehow reproduce it, it look like it needs the first boot of Firefox+windows from hibernate?

I wonder can it be stutter or slow down causing PL don't get monitor it or not.
---
Lucky, I got it!

Code Select

00000461 277.57171631 [8252] Process Lasso: Removing dead process from the list: firefox.exe 
00000462 277.57177734 [8252] Process Lasso: pg: cleaning up terminated process 7220 firefox.exe 
00000463 277.57196045 [8252] Process Lasso: Erasing a process ... 
00000464 278.58645630 [8252] Process Lasso: Managing 49 processes ... 
00000465 279.60223389 [8252] Process Lasso: Got username via token user 
00000466 279.60229492 [8252] Process Lasso: CommandExecuteHandler.exe actualized to CommandExecuteHandler.exe 
00000467 279.60232544 [8252] Process Lasso: new process to manage, 4732 CommandExecuteHandler.exe 
00000468 279.60235596 [8252] Process Lasso: pg: Process needs log entry emitted on creation .. 
00000469 279.60241699 [8252] Process Lasso: new process, no termination, adding to list 
00000470 279.60241699 [8252] Process Lasso: pg: Adding new process CommandExecuteHandler.exe to list, size of link will be 0xc0 
00000471 279.60244751 [8252] Process Lasso: pg.Adding: Process CommandExecuteHandler.exe 4732 
00000472 279.60263062 [8252] Process Lasso: Got username via token user 
00000473 279.61718750 [8252] Process Lasso: pg: Not managing this process due to insufficient access 
00000474 279.61734009 [8252] Process Lasso: pg: Ignored process firefox.exe 
00000475 280.61871338 [8252] Process Lasso: Managing 50 processes ...

"Not managing this process due to insufficient access"...

Wait, I am running with Admin right, both or them.(Firefox and PL)
I guess it is too early to detect Firefox, and look on it?
Because if it looking it too early, then it match that why I can more easy to see this after boot, as it is cool boot, it will need Firefox a long time to boot up.

----
And yes, I found 1 more, it look like for any process that showing insufficient access, PL choose to not "log" it, but still showing it in the Process List.
I think this can be also improved?

And loled for my Anti-virus, protecting itself, and PL choose to not manage it.
I guess this is why there are nothing happen with my Anti-virus.

I will upload the log in the area that we can access only.

---
En...
It look like explorer.exe also showing this information, it is caused by SafeBoot or?

BenYeeHua · December 12, 2013, 05:17:40 AM

I guess it become worst?
Even CommandExecuteHandle.exe PL also can't log it...

Jeremy Collake · December 12, 2013, 11:39:06 AM

Thanks BenYeeHua! I appreciate you posting the debug output, all this is very helpful.

I am going to start looking into this more closely soon. It's next on my list for Lasso maintenance.

BenYeeHua · December 12, 2013, 12:24:46 PM

Yup, it look like it can be the cool boot or booting the software need a long time, at that time, PL can't access it, then set it as protected processes.

So far I can easy to reproduce this bug with cool boot of Firefox.
---
I guess it will be 2 bug that need to be fixed.

1.Protected processes need to be logging into the log, not just ignore it and put it into the process list without logging it.
2.Don't list a booting software that can't be access as protected processes, but trying to access it again after 5-10 second?

ellison · December 12, 2013, 05:14:37 PM

I guess my post is related maybe to the self protection .
https://bitsum.com/forum/index.php/topic,3648.msg14075.html#msg14075
Firefox when run in sandboxie, doesn't show ,neither does outpost firewall when its self protection is enabled (shows when disabled).Im not sure why firefox in sandboxie doesnt show though ,unless theres some sort of protection going on there too/

Jeremy Collake · December 12, 2013, 09:24:52 PM

On issue #1: Processes can be ignored by the governor due to insufficient access if they are in the process of loading when the governor first checks them

Quote"Not managing this process due to insufficient access"...
Because if it looking it too early, then it match that why I can more easy to see this after boot, as it is cool boot, it will need Firefox a long time to boot up

It would appear you are right about the cause here. Newer versions don't recheck processes once they are found to be inaccessible. That's why this may have just recently appeared.

I will have to better handle this situation, and will do so ASAP.

On issue #2: Tamper protected processes are not logged.

I'll be back about this.

Jeremy Collake · December 12, 2013, 09:40:29 PM

I've fixed issue #1 - processes 'skipped' when caught during initialization - in v6.7.0.29 beta. I will announce this build eventually, though it will be silently uploaded in about an hour. Work will continue on this.

This problem erupted only recently - the last month - after a recent optimization to not re-check processes where there was insufficient access.

BenYeeHua · December 13, 2013, 07:01:16 AM

Ok, good to hear about that, I will testing it on next restart/boot, but I guess it will be tomorrow.

BenYeeHua · December 14, 2013, 03:47:05 AM

So I just tested, so far so good, it is showing in the log.

Jeremy Collake · December 16, 2013, 03:58:20 AM

Thanks. I am still evaluating this change, I want to improve the performance - that's how it got broken, me attempting to improve the performance. While it may never matter to anyone else, optimality does matter to me

.

BenYeeHua · December 16, 2013, 05:38:59 AM

Yup, but I guess stability is also on the list too?