Firefox.exe sometimes can't be seen by Process Lasso [FIXED]

Started by BenYeeHua, December 04, 2013, 04:36:21 AM

Previous topic - Next topic

BenYeeHua

Firefox.exe sometimes can't be seen by Process Lasso that it is launched. :)

This is a strange bug that I hardly to reproduce, but it will easy to happen, based on the log, it first run CommandExecuteHandler.exe, then CommandExecuteHandler.exe run Firefox.exe, while this is happen, sometimes Process Lasso will unseen Firefox.exe has been launched and log it, then showing in the process list.

In the attach you can see, CommandExecuteHandler.exe get run and end as it has launched Firefox.exe, but it don't showing when Firefox.exe has been launched...
But it is also strange, it will showing Firefox.exe running Plugin-container.exe in the log, and showing Plugin-container.exe in the process list.

As I am running Firefox for second times, it is showing in the process list, so for now I don't has the pic to showing that it is not showing in the process list.

BenYeeHua

So today I found out the Firefox that can't be seen by Process Lasso will leaving a dead process and showing in Process Lasso after some time, and when I found it, I am using IME, and the dead process will causing IME freezing the process that using IME.
I might try to find out what's happen. :)

Jeremy Collake

Hmm, this is interesting. Thanks for reporting it, I'm going to start looking into it.
Software Engineer. Bitsum LLC.

BenYeeHua

#3
Hmm, it look like this issues has been fixed by restart too?
I guess it is because my anti-virus etc get updated, or Firefox get updated(Nightly update everyday).

Too bad I don't create the minidump while it is freezing... :P
---
Yup, I just rethink again, Nightly has a bug, which is after you update, you has a chance to get empty Description for Firefox.exe.
I guess this has some relationship?

edkiefer

I don't run native FF but run Palemoon (slightly optimized FF core ), all seems ok here with proper naming when launched .
Bitsum QA Engineer

BenYeeHua

Yup, I guess I need a long time to find out what's happening.

Jeremy Collake

In the last 3 months, I've added extensive new debug logging. So, I'll enable debug output in the next beta, and you can use DebugView to see what's going on - and/or send me the log for analysis. It will tell us exactly what is happening. I'll pump out a new beta today.
Software Engineer. Bitsum LLC.

BenYeeHua

Ok, thank for letting me know, but I need to find out the ways to reproduce first. :)

BenYeeHua

En, I somehow reproduce it, it look like it needs the first boot of Firefox+windows from hibernate?

I wonder can it be stutter or slow down causing PL don't get monitor it or not.
---
Lucky, I got it! ;)
00000461 277.57171631 [8252] Process Lasso: Removing dead process from the list: firefox.exe
00000462 277.57177734 [8252] Process Lasso: pg: cleaning up terminated process 7220 firefox.exe
00000463 277.57196045 [8252] Process Lasso: Erasing a process ...
00000464 278.58645630 [8252] Process Lasso: Managing 49 processes ...
00000465 279.60223389 [8252] Process Lasso: Got username via token user
00000466 279.60229492 [8252] Process Lasso: CommandExecuteHandler.exe actualized to CommandExecuteHandler.exe
00000467 279.60232544 [8252] Process Lasso: new process to manage, 4732 CommandExecuteHandler.exe
00000468 279.60235596 [8252] Process Lasso: pg: Process needs log entry emitted on creation ..
00000469 279.60241699 [8252] Process Lasso: new process, no termination, adding to list
00000470 279.60241699 [8252] Process Lasso: pg: Adding new process CommandExecuteHandler.exe to list, size of link will be 0xc0
00000471 279.60244751 [8252] Process Lasso: pg.Adding: Process CommandExecuteHandler.exe 4732
00000472 279.60263062 [8252] Process Lasso: Got username via token user
00000473 279.61718750 [8252] Process Lasso: pg: Not managing this process due to insufficient access
00000474 279.61734009 [8252] Process Lasso: pg: Ignored process firefox.exe
00000475 280.61871338 [8252] Process Lasso: Managing 50 processes ...

"Not managing this process due to insufficient access"...

Wait, I am running with Admin right, both or them.(Firefox and PL)
I guess it is too early to detect Firefox, and look on it?
Because if it looking it too early, then it match that why I can more easy to see this after boot, as it is cool boot, it will need Firefox a long time to boot up. :)
----
And yes, I found 1 more, it look like for any process that showing insufficient access, PL choose to not "log" it, but still showing it in the Process List.
I think this can be also improved?

And loled for my Anti-virus, protecting itself, and PL choose to not manage it.
I guess this is why there are nothing happen with my Anti-virus. :)

I will upload the log in the area that we can access only. ;D
---
En...
It look like explorer.exe also showing this information, it is caused by SafeBoot or?

BenYeeHua

I guess it become worst?
Even CommandExecuteHandle.exe PL also can't log it...

Jeremy Collake

Thanks BenYeeHua! I appreciate you posting the debug output, all this is very helpful.

I am going to start looking into this more closely soon. It's next on my list for Lasso maintenance.
Software Engineer. Bitsum LLC.

BenYeeHua

Yup, it look like it can be the cool boot or booting the software need a long time, at that time, PL can't access it, then set it as protected processes.

So far I can easy to reproduce this bug with cool boot of Firefox.
---
I guess it will be 2 bug that need to be fixed. :)
1.Protected processes need to be logging into the log, not just ignore it and put it into the process list without logging it.
2.Don't list a booting software that can't be access as protected processes, but trying to access it again after 5-10 second?

ellison

I guess my post is related maybe to the self protection .
https://bitsum.com/forum/index.php/topic,3648.msg14075.html#msg14075
Firefox when run in sandboxie, doesn't show ,neither does outpost firewall when its self protection is enabled (shows when disabled).Im not sure why firefox in sandboxie doesnt show though ,unless theres some sort of protection going on there too/

Jeremy Collake

On issue #1: Processes can be ignored by the governor due to insufficient access if they are in the process of loading when the governor first checks them

Quote"Not managing this process due to insufficient access"...
Because if it looking it too early, then it match that why I can more easy to see this after boot, as it is cool boot, it will need Firefox a long time to boot up

It would appear you are right about the cause here. Newer versions don't recheck processes once they are found to be inaccessible. That's why this may have just recently appeared.

I will have to better handle this situation, and will do so ASAP.


On issue #2: Tamper protected processes are not logged.

I'll be back about this.
Software Engineer. Bitsum LLC.

Jeremy Collake

I've fixed issue #1 - processes 'skipped' when caught during initialization - in v6.7.0.29 beta. I will announce this build eventually, though it will be silently uploaded in about an hour. Work will continue on this.

This problem erupted only recently - the last month - after a recent optimization to not re-check processes where there was insufficient access.
Software Engineer. Bitsum LLC.

BenYeeHua

Ok, good to hear about that, I will testing it on next restart/boot, but I guess it will be tomorrow. :)

BenYeeHua


Jeremy Collake

Thanks. I am still evaluating this change, I want to improve the performance - that's how it got broken, me attempting to improve the performance. While it may never matter to anyone else, optimality does matter to me ;).
Software Engineer. Bitsum LLC.

BenYeeHua