
Windows 10 SearchUI.exe

Posted: Wed Sep 09, 2015 3:11 pm
by dudul
Hi,
I have a problem on Windows 10 only.
Sometimes when I uninject, some of the injected files still stay captured by the Windows 10 SearchUI.exe process.

It works perfectly on Windows 7/8/8.1.

Any suggestions?

Thank you in advance

Re: Windows 10 SearchUI.exe

Posted: Wed Sep 09, 2015 3:27 pm
by madshi
Is it a Metro app? Maybe it's suspended? Does it also occur with the precompiled demos? E.g. try this one for double checking:

http://madshi.net/PrintMonitor.zip

Re: Windows 10 SearchUI.exe

Posted: Wed Sep 09, 2015 8:09 pm
by iconic
It's a Metro app, and yes, it is often suspended. New remote threads will not execute until the process is unsuspended, so in this case that's why a DLL would remain injected despite a call to UninjectLibrary.
[attachment: metro_susp.png]
--Iconic

Re: Windows 10 SearchUI.exe

Posted: Thu Sep 10, 2015 6:52 am
by madshi
@iconic, have you found a way yet to manually resume Metro apps? I've tried but didn't find anything on a quick look...

Re: Windows 10 SearchUI.exe

Posted: Thu Sep 10, 2015 7:30 am
by iconic
Yes, but it's ugly. An example that uses the new UI and JavaScript can be seen here: https://code.msdn.microsoft.com/windows ... d-ec15b168. Unfortunately, even low-level calls such as NtResumeProcess return STATUS_SUCCESS but do not actually remove any running threads from a wait state, nor does targeting your remote thread specifically with NtResumeThread(YourThread, @dwPrevCount). It seems you have to comply with their UI containers to really do anything with the app's state. I'm not a huge fan of modern UI apps, but the entire purpose of suspending apps not in the foreground is to gain performance when they are not being used, which makes sense, since they're not eating up CPU.


--Iconic
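
The two posts above describe the failure mode from the outside: the frozen Metro app's threads are parked in a suspended wait state, so a remote thread queued by InjectLibrary/UninjectLibrary never gets to run. The following is an added example, not code from the thread or from madCodeHook, that performs the check a practitioner would want before calling into such a process: it enumerates the target's threads through System.Diagnostics.Process and reports how many are in the Suspended wait reason (the state Process Explorer also shows for a frozen store app). The process name 'SearchUI' and the Windows 10 / PowerShell 5.1 environment are assumptions taken from the thread; the function name Get-ThreadWaitSummary is hypothetical.

```powershell
# Added example (not from the thread or madCodeHook): report whether every thread
# of a target process is parked in the Suspended wait state, which is how a frozen
# Metro/UWP app looks from outside. A remote thread queued into such a process
# will not run until the app is resumed, so an uninject call can appear to
# succeed while the DLL stays mapped.
# Assumptions: Windows 8.1/10, PowerShell 5.1 or later; the process name
# 'SearchUI' is the one discussed in the thread; Get-ThreadWaitSummary is a
# hypothetical helper name.
function Get-ThreadWaitSummary {
    param([Parameter(Mandatory)][string]$ProcessName)

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        $threads   = @($proc.Threads)
        $suspended = 0
        $other     = @{}
        foreach ($t in $threads) {
            # WaitReason is only valid while the thread is in the Wait state;
            # reading it in any other state throws, so check ThreadState first.
            if ($t.ThreadState -eq [System.Diagnostics.ThreadState]::Wait) {
                $reason = $t.WaitReason.ToString()
            } else {
                $reason = $t.ThreadState.ToString()
            }
            if ($reason -eq 'Suspended') {
                $suspended++
            } else {
                $other[$reason] = 1 + [int]$other[$reason]
            }
        }
        [pscustomobject]@{
            Name         = $proc.ProcessName
            Id           = $proc.Id
            Threads      = $threads.Count
            Suspended    = $suspended
            AllSuspended = ($threads.Count -gt 0 -and $suspended -eq $threads.Count)
            OtherStates  = ($other.GetEnumerator() |
                             ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
        }
    }
}

# Run this before InjectLibrary/UninjectLibrary. If AllSuspended is True, the
# remote thread will sit in the process until the app is brought back to the
# foreground, and a DLL you asked to unload will still be mapped.
Get-ThreadWaitSummary -ProcessName 'SearchUI' | Format-List
```

The check only tells you whether an injection or uninjection can be expected to take effect right now; it does not resume anything. Consistent with what the thread reports, the only outside actions that reliably change the picture are bringing the app to the foreground or terminating the process (for SearchUI.exe, Stop-Process -Name SearchUI -Force, after which Windows restarts it), and the latter discards any state the app holds.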

Re: Windows 10 SearchUI.exe

Posted: Thu Sep 10, 2015 7:32 am
by madshi
Yeah, I tried NtResumeProcess myself already. You say an example can be seen "here", but where is "here"?

I agree that suspending Metro apps might make sense, but it's weird that there's no API to control that from the outside. I don't want to resume them completely, just want to make injection/uninjection succeed. Especially uninjection is kinda important, so e.g. a hook dll can be replaced with a new build.

Re: Windows 10 SearchUI.exe

Posted: Thu Sep 10, 2015 7:33 am
by iconic
Just edited and posted the link

--Iconic

Re: Windows 10 SearchUI.exe

Posted: Thu Sep 10, 2015 7:35 am
by madshi
Hmmm... That link just seems to describe how to handle suspend/resume events from inside an app. It doesn't seem to explain how to suspend/resume any specific other app? Or am I missing something?

Re: Windows 10 SearchUI.exe

Posted: Thu Sep 10, 2015 7:50 am
by iconic
Metro apps are intentionally isolated this way, so MS doesn't give developers documented APIs for outside control, from what I see, especially not on a per-thread basis, which is all you'd need, since you only want your remote thread to execute without being forcefully suspended and without affecting other threads you did not create and don't want to manage. This might be possible with PowerShell or WMI, but I haven't tested the waters yet. It's a pain, as you mentioned, if you want to swap out DLL builds and it's trapped inside a Metro app that is suspended and sleeping indefinitely. If I play with it this week I'll email you; I need to address this myself as well.

--Iconic

Re: Windows 10 SearchUI.exe

Posted: Thu Sep 10, 2015 7:51 am
by madshi
That'd be great - thanks! :)

Re: Windows 10 SearchUI.exe

Posted: Tue Apr 12, 2016 1:53 pm
by jonny_valentine
Just to confirm this is an issue, and so far the only way to update/replace hook DLLs that are trapped inside the suspended process is to destroy the process, which is OK because Windows just starts the process again. Still annoying, though.

Re: Windows 10 SearchUI.exe

Posted: Tue Apr 12, 2016 3:28 pm
by madshi
Still don't have a good solution... :(

Re: Windows 10 SearchUI.exe

Posted: Tue Apr 12, 2016 11:21 pm
by iconic
If a user has text in notepad or calculations in calculator I don't find destroying the process a viable solution. From playing with Windows Store Apps it appears that you will have to coax the runtime broker process to unsuspend the thread of interest or the process as a whole. Think of these application container processes as sandboxes and the runtime broker as the command center, so to speak.

--Iconic

Re: Windows 10 SearchUI.exe

Posted: Mon Dec 24, 2018 7:35 am
by ExPx
Hi all. Let's wake up the topic. I have this issue. Has anyone solved this?

Re: Windows 10 SearchUI.exe

Posted: Mon Dec 24, 2018 8:35 am
by madshi
Unfortunately no, as far as I'm aware. Microsoft simply doesn't seem to offer any APIs for this, not even in driver land... :(