Windows 10 SearchUI.exe
Hi,
I have a problem on Windows 10 only.
Sometimes when I uninject, some of the injected files still stay captured by the Windows 10 SearchUI.exe process.
It works perfectly on Windows 7/8/8.1.
Any suggestions?
Thank you in advance
Re: Windows 10 SearchUI.exe
Is it a Metro app? Maybe it's suspended? Does it also occur with the precompiled demos? E.g. try this one for double checking:
http://madshi.net/PrintMonitor.zip
Re: Windows 10 SearchUI.exe
It's a Metro app and yes, it is often suspended. New remote threads will not execute until the process is unsuspended, so in this case it's why a DLL would remain injected despite a call to UninjectLibrary.
--Iconic
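A diagnostic for the condition described above, as an added example that is not part of the original thread and is not madCodeHook code: it lists the processes that still have a given DLL mapped and reports whether all of their threads are suspended. The function name `Get-StuckModuleHost` and the module name `MyHook.dll` are placeholders.

```powershell
# Added example: report which processes still map a given DLL and whether
# every thread in them is suspended (the state described in this thread).
# 'MyHook.dll' is a placeholder module name, not taken from the thread.
function Get-StuckModuleHost {
    param(
        [Parameter(Mandatory)] [string] $ModuleName
    )
    foreach ($proc in Get-Process) {
        try {
            # Modules can fail for protected processes, for processes that
            # have exited, or when a 32-bit shell inspects a 64-bit process.
            $loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch {
            continue
        }
        if (-not $loaded) { continue }

        $threads = @($proc.Threads)
        # WaitReason is only valid while ThreadState is Wait, so test that first.
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
            $_.WaitReason  -eq [System.Diagnostics.ThreadWaitReason]::Suspended
        })

        [pscustomobject]@{
            Name         = $proc.ProcessName
            Id           = $proc.Id
            Threads      = $threads.Count
            Suspended    = $suspended.Count
            AllSuspended = ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count)
        }
    }
}

Get-StuckModuleHost -ModuleName 'MyHook.dll' | Format-Table -AutoSize
```

Run it from a shell with the same bitness as the processes being inspected; a row with `AllSuspended` set to `True` is a process in which a newly created remote thread will not be scheduled.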
Re: Windows 10 SearchUI.exe
@iconic, have you found a way yet to manually resume Metro apps? I've tried but didn't find anything on a quick look...
Re: Windows 10 SearchUI.exe
Yes, but it's ugly and an example can be seen here that uses the new UI and JavaScript located here https://code.msdn.microsoft.com/windows ... d-ec15b168. Unfortunately, even low-level calls such as NtResumeProcess return STATUS_SUCCESS but do not actually remove any running threads from a wait-state, nor does targeting your remote thread specifically NtResumeThread(YourThread, @dwPrevCount). Seems you have to comply with their UI containers to really do anything with the app's state. Not a huge fan of modern UI apps but the entire purpose of suspending apps not in the foreground is to gain performance when they are not being used which makes sense, since they're not eating up CPU.
--Iconic
Last edited by iconic on Thu Sep 10, 2015 7:32 am, edited 1 time in total.
Re: Windows 10 SearchUI.exe
Yeah, I tried NtResumeProcess myself already. You say an example can be seen "here", but where is "here"?
I agree that suspending Metro apps might make sense, but it's weird that there's no API to control that from the outside. I don't want to resume them completely, just want to make injection/uninjection succeed. Especially uninjection is kinda important, so e.g. a hook dll can be replaced with a new build.
Re: Windows 10 SearchUI.exe
Just edited and posted the link
--Iconic
Re: Windows 10 SearchUI.exe
Hmmm... That link just seems to describe how to handle suspend/resume events from inside an app. It doesn't seem to explain how to suspend/resume any specific other app? Or am I missing something?
Re: Windows 10 SearchUI.exe
Metro apps are intentionally isolated this way so MS doesn't give developers documented APIs for outside control from what I see, especially not on a per thread basis, which is all you'd need since you only want your remote thread to execute without being forcefully suspended without affecting other threads you did not create and don't want to manage. This might be possible with PowerShell or WMI but I haven't tested the waters yet. It's a pain as you mentioned if you want to swap out DLL builds and it's trapped inside a Metro app that is suspended and sleeping indefinitely. If I play with it this week I'll email you, I need to address this myself as well.
--Iconic
Re: Windows 10 SearchUI.exe
That'd be great - thanks!
Re: Windows 10 SearchUI.exe
Just to confirm this is an issue and so far the only way to update/replace hook DLLs that are trapped inside the suspended process is to destroy the process, which is ok because Windows just starts the process again. Still annoying though.
Re: Windows 10 SearchUI.exe
Still don't have a good solution...
Re: Windows 10 SearchUI.exe
If a user has text in notepad or calculations in calculator I don't find destroying the process a viable solution. From playing with Windows Store Apps it appears that you will have to coax the runtime broker process to unsuspend the thread of interest or the process as a whole. Think of these application container processes as sandboxes and the runtime broker as the command center, so to speak.
--Iconic
Re: Windows 10 SearchUI.exe
Hi all. Let's wake up the topic. I have this issue. Anyone solved this?
Re: Windows 10 SearchUI.exe
Unfortunately no, as far as I'm aware. Microsoft simply doesn't seem to offer any APIs for this, not even in driver land...