Re: services.exe/advapi32[5/7]: Move QueryServiceConfig to services.exe
In the next patch you've found a problem: Mikołaj Zalewski wrote:
+#if 0 /* for some reason (rpcrt4 bug?) QueryServiceConfig for a non-NULL lpLoadOrder crashes Wine */
The issue is to do with this code:
LPQUERY_SERVICE_CONFIGW lpServiceConfig, DWORD cbBufSize, LPDWORD pcbBytesNeeded) { - WCHAR str_buffer[ MAX_PATH ]; - LONG r; - DWORD type, val, sz, total, n; - LPBYTE p; - HKEY hKey; + QUERY_SERVICE_CONFIGW config; struct sc_service *hsvc; + DWORD total; + DWORD err; + BYTE *bufpos;
TRACE("%p %p %d %p\n", hService, lpServiceConfig, cbBufSize, pcbBytesNeeded); @@ -1886,58 +1908,21 @@ QueryServiceConfigW( SC_HANDLE hService, SetLastError( ERROR_INVALID_HANDLE ); return FALSE; } - hKey = hsvc->hkey; - - /* TODO: Check which members are mandatory and what the registry types - * should be. This should of course also be tested when a service is - * created. - */ - - /* calculate the size required first */ - total = sizeof (QUERY_SERVICE_CONFIGW);
- sz = sizeof(str_buffer); - r = RegQueryValueExW( hKey, szImagePath, 0, &type, (LPBYTE) str_buffer, &sz ); - if( ( r == ERROR_SUCCESS ) && ( type == REG_SZ || type == REG_EXPAND_SZ ) ) + if ((err = svcctl_QueryServiceConfigW(hsvc->hdr.rpc_handle, &hsvc->hdr.server_handle, &config)) != 0)
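Review bot: `QUERY_SERVICE_CONFIGW config;` is declared without an initialiser and then handed to `svcctl_QueryServiceConfigW` as `&config`, so its pointer members hold whatever was on the stack at the time of the call. Zero the struct before the call, for example with `memset(&config, 0, sizeof(config));`. The result is also compared against a bare `0` where the removed code used `ERROR_SUCCESS`; keeping the named constant would read better.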
The problem is that QUERY_SERVICE_CONFIGW contains pointers and the DCE/RPC programming model ensures that non-NULL pointers that are being unmarshalled into are used (presumably to reduce memory allocations). So the issue here is that you're not initialising config before passing it into svcctl_QueryServiceConfigW and it is blowing up just by chance on the pointer occupying the lpLoadOrderGroup; it could just as well have been lpBinaryName, lpServiceStartName or lpDisplayName.
+ + /* Windows function 0x11 must be using a different prototype - not compatible */ + /* Robert Shearman thinks there should be a byte_count attribute but (as of Sep 2007) + * this isn't supported by widl nor by rpcrt4 */ + DWORD svcctl_QueryServiceConfigW( + SvcCtlRpcHandle rpc_handle, + [in] POLICY_HANDLE *handle, + [out] QUERY_SERVICE_CONFIGW *config); + }
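Review bot: The two comments above `svcctl_QueryServiceConfigW` record a guess ("must be using a different prototype") and a dated remark about `byte_count`, but nothing tells a caller what state the `[out] QUERY_SERVICE_CONFIGW *config` argument has to be in. Suggest trimming them to what is actually known about function 0x11 and adding a line that the struct's pointer members must be NULL on entry.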
The byte_count attribute is officially deprecated by Microsoft and it's not part of the DCE/RPC standard, plus you've already done the work and it's wire compatible (I think) without the attribute, so you can remove the comment about it.

--
Rob Shearman
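The unmarshalling behaviour described in the message, as an added C example that is not part of the original e-mail or of Wine's code: a toy unmarshaller writes through any non-NULL pointer it finds in the output struct, first with a leftover pointer in place and then with the struct zeroed. The names `svc_config`, `unmarshal_str` and `toy_query_config` are hypothetical and real rpcrt4 is not involved.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for QUERY_SERVICE_CONFIGW: pointer members only. */
struct svc_config {
    char *binary_path;
    char *load_order_group;
};

static int allocations; /* buffers the toy unmarshaller had to allocate */

/* Toy rule matching the message: a non-NULL pointer in the output struct is
 * taken as a caller-supplied buffer and written through; NULL gets new memory. */
static void unmarshal_str(char **field, const char *wire)
{
    if (*field == NULL) {
        *field = malloc(strlen(wire) + 1);
        if (*field == NULL) abort();
        allocations++;
    }
    strcpy(*field, wire); /* with a garbage pointer this write is the crash */
}

static void toy_query_config(struct svc_config *out)
{
    unmarshal_str(&out->binary_path, "C:\\svc.exe");   /* constructed values */
    unmarshal_str(&out->load_order_group, "grp");
}

/* Returns 1 if the call wrote through the pointer left behind in the struct. */
int stale_pointer_is_written(void)
{
    char victim[16] = "unrelated data"; /* whatever a stale pointer happens to hit */
    struct svc_config cfg = { NULL, victim }; /* models leftover stack contents, kept valid here */
    toy_query_config(&cfg);
    free(cfg.binary_path);
    return strcmp(victim, "grp") == 0;
}

/* Returns how many buffers were allocated when the struct is zeroed first. */
int zeroed_struct_allocations(void)
{
    struct svc_config cfg;
    allocations = 0;
    memset(&cfg, 0, sizeof(cfg)); /* the fix: every pointer is NULL on entry */
    toy_query_config(&cfg);
    free(cfg.binary_path);
    free(cfg.load_order_group);
    return allocations;
}
```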