https://bugs.winehq.org/show_bug.cgi?id=45561
Bug ID: 45561
Summary: Windows Sysinternals 'PsService' v2.x tool, part of 'PsTools' crashes when trying to query the service configuration (needs 'QueryServiceConfig2A/W' level 2 'SERVICE_CONFIG_FAILURE_ACTIONS')
Product: Wine
Version: 3.13
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: advapi32
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/pstools

$ wine ./PsService /?

PsService v2.25 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

PsService lists or controls services on a local or remote system.

Usage: PsService.exe [\Computer [-u Username [-p Password]]] <cmd> <optns>

Cmd is one of the following:
   query      Queries the status of a service
   config     Queries the configuration
   setconfig  Sets the configuration
   start      Starts a service
   stop       Stops a service
   restart    Stops and then restarts a service
   pause      Pauses a service
   cont       Continues a paused service
   depend     Enumerates the services that depend on the one specified
   find       Searches for an instance of a service on the network
   security   Reports the security permissions assigned to a service

Use the username and password to log into the remote computer in cases where
your account does not have permissions to perform the action you specify.

Omitting a command queries the active services on the specified computer.
Enter -? for help on a particular command.
Use option -nobanner to supress the startup banner and copyright message.
--- snip ---
--- snip ---
$ WINEDEBUG=+seh,+relay wine ./PsService.exe config >>log.txt 2>&1
...
00b3:Call ntdll.RtlAllocateHeap(00110000,00000000,0000001e) ret=00405f54
00b3:Ret ntdll.RtlAllocateHeap() retval=0015cba8 ret=00405f54
00b3:Call advapi32.QueryServiceConfig2W(0015cb48,00000002,0015cba8,0000001e,0033fde4) ret=00402bf5
00b3:fixme:service:QueryServiceConfig2W Level 2 not implemented
00b3:Ret advapi32.QueryServiceConfig2W() retval=00000000 ret=00402bf5
00b3:Call KERNEL32.GetLastError() ret=00408d44
00b3:Ret KERNEL32.GetLastError() retval=0000007c ret=00408d44
...
00b3:Call KERNEL32.WideCharToMultiByte(000004e4,00000000,0033f88c L" ",00000001,0033f8bc,00000005,00000000,0033f884) ret=00413d80
00b3:Ret KERNEL32.WideCharToMultiByte() retval=00000001 ret=00413d80
00b3:trace:seh:raise_exception code=c0000005 flags=0 addr=0x40c5d0 ip=0040c5d0 tid=00b3
00b3:trace:seh:raise_exception info[0]=00000000
00b3:trace:seh:raise_exception info[1]=00530054
00b3:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00530054 edx=ffffffff esi=00530054 edi=7ffffffe
00b3:trace:seh:raise_exception ebp=0033fd80 esp=0033f8ec cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
00b3:trace:seh:call_stack_handlers calling handler at 0x407640 code=c0000005 flags=0
00b3:trace:seh:call_stack_handlers handler at 0x407640 returned 1
00b3:trace:seh:call_stack_handlers calling handler at 0x407640 code=c0000005 flags=0
00b3:Call KERNEL32.GetLastError() ret=00408d44
00b3:Ret KERNEL32.GetLastError() retval=0000007c ret=00408d44
00b3:trace:seh:call_stack_handlers handler at 0x407640 returned 1
00b3:trace:seh:call_stack_handlers calling handler at 0x7b48ffea code=c0000005 flags=0
wine: Unhandled page fault on read access to 0x00530054 at address 0x40c5d0 (thread 00b3), starting debugger...
00b3:trace:seh:start_debugger Starting debugger "winedbg --auto 178 92"
00b3:trace:seh:call_stack_handlers handler at 0x7b48ffea returned 1
Unhandled exception: page fault on read access to 0x00530054 in 32-bit code (0x0040c5d0).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:0040c5d0 ESP:0033f8ec EBP:0033fd80 EFLAGS:00010202( R- -- I - - - )
 EAX:00000000 EBX:00000000 ECX:00530054 EDX:ffffffff
 ESI:00530054 EDI:7ffffffe
...
Backtrace:
=>0 0x0040c5d0 in psservice (+0xc5d0) (0x0033fd80)
  1 0x004060cf in psservice (+0x60ce) (0x0033fdc4)
  2 0x00402c26 in psservice (+0x2c25) (0x0033fde8)
  3 0x00404b38 in psservice (+0x4b37) (0x0033fe10)
  4 0x00403cb0 in psservice (+0x3caf) (0x0033fe28)
  5 0x004056cf in psservice (+0x56ce) (0x0033fe68)
  6 0x00407ed5 in psservice (+0x7ed4) (0x0033feb0)
  7 0x7b46dbfe call_process_entry+0x11() in kernel32 (0x0033fec8)
  8 0x7b46dd37 start_process+0x12c() [/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:1101] in kernel32 (0x0033ffd8)
  9 0x7b46dc0a start_process_wrapper+0x9() in kernel32 (0x0033ffec)
0x0040c5d0: cmpw %ax,0x0(%ecx)
Modules:
Module  Address                 Debug info      Name (102 modules)
PE        400000-  430000       Export          psservice
ELF     7b400000-7b7f4000       Dwarf           kernel32<elf>
  \-PE  7b420000-7b7f4000       \               kernel32
ELF     7bc00000-7bd10000       Deferred        ntdll<elf>
  \-PE  7bc30000-7bd10000       \               ntdll
ELF     7c000000-7c004000       Deferred        <wine-loader>
...
Threads:
process  tid      prio (all id:s are in hex)
...
000000b2 (D) C:\Program Files\pstools\PsService.exe
         000000b3    0 <==
--- snip ---
Debugger/disassembly:
--- snip ---
...
00402BE1   ADD ESP,4
00402BE4   MOV ESI,EAX
00402BE6   LEA EAX,[LOCAL.1]
00402BE9   PUSH EAX
00402BEA   PUSH EDI
00402BEB   PUSH ESI
00402BEC   PUSH 2                       ; SERVICE_CONFIG_FAILURE_ACTIONS
00402BEE   PUSH EBX
00402BEF   CALL DWORD PTR DS:[42CBE4]   ; advapi32.QueryServiceConfig2W
00402BF5   CMP DWORD PTR DS:[ESI+0C],0
00402BF9   JE 00402C86
00402BFF   MOV EAX,DWORD PTR DS:[ESI+4]
00402C02   TEST EAX,EAX
00402C04   JZ SHORT 00402C14
00402C06   PUSH EAX
00402C07   PUSH OFFSET 00422884         ; " REBOOT_MESSAGE : %s"
00402C0C   CALL 00406061
00402C11   ADD ESP,8
00402C14   MOV EAX,DWORD PTR DS:[ESI+8]
00402C17   TEST EAX,EAX
00402C19   JZ SHORT 00402C29
00402C1B   PUSH EAX
00402C1C   PUSH OFFSET 004228B4         ; " COMMAND : %s"
00402C21   CALL 00406061
00402C26   ADD ESP,8
...
0040C5CF  |/DEC EDI
0040C5D0  ||CMP WORD PTR DS:[ECX],AX
0040C5D3  ||JE SHORT 0040C5DC
0040C5D5  ||ADD ECX,2
0040C5D8  ||TEST EDI,EDI
0040C5DA  |\JNZ SHORT 0040C5CF
...
--- snip ---
https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/ns-winsvc-_servi...
--- snip ---
typedef struct _SERVICE_FAILURE_ACTIONSA {
  DWORD     dwResetPeriod;
  LPSTR     lpRebootMsg;
  LPSTR     lpCommand;
  DWORD     cActions;
  SC_ACTION *lpsaActions;
} SERVICE_FAILURE_ACTIONSA, *LPSERVICE_FAILURE_ACTIONSA;
--- snip ---
Buffer passed (left untouched due to stub)
--- snip ---
$-8      00000030   0
$-4      12455355   USE
$ ==>    001100D8   ; dwResetPeriod
$+4      001100C8   ; lpRebootMsg
$+8      00530054   ; lpCommand -> access *boom*
$+C      00530020
$+10     00000011
$+14     45455246   FREE
--- snip ---
It's questionable why the app doesn't check for failure and tries to access the struct members straight away.
The poor man's solution would be just to return an initialized '_SERVICE_FAILURE_ACTIONS' structure, with strings being empty. This way the app(s) don't crash while trying to access the strings.
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/advapi32/service.c#l1...
--- snip ---
BOOL WINAPI QueryServiceConfig2W(SC_HANDLE hService, DWORD dwLevel, LPBYTE buffer,
                                 DWORD size, LPDWORD needed)
{
    BYTE *bufptr;
    DWORD err;

    TRACE("%p %u %p %u %p\n", hService, dwLevel, buffer, size, needed);

    if (!buffer && size)
    {
        SetLastError(ERROR_INVALID_ADDRESS);
        return FALSE;
    }

    switch (dwLevel)
    {
    case SERVICE_CONFIG_DESCRIPTION:
        if (!(bufptr = heap_alloc( size )))
        {
            SetLastError( ERROR_NOT_ENOUGH_MEMORY );
            return FALSE;
        }
        break;

    case SERVICE_CONFIG_PRESHUTDOWN_INFO:
        bufptr = buffer;
        break;

    default:
        FIXME("Level %d not implemented\n", dwLevel);
        SetLastError(ERROR_INVALID_LEVEL);
        return FALSE;
    }
...
--- snip ---
$ sha1sum PSTools.zip
1e562ff2bae38856f8dcf3f939cdbe8e1bf6ccf3  PSTools.zip

$ du -sh PSTools.zip
2.8M    PSTools.zip

$ wine --version
wine-3.13
Regards
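The failure mode in this report, as an added C model that is not part of the original report or of Wine's code: a caller that ignores the query's return value goes on to use whatever was already in its buffer, while a caller that checks it stops at the error. The names `failure_actions32`, `query_stub`, `query_zeroed`, `strings_used` and `caller` are hypothetical; the stale buffer values and the error code come from the dump and log above, and `query_zeroed` only models the proposed workaround.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit layout of SERVICE_FAILURE_ACTIONSW; pointers modelled as uint32_t. */
typedef struct {
    uint32_t reset_period;  /* +0x00 dwResetPeriod */
    uint32_t reboot_msg;    /* +0x04 lpRebootMsg   */
    uint32_t command;       /* +0x08 lpCommand     */
    uint32_t action_count;  /* +0x0C cActions      */
    uint32_t actions;       /* +0x10 lpsaActions   */
} failure_actions32;

enum { ERR_INVALID_LEVEL = 0x7c };  /* GetLastError() value seen in the log */
/* Stale heap contents, values taken from the buffer dump in the report. */
static const failure_actions32 RESIDUE = {0x001100D8, 0x001100C8, 0x00530054, 0x00530020, 0x00000011};

typedef int (*query_fn)(failure_actions32 *out, uint32_t *err);

/* Models the stub: reports failure and leaves the caller's buffer untouched. */
static int query_stub(failure_actions32 *out, uint32_t *err) {
    (void)out; *err = ERR_INVALID_LEVEL; return 0;
}

/* Models the proposed workaround: succeed with an all-empty structure. */
static int query_zeroed(failure_actions32 *out, uint32_t *err) {
    memset(out, 0, sizeof *out); *err = 0; return 1;
}

/* Number of string pointers the caller goes on to read from the buffer. */
static int strings_used(const failure_actions32 *fa) {
    if (fa->action_count == 0) return 0;      /* CMP [ESI+0C],0 ; JE */
    return (fa->reboot_msg != 0) + (fa->command != 0);
}

/* check=0 mirrors the disassembly (return value ignored); check=1 is the
   defensive form, which returns the negated error code on failure. */
static int caller(query_fn q, int check) {
    failure_actions32 fa = RESIDUE; uint32_t err;
    int ok = q(&fa, &err);
    if (check && !ok) return -(int)err;
    return strings_used(&fa);
}

int main(void) {
    printf("stub:   unchecked=%d checked=%d\n", caller(query_stub, 0), caller(query_stub, 1));
    printf("zeroed: unchecked=%d checked=%d\n", caller(query_zeroed, 0), caller(query_zeroed, 1));
    return 0;
}
```

With the stub, the unchecked caller treats both stale values as string pointers, which is the read of 0x00530054 in the crash; with the zero-filled result it reads none.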
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
                URL|                            |https://download.sysinternals.com/files/PSTools.zip
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|https://download.sysinternals.com/files/PSTools.zip |https://web.archive.org/web/20180910011913/https://download.sysinternals.com/files/PSTools.zip
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present.
--- snip ---
$ wine ./PsService.exe config

PsService v2.25 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

0070:fixme:service:svcctl_EnumServicesStatusExW resume handle not supported
005c:fixme:service:svcctl_EnumServicesStatusExW resume handle not supported
SERVICE_NAME: Winedevice1
DISPLAY_NAME: Winedevice1
0024:fixme:service:QueryServiceConfig2W Level 3 not implemented
        TYPE              : 10 WIN32_OWN_PROCESS
        START_TYPE        : 3 DEMAND_START
        ERROR_CONTROL     : 0 IGNORE
        BINARY_PATH_NAME  : C:\windows\system32\winedevice.exe
        LOAD_ORDER_GROUP  : System Bus Extender
        TAG               : 0
        DEPENDENCIES      :
        SERVICE_START_NAME: LocalSystem
0024:fixme:service:QueryServiceConfig2W Level 2 not implemented
0024:fixme:service:QueryServiceConfig2W Level 2 not implemented
        REBOOT_MESSAGE    : OC,C
wine: Unhandled page fault on read access to 00000114 at address 0040C5D0 (thread 0024), starting debugger...
...
Unhandled exception: page fault on read access to 0x00000114 in 32-bit code (0x0040c5d0).
--- snip ---
Another (unrelated) problem:
--- snip --- 00ec:err:dbghelp_msc:pe_load_debug_directory Got a page fault while loading symbols --- snip ---
Stable download link via Internet Archive:
https://web.archive.org/web/20180910011913/https://download.sysinternals.com...
$ sha1sum PSTools.zip
1e562ff2bae38856f8dcf3f939cdbe8e1bf6ccf3  PSTools.zip

$ du -sh PSTools.zip
2.8M    PSTools.zip

$ wine --version
wine-6.21-214-gbe0684dad50
Regards