IF ISAPP ... ".exe" or not?

May 20, 2008
10,574
78
Syracuse, NY, USA
IF ISAPP works on conhost.exe and not on conhost. In contrast, it fails on dllhost.exe and works on dllhost. What's going on there?

Code:
v:\> tasklist | egrep "conhost|dllhost"
 7976  conhost
 3164  dllhost

v:\> if isapp conhost.exe echo yes
yes

v:\> if isapp conhost echo yes

v:\> if isapp dllhost.exe echo yes

v:\> if isapp dllhost echo yes
yes

v:\>

rconn

Administrator
Staff member
May 14, 2008
11,915
133
Not reproducible here.

Code:
[D:\release]if isapp conhost.exe echo yes
yes

[D:\release]if isapp conhost echo yes

[D:\release]if isapp dllhost.exe echo yes
yes

[D:\release]if isapp dllhost echo yes

[D:\release]
ISAPP enumerates the process list (with CreateToolhelp32Snapshot).
Hmmm! If I run through the processes (%z) with

Code:
echo %@if[isapp %z,yes,no]^t%@if[isapp %z.exe,yes,no]^t%z
I get a rather interesting mixture of results. User processes give "no yes" and, except for SystemProcess and MemoryCompression, which give "no no", system processes give "yes no" ... except for svchost, which gives "yes yes". I've used Toolhelp32SnapShots but I'll have to brush up (maybe experiment) to try to figure out what's happening.

Code:
no      no      [System Process]
no      no      Memory Compression
no      yes     AutoHotkeyU64
no      yes     conhost
no      yes     explorer
no      yes     firefox
no      yes     OUTLOOK
no      yes     powerpro
no      yes     ppro64
no      yes     RuntimeBroker
no      yes     SearchUI
no      yes     SecurityHealthSystray
no      yes     sihost
no      yes     sort
no      yes     StartMenuExperienceHost
no      yes     taskhostw
no      yes     tcc
no      yes     uniq
yes     no      csrss
yes     no      dwm
yes     no      fontdrvhost
yes     no      IAStorDataMgrSvc
yes     no      lsass
yes     no      MsMpEng
yes     no      NisSrv
yes     no      OfficeClickToRun
yes     no      PresentationFontCache
yes     no      Registry
yes     no      SecurityHealthService
yes     no      Serv-U
yes     no      services
yes     no      SgrmBroker
yes     no      smss
yes     no      spoolsv
yes     no      System
yes     no      w32tmsvc
yes     no      wininit
yes     no      winlogon
yes     yes     svchost
I can't figure out what TCC is doing. When I use CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), except for "[System Process]", "System", "Registry", and "Memory Compression", PROCESSENTRY32::szExeFile always contains ".exe".
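The observation above (szExeFile carries ".exe" for every real process and is bare only for the pseudo-entries) suggests a simple way to make a process-name check independent of whether the caller typed the ".exe" or not: normalize both sides before comparing. The script below is an added example, not TCC's ISAPP code or anything from JP Software. On Windows it walks the same CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) list via ctypes; elsewhere it falls back to a constructed sample modelled on the names in this thread (the PIDs other than conhost/dllhost are made up). The function names `normalize`, `snapshot_process_names`, `find_processes` and `is_app` are my own.

```python
"""Match a process name against a Toolhelp32 snapshot with or without '.exe'.

Added example; not TCC's ISAPP implementation. Win32 branch uses ctypes on
Windows, otherwise a constructed sample list stands in for the snapshot.
"""
import sys

# Constructed sample: only the four pseudo-processes lack ".exe", as observed
# in the thread. PIDs are illustrative except conhost/dllhost from the OP.
SAMPLE_SNAPSHOT = [
    (0, "[System Process]"),
    (4, "System"),
    (96, "Registry"),
    (1840, "Memory Compression"),
    (612, "csrss.exe"),
    (7976, "conhost.exe"),
    (3164, "dllhost.exe"),
    (1304, "svchost.exe"),
    (9000, "Serv-U.exe"),
    (9001, "ppro64.exe"),
]


def normalize(name):
    """Fold case and drop one trailing '.exe' so 'conhost', 'conhost.exe'
    and 'CONHOST.EXE' compare equal. Other dots in a name are left alone."""
    n = name.strip().casefold()
    if n.endswith(".exe"):
        n = n[:-4]
    return n


def snapshot_process_names():
    """Return [(pid, szExeFile), ...]: the live Toolhelp32 snapshot on
    Windows, SAMPLE_SNAPSHOT on any other platform."""
    if sys.platform != "win32":
        return list(SAMPLE_SNAPSHOT)

    import ctypes
    from ctypes import wintypes

    class PROCESSENTRY32W(ctypes.Structure):
        _fields_ = [
            ("dwSize", wintypes.DWORD),
            ("cntUsage", wintypes.DWORD),
            ("th32ProcessID", wintypes.DWORD),
            ("th32DefaultHeapID", ctypes.c_size_t),  # ULONG_PTR
            ("th32ModuleID", wintypes.DWORD),
            ("cntThreads", wintypes.DWORD),
            ("th32ParentProcessID", wintypes.DWORD),
            ("pcPriClassBase", wintypes.LONG),
            ("dwFlags", wintypes.DWORD),
            ("szExeFile", wintypes.WCHAR * 260),   # MAX_PATH
        ]

    TH32CS_SNAPPROCESS = 0x00000002
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.argtypes = [wintypes.DWORD, wintypes.DWORD]
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    for fn in (k32.Process32FirstW, k32.Process32NextW):
        fn.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32W)]
        fn.restype = wintypes.BOOL
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.CloseHandle.restype = wintypes.BOOL

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    entries = []
    try:
        pe = PROCESSENTRY32W()
        pe.dwSize = ctypes.sizeof(PROCESSENTRY32W)  # required before First
        ok = k32.Process32FirstW(snap, ctypes.byref(pe))
        while ok:
            entries.append((pe.th32ProcessID, pe.szExeFile))
            ok = k32.Process32NextW(snap, ctypes.byref(pe))
    finally:
        k32.CloseHandle(snap)
    return entries


def find_processes(name, snapshot):
    """PIDs whose image name equals `name` after normalization."""
    wanted = normalize(name)
    return [pid for pid, exe in snapshot if normalize(exe) == wanted]


def is_app(name, snapshot=None):
    """True if at least one process in the snapshot matches `name`."""
    if snapshot is None:
        snapshot = snapshot_process_names()
    return bool(find_processes(name, snapshot))


if __name__ == "__main__":
    snap = snapshot_process_names()
    for q in ("conhost", "conhost.exe", "dllhost", "Memory Compression", "notepad"):
        print(f"{q:20} -> {is_app(q, snap)}")
```

With this normalization the `isapp %procname .or. isapp %proc` double test from the kill-list script is unnecessary, since either spelling resolves to the same entry. Note that Toolhelp32 reports only the image file name, so a match on name alone says nothing about which binary on disk is running; for anything stronger than convenience scripting, compare the full path from the process handle rather than szExeFile.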
Is this idle curiosity or do you have a specific issue? (The TCC code that handles this is about 1300 lines long and I'm not going to post it here.)
I do use ISAPP and it's hard to remember how to use it ... do I include the ".exe" or not?
How exactly are you using it? Please show a code sample.
Code:
do proc in /L SystemSettingsBroker CompPkgSrv ShellExperienceHost iastoricon smartscreen igfxem
    set procname=%proc.exe
    iff isapp %procname .or. isapp %proc then
        set started=%@wmitcvt[%@wmi[.,"Select CreationDate from Win32_Process where Name='%procname'"]]
        echo %proc.exe (started %started) | tee /a v:\killers.log
        taskend /F %proc
    endiff
enddo
Apparently @PID and ISAPP use the same mechanism. Unelevated, to get the PID of explorer, ".exe" must be present, while to get the PID of spoolsv, ".exe" must be absent.

1596214460578.png


And when the current process is elevated, it's exactly the opposite for some processes.

1596214563409.png