IF ISAPP ... ".exe" or not?

May 20, 2008
11,783
118
Syracuse, NY, USA
IF ISAPP works on conhost.exe and not on conhost. In contrast, it fails on dllhost.exe and works on dllhost. What's going on there?

Code:
v:\> tasklist | egrep "conhost|dllhost"
 7976  conhost
 3164  dllhost

v:\> if isapp conhost.exe echo yes
yes

v:\> if isapp conhost echo yes

v:\> if isapp dllhost.exe echo yes

v:\> if isapp dllhost echo yes
yes

v:\>

rconn

Administrator
Staff member
May 14, 2008
12,425
153
Not reproducible here.

Code:
[D:\release]if isapp conhost.exe echo yes
yes

[D:\release]if isapp conhost echo yes

[D:\release]if isapp dllhost.exe echo yes
yes

[D:\release]if isapp dllhost echo yes

[D:\release]

ISAPP enumerates the process list (with CreateToolhelp32Snapshot).
Hmmm! If I run through the processes (%z) with

Code:
echo %@if[isapp %z,yes,no]^t%@if[isapp %z.exe,yes,no]^t%z

I get a rather interesting mixture of results. User processes give "no yes" and except for SystemProcess and MemoryCompression which give "no no", system processes give "yes no" ... except for svchost, which gives "yes yes". I've used Toolhelp32SnapShots but I'll have to brush up (maybe experiment) to try to figure out what's happening.

Code:
no      no      [System Process]
no      no      Memory Compression
no      yes     AutoHotkeyU64
no      yes     conhost
no      yes     explorer
no      yes     firefox
no      yes     OUTLOOK
no      yes     powerpro
no      yes     ppro64
no      yes     RuntimeBroker
no      yes     SearchUI
no      yes     SecurityHealthSystray
no      yes     sihost
no      yes     sort
no      yes     StartMenuExperienceHost
no      yes     taskhostw
no      yes     tcc
no      yes     uniq
yes     no      csrss
yes     no      dwm
yes     no      fontdrvhost
yes     no      IAStorDataMgrSvc
yes     no      lsass
yes     no      MsMpEng
yes     no      NisSrv
yes     no      OfficeClickToRun
yes     no      PresentationFontCache
yes     no      Registry
yes     no      SecurityHealthService
yes     no      Serv-U
yes     no      services
yes     no      SgrmBroker
yes     no      smss
yes     no      spoolsv
yes     no      System
yes     no      w32tmsvc
yes     no      wininit
yes     no      winlogon
yes     yes     svchost
I can't figure out what TCC is doing. When I use CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), except for "[System Process]", "System", "Registry", and "Memory Compression", PROCESSENTRY32::szExeFile always contains ".exe".
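The same enumeration in C, added here as an illustration and not TCC's own ISAPP code: it walks a CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) snapshot and matches a name against PROCESSENTRY32::szExeFile so that "conhost" and "conhost.exe" give the same answer, which is what a script author would want from a process check. Off Windows, the snapshot is replaced by a constructed table of szExeFile values (the PIDs there are invented); the Windows path is assumed to be built as an ANSI (non-UNICODE) program so that szExeFile is a char array.

```c
/* Added example, not TCC's code: an ISAPP-like lookup that enumerates
 * processes with the Toolhelp snapshot API and matches image names with or
 * without a trailing ".exe", case-insensitively.  On non-Windows builds the
 * snapshot is a constructed sample table (PIDs invented). */
#undef UNICODE
#undef _UNICODE
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

#define MAX_PROCS 512
#define NAME_LEN 260

typedef struct { unsigned long pid; char exe[NAME_LEN]; } proc_entry;

/* Length of `s` with a trailing ".exe" (any case) removed, if present. */
static size_t base_len(const char *s) {
    size_t n = strlen(s);
    const char *ext = ".exe";
    if (n >= 4) {
        int i, same = 1;
        for (i = 0; i < 4; i++)
            if (tolower((unsigned char)s[n - 4 + i]) != ext[i]) { same = 0; break; }
        if (same) n -= 4;
    }
    return n;
}

/* 1 if `a` and `b` name the same image, ignoring case and ".exe". */
int names_match(const char *a, const char *b) {
    size_t la = base_len(a), lb = base_len(b), i;
    if (la != lb) return 0;
    for (i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Fill `out` with up to `cap` (pid, szExeFile) pairs; returns the count,
 * or -1 if the snapshot could not be taken. */
int snapshot_processes(proc_entry *out, int cap) {
#ifdef _WIN32
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    int n = 0;
    if (snap == INVALID_HANDLE_VALUE) return -1;
    pe.dwSize = sizeof(pe);
    if (Process32First(snap, &pe)) {
        do {
            if (n >= cap) break;
            out[n].pid = pe.th32ProcessID;
            strncpy(out[n].exe, pe.szExeFile, NAME_LEN - 1);
            out[n].exe[NAME_LEN - 1] = '\0';
            n++;
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return n;
#else
    /* Constructed sample standing in for a real snapshot: the entries
     * without ".exe" mirror the kernel-side names the post mentions. */
    static const proc_entry sample[] = {
        { 0, "[System Process]" }, { 4, "System" }, { 96, "Registry" },
        { 1234, "Memory Compression" }, { 7976, "conhost.exe" },
        { 3164, "dllhost.exe" }, { 812, "svchost.exe" }, { 5120, "explorer.exe" },
    };
    int n = (int)(sizeof sample / sizeof sample[0]);
    if (n > cap) n = cap;
    memcpy(out, sample, (size_t)n * sizeof *out);
    return n;
#endif
}

/* PID of the first process whose image name matches `spec` (with or
 * without ".exe"); -1 if there is none. */
long find_pid(const char *spec) {
    proc_entry procs[MAX_PROCS];
    int n = snapshot_processes(procs, MAX_PROCS), i;
    for (i = 0; i < n; i++)
        if (names_match(spec, procs[i].exe)) return (long)procs[i].pid;
    return -1;
}

int main(int argc, char **argv) {
    const char *spec = argc > 1 ? argv[1] : "conhost";
    long pid = find_pid(spec);
    printf("%s -> %ld\n", spec, pid);
    return pid < 0 ? 1 : 0;
}
```

Run it as `isapp conhost` or `isapp conhost.exe`; both resolve to the same PID, and a name like "Memory Compression" is matched verbatim because it has no extension to strip.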
Is this idle curiosity or do you have a specific issue? (The TCC code that handles this is about 1300 lines long and I'm not going to post it here.)
I do use ISAPP and it's hard to remember how to use it ... do I include the ".exe" or not?
How exactly are you using it? Please show a code sample.
Code:
do proc in /L SystemSettingsBroker CompPkgSrv ShellExperienceHost iastoricon smartscreen igfxem
    set procname=%proc.exe
    iff isapp %procname .or. isapp %proc then
        set started=%@wmitcvt[%@wmi[.,"Select CreationDate from Win32_Process where Name='%procname'"]]
        echo %proc.exe (started %started) | tee /a v:\killers.log
        taskend /F %proc
    endiff
enddo
And for system processes, the syntaxes, elevated vs. not elevated, are exact opposites.

Can you ditch ISAPP and rely on return of WMI call solely?
For sure! I have done that in several cases. It's amazing what you can do with WMI. And I also have a plugin ...

Code:
v:\> help @isapp
@ISAPP[spec] = -1|PID - PID if wildcard match
Apparently @PID and ISAPP use the same mechanism. Unelevated, to get the PID of explorer, ".exe" must be present, while to get the PID of spoolsv, ".exe" must be absent.

And when the current process is elevated, it's exactly the opposite for some processes.
