  Message 1 of 8  
09 Aug 17 06:07
S B
xxxxxx@gmail.com
Join Date: 10 Jul 2015
Posts To This List: 11
Protected process using elam

I am trying to create a protected service using the ELAM driver. All the steps are succeeding except the last StartService call. I am following the MSDN link https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx#starting_the_service_as_protected and http://www.osronline.com/showThread.CFM?link=284726 for certificate creation and signing.

The error message I am getting on service start is 1053, which is "The service did not respond to start or control request in a timely fashion". I have even tried to increase the timeout, but the result is still the same.

If I just create a normal (not protected) service then it works fine, which means there is no issue with the service; the issue only happens when I try to run it as a protected service.

Below are the steps that I am performing.

1. hFileHandle = CreateFile(L"C:\\Windows\\System32\\drivers\\elamsample.sys", FILE_READ_DATA, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2. InstallELAMCertificateInfo(hFileHandle)
3. schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
4. schService = CreateService(schSCManager, lpszDisplayName, lpszDisplayName, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, lpszBinaryPathName, NULL, NULL, NULL, NULL, NULL);
5. SetServiceObjectSecurity(schService, si, &sd)
6. ChangeServiceConfig2(schService, SERVICE_CONFIG_LAUNCH_PROTECTED, &Info)
7. StartService(schService, 0, NULL) // This is failing.

Need help on this, any input would be highly appreciated.
  Message 2 of 8  
09 Aug 17 12:45
Jan Bottorff
xxxxxx@pmatrix.com
Join Date: 16 Apr 2013
Posts To This List: 394
Protected process using elam

Does your service process actually start? Does it then report its running state to the SCM in a timely manner?

I assume protected services can still write ETW or other logging events. Creating ETW TraceLogging is REALLY easy.

Jan

On 8/9/17, 3:07 AM, "xxxxx@lists.osr.com on behalf of xxxxx@gmail.com xxxxx@lists.osr.com" <xxxxx@lists.osr.com on behalf of xxxxx@gmail.com xxxxx@lists.osr.com> wrote:

> I am trying to create a protected service using the ELAM driver. All the steps are succeeding except the last StartService call. I am following the MSDN link https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx#starting_the_service_as_protected and http://www.osronline.com/showThread.CFM?link=284726 for certificate creation and signing.
>
> The error message I am getting on service start is 1053, which is "The service did not respond to start or control request in a timely fashion". I have even tried to increase the timeout, but the result is still the same.
>
> If I just create a normal (not protected) service then it works fine, which means there is no issue with the service; the issue only happens when I try to run it as a protected service.
>
> Below are the steps that I am performing.
>
> 1. hFileHandle = CreateFile(L"C:\\Windows\\System32\\drivers\\elamsample.sys", FILE_READ_DATA, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
> 2. InstallELAMCertificateInfo(hFileHandle)
> 3. schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
> 4. schService = CreateService(schSCManager, lpszDisplayName, lpszDisplayName, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, lpszBinaryPathName, NULL, NULL, NULL, NULL, NULL);
> 5. SetServiceObjectSecurity(schService, si, &sd)
> 6. ChangeServiceConfig2(schService, SERVICE_CONFIG_LAUNCH_PROTECTED, &Info)
> 7. StartService(schService, 0, NULL) // This is failing.
>
> Need help on this, any input would be highly appreciated.
--- NTDEV is sponsored by OSR Visit the list online at: <http://www.osronline.com/showlists.cfm?list=ntdev> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at <http://www.osr.com/seminars> To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>
  Message 3 of 8  
09 Aug 17 13:20
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11622
Protected process using elam

xxxxx@gmail.com xxxxx@lists.osr.com wrote:

> I am trying to create a protected service using the elam driver, all the steps are succeeding except the last StartService call.
> ...
> Below are the steps, that i am performing.
>
> 1. hFileHandle = CreateFile(L"C:\\Windows\\System32\\drivers\\elamsample.sys", FILE_READ_DATA, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
> 2. InstallELAMCertificateInfo(hFileHandle)
> 3. schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS);
> 4. schService = CreateService(schSCManager, lpszDisplayName, lpszDisplayName, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, lpszBinaryPathName, NULL, NULL, NULL, NULL, NULL);

I admit that I'm confused by the documentation. If this is a kernel driver, then it needs to be SERVICE_KERNEL_DRIVER, not SERVICE_WIN32_OWN_PROCESS, doesn't it? The ELAM Driver Requirements document shows that:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-driver-requirements

What confuses me is that the page you referenced seems to be talking about two different services: one for the ELAM driver, and one for the protected user-mode process. I don't see two separate services there.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 4 of 8  
10 Aug 17 12:54
S B
xxxxxx@gmail.com
Join Date: 10 Jul 2015
Posts To This List: 11
Protected process using elam

Thanks Jan and Tim for the quick responses.

Jan, the service was getting launched and timed out. Actually, I have written a simple out-of-proc COM service without much functionality, and it was failing to find the AppId, which is resolved by manually creating it. I need to figure out why it is not being created by itself on registration.

Tim, it was my bad, I did not mention the driver service, which I was able to create. I was only having the issue with the user mode service.
  Message 5 of 8  
10 Aug 17 23:40
Jan Bottorff
xxxxxx@pmatrix.com
Join Date: 16 Apr 2013
Posts To This List: 394
Protected process using elam

Can you clarify what you mean by “timed out”? It sounds like you’re saying the process DID start, but you didn’t answer if it reported it entered running state to the SCM (by calling ReportSvcStatus( SERVICE_RUNNING, NO_ERROR, 0 ) with a success return code).

The SCM will time out and terminate a service that does not report a running state within a timeout value. We are trying to determine if the service successfully started, and then failed, or if it never became running. I believe you can get ETW trace events about services moving into different states.

I would not be surprised if protected services had some restrictions on what APIs they can call, and becoming an out of process COM service involves hooking up to a bunch of mechanisms. The docs for a protected service specifically say the service exe and ALL bound DLLs must be signed with the protected service key. I didn’t see in the docs what the signature requirements were for “run-time” and “system” DLLs, which are what implement a ton of the Windows API functionality.

You might try turning on the “code integrity” ETW traces, and see if any events are reported for failing a code signature check. You might also try turning on loader snaps, and see if some message around a DLL binding error is spit out.

Jan

On 8/10/17, 9:53 AM, "xxxxx@lists.osr.com on behalf of xxxxx@gmail.com xxxxx@lists.osr.com" <xxxxx@lists.osr.com on behalf of xxxxx@gmail.com xxxxx@lists.osr.com> wrote:

> Thanks Jan and Tim for the quick responses.
>
> Jan, the service was getting launched and timed out. Actually, I have written a simple out-of-proc COM service without much functionality, and it was failing to find the AppId, which is resolved by manually creating it. I need to figure out why it is not being created by itself on registration.
>
> Tim, it was my bad, I did not mention the driver service, which I was able to create. I was only having the issue with the user mode service.
  Message 6 of 8  
11 Aug 17 11:29
W. D.
xxxxxx@gmail.com
Join Date: 12 Oct 2017
Posts To This List: 40
Protected process using elam

I don't know why, but WinDbg's 'Create Process' event filter is not working for me.

To have your service debugged in a kernel mode debugger, try to:

1) Install a VS 2015 template PNP driver on the target with DEVCON.EXE. A sample KMDF Kernel Mode Driver is good. The driver should have a device interface, and a default WDF queue with an IOCTL handler.
2) In the debugger, set a breakpoint on the driver's IOCTL handler.
3) Then in your SvcMain, have your service open a handle to the device and issue an IOCTL code.
4) If the debugger breaks in the context of the service (look at the stack), you can do step by step debugging of the service initialization. Just add another break after DeviceIoControl in the source window.

I remember that a Windows service based on the old Windows Service Sample below was hanging on startup:

https://msdn.microsoft.com/fr-fr/library/windows/desktop/bb540475(v=vs.85).aspx

But a Windows service based on the VS 2015 C# Windows Service template explained below was ok.

https://docs.microsoft.com/en-us/dotnet/framework/windows-services/walkthrough-creating-a-windows-service-application-in-the-component-designer

This was already discussed here:

http://www.osronline.com/showThread.CFM?link=284726
http://www.osronline.com/showThread.CFM?link=284667
  Message 7 of 8  
13 Aug 17 13:42
S B
xxxxxx@gmail.com
Join Date: 10 Jul 2015
Posts To This List: 11
Protected process using elam

Yes Jan, the process did start, but as it is a COM service and I was creating the service by the steps I mentioned above, which are required for the protected service, and not through the /service (servicename.exe /service) command, it was not creating the AppId. During the service start call, the process was starting, but as the AppId was not registered it was taking time to find it and was eventually timing out. After I created the AppId before start, it started working.

Thanks for all your help.
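
The checks suggested in message 5 (SCM state, code integrity events) and the root cause reported in message 7 (missing AppID), gathered into one triage script. This is an added example, not code from any poster in the thread. The service name is a placeholder, and the script assumes, as in the original CreateService call, that the display name equals the service name, because SCM event text carries the display name.

```powershell
# Added example, not from the thread. 'MyProtectedSvc' is a placeholder name.
param(
    [string]$ServiceName = 'MyProtectedSvc',
    [int]$LookbackMinutes = 30
)
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Protection level the SCM recorded (set via SERVICE_CONFIG_LAUNCH_PROTECTED).
$protection = (& sc.exe qprotection $ServiceName) -join ' '

# 2. SCM start failures in the window: 7000 (failed to start),
#    7009 (timeout waiting for the service to connect), 7011 (transaction timeout).
#    Filtering on message text assumes display name == service name.
$scmEvents = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009, 7011
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ServiceName*" })

# 3. Code Integrity events in the same window: a DLL rejected for not meeting
#    the protected process signing level is logged here.
$ciEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        StartTime = $since
    } -ErrorAction SilentlyContinue)

# 4. COM registration: a COM service needs an AppID key whose LocalService
#    value names the service. This was the missing piece in this thread.
$appIds = @(Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('LocalService') -eq $ServiceName })

[pscustomobject]@{
    Service             = $ServiceName
    Protection          = $protection
    ScmStartFailures    = $scmEvents.Count
    CodeIntegrityEvents = $ciEvents.Count
    AppIdRegistered     = ($appIds.Count -gt 0)
    AppIdKeys           = $appIds.PSChildName -join ', '
}

# Detail for whichever source recorded something.
$scmEvents | Format-List TimeCreated, Id, Message
$ciEvents  | Format-List TimeCreated, Id, Message
```

Run it from an elevated prompt right after a failed StartService. AppIdRegistered = False with no code integrity events points at the registration problem described above rather than at a signing failure.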
  Message 8 of 8  
13 Aug 17 13:44
S B
xxxxxx@gmail.com
Join Date: 10 Jul 2015
Posts To This List: 11
Protected process using elam

Thanks W.D. for providing the debugging steps.
All times are GMT -5.

Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license