Windows doesn't write crash dumps for a process with low integrity level

I configured Windows to put crash dumps of my apps into a specific directory (via the LocalDumps registry key - I have DumpType=2).

When I run my app from Task Scheduler with the flag "Run with highest privileges", and it creates a child process with "low integrity level", and this low integrity level process crashes, there are no crash dumps in the directory for this process.

It happens only under these conditions: "Run with highest privileges" and "low integrity level". If I change anything in these conditions, dumps are created successfully.

How can I force Windows to save such crash dumps?

These are the results of my 'research':

When a usermode application crashes, the OS creates a WerFault.exe process for the crashed process to handle it according to the configuration in the registry. It is created like this (for x86 apps, WerFault from SysWOW64 is called): C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 60, where -p is the PID of the crashed process (-u means that a usermode app crashed, and what -s is I don't know).

In WerFault.exe there is the following chain of function calls:

_wmain()
    UserCrashMain()
        OpenProcess()

In OpenProcess(), WerFault.exe tries to open the crashed process.

And in this particular case ("Run with highest privileges" for parent and "low integrity level" for crashed child), OpenProcess() returns an error and GetLastError returns 5 - ERROR_ACCESS_DENIED - and WerFault.exe finishes with exit code 0x80004005 - Unspecified error.

So, I think it's a bug in Windows, because in other cases dumps are always created.
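
One way to repeat the access check described in the post outside WerFault.exe, as an added example that is not part of the original post: the script prints the LocalDumps settings that apply to the target executable, then calls OpenProcess on its PID and reports the GetLastError value. `ProcProbe`, `TryOpen` and `$TargetPid` are hypothetical names, and the access masks tried are assumptions, since the post does not say which rights WerFault.exe requests.

```powershell
# Added diagnostic sketch, not code from the original post.
param([Parameter(Mandatory)][uint32]$TargetPid)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class ProcProbe {   // hypothetical helper name
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    // Returns 0 on success, otherwise the GetLastError() value.
    public static int TryOpen(uint pid, uint access) {
        IntPtr h = OpenProcess(access, false, pid);
        if (h == IntPtr.Zero) return Marshal.GetLastWin32Error();
        CloseHandle(h);
        return 0;
    }
}
'@

# 1. LocalDumps settings: the global key, then the per-application subkey.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$exe  = (Get-Process -Id $TargetPid -ErrorAction Stop).Name + '.exe'
foreach ($key in $base, (Join-Path $base $exe)) {
    if (Test-Path $key) {
        Get-ItemProperty $key |
            Select-Object PSPath, DumpFolder, DumpType, DumpCount | Format-List
    } else {
        "No LocalDumps key at $key"
    }
}

# 2. Try OpenProcess with increasing access masks (values from winnt.h).
#    Which mask WerFault.exe itself requests is an assumption, so several are tried.
$masks = [ordered]@{
    'PROCESS_QUERY_LIMITED_INFORMATION'           = 0x1000
    'PROCESS_QUERY_INFORMATION | PROCESS_VM_READ' = 0x0410
    'PROCESS_ALL_ACCESS'                          = 0x1FFFFF
}
foreach ($name in $masks.Keys) {
    $err = [ProcProbe]::TryOpen($TargetPid, [uint32]$masks[$name])
    $msg = if ($err) { (New-Object ComponentModel.Win32Exception $err).Message } else { 'OK' }
    '{0,-45} -> {1} ({2})' -f $name, $err, $msg
}
```

Run it from the security context being tested while the low integrity child is still alive; a result of 5 is the ERROR_ACCESS_DENIED the post reports.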
