Geek Answers Handbook

How does a process crash in Windows-7 without getting a WER dialog?

Is it possible to crash normal user mode in Windows 7 without getting the Windows Error Reporting dialog box? (When and if WER is normally enabled and special flags are not applied.)

Note: I am not interested in disabling WER , I am interested in crash scenarios where WER is not running, although it should > and Windows silently terminates the application.

In Windows XP, it’s quite simple to write a C or C ++ application (in user mode) that spoils its own address space in such a way that when an access violation (or other unhandled Win32 exception) is violated, Windows XP will simply silently terminate the process without informing the user generally:

... void stackbreaker() { printf("%s\n", __FUNCTION__); // global/static buffer static char buf[128] = "In a hole in the ground there lived a hobbit. And it burrowed through your stack. It even built a round door into you function."; // Get address on the stack char local; char* stack = &local; // nuke the stack: memcpy(stack - 64, buf, sizeof(buf)); // Kaboom. No user defined unhandled exception filter will be called. Stack nuked. // Process will terminate silently on Windows XP. // But on Windows-7 you still get the WER dialog. } ...

The call of the above function in a simple C ++ project (in the release mode - follow the compiler optimization during testing - and do not start under the debugger) will:

  • Typically complete the process under XP.
  • Display the WER failure dialog box under Windows-7.
  • Also: under no circumstances call your own unhandled exception filter, even if you set it through SetUnhandledExceptionFilter

Now I'm wondering if the Windows 7 WER mechanism will be implemented in such a way that I always get a dialog box with an error for crash [a] in my application or are there scenarios of process corruption even in Windows 7, which will prevent the WER dialog from appearing?

I will add a little reading:

In the Windows book via C / C ++ (5th from Richter, Nasarr) they describe what happens in the “Crash Process” (p 711):

  • Exceptional filters.
  • ...
  • ...
  • kernel detects unhandled exception
  • ALPC call blocking for Wer Service
  • The WER report is launched.
  • ...

Now they indicate that Win7 does this differently than Windows XP (to quote this book p. 710 :)

... Starting with Windows Vista, the UnhandledExceptionFilter function no longer sends an error report to MS servers. Instead. The kernel detects that the exception is not handled by the user-mode thread (step 4) ...

Thus, this implies that the process does not crash at all — in Vista and later — in such a way as to prevent WER from entering. I am trying to confirm or refute this.

[a]: Obviously, the process can be easily "killed" without any trace by calling one of the various *exit or terminate* functions. The question is that, if you can eliminate such a reason for termination, (how), it is possible to “knock out” the user mode process on Win7 in such a way as to prevent the WER dialog from being displayed.

+8
windows-7 visual-c ++ winapi unhandled-exception windows-error-reporting
source share
2 answers

I took a look at my release of Windows Internals, but there is not much to say about this. In earlier versions, the Windows error message handling procedure took place in the context of a thread failure. This means that if the stack is broken (as in your example), it may not work.

In Vista and later, it starts externally in a thread failure. In addition, the kernel itself is responsible for notifying the WER when a process crashes (through an extended local procedure call).

According to internal Windows docs, these changes fix the extinction issue. I can only take them for it. Obviously, if the WER service itself is corrupted (or stopped), you will still be silent.

EDIT

In Windows Internals, 5th Edition, p. 122:

Prior to Windows Vista, all the [WER] operations we described should have occurred in the context of a thread failure ... In some types of failures ... the processed exception filter itself. This "silent death of the process" was not registered anywhere .... Windows Vista and later versions improved the WER mechanism by doing this work from the outside of the crashed thread if the filter of unhandled exceptions fails.

Page 124:

... all Windows processes now have an error port, which is actually an ALPC port object registered by the WER service. The kernel ... will use this port to send a message to the WER service, which will then analyze the failure process .... This solves all the silence problems of the death process ...

+4
source share

You already know how the process crashes, so I am responsible for hiding the WER dialog.
A way to hide the WER dialog with Windows XP:

 UINT WINAPI SetErrorMode(_In_ UINT uMode);

SEM_NOGPFAULTERRORBOX 0x0002 The system does not display the Windows Error Reporting dialog box.

Please note that there are also other reasons for the error dialogs, and you can also turn them off using this function, check the documentation for more information.

Also, since Windows 7:

 BOOL SetThreadErrorMode( _In_ DWORD dwNewMode, _Out_ LPDWORD lpOldMode );

Some programs and dlls use these functions to hide errors from the user.

+2
source share

More articles:


All Articles