A customer’s program has a plug-in model. They already run the plug-ins in a separate process, but they wanted to understand, among other things, whether any of those plug-ins in turn launch child processes of their own. This would help them evaluate ideas for improving their plug-in model and reach out to plug-in authors who may be affected. They asked for ideas on how they could instrument this.<\/p>\n
One of the things they considered was patching the import address table for all of the Better is not to do either of these things.<\/p>\n Instead, you can put the plug-in host process in a job object, and then monitor the job object. Specifically, job objects will queue the So let’s demonstrate this. We start with the existing Little Program that creates a job object and listens for completions<\/a> and listen for the additional completions.<\/p>\n The original program checked only for Left as an exercise (for further diagnostics) is using the process ID to get information like the path to the process. Note that there is a race condition if the process is very short-lived and exits before you can get any information from it.<\/p>\n","protected":false},"excerpt":{"rendered":" You can ask a job object to keep track for you.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-111216","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":" You can ask a job object to keep track for you.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/111216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=111216"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/111216\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=111216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=111216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=111216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Create\u00adProcess*<\/code> functions so they could intercept attempts to create a child process. Another thing they considered was using the existing Detours library. They asked which method was better.<\/p>\nJOB_JOB_JOB_#define UNICODE\r\n#define _UNICODE<\/a>\r\n#define STRICT\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <atlbase.h>\r\n#include <atlalloc.h>\r\n#include <shlwapi.h>\r\n\r\nint __cdecl wmain(int argc, PWSTR argv[])\r\n{\r\n CHandle Job(CreateJobObject(nullptr, nullptr));\r\n if (!Job) {\r\n wprintf(L\"CreateJobObject, error %d\\n\", GetLastError());\r\n return 0;\r\n }\r\n\r\n\r\n CHandle IOPort(CreateIoCompletionPort(INVALID_HANDLE_VALUE,\r\n nullptr, 0, 1));\r\n if (!IOPort) {\r\n wprintf(L\"CreateIoCompletionPort, error %d\\n\",\r\n GetLastError());\r\n return 0;\r\n }\r\n\r\n\r\n JOBOBJECT_ASSOCIATE_COMPLETION_PORT Port;\r\n Port.CompletionKey = Job;\r\n Port.CompletionPort = IOPort;\r\n if (!SetInformationJobObject(Job,\r\n JobObjectAssociateCompletionPortInformation,\r\n &Port, sizeof(Port))) {\r\n wprintf(L\"SetInformation, error %d\\n\", GetLastError());\r\n return 0;\r\n }\r\n\r\n\r\n PROCESS_INFORMATION ProcessInformation;\r\n STARTUPINFO StartupInfo = { sizeof(StartupInfo) };\r\n PWSTR CommandLine = PathGetArgs(GetCommandLine());\r\n\r\n\r\n if (!CreateProcess(nullptr, CommandLine, nullptr, nullptr,\r\n FALSE, CREATE_SUSPENDED, nullptr, nullptr,\r\n &StartupInfo, &ProcessInformation)) {\r\n wprintf(L\"CreateProcess, error %d\\n\", GetLastError());\r\n return 0;\r\n }\r\n\r\n\r\n if (!AssignProcessToJobObject(Job,\r\n ProcessInformation.hProcess)) {\r\n wprintf(L\"Assign, error %d\\n\", GetLastError());\r\n return 0;\r\n }\r\n\r\n\r\n ResumeThread(ProcessInformation.hThread);\r\n CloseHandle(ProcessInformation.hThread);\r\n CloseHandle(ProcessInformation.hProcess);\r\n\r\n\r\n DWORD CompletionCode;\r\n ULONG_PTR CompletionKey;\r\n LPOVERLAPPED Overlapped;\r\n\r\n while (GetQueuedCompletionStatus(IOPort, &CompletionCode, <\/span>\r\n &CompletionKey, &Overlapped, INFINITE)) { <\/span>\r\n if ((HANDLE)CompletionKey == Job) { <\/span>\r\n if (CompletionCode == JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO) { <\/span>\r\n break; \/\/ all processes have exited - done <\/span>\r\n } else if (CompletionCode == JOB_OBJECT_MSG_NEW_PROCESS) { <\/span>\r\n wprintf(L\"Process %d created\\n\", PtrToInt(Overlapped)); <\/span>\r\n } else if (CompletionCode == JOB_OBJECT_MSG_EXIT_PROCESS) { <\/span>\r\n wprintf(L\"Process %d exited\\n\", PtrToInt(Overlapped)); <\/span>\r\n } else if (CompletionCode == JOB_OBJECT_MSG_ABNORMAL_NEW_PROCESS) {<\/span>\r\n wprintf(L\"Process %d exited abnormally\\n\", PtrToInt(Overlapped));<\/span>\r\n } <\/span>\r\n } <\/span>\r\n } <\/span>\r\n\r\n wprintf(L\"All done\\n\");\r\n\r\n return 0;\r\n}\r\n<\/pre>\n
JOB_