nscp crashes when exexuting wmi query on Win32_Process

[Napsty]

Issue and Steps to Reproduce

Using the CheckWMI module and querying the Win32_Process class crashed NSClient when a non-existant process name (winsvc.exe in this case) is selected.

C:\Windows\system32>tasklist | find "winsvc.exe"

C:\Windows\system32>tasklist | find "cvd.exe"
cvd.exe                       2172 Services                   0  2'403'716 K

Using check_nrpe to remotely launch the WMI query on the Windows target:

 /usr/lib/nagios/plugins/check_nrpe -H target -c check_wmi -a 'query=select * from Win32_Process WHERE Name = "winsvc.exe"'

The same check works fine on processes which actually exist:

 /usr/lib/nagios/plugins/check_nrpe -H target -c check_wmi -a 'query=select * from Win32_Process WHERE Name = "cvd.exe"'
cvd.exe, "C:\Program Files\NetApp\SnapProtect\Base\cvd.exe" -vm Instance001, Win32_Process, 20190902153547.008440+120, Win32_ComputerSystem, TARGET, cvd.exe, C:\Program Files\NetApp\SnapProtect\Base\cvd.exe, <NULL>, 2172, 48298, <NULL>, 37437187500, 1380, 200, cvd.exe, Win32_OperatingSystem, Microsoft Windows Server 2016 Standard|C:\Windows|\Device\Harddisk0\Partition2, 75453751, 6676277184, 15498196, 19131736, 668, 19131828, 20082024448, 6393288, 8, 19590897664, 2172, 220, 1386, 223, 2654, 744970015, 762076784788, 0, <NULL>, <NULL>, 66, 11333629843750, 20046450688, 10.0.14393, 2458034176, 5860643, 4051235581

Update: Even a simpler query causes a crash:

 /usr/lib/nagios/plugins/check_nrpe -H target -c check_wmi -a 'query=select Name from Win32_Process WHERE ExecutionState = 3'

Expected Behavior

nscp should not crash

Actual Behavior

nscp crashed. From Windows event log:

Faulting application name: nscp.exe, version: 0.5.2.35, time stamp: 0x5a6e3357
Faulting module name: ntdll.dll, version: 10.0.14393.2969, time stamp: 0x5ccd148a
Exception code: 0xc0000374
Fault offset: 0x00000000000f7b43
Faulting process id: 0x3c44
Faulting application start time: 0x01d59ac6d79b2eeb
Faulting application path: C:\Program Files\NSClient++\nscp.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 18340547-c4f6-4b6b-89d0-e182fdb1c0a5
Faulting package full name: 
Faulting package-relative application ID: 

Details

• NSClient++ version: 0.5.2
• OS and Version: Windows Server 2016
• Checking from: command line
• Checking with: check_nrpe

Additional Details

NSClient++ log: Unfortunately nothing logged in nsclient.log

[h3o66]

Hi it seems like i have a simular problem with the latest version.

OS: Windows Server 2016 ver: 1607

Faulting application name: nscp.exe, version: 0.5.3.4, time stamp: 0x5ae2226f
Faulting module name: ntdll.dll, version: 10.0.14393.3241, time stamp: 0x5d786bef
Exception code: 0xc0000374
Fault offset: 0x00000000000f7a33
Faulting process id: 0x2694
Faulting application start time: 0x01d5a395d950959a
Faulting application path: C:\Program Files\NSClient++\nscp.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 948fb13b-ad02-4796-b68f-82a0078b35ed
Faulting package full name: 
Faulting package-relative application ID: 

[h3o66]

The crash as well seems to happen with the version 0.5.1.46.

But the version 0.5.0.62 does not seem to be affected.

[mintsoft]

@h3o66 Can you reproduce running https://github.com/mickem/nscp/releases/tag/0.5.2.41 or https://github.com/mickem/nscp/releases/tag/0.5.3.4 ?

[h3o66]

@h3o66 Can you reproduce running https://github.com/mickem/nscp/releases/tag/0.5.2.41 or https://github.com/mickem/nscp/releases/tag/0.5.3.4 ?

well I did already test the version 0.5.3.4 see comment: https://github.com/mickem/nscp/issues/643#issuecomment-558168299

[mintsoft]

@h3o66 Apologies, I totally missed that comment. Is this limited to 1 server or multiple?

I would think the issues are probably wmi related? Does the following powershell output anything weird?

get-wmiobject -query 'select * from Win32_Process WHERE Name = "winsvc.exe"'

[h3o66]

@h3o66 Apologies, I totally missed that comment. Is this limited to 1 server or multiple?

I would think the issues are probably wmi related? Does the following powershell output anything weird?

get-wmiobject -query 'select * from Win32_Process WHERE Name = "winsvc.exe"'

nothing wired with a single process query either if the process exists or not

[mintsoft]

@h3o66 Does it still crash if you do the same query from nscp test ?

Also, is there a WER/minidump for the crash (C:\ProgramData\Microsoft\Windows\WER\ReportQueue\)?

It absolutely doesn't crash for me on either Server 2012R2 or Server 2019; have you tried lodctr /R as a hail mary ?