ramensoftware / windhawk

The customization marketplace for Windows programs: https://windhawk.net/
GNU General Public License v3.0

No mods work due to SentinelOne antivirus incompatibility #79

Closed NaimChabs closed 8 months ago

NaimChabs commented 1 year ago

Hello, I just installed Windhawk on my domain computer. I'm admin on it. When launching Windhawk and selecting my mods, nothing happens. Here is the log from DebugView:

00000001 0.00000000 [7972] [WH] [AllProcessesInjector::InjectIntoNewProcesses]: Error handling a new process 9156: engine\dll_inject.cpp(311)\windhawk.dll!7434972B: (caller: 7434673C) Exception(1) tid(1d0c) 80070005 Accès refusé.
00000002 0.00000000 [7972] [WH] [AllProcessesInjector::InjectIntoNewProcesses]: Error handling a new process 8916: engine\all_processes_injector.cpp(286)\windhawk.dll!743467C8: (caller: 74345C30) Exception(2) tid(1d0c) 80070005 Accès refusé.
00000003 0.00000000 **
00000004 0.00001080 This break indicates this binary is not signed correctly: \Device\HarddiskVolume3\Program Files\Windhawk\Engine\1.3.1\64\windhawk.dll
00000005 0.00001230 and does not meet the system policy.
00000006 0.00001570 The binary was attempted to be loaded in the process: \Device\HarddiskVolume3\Windows\System32\dllhost.exe
00000007 0.00001710 This is not a failure in CI, but a problem with the failing binary.
00000008 0.00001850 * Please contact the binary owner for getting the binary correctly signed.
00000009 0.00002000 **
00000010 0.00750820 [13200] [WH] ERR: 00000241

Thanks for your help.

m417z commented 1 year ago

Which mods have you tried? Can you try the Slick Window Arrangement mod, which works for all Windows versions and environments? Also, do you have an antivirus installed? It could be that your antivirus blocks Windhawk and prevents it from injecting code into other programs.

NaimChabs commented 1 year ago

Hello, I tried "Taskbar Labels for Windows 11" and "Taskbar Volume Control"

Slick Window Arrangement doesn't work either.

I do have a third-party antivirus, but I checked and it didn't say anything was blocked since launch. I will try disabling it.

m417z commented 1 year ago

Can you also post verbose logs? First, run DebugView as administrator, and enable Capture -> Capture Global Win32. Then, in Windhawk, go to settings, then "More advanced settings", then change both verbosity values to "Verbose" and save. Windhawk will be restarted. After Windhawk is restarted, copy the logs from DebugView and post them here.

antonmantula commented 1 year ago

Hello, m417z. Taskbar icon size mod is unloaded. What could be the reason?

m417z commented 1 year ago

@antonmantula please open a new issue in the windhawk-mods repo. Include debug logs as follows:

sck6162 commented 1 year ago

I have the same problem, I believe it is due to the Win11 update, because everything happened after I updated it.

All mods that change the taskbar have the same error

DebugViewConsole 1.8.0.102
Listening for OutputDebugString messages...
15:38:36.227 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::ModDebugLoggingScope]: >>> Entering LoadedMod::LoadedMod
15:38:36.227 4576 explorer.exe  [WH] [LoadedMod::LoadedMod]: Windhawk v1.3.1
15:38:36.227 4576 explorer.exe  [WH] [LoadedMod::LoadedMod]: Mod id: taskbar-thumbnail-reorder
15:38:36.227 4576 explorer.exe  [WH] [LoadedMod::LoadedMod]: Mod version: 1.0.3
15:38:36.230 4576 explorer.exe  [WH] [LoadedMod::LoadedMod]: Mod base address: 00007FFAB87E0000
15:38:36.230 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::~ModDebugLoggingScope]: <<< Exiting LoadedMod::LoadedMod
15:38:36.230 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::ModDebugLoggingScope]: >>> Entering LoadedMod::Initialize
15:38:36.230 4576 explorer.exe  [WH] [taskbar-thumbnail-reorder] [868:Wh_ModInit]: >
15:38:36.230 4576 explorer.exe  [WH] [taskbar-thumbnail-reorder] [658:GetWindowsVersion]: Version: 10.0.22621.1776
15:38:36.230 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::ModDebugLoggingScope]: >>> Entering LoadedMod::GetIntSetting
15:38:36.231 4576 explorer.exe  [WH] [LoadedMod::GetIntSetting]: valueName: oldTaskbarOnWin11
15:38:36.231 4576 explorer.exe  [WH] [LoadedMod::GetIntSetting]: valueNameFormatted: oldTaskbarOnWin11
15:38:36.231 4576 explorer.exe  [WH] [LoadedMod::GetIntSetting]: value: 0
15:38:36.231 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::~ModDebugLoggingScope]: <<< Exiting LoadedMod::GetIntSetting
15:38:36.231 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::ModDebugLoggingScope]: >>> Entering LoadedMod::GetStringValue
15:38:36.231 4576 explorer.exe  [WH] [LoadedMod::GetStringValue]: valueName: symbol-cache-taskbar.dll
15:38:36.231 4576 explorer.exe  [WH] [LoadedMod::GetStringValue]: value: 
15:38:36.231 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::~ModDebugLoggingScope]: <<< Exiting LoadedMod::GetStringValue
15:38:36.231 4576 explorer.exe  [WH] [taskbar-thumbnail-reorder] [820:HookSymbols]: Couldn't resolve all symbols from cache
15:38:36.231 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::ModDebugLoggingScope]: >>> Entering LoadedMod::FindFirstSymbol2
15:38:36.231 4576 explorer.exe  [WH] [LoadedMod::FindFirstSymbol2]: Module: 00007FFA9E790000
15:38:36.231 4576 explorer.exe  [WH] [LoadedMod::FindFirstSymbol2]: Path: C:\Windows\System32\Taskbar.dll
15:38:36.231 4576 explorer.exe  [WH] [LoadedMod::FindFirstSymbol2]: Version: 10.0.22621.1776
15:38:36.233 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  BYINDEX: 0x1
15:38:36.233 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  UNC: C:\ProgramData\Windhawk\Engine\Symbols\Taskbar.pdb\5EAE082B258556908CC9E15364F8561A1\Taskbar.pdb - path not found
15:38:36.234 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  UNC: C:\ProgramData\Windhawk\Engine\Symbols\Taskbar.pdb\5EAE082B258556908CC9E15364F8561A1\Taskbar.pd_ - path not found
15:38:36.234 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  UNC: C:\ProgramData\Windhawk\Engine\Symbols\Taskbar.pdb\5EAE082B258556908CC9E15364F8561A1\file.ptr - path not found
15:38:36.234 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  HTTPGET: /download/symbols/index2.txt
15:38:38.378 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
15:38:38.378 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  HTTPGET: /download/symbols/Taskbar.pdb/5EAE082B258556908CC9E15364F8561A1/Taskbar.pdb
15:38:38.800 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
15:38:38.801 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  HTTPGET: /download/symbols/Taskbar.pdb/5EAE082B258556908CC9E15364F8561A1/Taskbar.pd_
15:38:39.207 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
15:38:39.207 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  HTTPGET: /download/symbols/Taskbar.pdb/5EAE082B258556908CC9E15364F8561A1/file.ptr
15:38:39.609 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
15:38:39.610 4576 explorer.exe  [WH] [`anonymous-namespace'::LogSymbolServerEvent]: SYMSRV:  RESULT: 0x80190194
15:38:39.617 4576 explorer.exe  [WH] [LoadedMod::LogFunctionError]: Mod taskbar-thumbnail-reorder error: engine\symbol_enum.cpp(197)\windhawk.dll!00007FFA850AD0BE: (caller: 00007FFA8509AE92) Exception(3) tid(3fe0) 806D0005 
15:38:39.617 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::~ModDebugLoggingScope]: <<< Exiting LoadedMod::FindFirstSymbol2
15:38:39.617 4576 explorer.exe  [WH] [taskbar-thumbnail-reorder] [825:HookSymbols]: Wh_FindFirstSymbol failed
15:38:39.617 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::~ModDebugLoggingScope]: <<< Exiting LoadedMod::Initialize
15:38:39.617 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::ModDebugLoggingScope]: >>> Entering LoadedMod::~LoadedMod
15:38:39.617 4576 explorer.exe  [WH] [`anonymous-namespace'::ModDebugLoggingScope::~ModDebugLoggingScope]: <<< Exiting LoadedMod::~LoadedMod

m417z commented 1 year ago

@sck6162 You're using a release preview build (10.0.22621.1776), and Microsoft didn't upload the relevant symbols for this build. They might upload them in the future, or perhaps they skipped it for some reason, I don't know. Generally, it's best to avoid preview builds with Windhawk (and other similar customization tools) to have better compatibility and avoid conflicts.

NaimChabs commented 1 year ago

Can you also post verbose logs? First, run DebugView. Then, in Windhawk, go to settings, then "More advanced settings", then change both verbosity values to "Verbose" and save. Windhawk will be restarted. After Windhawk is restarted, copy the logs from DebugView and post them here.

Hello, here are the logs:

00000001 0.00000000 [17028] [WH] [`anonymous-namespace'::Run]: Running Windhawk daemon
00000002 0.20422021 [21884] [WH] [`anonymous-namespace'::Run]: Starting service and running UI
00000003 0.29316181 [13492] [WH] LL
00000004 0.29335409 [16196] [WH] LL
00000005 0.29393020 [13492] [WH] GPA
00000006 0.29401740 [13492] [WH] II
00000007 0.29414961 [16196] [WH] GPA
00000008 0.29417431 [16196] [WH] II
00000009 0.29492569 [13492] [WH] [InjectInit]: Running InjectInit
00000010 0.29505771 [16196] [WH] [InjectInit]: Running InjectInit
00000011 0.29924059 [16092] [WH] LL
00000012 0.31509721 [16092] [WH] ERR: 00000241
00000013 0.32181460 [20364] [WH] LL
00000014 0.32311451 [20364] [WH] GPA
00000015 0.32325479 [20364] [WH] II
00000016 0.32431471 [20364] [WH] [InjectInit]: Running InjectInit
00000017 0.38436961 [2868] [WH] [`anonymous-namespace'::Run]: Running Windhawk daemon
00000018 0.40196940 [2868] [WH] [CMainWindow::OnIdle]: Detected 0 explorer crashes

m417z commented 1 year ago

@NaimChabs There are no errors in the log, but the list of processes that Windhawk detected is unusually small. You can look at Task Manager for PIDs to check which processes these are: 13492, 16196, 16092, 20364. PIDs can be seen in the Details tab.

I still suspect that your antivirus is silently preventing Windhawk from injecting code into other processes. Which antivirus are you using? Can you turn it off temporarily to check this theory?

abbeyj commented 1 year ago

I believe that I'm experiencing the same (or similar) issue as @NaimChabs. My logs look like this:

00000001    0.00000000  [17004] [WH] [`anonymous-namespace'::Run]: Restarting app   
00000002    0.00646350  [17004] [WH] [`anonymous-namespace'::WaitForRunningProcessesToTerminate]: QueryFullProcessImageName for 4 (System) failed with error 0x8007001F 
00000003    0.00671760  [17004] [WH] [`anonymous-namespace'::WaitForRunningProcessesToTerminate]: QueryFullProcessImageName for 204 (Secure System) failed with error 0x8007001F    

... snip ...

00000025    0.00891020  [18556] [WH] [CustomizationSession::Run]: Exiting engine thread wait loop   
00000026    0.00894120  [16348] [WH] [CustomizationSession::Run]: Exiting engine thread wait loop   

... snip ...

00000035    0.00958730  [18556] [WH] II: 1  

... snip ...

00000038    0.00975210  [16348] [WH] II: 1  

... snip ...

00000130    0.02230210  [17004] [WH] [`anonymous-namespace'::WaitForRunningProcessesToTerminate]: OpenProcess for 19256 (svchost.exe) failed with error 5   
00000131    0.02235050  [17004] [WH] [`anonymous-namespace'::WaitForRunningProcessesToTerminate]: OpenProcess for 21356 (WmiPrvSE.exe) failed with error 5  
00000132    0.02244990  [17004] [WH] [`anonymous-namespace'::WaitForRunningProcessesToTerminate]: Waiting for 11 processes  
00000133    0.22802900  [13860] [WH] LL 
00000134    0.24073800  [18556] [WH] LL 
00000135    0.24116610  [18556] [WH] GPA    
00000136    0.24117570  [18556] [WH] II 
00000137    0.24144439  [16348] [WH] LL 
00000138    0.24148320  [18556] [WH] [InjectInit]: Running InjectInit   
00000139    0.24194400  [16348] [WH] GPA    
00000140    0.24221200  [16348] [WH] II 
00000141    0.24246711  [16348] [WH] [InjectInit]: Running InjectInit   
00000142    0.24361210  [13860] [WH] ERR: 00000241  
00000143    1.72970855  [6016] [WH] [`anonymous-namespace'::Run]: Running Windhawk daemon   
00000144    1.74848235  [6016] [WH] [CMainWindow::OnIdle]: Detected 0 explorer crashes  

Of the PIDs listed above:

6016 - the "windhawk.exe -tray-only" process
13860 - dllhost.exe (running as my username), which was launched from svchost.exe (running as "NT AUTHORITY\SYSTEM")
16348 - mmc.exe with eventvwr.msc loaded
18556 - mmc.exe with services.msc loaded

Antivirus is SentinelOne. I am unfortunately unable to disable it for testing.

According to the DLLs view in Process Explorer, windhawk.dll is getting successfully injected into the two mmc.exe processes. It is not showing up in the dllhost.exe process or in any other process that I can find.

When enabling "Slick Window Arrangement" it takes effect only for the mmc.exe processes and no others. Dragging one of those windows will snap against other existing windows. Dragging the window of another process will not snap against anything.

m417z commented 1 year ago

@abbeyj There are no errors in the log, so I suspect that SentinelOne quietly prevents Windhawk from injecting code into most processes. I'm not sure what's special about dllhost.exe and mmc.exe, modern AV/EDR heuristics can be quite complex. In any case, Windhawk can't do much about it. You can try contacting SentinelOne and asking whether something can be done from their end to allow some or all of Windhawk's code injection activity.

One thing you can try is limiting Windhawk to specific processes in the advanced settings. Perhaps it will make it seem less suspicious to SentinelOne.

abbeyj commented 1 year ago

I tried setting exclude=* and include=explorer.exe but this did not help. I can try contacting SentinelOne but I'm not too hopeful that they'll do anything about this.

For explorer.exe specifically I believe there are documented, supported ways to get a .dll loaded, e.g. as a shell extension. Since many of the Windhawk mods only need to apply to explorer.exe, could this be a way to get at least those to work?

m417z commented 1 year ago

Theoretically, that would be possible, but it's not implemented in Windhawk, and it's not a trivial feature to add. Also, there's no guarantee that SentinelOne will let that one run.

Since the mods are open source, you're welcome to try and port one of them to run as part of a shell extension or a similar explorer-specific component and see how it goes.

abbeyj commented 1 year ago

I was able to temporarily disable SentinelOne for testing. This produced a lot of additional messages in the debug log, mostly for the mod slick-window-arrangement starting up in multiple processes. Now slick-window-arrangement is working better than before, affecting the windows of multiple programs (but not all).

Unfortunately it seems that this still hasn't fixed the problem with explorer.exe. No mods start up under explorer.exe, not even slick-window-arrangement.

The full log is quite big so I don't want to paste it here directly. Here is a gist instead: https://gist.github.com/abbeyj/7cbc8b10e209ebb9be65a48db121004f

The PID of the explorer.exe shell was 13752 during this time. It doesn't appear in the log.

The processes with exceptions (10600, 19416, 20232, 21216, 21228, 21468) are all firefox.exe subprocesses. I'm assuming that they are probably not relevant here.

m417z commented 1 year ago

I think that some logs are missing, specifically the Windhawk service logs. That was also probably the case in the logs in previous comments here. Can you please enable global logs and repeat the log collection?

The processes with exceptions (10600, 19416, 20232, 21216, 21228, 21468) are all firefox.exe subprocesses. I'm assuming that they are probably not relevant here.

These are probably sandboxed renderer processes. Windhawk is able to inject code into them if they're started while Windhawk is already running, but not if they're already running when Windhawk is started. In any case, they're not relevant for slick-window-arrangement and for most other mods.

abbeyj commented 1 year ago

I took the code from https://m417z.com/Implementing-Global-Injection-and-Hooking-in-Windows/ and ran it in a debugger and I think I see where things are failing.

SentinelOne is adding some data to attempt to harden against common code injection attacks. It adds 13 new entries to the beginning of the export table for kernel32.dll. These are all nonsense names but they look designed to have hash collisions with other functions. For example, the first name is "0R\"\na$" and hash("0R\"\na$") == hash("OutputDebugStringA") == 0x470D22BC.

The code in InjectShellcode (https://github.com/m417z/global-inject-demo/blob/608f007e9e0566b340ac2e6684bf2001106cca57/global-inject-lib/inject-shellcode/main.cpp#L193) gets confused. It finds a hash matching OutputDebugStringA and decrements usCounter. Then later on it finds a second hash matching OutputDebugStringA (the real entry this time) and decrements usCounter again. But now usCounter is too low, since it has only actually found one function but has decremented the counter twice. This means it exits the loop early, before it has actually found all functions. The functions that are at the end of the table (e.g. VirtualFree) never get a chance to be looked up and remain null pointers. Then, since some pointers are still null after the loop, InjectShellcode bails out and returns pVirtualFree (which in this case is NULL).

I can think of several ways to try to deal with this:

For the early return at https://github.com/m417z/global-inject-demo/blob/608f007e9e0566b340ac2e6684bf2001106cca57/global-inject-lib/inject-shellcode/main.cpp#L362 would it make sense to log an error message if OutputDebugStringA has been found but some of the other functions are missing? As it is right now there is nothing logged in this case so the thread quits but there is no indication in the logs of what went wrong.

m417z commented 1 year ago

That's a great analysis, thanks! The shellcode is based on the ReflectiveDLLInjection project: https://github.com/stephenfewer/ReflectiveDLLInjection/blob/master/dll/src/ReflectiveLoader.c

And while I didn't like the idea of using hashes when I saw it, as accidental collisions could theoretically occur, I decided to use it as it's commonly used, and I didn't see people reporting collisions or complaining. I didn't think about having someone creating deliberate collisions, but that's just another reason to stop using hashes.

I lean towards changing the implementation to do an exact string match. And using OutputDebugStringA at the first error if it's available is also a good idea, I'll add that, thanks.
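A Python simulation of the lookup bug abbeyj describes and of the exact-match fix m417z leans towards, added here as an illustration; it is not Windhawk's or global-inject-demo's code. The ROR-13 hash is the real ReflectiveLoader scheme; the collision itself is shown with a constructed weak hash and a constructed decoy name (the page's specific ROR-13 collision is not reproduced), and "addresses" are stand-in indices into the export name table.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Exports the shellcode needs; VirtualFree last, as in the page's analysis.
WANTED = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
          "OutputDebugStringA", "VirtualFree"]


def ror13_hash(name: str) -> int:
    """ROR-13 export-name hash as used by ReflectiveLoader: 32-bit state,
    rotate right by 13 then add one byte, per character."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def bytesum_hash(name: str) -> int:
    """Deliberately weak, order-insensitive stand-in hash (constructed for
    this demo) so a colliding decoy can be written by hand: any permutation
    of a target name collides. A real ROR-13 collision is not built here."""
    return sum(name.encode("ascii")) & 0xFFFF


def resolve_by_hash(exports: List[str], wanted: List[str],
                    hash_fn: Callable[[str], int]) -> Dict[str, Optional[int]]:
    """The loop as the page describes it: every hash match stores the entry's
    address and decrements the counter, so a decoy colliding with a wanted
    name consumes one count and the loop ends before the table's tail."""
    targets = {hash_fn(n): n for n in wanted}
    resolved: Dict[str, Optional[int]] = {n: None for n in wanted}
    counter = len(wanted)
    for addr, export_name in enumerate(exports):
        if counter == 0:
            break
        h = hash_fn(export_name)
        if h in targets:
            resolved[targets[h]] = addr  # overwritten if the real entry comes later
            counter -= 1                 # decremented for the decoy as well
    return resolved


def resolve_by_name(exports: List[str],
                    wanted: List[str]) -> Dict[str, Optional[int]]:
    """Exact string comparison: a decoy can only collide on a hash, never on
    the full name, so it is simply skipped and no count is consumed."""
    resolved: Dict[str, Optional[int]] = {n: None for n in wanted}
    for addr, export_name in enumerate(exports):
        if export_name in resolved and resolved[export_name] is None:
            resolved[export_name] = addr
    return resolved


def check_resolution(resolved: Dict[str, Optional[int]]) -> Tuple[bool, str]:
    """Mirrors the early return at main.cpp#L362 plus abbeyj's suggestion:
    if OutputDebugStringA resolved but other names did not, report which
    names are missing instead of failing silently."""
    missing = [n for n, a in resolved.items() if a is None]
    if not missing:
        return True, ""
    if resolved.get("OutputDebugStringA") is not None:
        return False, "unresolved exports: " + ", ".join(missing)
    return False, ""  # nothing to log with; silent failure as before


# Constructed export name table. A real table is sorted by name and the decoy
# sorts first; the decoy is a permutation of "OutputDebugStringA", so it
# collides under bytesum_hash the way the page describes for ROR-13.
DECOY = "AgnirtSgubeDtuptuO"
EXPORTS = [DECOY, "CreateFileA", "ExitProcess", "GetProcAddress",
           "LoadLibraryA", "OutputDebugStringA", "VirtualAlloc", "VirtualFree"]

if __name__ == "__main__":
    buggy = resolve_by_hash(EXPORTS, WANTED, bytesum_hash)
    print("hash lookup:", buggy, check_resolution(buggy))
    fixed = resolve_by_name(EXPORTS, WANTED)
    print("name lookup:", fixed, check_resolution(fixed))
```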

NaimChabs commented 1 year ago

Hello, sorry for not giving a response, I was not in the office. It turns out that I also use the antivirus SentinelOne, so it seems to be the potential source of the problem.

ted1030 commented 11 months ago

Is there any update for this issue? I also encountered the issue because my company's laptops have been forcefully installed with SentinelOne.

m417z commented 10 months ago

I reworked the shellcode to avoid hashes altogether, the new implementation will be included in the next version. If you have SentinelOne and would like to test it before the release, please email me.

m417z commented 8 months ago

The incompatibility with SentinelOne should now be fixed in version 1.4.

Aleksanderis commented 8 months ago

Sadly it still doesn't work for me - it just does nothing. I have SentinelOne, which is handled by the organization, so I cannot disable it even temporarily.

My Windows 11 was also updated to version 23H2 two days ago - could that be another reason for the incompatibility? This update is quite big and includes things like the old Windows 10 feature to disable "combine buttons in the taskbar". More details about the features: https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-11-version-23h2 Sadly I wasn't able to test it before this 23H2 update. :(

I have the following Windhawk mods installed:

m417z commented 8 months ago

@Aleksanderis Unfortunately, I don't have an environment with SentinelOne, so I can't test it, but I sent the fix to one of the users and they confirmed that the fix worked.

The 23H2 update wouldn't cause all of your listed mods to cease working, it must be something else. All four mods rely on symbols, can you try another mod, for example Slick Window Arrangement, and check whether it works?

If it doesn't, please collect and post verbose logs: https://github.com/ramensoftware/windhawk/issues/79#issuecomment-1541898005

Aleksanderis commented 8 months ago

I left it over the weekend and on Monday, all of a sudden, it started to work. 🤷‍♂️ However, while testing I was trying to move the Windhawk folder to different locations - to/from "Program Files" (because the "Program Files" folder is treated differently in Windows/SentinelOne). Eventually it was working from neither location (although from "Program Files" it needed "Run as admin"), but while moving the folder I noticed that Windhawk was locked by some processes; it looked like it wasn't able to fully unload itself from the modules where it was injected (even after disabling all extensions).

There were different Windows-related processes (like ShellExperienceHost.exe, backgroundTask.exe), etc. One of these processes was also git.exe, spawned by Windhawk, which remained open after quitting Windhawk. Why is it needed? For update checking? Or for something else?

But.. there were more serious blockers for which I guess I need to create a separate issue. When Windhawk is running, even with all extensions disabled - it breaks many other Windows 11 explorer-related things. Like searching: pressing 'win' and typing for example "settings" - it gets stuck. Or another thing - emoji UI doesn't open (win+. combination). Are these known issues (it can be related to 23H2 update), or should I create a separate issue?

m417z commented 8 months ago

while moving the folder I noticed that Windhawk was locked by some processes, looked like it wasn't able to fully unload itself from modules where it was injected (even disabling all extensions).

It may happen if code is loaded into a process which is suspended, which is quite common. Generally, it's better not to move it manually, but instead to uninstall it and then install it into the new location. Settings will be kept unless you choose to explicitly remove them while uninstalling.

git.exe spawned by Windhawk, and which was remaining open after quiting Windhawk. Why is it needed? For updates checking? Or for something else?

git is used in editing mode to mark code changes. Have you used editing mode? Also I believe that it shouldn't stay after quitting Windhawk, but it's managed by VSCode so it might be a bug on their side.

Are these known issues (it can be related to 23H2 update), or should I create a separate issue?

I haven't heard about those issues. They might be related to SentinelOne as well, but it's difficult to say without more information, and tricky to check since you cannot disable it.

Aleksanderis commented 8 months ago

git is used in editing mode to mark code changes. Have you used editing mode? Also I believe that it shouldn't stay after quitting Windhawk, but it's managed by VSCode so it might be a bug on their side.

Not sure what editing mode is, but git.exe is spawned right after I start Windhawk and stays there if I quit it. However, as you say, it might not be a Windhawk issue; I also noticed git.exe remains when I quit other apps using Git (like VS Code, Rider, etc.). So perhaps it's an issue not even with VS Code, but rather with Git for Windows itself.

I haven't heard about those issues. They might be related to SentinelOne as well, but it's difficult to say without more information, and tricky to check since you cannot disable it.

Can logs help somehow to identify it? I will attach them as a file, since they are quite long. I see there are some errors mentioned, so perhaps they can tell you something. To narrow it down as much as possible I exited pretty much all foreground applications, disabled all extensions in Windhawk, and started just a plain empty Windhawk - and this issue is reproducible. Basically, when you click the thing previously known as the "Start menu" (with the "Win" key), where you can type and search for an app you want, etc., that "Start menu" is buggy and not responsive. Things like the emoji dialog (win+.) also don't work. So in general the Explorer shell behaves buggily.

Log file: windhawk.log

m417z commented 8 months ago

git.exe is spawned right after I start Windhawk and stays there if I quit it

git.exe is spawned for me as well, but it exits right away. Perhaps an issue with git on your side. You can configure Windhawk to not use git, let me know if you want to know how.

Editing mode is for developing or editing mods. It's activated if you create a new mod or fork an existing one.

Can logs help somehow to identify it?

Maybe, I'll take a look soon. BTW, this issue looks similar to what you describe: https://github.com/ramensoftware/windhawk/issues/126

Aleksanderis commented 8 months ago

Editing mode is for developing or editing mods. It's activated if you create a new mod or fork and existing one.

Then I definitely wasn't using editing mode. I was just running Windhawk. :) I'm curious how to run Windhawk without git if it's not something totally "on your own risk and don't try it at home" thing. Not something critical, but just strange to have additional stuff running when I need just mods.

Yes, #126 looks indeed similar, so will move to monitoring that one instead. Perhaps not related to SentinelOne after all, but I guess it could be related to fixes which were needed to make it work with SentinelOne.

m417z commented 7 months ago

I'm curious how to run Windhawk without git

Since it's based on VSCode (or, to be precise, VSCodium), it's enough to set "git.enabled": false in settings. In Windhawk, this can be done via the on-your-own-risk keyboard shortcut of Ctrl+Alt+Shift+P.

In Windhawk v1.4.1, git is now disabled by default, and is only enabled while using editing mode.

Aleksanderis commented 7 months ago

Smart. Many thanks for the improvement! 👏

obones commented 7 months ago

I was badly hit by SentinelOne and I'm very glad to report that 1.4.1 now works just fine! At last I have a usable taskbar, many thanks for all the efforts