search

winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License
10.56k stars 1.36k forks source link

Setup fails to replace some files but doesn't complain #1933

Open AndisGrossteins opened 6 months ago

AndisGrossteins commented 6 months ago

Brief description of your issue

The setup for version 3.0.7407 (and maybe before that) runs successfully but fails to replace the x64 binary SystemInformer.exe and ExtendedNotifications.dll.

I've tried exiting SystemInformer and then running setup but I get the same result. The systeminformer-3.0.7407-setup.exe and systeminformer-3.0.7407-bin.zip contains version 3.0.11934.7407, as verified using 7-zip and WinMerge, but SystemInformer.exe in the installation directory is still at version 3.0.11880.7353.

I used Process Monitor during setup to capture file system events but I can't quite wrap my head around the results. It looks like the file might be FILE LOCKED WITH ONLY READERS and there's no WriteFile operation after a few CreateFileMapping and CreatFile attempts. Searching (in another SistemInformer instance from a zip) for processes holding file handles returns nothing.

Process Monitor screenshot with relevant lines highlighted Note: the screenshot has relevant lines highlighted and the last 9 lines are for comparison of a successful write operation of the x86\SystemInformer.exe file.

Steps to reproduce (optional)

Expected behavior (optional)

Successful update or a failure message if any file can't be replaced.

Actual behavior (optional)

Files are not updated and no indications of an issue

Environment (optional)

System Informer 3.0.11934.7407 Nightly
Windows 11 23H2 (Build 22635.2841) (amd64)
jxy-s commented 6 months ago

Searching (in another SistemInformer instance from a zip) for processes holding file handles returns nothing.

Just to confirm, did you have the driver enabled when searching? Some handles do not have full visibility unless you're searching with the driver.

AndisGrossteins commented 6 months ago

Just to confirm, did you have the driver enabled when searching? Some handles do not have full visibility unless you're searching with the driver.

I'm on a Windows preview build, so no driver for me.

jxy-s commented 6 months ago

It looks like the file might be FILE LOCKED WITH ONLY READERS and there's no WriteFile operation after a few CreateFileMapping and CreatFile attempts.

STATUS_FILE_LOCKED_WITH_ONLY_READERS is a typical return value for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION (CreateFileMapping). The part that is failing is STATUS_USER_MAPPED_FILE (USER MAPPED FILE) "The requested operation cannot be performed on a file with a user mapped section open." This is returned when something has a mapped section open to the file, not when there is a sharing violation. So the file handle is likely closed, but there is still a section mapping out there somewhere preventing that create from going through (with the desired access and/or disposition).

AndisGrossteins commented 6 months ago

Thank you for your explanation. I did some quick skimming of MS docs and now have a better understanding of the FS event results.

Those files may have been locked (mapped) by Windbg because it'll attach to a crashing SystemInformer.exe process (which is another issue that may have been caused by previously failed SystemInformer updates) or it's the MsMpEng.exe and that's why I can't find any open handles without the driver.

However, file locking is not the main issue here; the SystemInformer setup should fail with an error message if it can't successfully update files.

kotenok2000 commented 2 months ago

I get this. image

Updater for some reason doesn't wait for Systeminformer to exit completely. Window closes, but process doesn't exit for some more time. I have 96% of ram used.

jxy-s commented 2 months ago

@kotenok2000 reboot the computer, ksi.dll won't update until the next reboot. This only happens when ksi.dll needs to be updated. Which it did a few versions ago.

tnodir commented 2 months ago

reboot the computer, ksi.dll won't update until the next reboot.

Can you please unload the ksi.dll and SystemInformer.sys driver, when SystemInformer.exe is running with admin rights and exits?

So we can update to new version without rebooting.

jxy-s commented 2 months ago

reboot the computer, ksi.dll won't update until the next reboot.

Can you please unload the ksi.dll and SystemInformer.sys driver, when SystemInformer.exe is running with admin rights and exits?

So we can update to new version without rebooting.

SystemInformer.sys unloads already when updating. Not every update requires a reboot, only when ksi.dll changes, ksi.dll cannot unload.

tnodir commented 2 months ago

SystemInformer.sys unloads already when updating.

I use portable installation and just copy files from archive. How can I unload the driver?

jxy-s commented 2 months ago

SystemInformer.sys unloads already when updating.

I use portable installation and just copy files from archive. How can I unload the driver?

Stop the KSystemInformer service.