Summary: the story in pictures, as I “improved” the Task Manager in Windows Server 2012
Preamble
It all started when, for testing purposes (to find out whether there is any fundamental difference), I installed Windows Server 2012. For those who don't know, it is essentially Windows 8, only more expensive. You can also strip the GUI off it and install all sorts of roles.
One of the most enjoyable things in Windows 8 for me is the new Task Manager, which is both beautiful and convenient. So imagine my surprise when I opened it in Windows Server 2012 and found some of the data missing.
Here are a couple of pictures for clarity.
Windows 8:

Windows Server 2012:

As you can see, a couple of tabs are missing, and there are no Disk and Network columns. The disk is also missing from the Performance tab, but at least that one can be enabled with the command:
diskperf -y
Armed with Google, I found out that the cause is as follows:
"This is because the disk metrics are disabled by Windows Server 2012." - Syed Yusuf from Microsoft R&D
(more info here)
Translated into plain language, this means: "too much load on the disk, so we removed it." So picture the scene: the server is under a terrifying load, everyone is running around in a sweat, the server is not responding. And a modest admin in the corner: "I accidentally opened Task Manager on the server instead of on my netbook, I won't do it again!" That is, according to Microsoft, on mighty servers this causes a huge load, but on tablets it causes no problems at all, so there we remove it and here we leave it on. Meanwhile, Task Manager gets launched on a server once every six months, precisely to look into performance problems, and for some strange reason we are denied exactly that opportunity.
In short, this did not suit me, and I began to investigate the problem.
Hypothesis 1. The registry
Knowing Microsoft, and that everything is configured in the registry, I started digging through taskmgr.exe for possible keys. The only relevant key I found was
HKLM\System\CurrentControlSet\Services\Partmgr, EnableCounterForIoctl
But as I had found out earlier, this key is what the diskperf command enables, so it is of no interest.
Hypothesis 2. Is it really a check of the system type?
Not really believing it could be that simple (Microsoft usually just cuts out the extra files), I decided to check what would happen if I told Task Manager that it was actually running on a client system.
To check the system version from an application, you call the GetVersionEx function. It fills in an OSVERSIONINFOEX structure, whose dwProductType field says whether the system is a server or a client edition.
In turn, GetVersionEx calls RtlGetNtProductType, which returns 1 for a client and 3 for a server in the ecx register. Let's start with it.
I have rarely used debuggers under Windows, so I chose the only one I can handle in this case, WinDbg (a direct link to a not-the-latest version). It has a great command that performs the substitution automatically every time the function is hit:
bp ntdll!RtlGetNtProductType "as /x ReturnValue rcx; gu; ed ReturnValue 1; g"
(that is, open our taskmgr.exe in the debugger, enter the command, and resume execution; on each hit it saves rcx in an alias, lets the function return with gu, writes the dword 1 there with ed, and continues).
And ... the idea worked. All the tabs appeared, and fully working at that. So everything is functionally present but disabled purely for political reasons (for the same reasons they could simply have hidden the tabs by default).
Accordingly, we need to dig further in this direction. We set a breakpoint on ntdll!RtlGetNtProductType and look at the call stack at the moment the real taskmgr calls it, not the initialization code. It looks like this:

We walk up the stack, put a breakpoint in TaskMgr (or step there manually) and see the following code:

This is a return-code check; there is nothing for us here, so we go a little further:

Here it is, the juicy part!
The register is compared with 1 and 3, and depending on the result there is a jump to the corresponding branch.
We set al to 1 and see that everything works. Halfway there. Now we need to think about how to make this permanent.
- Write a WinDbg script that does everything by itself. Unsportsmanlike.
- Patch memory before TaskMgr runs. I had to reject this option, because I don't know how to do it, and figuring it out would take too long.
- Patch taskmgr.exe itself. The easiest option, except that it breaks the file's integrity and the system may periodically restore the old version. But I decided I could live with that and started thinking about this option.
So we need to replace this code. There are several ways to do it: compare al with 3 instead of 1, replace jne with je, or change the jump target. I chose the crudest way: replace the jne with a pair of nops. As a result there is a meaningless comparison followed by a jump to where we need to go. This is done simply: we note the byte sequence 8a84244a0100003c01, find it in your favourite hex editor and change what follows it, in this case 750c, to 9090.
Save and ...

We find that we broke the file's digital signature (well, who would have doubted it). So the signature has to be killed. There are many options, but we are on Habr, so we will use the program by habrauser DnV.
We run it ... and nothing. The same complaint about a damaged signature. Where does it get that from? I won't bore you with the story of how I tried to figure it out, signed the file myself, and was ready to drop the whole thing, but it turned out ...

(This is a screenshot from the Stud_PE program.)
Get Microsoft's joke? The file's integrity is checked according to a flag in the file itself. I don't understand the secret meaning of this, unless it is protection against dumb viruses.
How I got to this flag I don't understand myself, but in any case, we clear it, save, and ...
everything works! After that we replace the original file (not forgetting to grant ourselves the rights for this) and enjoy the improved Task Manager.
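As an added, defender-side illustration (not code from the article or from the tools it uses), here is a Python check for the two things the patch touches: the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit (0x0080) in the PE optional header that Stud_PE showed, and the cmp al,1 / jne sequence quoted above. It assumes the byte sequence is the one the article quotes; the sample PE header is constructed inline for the demonstration and is not a real taskmgr.exe.

```python
import struct

# IMAGE_DLLCHARACTERISTICS bit from the PE/COFF specification: the loader refuses to
# load the image if its Authenticode signature does not verify.
FORCE_INTEGRITY = 0x0080

# Byte sequence quoted in the article (mov al,[rsp+14Ah]; cmp al,1) and what follows it
PRODUCT_TYPE_CHECK = bytes.fromhex("8a84244a0100003c01")
ORIGINAL_JNE = bytes.fromhex("750c")
PATCHED_NOPS = bytes.fromhex("9090")


def optional_header_offset(data):
    """Return the file offset of IMAGE_OPTIONAL_HEADER after validating MZ and PE magics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20          # skip the signature and IMAGE_FILE_HEADER


def integrity_status(data):
    """Classify a PE image as 'enforced', 'signed-not-enforced' or 'unsigned'."""
    opt = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 vs PE32+ data directory start
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # DllCharacteristics
    cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)[1]  # directory 4: certificates
    if cert_size == 0:
        return "unsigned"
    return "enforced" if dll_chars & FORCE_INTEGRITY else "signed-not-enforced"


def product_check_state(data):
    """Find the article's cmp-al-1 sequence and report whether the jne is intact or NOP'd."""
    pos = data.find(PRODUCT_TYPE_CHECK)
    if pos < 0:
        return "not-found"
    tail = data[pos + len(PRODUCT_TYPE_CHECK):pos + len(PRODUCT_TYPE_CHECK) + 2]
    return {ORIGINAL_JNE: "original", PATCHED_NOPS: "patched"}.get(tail, "unknown")


def build_sample_pe(dll_chars, cert_size, code=b""):
    """Construct a minimal, non-loadable PE32+ header for the demonstration (not a real file)."""
    opt = bytearray(240)                                   # 112-byte header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<II", opt, 112 + 4 * 8, 0x400 if cert_size else 0, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew at 0x3C points to 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + code
```

A signed Microsoft system binary that is expected to carry the forced-integrity bit but reports "signed-not-enforced" is worth comparing against a known-good copy.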
And as a bonus, an article on Habr :) I hope you found it interesting.
If someone wants to repeat this for educational purposes, here's a file you can use to check that your result is correct.
UPDATE 10/08/2018: user AJlex updated Taskmgr