
I am attempting to find the name of a process that owns a handle from a list of handles obtained through NtQueryObject. I am running through each handle to check its process name, and occasionally it throws the "com.sun.jna.platform.win32.Win32Exception: A device attached to the system is not functioning." error. This normally works fine, but when it does happen it seems to throw it for a large number of handles on several processes. I am using JNA to make all the calls from a Java program running on Windows 10.

I have tried narrowing it down as much as possible but I cannot figure out why it would be throwing this error sometimes.

```java
NtDllX.SYSTEM_HANDLE_INFORMATION info = getSystemHandleInfo();

for(int i = 0; i < info.HandleCount; i++) {
    //For each handle check for target handle
    NtDllX.SYSTEM_HANDLE sh = info.Handles[i];
    HANDLE sHandle = new HANDLE(new Pointer(sh.Handle));
    HANDLE rProcess = Kernel32.INSTANCE.OpenProcess(Kernel32.PROCESS_DUP_HANDLE | Kernel32.PROCESS_QUERY_INFORMATION | Kernel32.PROCESS_VM_READ, false, sh.ProcessId);
    //Check for target process
    if(rProcess != null) {
        String p = "";
        try {
            p = Kernel32Util.QueryFullProcessImageName(rProcess, 0); //Throwing Error Occasionally
        } catch (Exception e) {
...
```

The error being thrown:

```
com.sun.jna.platform.win32.Win32Exception: A device attached to the system is not functioning.
    at com.sun.jna.platform.win32.Kernel32Util.QueryFullProcessImageName(Kernel32Util.java:842)
```

SJN
Kmara
  • Are you using a virtual machine? Are the processes being queried running from an external (USB) drive? Are the processes being queried long-running/sleeping processes? – Daniel Widdis Nov 04 '19 at 20:00
  • The main system I have done most of my testing on is not on a virtual machine (other than Java's) and does not have an external drive. It is querying all handles (and therefore processes) on the system. The code needs to be able to deal with any it might run into. – Kmara Nov 04 '19 at 21:29
  • Not sure I can help much here. This isn't particularly a java or jna problem, or even a winapi issue. Common thread in google searches indicates network activity (DNS) may be relevant. – Daniel Widdis Nov 05 '19 at 02:46
  • It's not an issue with winapi. Have you checked the version of JNA? – Jeffreys Nov 05 '19 at 06:38
  • JNA is latest (5.5). With some additional testing it seems like it may be caused by handles of a process that has just been launched (by my program in this case). Some sort of race condition? Would there be a good way to safely handle this? – Kmara Nov 05 '19 at 18:29
  • You got the win32 error `ERROR_GEN_FAILURE` here. Internally, `QueryFullProcessImageName` calls `NtQueryInformationProcess` with `ProcessImageFileNameWin32`, and if this API returns an error status, it is converted to a win32 error. `STATUS_UNSUCCESSFUL` is converted to `ERROR_GEN_FAILURE`, so your initial error is `STATUS_UNSUCCESSFUL`. It is hard to say why: from my knowledge `ProcessImageFileNameWin32` must not return such a status, but this is a very general code, used when there is no more concrete error – RbMm Nov 05 '19 at 21:34
  • If it's a new startup thing, check for the error and retry a little later, perhaps with exponentially increasing delay. I think you're on track with a race condition in which the process hasn't yet acquired some system resource. – Daniel Widdis Nov 06 '19 at 18:22

1 Answer


QueryFullProcessImageNameW fails with ERROR_GEN_FAILURE (31 or 0x1f, "A device attached to the system is not functioning") if the process is a "zombie" process, i.e. the process terminated but not all handles to it were closed. In this case, you can still use QueryFullProcessImageNameW with the PROCESS_NAME_NATIVE flag to get the native path, but you probably just want to skip it since it's no longer running.

Paul
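An added example, not code from the question or the answer: one way to combine the answer's zombie-process explanation with the retry suggested in the comments. On `ERROR_GEN_FAILURE` it uses `GetExitCodeProcess` to tell an exited process from one that may still be starting. The class and method names, the locally defined constants, and the 10 ms starting delay are assumptions of this sketch.

```java
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Kernel32Util;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.ptr.IntByReference;

public class ProcessNameResolver {            // hypothetical helper class
    static final int ERROR_GEN_FAILURE = 31;  // 0x1f, the code named in the answer
    static final int STILL_ACTIVE = 259;      // exit code reported while a process runs

    /** True if the process has exited. Needs PROCESS_QUERY_INFORMATION on the handle.
     *  A process that really exits with code 259 is indistinguishable from a live one. */
    static boolean hasExited(HANDLE process) {
        IntByReference code = new IntByReference();
        return Kernel32.INSTANCE.GetExitCodeProcess(process, code)
                && code.getValue() != STILL_ACTIVE;
    }

    /** Image path, or null for a zombie or a process that never becomes queryable. */
    static String imageNameOrNull(HANDLE process, int maxAttempts)
            throws InterruptedException {
        long delayMs = 10;                                   // assumed starting delay
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return Kernel32Util.QueryFullProcessImageName(process, 0);
            } catch (Win32Exception e) {
                if (e.getErrorCode() != ERROR_GEN_FAILURE) throw e; // unrelated failure
                if (hasExited(process)) return null;         // zombie: skip, do not retry
                Thread.sleep(delayMs);                       // possibly still starting up
                delayMs *= 2;                                // exponential backoff
            }
        }
        return null;
    }

    public static void main(String[] args) throws InterruptedException {
        // Demo against the current process so the example runs without other inputs.
        int pid = Kernel32.INSTANCE.GetCurrentProcessId();
        HANDLE h = Kernel32.INSTANCE.OpenProcess(
                Kernel32.PROCESS_QUERY_INFORMATION, false, pid);
        if (h == null) throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        try {
            System.out.println(imageNameOrNull(h, 5));
        } finally {
            Kernel32.INSTANCE.CloseHandle(h); // unclosed process handles keep zombies alive
        }
    }
}
```

In a handle-enumeration loop, closing each process handle in a `finally` block matters for the same reason the answer gives: a terminated process stays a zombie until every handle to it is closed, including the scanner's own.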