VMware Horizon Community
julioposa2
Contributor

svchost.exe left open

Hi,

I have observed that in all ThinApp packages that access the internet, two child svchost.exe processes are created, and when you exit the application, one of them is terminated but the other one is always left open, so the package is never closed and the OnLastProcessExit function is never called.

First I thought it was a problem of the packaged application but I have confirmed that it occurs in all (internet browsers, ftp programs, download managers, etc)

Is there a problem with ThinApp?

I'm using version 4.6.2 and Windows XP with SP3.

Thank you in advance.

julioposa2
Contributor

Nobody is having this issue?

pbjork
VMware Employee

May I suggest you look at this blog post: http://blogs.vmware.com/thinapp/2011/04/whats-keeping-my-sandbox-locked.html

Using the method described will indicate what is left running. Knowing what it is will help move this forward.

julioposa2
Contributor

Thank you very much pbjork.

I was already using ProcessExternalNameBehavior=Original and ProcessHacker to check the real process that is left open. That's how I discovered it was svchost.exe. It also occurs with Adobe Acrobat (maybe because it connects to the internet for some reason) plus all applications that access the internet.

First I thought it was a Firefox bug and I wrote a VBS script for the package to kill all svchost.exe child processes in the function OnFirstParentExit, but it happens with many applications, so I think it's a problem of ThinApp.

Best regards

julioposa2
Contributor

Finally I found the problem and the solution!!

The problem was that "Internet Explorer 8" was installed in the host machine. Uninstalling it solves the problem, and you get no more svchost.exe children for ThinApp applications.

You can replicate this problem by installing IExplorer 8 in a clean VM with Windows XP and running some ThinApp packages such as Adobe Acrobat, Firefox, etc.

I don't know if this happens with other versions of Windows or IExplorer, but it was driving me nuts.

TobyFruthParson
Enthusiast

Right or wrong, for better or for worse, I've used the following in Package.ini to rid our apps of pesky svchost.exe ankle biters:

ChildProcessEnvironmentExceptions=svchost.exe
ChildProcessEnvironmentDefault=Virtual

Toby Fruth, Sr. Specialist, The Parsons Corporation
julioposa2
Contributor

That's also a very good idea, much better than killing the child svchost.exe processes.

Thanks

TobyFruthParson
Enthusiast

Thanks for the compliment, but I want to temper your enthusiasm slightly.  From page 83 of the ThinApp 4.6.1 PDF:

ChildProcessEnvironmentExceptions

The ChildProcessEnvironmentExceptions parameter notes exceptions to the ChildProcessEnvironmentDefault parameter when you want to specify child processes.  When you set the ChildProcessEnvironmentDefault parameter to Virtual, the ChildProcessEnvironmentExceptions parameter lists the applications that run outside of the virtual environment. When you set the ChildProcessEnvironmentDefault parameter to External, the ChildProcessEnvironmentExceptions parameter lists the applications that run in the virtual environment.

Examples

You can specify exceptions to running child processes in the virtual environment. When the virtual application starts a notepad.exe child process, the child process runs outside the virtual environment.

[BuildOptions]
ChildProcessEnvironmentExceptions=AcroRd.exe;notepad.exe
ChildProcessEnvironmentDefault=Virtual

Why should this be cause for concern?  I can't say with certainty, but I see the potential for exposure to security risks when processes are handled in non-default ways.  In the example above, Acrobat Reader and Notepad will launch and run outside the virtual environment.  Same is true if you utilize these switches to accommodate the svchost.exe issue.  Has this approach worked for me with some applications?  Yes.  Am I still a little concerned that processes are being kicked off outside the bubble?  Yes.  I don't know if security is diminished via this setting, nor do I have any concrete evidence thereof, but I thought it warranted further explanation.

Toby Fruth, Sr. Specialist, The Parsons Corporation
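
The exception semantics quoted above from the ThinApp manual, as an added example that is not part of the thread or of ThinApp itself: a Python check that reads the two [BuildOptions] keys from a Package.ini and reports which child processes would run outside the virtual environment. The sample Package.ini, the watch list, the function names, and treating a missing ChildProcessEnvironmentDefault as Virtual are assumptions made for this example.

```python
import configparser

# Constructed sample: the two exception lists from this thread combined.
SAMPLE_PACKAGE_INI = """\
[BuildOptions]
ChildProcessEnvironmentExceptions=svchost.exe;notepad.exe
ChildProcessEnvironmentDefault=Virtual
"""

# Constructed watch list of host system binaries (an assumption of this
# example, not taken from ThinApp documentation).
WATCHLIST = {"svchost.exe", "cmd.exe", "rundll32.exe"}


def child_process_policy(package_ini_text):
    """Return (default, exceptions) read from the [BuildOptions] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(package_ini_text)
    opts = cp["BuildOptions"] if cp.has_section("BuildOptions") else {}
    # Assumption: with no explicit default, children stay inside the bubble.
    default = (opts.get("ChildProcessEnvironmentDefault") or "Virtual").strip()
    raw = opts.get("ChildProcessEnvironmentExceptions") or ""
    exceptions = [e.strip() for e in raw.split(";") if e.strip()]
    return default, exceptions


def runs_outside_bubble(package_ini_text, child_exe):
    """True if child_exe would be launched outside the virtual environment."""
    default, exceptions = child_process_policy(package_ini_text)
    # Compare case-insensitively, as Windows file names are.
    listed = child_exe.lower() in (e.lower() for e in exceptions)
    if default.lower() == "virtual":
        return listed       # Default Virtual: listed names leave the bubble
    return not listed       # Default External: only listed names are virtualized


def audit(package_ini_text):
    """Return {name: severity} for children that leave the bubble."""
    default, exceptions = child_process_policy(package_ini_text)
    if default.lower() == "external":
        # Every unlisted child runs on the host with no ThinApp control.
        return {"*": "high"}
    return {exe: ("high" if exe.lower() in WATCHLIST else "review")
            for exe in exceptions}


if __name__ == "__main__":
    for name, severity in audit(SAMPLE_PACKAGE_INI).items():
        print(f"{severity:6} {name} runs outside the virtual environment")
```
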
shrivastavaa
Enthusiast

>>I don't know if security is diminished via this setting, nor do I have any concrete evidence thereof, but I thought it warranted further explanation.

Let me try to answer it,

ThinApp without this parameter will always run all child processes inside the bubble. What does it mean? It means that all the changes will be limited to the bubble (merged isolation will still go to the system), and the child process can access the files inside the bubble (PDC/SANDBOX). And if there is some specific setting for the virtual process, that will be applied.

Though if launched out of the bubble, the application will be running outside the bubble, with no control by ThinApp. Which means that it can change system folder and registry (which you may or may not want). It *can not* see inside the folder. And any specific setting for the virtual process will not be applied to it.

The setting could be anything from privilege to environment variable. (You may ignore this for the moment ;)

So if you know your process will not change anything in the system (or you are fine with it doing that), and your process does not need any access to the resource inside the bubble, then you *may* launch it outside the bubble.

shrivastavaa
Enthusiast

>>It also occurs with Adobe Acrobat (maybe because it connects to internet for some reason) plus all applications that access internet.

It should be Adobe updater, which silently connects to Internet to see if there is a new version for its software.

shrivastavaa
Enthusiast

"

The problem was that "Internet Explorer 8" was installed in the host machine. Uninstalling it solves the problem, and you get no more svchost.exe children for ThinApp applications.

You can replicate this problem installing IExplorer 8 in a clean VM with Windows XP and running some ThinApp packages such as Adobe Acrobat, firefox, etc.

"

Thanks for the information. I will ask our QE team to look into it.

julioposa2
Contributor

I was already aware of that parameter, because I'm using it for applications that require drivers/services installation.

The security problem I see here is that virtualized browsers with this setting have an open backdoor for trojans, that could download an infected svchost.exe to exploit the system.

I don't know the reasons for a virtualized application to open new svchost.exe processes inside of the virtual environment when those services are already running in the host machine, which is my case.

shrivastavaa
Enthusiast

>>I don't know the reasons for a virtualized application to open new svchost.exe processes inside of the virtual environment when those services are already running in the host machine, which is my case.

I have to see the code to answer it accurately, but I think it would be because, when an application launches a service, we cannot conclude at launch whether that service will need access to any resource from the virtual bubble or not. Now we can see if the same service is already running non-virtual, but we cannot modify the already running service to see inside the virtual bubble, so we create another one in virtual mode (and hence the name virtual service).

julioposa2
Contributor

Thank you very much for your answer. I understand now the reason for the duplicate services.

Normally ThinApp shuts down those services when the main application exits, but this is not happening for "svchost.exe" processes. It's strange.

TobyFruthParson
Enthusiast

I hadn't visited this thread in a while, but I'm very appreciative of all the follow-up replies.  The VMware Community acts as my knowledgebase and documentation about 50% of the time.  Heaven forbid they lose this data.

As for Acrobat updater and svchost.exe, in my example, Acrobat is installed natively and launched outside the bubble per the Package.ini syntax.  Are you saying that the updater could have been spawning the svchost.exe instance?

Toby Fruth, Sr. Specialist, The Parsons Corporation