Skip to content
20 February 2009

OpenProcess and Audiodg.exe

I'm currently working on getting my malware removal tool FreeFixer up and running on the Windows Vista platform. FreeFixer woks by scanning the registry and the file system to find unwanted software. It is also enumerating processes, their file names and their modules. This is were I ran into some minor problem. On Windows XP I had previously obtained the SeDebugPrivilege privilege (defined as SE_DEBUG_NAME) and then opened all processes with the OpenProcess system call and passing PROCESS_QUERY_INFORMATION | PROCESS_VM_READ as the requested access. However, on Windows Vista OpenProcess failed on Audiodg.exe, with the ERROR_ACCESS_DENIED error code.

Audiodg.exe - a protected process

Windows Vista introduced a new type of process, the protected process. Protected processes are there to enhance support for digital rights management functionality in Windows Vista. [1]

A typical protected process does not allow injecting a thread into the process, accessing virtual memory of process, debugging the process, duplicate handles of the process, changing the quota or working set of a process.
You cannot open a typical protected process with PROCESS_QUERY_INFORMATION nor PROCESS_VM_READ. Luckily Vista introduced the PROCESS_QUERY_LIMITED_INFORMATION, which is a limited version of the PROCESS_QUERY_INFORMATION access right. This will allow you to open the process with OpenProcess and at least get the full path of the protected process. I think - please correct me if I'm wrong - that it's not possible to enumerate the modules of audiodg.exe from without the help of a kernel-mode component?

Comments

guoyafeng writes

1 thumb

your suggestion does well in other process such as csriss ...
but it dose't work on augiodg.exe.

# 13 Oct 2009, 0:32

Roger Karlsson writes

0 thumbs

@guoyafeng: It should work to open the Audiodg.exe process using the PROCESS_QUERY_LIMITED_INFORMATION access flag.

If you like, please post a tiny compilable example program and I might spot were the problem is.

# 13 Oct 2009, 9:21

yuiseto writes

0 thumbs

Agree with @guoyafeng. You can't get the full path of audiod.exe using the PROCESS_QUERY_LIMITED_INFORMATION flag. You can only get the process handle with OpenProcess() but EnumProcessModules() returns NULL for hModule. That's why you can't proceed to get the full path with GetModuleFileNameEx().

You can easily try this out by following the sample at
http://msdn.microsoft.com/en-us/library/ms682623(VS.85).aspx
and setting the priviledge to SE_DEBUG_NAME.

# 29 Oct 2009, 9:03

Roger Karlsson writes

1 thumb

Decided to write a tiny console application to test my process enumeration code.

This is roughly how it works on Windows Vista, Windows 2008 and Windows 7:
1. Obtain the SeDebugPrivilege privilege using the AdjustTokenPrivileges system call.
2. Enumerate all process ids by calling EnumProcesses.
3. For each process id:
3.1 Open the process by calling OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ as the desired access. If it fails, try without PROCESS_VM_READ.
3.2 Get the process' full path by calling QueryFullProcessImageName.

The following is the output from the command line tool, while running on a Vista machine in an elevated command prompt.
Audiodg.exe appear with a full path:

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

c:\Users\Roger>rogercmd -printtasks
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
>>>> C:\Windows\System32\audiodg.exe <<<<
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Windows\System32\conime.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\System32\cmd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\SearchProtocolHost.exe
C:\Windows\System32\SearchFilterHost.exe
C:\Windows\System32\notepad.exe
C:\Users\Roger\rogercmd.exe

c:\Users\Roger>

@guoyafeng & @yuiseto:
Did this solve the Audiodg.exe problem? Did you get the full path of Audiodg.exe?

# 30 Oct 2009, 2:31

David writes

0 thumbs

When I take my speakers jack out of the back of the computer, & plug the headphone jack in, the "Windows Media Player & or "Winamp" applications have distorted audio, sounding like a person who has swallowed Helium".

# 23 Dec 2009, 14:37

Leave a reply