How can service be notified of driver uninstall? - c++

I have a driver that is installed via INF file.
A service will also be started automatically when the driver is installed.
All binary files will be inside %SystemRoot%\System32\DriverStore\FileRepository upon successful install.
Now when I uninstall my driver from Device Manager > System devices and check "Delete the driver software for this device", my service will receive SERVICE_CONTROL_STOP from the Service Control Manager. After receiving this event, I want to call DeleteService() to delete the service and its corresponding registry entries.
However, I realized I can't just call DeleteService() immediately, because it is possible that the SERVICE_CONTROL_STOP from the SCM is triggered by stopping the service manually; the service must not be deleted in this case.
So I wonder how I can determine from my service that my driver got uninstalled, so that I know when to call DeleteService() properly.
Here's what I got so far after I googled for a couple of hours:
In some versions of Windows, binary files are deleted immediately in DriverStore\FileRepository after uninstall, just before the service gets notified with SERVICE_CONTROL_STOP. I can check if the driver binaries are deleted, and if so, it is uninstalled.
Adding SPSVCINST_STOPSERVICE in the DelService section of the INF will send a stop event to the service when the driver is uninstalled. But again, I can't know if the stop event is coming from a manual stop or an uninstall.

As a workaround I created a separate service that monitors when binary files are deleted in DriverStore\FileRepository with FindNextChangeNotification(m_handle). Once it detects a delete, I call DeleteService().
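The check described in the question (driver binaries gone from DriverStore\FileRepository means uninstall), as an added example that is not the poster's code: a portable C++17 sketch of the decision a SERVICE_CONTROL_STOP handler would make before calling DeleteService(). The names mydriver.inf and mydriver.sys and the hash suffix are constructed placeholders, and it assumes, as the post reports for some Windows versions, that the package directory is removed before the stop control arrives.

```cpp
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

enum class StopReason { ManualStop, DriverUninstalled };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Assumed layout: <repo>\<inf_name>_<arch>_<hash>\<binary>.
// Reports DriverUninstalled only when the repository was enumerated without
// error and no matching package directory still holds the binary, so an
// unreadable or missing repository never leads to DeleteService().
StopReason classify_stop(const fs::path& repo, const std::string& inf_name,
                         const std::string& binary) {
    const std::string prefix = lower(inf_name) + "_";
    std::error_code ec, inner;
    for (fs::directory_iterator it(repo, ec), end; !ec && it != end; it.increment(ec)) {
        const std::string dir = lower(it->path().filename().string());
        if (it->is_directory(inner) && dir.compare(0, prefix.size(), prefix) == 0 &&
            fs::exists(it->path() / binary, inner))
            return StopReason::ManualStop;  // package still staged: keep the service
    }
    return ec ? StopReason::ManualStop : StopReason::DriverUninstalled;
}

int main() {
    // Constructed sample tree standing in for DriverStore\FileRepository.
    const fs::path repo = fs::temp_directory_path() / "filerepository_demo";
    const fs::path pkg = repo / "mydriver.inf_amd64_0123456789abcdef";
    fs::remove_all(repo);
    fs::create_directories(pkg);
    std::ofstream(pkg / "mydriver.sys").put('x');
    auto show = [&] { return classify_stop(repo, "mydriver.inf", "mydriver.sys"); };
    std::cout << "uninstalled? " << (show() == StopReason::DriverUninstalled) << "\n";
    fs::remove_all(pkg);
    std::cout << "uninstalled? " << (show() == StopReason::DriverUninstalled) << "\n";
    fs::remove_all(repo);
}
```

A missing or unreadable repository is classified as a manual stop, so an enumeration failure cannot trigger the irreversible DeleteService() path.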

Related

My dll service disappears after restarting the system

I wrote a DLL service in C++ with API functions and it is working properly. I implemented a ServiceMain() function as dllexport, in which I call the RegisterServiceCtrlHandlerW() function to handle the incoming signals (e.g. stop, pause, ...) of my service.
Everything is working well and I defined all the necessary functions to run the service:
ServiceMain() is defined and RegisterServiceCtrlHandlerW() is called within it to register the control handler.
I set the service status to SERVICE_START_PENDING, then to SERVICE_RUNNING, to run the service.
I implemented a thread to do the service's jobs and it is working properly.
And I can start and stop my service.
My service is a DLL, not an EXE, so I'm using svchost.exe to host it, and I did the steps below to register it in the Windows registry:
1. I created a new value in the registry as a group to introduce my service to svchost.exe, as follows:
2. I created a Parameters subkey and filled a value with my DLL (service file), as follows:
3. I also defined a value (ServiceMain) to introduce my ServiceMain function to svchost.exe as the start point.
So far, my service works even when the user is logged off, BUT when I restart my computer, after logging on to Windows my service has disappeared from the Windows Service Manager. Actually it is removed from the SCM database.
By the way, I installed my service with 3 methods. And I'm using svchost.exe as the binarypath to install the service (because svchost.exe behaves as the host for my DLL service). For example, with the sc.exe program I set binarypath to svchost.exe to run my service indirectly, with -k groupname as parameters.
My problem is: when I restart my system, my service has disappeared (is deleted) after logging in. Please help me to solve this problem.

ETW how to survive a reboot

Using the C++/Win32 API I create myself an event trace session. My application must support NT5, thus I can't use the newer APIs.
I am using the circular mode flags and real time flags.
I have everything working apart from one snag: when I reboot the machine the ETW session isn't persisted, and my service starts up and recreates the ETW session (as the reboot has wiped it), which then causes the log file to be overwritten.
According to MSDN I must use the "global" logger on NT5 of which there can only be one, or an "AutoLogger" on NT6 of which there can be many. However MSDN says:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363687(v=vs.85).aspx
"The AutoLogger sessions increase the system boot time and should be used sparingly. Services that want to capture information during the boot process should consider adding controller logic to itself instead of using the AutoLogger session."
Sounds like overkill for what I'm trying to do. Indeed my service does contain the "controller" logic itself.
So how do I get ETW to keep my trace session for the next reboot? Or alternatively, how do I re-create my ETW session on the next reboot without overwriting the ETW file if it's already there?

Windows Service stays in Starting state

I have a Windows service written in CPP that I start manually. The service starts up just fine and works ok. However we have recently noticed in the Windows Services GUI that the service shows in the Starting state. Upon examining the Event Viewer it clearly shows that the service has entered the Running state.
Anyone got any nuggets of gold on this one?
Thanks.
The problem turned out to be an unaccounted for call to the SCM to start the service. Deleted the line and the problem went away.

How to capture that session logoff started from windows service

I have a service which constantly checks some application and assures that it wasn't closed. If this app closed - service launches it again.
The problem starts when the user decides to log off the session. During logoff all applications are closing, including mine. But the service is still running and constantly trying to start it again.
The question is how to notify the service that the user is going to log off and the application doesn't need to be restarted anymore. I've tried to do it using the SERVICE_CONTROL_SESSIONCHANGE notification. But according to MSDN they come to services when all apps are already closed and the logoff procedure has completed. It is too late for me. Is there any way to programmatically find out that the current session is in the process of logging off?
My service is launched under the LocalSystem account.
Thanks.
P.S. I don't have access to the application source code. The goal needs to be achieved without modifying it.
Have your service run two applications: the one it is a watchdog for, and a second one which you implement yourself. This second one can then respond to the log-off event by sending a message to the service (a la David Heffernan's answer), and the service will then know not to restart the watched job.
Open a communication channel between your app and your service and arrange for the app to tell the service that it is closing because of a logoff event.
You may not have access to the source code of the executable, but that doesn't mean that you can't affect the process. For instance, you could inject a DLL. Using SetWindowsHookEx, you'd catch the WM_ENDSESSION sent to the app's main window.
Why don't you create your service under the user that is running the app and tell it to start up automatically? In this case you should get the SERVICE_CONTROL_SHUTDOWN message when your user is logging off, since the service would also be terminated.

Windows event log service holding executable file handle

I have a service application that on startup and shutdown logs an event log record.
I rebuild the application frequently and also then the executable on the host machine. And here is the problem: after my service shuts down, the Windows Eventlog service (not the event log viewer) is holding an open handle to the executable, so I can't update it.
I have the event log messages embedded in the executable. I could move them out, but then I just move the update problem to another file.
I've double checked and I have paired ::RegisterEventSource/::DeregisterEventSource correctly.
Anyone encountered this problem?
I've also run into this issue, so just adding some of my experiences.
I have a Windows 2008 Service system (have not seen this on 2003 Server), and when I stop my service, an instance of svchost.exe loads the service executable (visible using vmmap.exe or Process Hacker), preventing it from being deleted/overwritten during uninstall/install. The instance of svchost.exe is running the DHCP Client (Dhcp), TCP/IP NetBIOS Helper (lmhosts), and Windows Event Log (EventLog) services.
In our case, we have created a registry entry to make our service executable an event source (though I'm unsure exactly why we are doing this, or whether we should be doing this).
Empirically, if I remove that registry entry before stopping the service, the executable is not loaded by svchost.exe and all is fine. If the service has already been stopped and executable loaded by svchost.exe, restarting the Event Log service (or killing the process) also frees up the executable.
I'm guessing our service is not well-behaved (perhaps a side effect of being a 32-bit process on 64-bit OS?) or correctly installed, but haven't isolated the issue yet.
Update: It appears this issue is only happening on HP systems (and not Dell or IBM) which is curious. There are HP-specific management components installed, so perhaps one of them is altering the behavior somehow?
I've also run into this issue. In my case, the nxlog service was reading logs. Simply stop the nxlog service before replacing the event source file.
I think it is probably the event log viewer. Close the viewer and you'll be fine.