delete pending caused by mpengine.dll breaks processing of batch f


bgabrhelik

I am experiencing a problem with Defender compatibility vs. batch processing. We
have a batch file which at some point
1) executes A.exe, and A.exe creates B.exe
2) deletes A.exe
3) renames B.exe to A.exe

A.exe is an executable setup wrapper for an MSI package, which provides some
additional functionality we use for signing of components in MSI cabinets +
signing of the wrapped MSI. As A.exe is being executed it cannot overwrite its
own content, so it creates a new modified version of the binary as B.exe.

The problem is that the rename fails with a name conflict because the delete is
still pending. After some monitoring with Procmon, the file deleted in step 2) is
closed later from the context of the process svchost.exe. The stack of the close
request identified that the module mpengine.dll is the originator of the pended
close.

The system is Windows 7 x64; cmd.exe is an elevated 32-bit process running under
WOW64.

Windows Defender should somehow handle this problem. In the case of a delete of a
file which is being scanned, the CREATE & RENAME should be blocked until the scan
is finished.

Regards,
Bronislav Gabrhelik

procmon log:
6:34:19.6846477 PM cmd.exe 5392 4000 CreateFile D:\projects\!xdng\xdng29\xdng\setup\full\win\dist\xythos-drive-x64-_1.5.11632m_setup\xythos-drive-x64-_1.5.11632m_setup-temp.exe DELETE PENDING Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 1700653
6:34:19.6847058 PM cmd.exe 5392 4000 CreateFile D:\projects\!xdng\xdng29\xdng\setup\full\win\dist\xythos-drive-x64-_1.5.11632m_setup\xythos-drive-x64-_1.5.11632m_setup-temp.exe DELETE PENDING Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a 1700654
6:34:19.6847553 PM cmd.exe 5392 4000 SetRenameInformationFile D:\projects\!xdng\xdng29\xdng\setup\full\win\dist\xythos-drive-x64-_1.5.11632m_setup\xythos-drive-x64-_1.5.11632m_setup-temp.new.exe NAME COLLISION ReplaceIfExists: False, FileName: D:\projects\!xdng\xdng29\xdng\setup\full\win\dist\xythos-drive-x64-_1.5.11632m_setup\xythos-drive-x64-_1.5.11632m_setup-temp.exe 1700655
6:34:19.6847741 PM cmd.exe 5392 4000 CloseFile D:\projects\!xdng\xdng29\xdng\setup\full\win\dist\xythos-drive-x64-_1.5.11632m_setup SUCCESS 1700656
6:34:19.6848130 PM cmd.exe 5392 4000 CreateFile D:\projects\!xdng\xdng29\xdng\setup\full\win\dist\xythos-drive-x64-_1.5.11632m_setup\xythos-drive-x64-_1.5.11632m_setup-temp.exe DELETE PENDING Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a 1700657

I am attaching the stack.
0 fltmgr.sys FltpPerformPreCallbacks + 0x2f7 0xfffff88001005027 C:\Windows\system32\drivers\fltmgr.sys
1 fltmgr.sys FltpPassThrough + 0x2d9 0xfffff88001005be9 C:\Windows\system32\drivers\fltmgr.sys
2 fltmgr.sys FltpDispatch + 0xb7 0xfffff880010046c7 C:\Windows\system32\drivers\fltmgr.sys
3 ntoskrnl.exe IopCloseFile + 0x11f 0xfffff8000319da0f C:\Windows\system32\ntoskrnl.exe
4 ntoskrnl.exe ObpDecrementHandleCount + 0xb4 0xfffff80003183a24 C:\Windows\system32\ntoskrnl.exe
5 ntoskrnl.exe ObpCloseHandleTableEntry + 0xb1 0xfffff8000319d501 C:\Windows\system32\ntoskrnl.exe
6 ntoskrnl.exe ObpCloseHandle + 0x94 0xfffff8000319d414 C:\Windows\system32\ntoskrnl.exe
7 ntoskrnl.exe KiSystemServiceCopyEnd + 0x13 0xfffff80002e86993 C:\Windows\system32\ntoskrnl.exe
8 ntdll.dll ntdll.dll + 0x4fe4a 0x770efe4a C:\Windows\System32\ntdll.dll
9 KernelBase.dll CloseHandle + 0x13 0x7fefd191843 C:\Windows\System32\KernelBase.dll
10 kernel32.dll CloseHandleImplementation + 0x3d 0x76ea2c41 C:\Windows\System32\kernel32.dll
11 mpengine.dll mpengine.dll + 0x17f25c 0x71dbf25c C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
12 mpengine.dll mpengine.dll + 0x17f447 0x71dbf447 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
13 mpengine.dll mpengine.dll + 0x17f38e 0x71dbf38e C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
14 mpengine.dll mpengine.dll + 0x31c7b 0x71c71c7b C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
15 mpengine.dll mpengine.dll + 0x2cbf8 0x71c6cbf8 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
16 mpengine.dll mpengine.dll + 0x180a0f 0x71dc0a0f C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
17 mpengine.dll mpengine.dll + 0x17e5d5 0x71dbe5d5 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
18 mpengine.dll mpengine.dll + 0x17ea1c 0x71dbea1c C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
19 mpengine.dll mpengine.dll + 0x17e933 0x71dbe933 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
20 mpengine.dll mpengine.dll + 0x17e78a 0x71dbe78a C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
21 mpengine.dll mpengine.dll + 0x17e67b 0x71dbe67b C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
22 mpengine.dll mpengine.dll + 0x17e2ce 0x71dbe2ce C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
23 mpengine.dll mpengine.dll + 0x1a0be7 0x71de0be7 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
24 mpengine.dll mpengine.dll + 0x1a0829 0x71de0829 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
25 mpengine.dll mpengine.dll + 0x1a01bd 0x71de01bd C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
26 mpengine.dll mpengine.dll + 0x19e790 0x71dde790 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
27 mpengine.dll mpengine.dll + 0x1d4ca0 0x71e14ca0 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
28 mpengine.dll mpengine.dll + 0x1d69b9 0x71e169b9 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
29 mpengine.dll mpengine.dll + 0x1d6409 0x71e16409 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
30 mpengine.dll mpengine.dll + 0x1d62e2 0x71e162e2 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
31 mpengine.dll mpengine.dll + 0x17f9d2 0x71dbf9d2 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
32 mpengine.dll mpengine.dll + 0x17fb05 0x71dbfb05 C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8CA80D48-F601-40AA-8C5F-6A9636C9D793}\mpengine.dll
33 mpsvc.dll rsignal_wrapper + 0xa8 0x7fef5933e44 c:\program files\windows defender\mpsvc.dll
34 mpsvc.dll OnDemandScanWorker + 0x16a 0x7fef59410b2 c:\program files\windows defender\mpsvc.dll
35 mpsvc.dll ShutdownWorkHandler + 0x41b 0x7fef593bf93 c:\program files\windows defender\mpsvc.dll
36 MpClient.dll CommonUtil::CMpSimpleThreadPool::AsyncDequeue + 0x146 0x7fef58b9b4e c:\program files\windows defender\MpClient.dll
37 ntdll.dll ntdll.dll + 0x10f34 0x770b0f34 C:\Windows\System32\ntdll.dll
38 ntdll.dll ntdll.dll + 0x19d0f 0x770b9d0f C:\Windows\System32\ntdll.dll
39 kernel32.dll BaseThreadInitThunk + 0xd 0x76e9f56d C:\Windows\System32\kernel32.dll
40 ntdll.dll ntdll.dll + 0x33021 0x770d3021 C:\Windows\System32\ntdll.dll
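As an added example, not part of the original post and not Microsoft or Procmon tooling, the script below automates the diagnosis the poster did by hand: in a Process Monitor CSV export it pairs each SetRenameInformationFile that failed with NAME COLLISION against a recent CreateFile on the rename target that returned DELETE PENDING, and then reports which process eventually closed the last handle on that path (in the post, svchost.exe hosting the scanner). It assumes Procmon's default CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and that the Detail of a rename event carries "FileName: <target>" as in the log above; the embedded rows are constructed with shortened paths and are not the poster's log.

```python
"""Flag renames that raced a pending delete in a Process Monitor CSV export.

Added example, not code from the forum post. Assumes the default column set
of a Procmon CSV export: "Time of Day", "Process Name", "PID", "Operation",
"Path", "Result", "Detail". The embedded rows are constructed (shortened
paths) to mirror the pattern in the post.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows, not the poster's actual log. A CreateFile on the
# just-deleted setup-temp.exe returns DELETE PENDING, the rename of the new
# binary onto that name fails with NAME COLLISION, and a different process
# (svchost.exe, hosting the scanner) closes the last handle later on. The
# final row is a NAME COLLISION with no pending delete and must not be flagged.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:34:19.6846477 PM","cmd.exe","5392","CreateFile","D:\\dist\\setup-temp.exe","DELETE PENDING","Desired Access: Read Attributes, Synchronize, Disposition: Open"
"6:34:19.6847553 PM","cmd.exe","5392","SetRenameInformationFile","D:\\dist\\setup-temp.new.exe","NAME COLLISION","ReplaceIfExists: False, FileName: D:\\dist\\setup-temp.exe"
"6:34:19.6847741 PM","cmd.exe","5392","CloseFile","D:\\dist","SUCCESS",""
"6:34:20.1000000 PM","svchost.exe","1234","CloseFile","D:\\dist\\setup-temp.exe","SUCCESS",""
"6:35:00.0000000 PM","cmd.exe","5392","SetRenameInformationFile","D:\\dist\\other.new.exe","NAME COLLISION","ReplaceIfExists: False, FileName: D:\\dist\\other.exe"
'''

# Rename target as Procmon prints it in the Detail column of the rename event.
TARGET_RE = re.compile(r"FileName:\s*(.+?)\s*$")


@dataclass
class Finding:
    time: str            # Time of Day of the failed rename
    process: str         # process that issued the rename
    pid: str
    source: str          # file being renamed (the new binary)
    target: str          # name it was renamed to (the delete-pending file)
    released_by: Optional[str]  # "process:pid" that later closed the target


def parse_time_of_day(text: str) -> float:
    """Convert Procmon's '6:34:19.6846477 PM' into seconds since midnight.

    Assumes the capture does not cross midnight.
    """
    clock, meridiem = text.split()
    hours, minutes, seconds = clock.split(":")
    hour24 = int(hours) % 12 + (12 if meridiem.upper() == "PM" else 0)
    return hour24 * 3600 + int(minutes) * 60 + float(seconds)


def find_rename_delete_races(csv_text: str, window_s: float = 2.0) -> List[Finding]:
    """Return one Finding per NAME COLLISION rename whose target was DELETE PENDING.

    The pending CreateFile must precede the rename by at most window_s seconds,
    which keeps unrelated collisions on the same name apart.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings: List[Finding] = []
    for i, row in enumerate(rows):
        if row["Operation"] != "SetRenameInformationFile" or row["Result"] != "NAME COLLISION":
            continue
        match = TARGET_RE.search(row["Detail"])
        if not match:
            continue
        target = match.group(1)
        t_rename = parse_time_of_day(row["Time of Day"])

        # Walk backwards for the most recent DELETE PENDING on the target path.
        pending = None
        for prev in reversed(rows[:i]):
            if (prev["Operation"] == "CreateFile"
                    and prev["Result"] == "DELETE PENDING"
                    and prev["Path"].lower() == target.lower()
                    and t_rename - parse_time_of_day(prev["Time of Day"]) <= window_s):
                pending = prev
                break
        if pending is None:
            continue

        # Whoever performs the final successful CloseFile on the target is the
        # holder of the handle that kept the delete pending.
        released_by = None
        for later in rows[i + 1:]:
            if (later["Operation"] == "CloseFile"
                    and later["Result"] == "SUCCESS"
                    and later["Path"].lower() == target.lower()):
                released_by = f'{later["Process Name"]}:{later["PID"]}'
                break

        findings.append(Finding(row["Time of Day"], row["Process Name"], row["PID"],
                                row["Path"], target, released_by))
    return findings


if __name__ == "__main__":
    for f in find_rename_delete_races(SAMPLE_CSV):
        print(f"{f.time} {f.process}:{f.pid} rename {f.source} -> {f.target} "
              f"collided with a pending delete; handle released by {f.released_by}")
```

Run against a real export, the released_by field is what separates a scanner holding the file (a different process, as in the post) from the batch job itself still having the old binary open; in the latter case the fix is in the job, not in the AV.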