
Troubleshooting : Intercepting cmd.exe output

Author: gtirloni
Subject: Intercepting cmd.exe output
Posted: 16 April 2014 at 9:48pm

I'm trying to troubleshoot an application that is a Java applet running inside the browser. Upon clicking a button, it runs a .bat file which in turn calls cscript.exe to run a VBScript file with some options.

The .bat is executed by calling "cmd.exe /c c:\path\file.bat" and this cannot be changed because it's a 3rd-party app and we're not getting much help from their support.

When using Process Monitor, I can see cmd.exe is at a point in the stack where it's calling a PutStdErr function, possibly writing what the error is, but we can't see it because there is no Command Prompt window opened.

To make things worse, this problem happens sporadically. It involves transferring some files, anti-virus delays, etc., etc. There are many variables and we have not been able to determine what exactly is wrong. cmd.exe simply calls ThredExit() and exits. One thing I noticed is that when it works, cmd.exe is not injected with any DLL from the anti-virus (Symantec) and when it fails, the behavior is completely different when it's dealing with files. Unfortunately, running the anti-virus in debug mode has not shown any evidence (and the Security team swears it's not the AV causing it. I'm not an expert on it and have no evidence, so you get the idea).

Can anyone help me evaluate my options to intercept the cmd.exe functions and syscalls it uses so I can see what the error is?

To make an analogy to Linux, I would use something like strace to see the syscalls and the parameters passed to them, hoping the process would write to standard output at some point and I would be able to see it. I just don't know how to do the same thing with ProcMon. Is it the right tool for this job?
