SystemInformer constantly hangs after 'upgrade' from ProcessHacker

[SanderBouwhuis]

Brief description of your issue

I've been using ProcessHacker for many years and never had a problem.
The latest 'update' installed SystemInformer. Now, it constantly freezes.

Steps to reproduce (optional)

1. Start SystemInformer.
2. Go to options and click the 'reset options' (SI auto restarts)
3. Click the 'administrator' button (SI auto restarts)
4. SI is already slow now
5. Go to options
6. SI now hangs. It takes about 60 seconds for the window to paint (you can see every single element being painted one by one.

Expected behavior (optional)

No response

Actual behavior (optional)

No response

Environment (optional)

Windows 10 Pro x64 English
System Informer v3.0.5578
Installed FRESH

Where can I download ProcessHacker v3.x? I tried to return to that version, but I can only find v2.39.
HELP, HELP, HELP PLEASE!!!!

I went to https://ci.appveyor.com/project/processhacker/processhacker/history, but I get this message:
"Project not found or access denied"

[thatsprettygood]

It's too late now.
It has begun.
(I seriously have no idea what is happening, not installing informer until they clear this up, the 3.x builds are still here https://processhacker.sourceforge.io/nightly.php)

[Vasilich]

• Start SystemInformer.

• Open SystemInformer window as administrator.

you cannot start process as non-admin and then open its windows as admin. You need to start it as admin.

[UhuruNUru]

First I wouldn't Update from PH, their have been far to many changes, and a fresh install works fine for me.
That PH is even offering an update is unfortunate, but PH is EOL, and that issue is with PH, not SI.
So this is a actually a problem caused by Process Hacker, you have a problem with it NOW.

I also don't understand why you thought updating PH, to SI was a good idea (offered, or not), because (See 2nd).

2nd there is no stable release, I never saw any update, but I don't let PH, or SI start with Windows.
Coming to the site today, I saw my first Nightly Build of System Informer v3.0.5578 [2022-11-23]

Fresh Install worked just fine, and I never considered it a PH update. Too much has changed.
I used Revo Uninstaller to uninstall all traces of programs, and still check for folders manually afterwards.

So I'm assuming you're using nightly builds, to even see an update option in PH?
2nd poster even links to old PH Nightly, as the roll back option.
Nightly builds are NOT a guarantee of Stability that's for sure.
If you want SI to "Just Work" with no effort from yourself, wait for the official Stable release.
Even then, I'd start fresh.

Issues I was seeing were all in Process Hacker v3.0.4953 [2022-06-13] Last "Nightly" Release.
Kernel Driver issues, already explained, and an inability to recognise, my Security tools custom Guard.dll

Both those issues are gone, so for me with a fresh install, SI is already far better than PH was.
Main reason I'm using Nightly Builds is for Dark Mode, that alone is worth a few Nightly Niggles (If I see them).

TLDR (and main point I'm making.
Don't Update from PH, to SI. Start from fresh install instead

[SanderBouwhuis]

@UhuruNUru Do you have a ProcessHacker v3.x installer for me?

[jxy-s]

@SanderBouwhuis thanks for reaching out. I'm sorry you're experiencing these issues in the nightly.

I'd like to better understand the issue you're experiencing. Thank you for providing the steps to reproduce, based on what you described - I would like to know if you have the kernel-mode driver enabled, if you have enabled the driver, does the issue still reproduce without the driver enabled?

We have had reports of an application compatibility problem with the driver. This has since been resolved and we are waiting for Microsoft signing to do another driver release. That said, I can't guarantee this will fix the issue you're experiencing without more details. If you do have the driver enabled and disabling it resolves your issue, I would like to know the list of other drivers enabled on your system. This will help me narrow down to a root cause.

For reference, this is the change that resolves the reported application compatibility problem: b7a2dfe. I've tried to distill and brief explanation here:

In short, another driver on your system might be preforming similar actions that the SystemInformer driver is. And their routine may not be hardened to the point of being able to be executed multiple times. Fundamentally this is a bug in the operating system, and expresses itself as an application compatibility problem based on the drivers queuing APCs on the system. Microsoft isn't going to fix this. So, the fix on our side avoids the bug in the operating system which can cause a "replay" to occur of the other driver's routine.

Finally, I'd like to thank you for using the nightly and taking the time to report issues. The nightly build is not a stable release and the maintainers here seriously appreciate the community using and testing nightly builds. While we do test a wide range of supported operating systems, we are a small team and simply can not test each nightly build against all possible configurations, deployments, applications, etc..

[SanderBouwhuis]

@jxy-s
I updated the OP with clearer steps to reproduce the problem.

I created a dump file for you: (remove the .txt from the filenames. I needed to split and rename them because of some bug/limitation of github which doesn't allow 7z files)
SystemInformer.exe_2022-11-28_09-12-29.7z.001.txt
SystemInformer.exe_2022-11-28_09-12-29.7z.002.txt

Tell me which other logs or dumps you need.

[jxy-s]

@SanderBouwhuis thanks for the extra details. We will review the dump files. The original post indicated that the rest of the machine became unusable/slow. Now the the description and steps to reproduce indicate that the hang/slowness is isolated to SI. I'm going to assume the most recent description here is the problem, i.e. the hang/slowness is isolated to SI (correct me if I'm wrong, please).

[SanderBouwhuis]

@jxy-s
The slowness of the rest of the system is caused by SI using 100% CPU.
If you still have access to Task Manager, then you can forcibly kill SI to regain control. If SI is the default task manager, then you have to restart the computer.

[jxy-s]

Okay, thanks for the clarification, much appreciated!

Might be a bit before we can dig into the dump files. I can try to get time this evening but it might be a day or so. Thanks for your patience and cooperation.

[jxy-s]

@SanderBouwhuis sorry for the delay. The dump you provided is from r5553, r5578 is the latest, would you please try with the latest (https://system-informer.com/nightly.php)? If the issue continues you can email me a new dump file instead of posting it on GitHub (will also avoid whatever filter is preventing you from upload them here).

[numericOverflow]

FYI - I went into the %appdata% folder and removed the settings files to fix this issue.

1. Close (exit) System Informer so that it's not running in the background anywhere (VERY IMPORTANT!).
2. Go to %appdata%\SystemInformer\
3. Delete or Rename settings.xml to something else like settings.xml.bkp
4. Delete or Rename usernotesdb.xml to something else like usernotesdb.xml.bkp
5. Launch System Informer again.

Once you delete/rename the 2 config files, you'll have to re-do any custom settings, but at least SystemInformer will run fine.

[SanderBouwhuis]

I upgraded to the latest version, but it is still hangs my system.

Here is the settings file.
SystemInformer.exe.settings.xml.txt

Your email provider couldn't handle the 29'400'239 bytes archive with the dump, so I've used WeTransfer to send you the files.

[SanderBouwhuis]

What is the status of this bug?
Is there something I can provide to help with this? This bug is a complete showstopper.

[dmex]

What is the status of this bug?

We fixed the issue weeks ago but there's an issue with the hardware dashboard preventing us from signing new versions of the driver.

Is there something I can provide to help with this?

It'll be fixed once Microsoft support resolve the support case.

This bug is a complete showstopper.

Disable the driver until we're able to release a new version.

If you can't start the application without crashing:

1. Run systeminformer.exe -nokph to launch without the driver.
2. Disable the driver from the options window.
3. Reboot (or close and open the application to save the settings).

We'll update the ticket when we have more information.

[SanderBouwhuis]

Which driver should I disable?
Do you mean the 'Enable kernel-mode driver' option?

[Masamune3210]

Yes

[Dim-Tim-1963]

Freezing also occurs with kernel driver disabled. The processing of GUI message queue stops. It seems to be connected with some customizations (processes window columns etc) and options set, but I didn't yet spotted certain setting, after which freezing starts occuring (it does not start instantly). Process Hacker 3.0.4953 works fine (this is the last installer I have on my HDD).

[Dajova]

I had the issue as well a few weeks ago and it did went away with a reset of the settings. But now it's back again after the latest update.

If you can't start the application without crashing:

1. Run **`systeminformer.exe -nokph`** to launch without the driver.

2. Disable the driver from the options window.

3. Reboot (or close and open the application to save the settings).

This fix doesnt work if you have it auto startup and replace default task manager enabled. I needed to go into safe mode and disable the kernel-driver from there.

[jxy-s]

We would like some help collecting information on this issue, we are still unclear if this issue is directly related to the driver, or some interaction with other software. We haven't been able to fully reproduce this to understand root cause. The investigations we have done (based on our suspicions) show that the driver mitigations improve performance/hangs rather than make it worse. But gathering this information will help give us a clearer picture of what's happening.

For those able to reproduce this issue, if possible, please follow these steps to capture a trace of the driver, this will help give us a clearer picture of what might be happening.

1. with the kernel-mode driver enabled and loaded
2. open an elevated command prompt
3. execute: logman create trace ksi -p {F64B58A2-8214-4037-8C7D-B96CE6098F3D} 0xffffffff 0xff -bs 64 -nb 16 128 -o "kph.etl" -v mmddhhmm -ow
4. execute: logman start ksi
5. reproduce the issue
6. execute: logman stop ksi
7. execute: logman delete -n ksi
8. harvest the kph_nnnnnnnn.etl trace log from disk
9. attach the log file here or email it to us

[PortalKillerPro]

We would like some help collecting information on this issue, we are still unclear if this issue is directly related to the driver, or some interaction with other software. We haven't been able to fully reproduce this to understand root cause. The investigations we have done (based on our suspicions) show that the driver mitigations improve performance/hangs rather than make it worse. But gathering this information will help give us a clearer picture of what's happening.

For those able to reproduce this issue, if possible, please follow these steps to capture a trace of the driver, this will help give us a clearer picture of what might be happening.

1. with the kernel-mode driver enabled and loaded

2. open an elevated command prompt

3. execute: `logman create trace ksi -p {F64B58A2-8214-4037-8C7D-B96CE6098F3D} 0xffffffff 0xff -bs 64 -nb 16 128 -o "kph.etl" -v mmddhhmm -ow`

4. execute: `logman start ksi`

5. reproduce the issue

6. execute: `logman stop ksi`

7. execute: logman delete -n ksi

8. harvest the `kph_nnnnnnnn.etl` trace log from disk

9. attach the log file here or email it to us

Im not quite sure that i capture it correctly. So i attached two records one with already stated si, other with started during record.
kernel mode enabled.zip

[jxy-s]

verify.c	KphVerifyFile	9528	12736	TRACE_LEVEL_VERBOSE	Failed to open signature file "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.sig": STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034)
protection.c	KphpApplyImageProtections	9528	12736	TRACE_LEVEL_VERBOSE	KphVerifyFile: 9528 "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.dll": STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034)
protection.c	KphpApplyImageProtections	9528	12736	TRACE_LEVEL_VERBOSE	KphGetSigningInfoByFileName: "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.dll" 0x00040000 "" "" "" STATUS_INVALID_IMAGE_HASH (0xC0000428) STATUS_INVALID_IMAGE_HASH (0xC0000428)
protection.c	KphpImageLoadKernelNormalRoutine	9528	12736	TRACE_LEVEL_VERBOSE	Unmapped 0000000180000000 from process 9528

The log files is full of these lines. This means the driver is disallowing the DisplayFusion library from loading into the process. This is likely happening in the window messages through a SetWindowsHookEx. This happens constantly, which is causing the UI to hang. The error that is returned in this scenario doesn't inform the UI thread to stop trying to load the hooks. @dmex and myself have been discussing how to address this problem, we have a few options but haven't decided on the best one yet.

For the time being. Disable this mitigation in SI. The DLL will be permitted to load, but access to the functionality exposed by driver will be limited. You can do this by: Options > Show advanced options > Advanced > KphDisableImageLoadProtection > 1. Once set, please unload and reload the driver.

[Dajova]

verify.c	KphVerifyFile	9528	12736	TRACE_LEVEL_VERBOSE	Failed to open signature file "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.sig": STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034)
protection.c	KphpApplyImageProtections	9528	12736	TRACE_LEVEL_VERBOSE	KphVerifyFile: 9528 "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.dll": STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034)
protection.c	KphpApplyImageProtections	9528	12736	TRACE_LEVEL_VERBOSE	KphGetSigningInfoByFileName: "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.dll" 0x00040000 "" "" "" STATUS_INVALID_IMAGE_HASH (0xC0000428) STATUS_INVALID_IMAGE_HASH (0xC0000428)
protection.c	KphpImageLoadKernelNormalRoutine	9528	12736	TRACE_LEVEL_VERBOSE	Unmapped 0000000180000000 from process 9528

The log files is full of these lines. This means the driver is disallowing the DisplayFusion library from loading into the process. This is likely happening in the window messages through a SetWindowsHookEx. This happens constantly, which is causing the UI to hang. The error that is returned in this scenario doesn't inform the UI thread to stop trying to load the hooks. @dmex and myself have been discussing how to address this problem, we have a few options but haven't decided on the best one yet.

For the time being. Disable this mitigation in SI. The DLL will be permitted to load, but access to the functionality exposed by driver will be limited. You can do this by: Options > Show advanced options > Advanced > KphDisableImageLoadProtection > 1. Once set, please unload and reload the driver.

Would it be possible to just disable hooks to SI? DF have a option like that.

[jxy-s]

Would it be possible to just disable hooks to SI? DF have a option like that.

@Dajova - Thanks for pointing this out. Seems like it would work, I haven't tested it. I'm not familiar with the Display Fusion options.

[Dajova]

Would it be possible to just disable hooks to SI? DF have a option like that.

@Dajova - Thanks for pointing this out. Seems like it would work, I haven't tested it. I'm not familiar with the Display Fusion options.

From what i can tell, it seems to work. Enabled it, restarted PC... no slowdown or hangups.

edit: nwm, spoke too soon. This apparently makes it so you can't modify/edit/close programs or anything similar from SI either...

[PortalKillerPro]

verify.c	KphVerifyFile	9528	12736	TRACE_LEVEL_VERBOSE	Failed to open signature file "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.sig": STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034)
protection.c	KphpApplyImageProtections	9528	12736	TRACE_LEVEL_VERBOSE	KphVerifyFile: 9528 "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.dll": STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034)
protection.c	KphpApplyImageProtections	9528	12736	TRACE_LEVEL_VERBOSE	KphGetSigningInfoByFileName: "\Device\HarddiskVolume9\Program Files (x86)\DisplayFusion\Hooks\AppHook64_42D524C1-C62C-43A6-A196-11DE71FE4E1D.dll" 0x00040000 "" "" "" STATUS_INVALID_IMAGE_HASH (0xC0000428) STATUS_INVALID_IMAGE_HASH (0xC0000428)
protection.c	KphpImageLoadKernelNormalRoutine	9528	12736	TRACE_LEVEL_VERBOSE	Unmapped 0000000180000000 from process 9528

The log files is full of these lines. This means the driver is disallowing the DisplayFusion library from loading into the process. This is likely happening in the window messages through a SetWindowsHookEx. This happens constantly, which is causing the UI to hang. The error that is returned in this scenario doesn't inform the UI thread to stop trying to load the hooks. @dmex and myself have been discussing how to address this problem, we have a few options but haven't decided on the best one yet.
For the time being. Disable this mitigation in SI. The DLL will be permitted to load, but access to the functionality exposed by driver will be limited. You can do this by: Options > Show advanced options > Advanced > KphDisableImageLoadProtection > 1. Once set, please unload and reload the driver.

Would it be possible to just disable hooks to SI? DF have a option like that.

I tested it right now, same problem.

[SanderBouwhuis]

Oh, that would explain a lot. I too use DisplayFusion!

[erik-bryan-hp]

FWIW I'm able to reproduce this behavior on the latest nightly build 3.0.7429 (f94e667) and I am also using DisplayFusion. I see that SI is maxing out one CPU core and the SI UI is extremely unresponsive; seems to match what others were seeing above. If any more information would help with addressing this from the SI side of things, let me know and I'll be happy to gather logs, etc.

That said, I was able to work around this by going to DisplayFusion's Settings -> Compatibility and adding the "Disable Application Hooks (this application only)" option for both the x64 and x86 SystemInformer.exe files. So, I'm good for now, but if I hadn't found this issue on GitHub, I would have kept thinking that the problem was a bug in SI instead of some weird interaction between it and DisplayFusion.