MSEdge.exe injection issue #406

Open
kariudo opened this issue Feb 17, 2025 · 7 comments
Labels
bug Something isn't working

Comments

@kariudo

kariudo commented Feb 17, 2025

Description

If msedge.exe is started after windhawk, it seems to cause a looping performance issue with loading profiles and any page within them.

Steps to reproduce

  1. Start windhawk (I tested this with all of my windhawk extensions disabled)
  2. Start Edge (assumes it was completely closed beforehand)
  3. Observe the loading state of the first (or any) tab

Expected behavior

Tab should load promptly (including the newtab page).

Actual behavior

Tab is perpetually loading and severely degraded performance is noted.

Notes

  • Turning all the extensions off in windhawk has no effect, so I assume it's not a specific extension; none of my enabled ones were related to Edge either.
  • If MSEdge.exe is opened before windhawk (just closing windhawk, then opening edge, then reopening windhawk bypasses the issue)
  • Adding msedge.exe to the global settings "more advanced options" process exclusion list prevents the issue.

I have not done any other debugging after finding this behavior for the moment due to time.

@kariudo kariudo added the bug Something isn't working label Feb 17, 2025
@m417z
Member

m417z commented Feb 17, 2025

One issue I'm aware of is related to a new security feature in Edge/Chromium, which AFAIK isn't enabled globally yet, but perhaps you have it enabled for some reason. Can you please check for crash dumps, and attach the most recent one if you have any? Normally Edge dumps can be found here:

%LocalAppData%\Microsoft\Edge\User Data\Crashpad

@wineggdrop

Edge/Chrome runs in a sandbox environment (low integrity level); it's a bad idea to inject a DLL into it since it always causes issues. Better to exclude it by checking the process integrity level before injection, or by adding it to the exclusion list.

@kariudo
Author

kariudo commented Feb 20, 2025

I just removed my exclusion temporarily to see if anything was getting reported to Crashpad, and it does not appear to generate a new report while it's hanging.

I'd say @wineggdrop is right that it should just generally be excluded; however, I think there are some extensions available (tab scrolling comes to mind) that are intended for use in that context that I assume require injection.

@m417z
Member

m417z commented Feb 20, 2025

@kariudo while the tab is in loading state, do you see an msedge.exe process in Task Manager that takes a large amount of CPU? If so, can you go to the details tab, right click on it and choose "Create memory dump file", then post it (or email it to me)?

@wineggdrop

wineggdrop commented Feb 21, 2025

> I just removed my exclusion temporarily to see if anything was getting reported to Crashpad, and it does not appear to generate a new report while it's hanging.
>
> I'd say @wineggdrop is right that it should just generally be excluded; however, I think there are some extensions available (tab scrolling comes to mind) that are intended for use in that context that I assume require injection.

Browser add-ons usually use HTML, CSS, JavaScript or WebAPI + JSON, which means the browser itself renders the add-on code with no injection.

@m417z
Member

m417z commented Feb 21, 2025

@wineggdrop at least one mod injects code into such sandboxed processes:
https://windhawk.net/mods/cef-titlebar-enabler-universal

Also, I'm not sure that there's a reliable way to detect such processes, especially if they become sandboxed during process initialization. If there's a compatibility problem, I think it's best to understand and fix this problem. Meanwhile, an incompatible program can always be excluded.

@wineggdrop

wineggdrop commented Feb 21, 2025

> @wineggdrop at least one mod injects code into such sandboxed processes: https://windhawk.net/mods/cef-titlebar-enabler-universal
>
> Also, I'm not sure that there's a reliable way to detect such processes, especially if they become sandboxed during process initialization. If there's a compatibility problem, I think it's best to understand and fix this problem. Meanwhile, an incompatible program can always be excluded.

Detecting a low integrity level process by process ID:

```cpp
#include <windows.h>

// Returns true when the process runs below Medium integrity (Low or Untrusted),
// and also when the integrity level cannot be read from its token: an unknown
// level is treated as low so the caller skips injection. Returns false for
// Medium or higher, and for process id 0 / a process that cannot be opened.
bool IsLowIntegrityLevel(DWORD dwProcessId)
{
	bool bSuccess = false;
	DWORD dwIntegrityLevel = 0;
	HANDLE hToken = NULL;
	HANDLE hProcess = NULL;
	PTOKEN_MANDATORY_LABEL lpTokenMandatoryLabel = NULL;

	do
	{
		if (0 == dwProcessId)
		{
			break;
		}

		// PROCESS_QUERY_LIMITED_INFORMATION would be enough for OpenProcessToken
		// with TOKEN_QUERY on Vista and later; the full right is kept as written.
		hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId);
		if (NULL == hProcess)
		{
			break;
		}
		if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
		{
			break;
		}

		// First call with no buffer only asks for the required size.
		DWORD dwSize = 0;
		if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, dwSize, &dwSize))
		{
			if (ERROR_INSUFFICIENT_BUFFER != GetLastError())	// Almost impossible to happen unless the OS has a major issue
			{
				bSuccess = true;	// Level cannot be determined: treat as low
				break;
			}
		}
		lpTokenMandatoryLabel = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LMEM_FIXED, dwSize);
		if (NULL == lpTokenMandatoryLabel)
		{
			break;
		}
		if (!GetTokenInformation(hToken, TokenIntegrityLevel, lpTokenMandatoryLabel, dwSize, &dwSize))
		{
			bSuccess = true;	// Level cannot be determined: treat as low
			break;
		}

		// The integrity RID is the last sub-authority of the mandatory label SID (S-1-16-<rid>).
		dwIntegrityLevel = *GetSidSubAuthority(lpTokenMandatoryLabel->Label.Sid,
			*GetSidSubAuthorityCount(lpTokenMandatoryLabel->Label.Sid) - 1);
		if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID)	// Low (0x1000) or Untrusted (0x0000)
		{
			bSuccess = true;
		}

	} while (0);

	if (lpTokenMandatoryLabel)
	{
		LocalFree(lpTokenMandatoryLabel);
	}
	if (hToken)
	{
		CloseHandle(hToken);
	}
	if (hProcess)
	{
		CloseHandle(hProcess);
	}
	return bSuccess;
}
```

BTW, why use MinHook over Microsoft's Detours?
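As an added example (not from the Windhawk project or from the comment above), the same RID extraction done portably on a raw SID buffer, so the check's boundary (anything below SECURITY_MANDATORY_MEDIUM_RID counts as low, and a label that cannot be decoded is treated as low) can be exercised without Windows; the sample SIDs are constructed. Note that either version is a snapshot of the token at check time: as m417z points out, a process that lowers its integrity during initialization can look like Medium when injection happens and be sandboxed shortly after.

```c
/* Added example, not from the Windhawk project or the comment above: decodes the
 * integrity RID from a raw mandatory-label SID (S-1-16-<rid>) the way the comment's
 * GetSidSubAuthority(sid, count - 1) call does, using no Windows headers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SECURITY_MANDATORY_LABEL_AUTHORITY 16      /* Windows SDK values */
#define SECURITY_MANDATORY_LOW_RID         0x1000
#define SECURITY_MANDATORY_MEDIUM_RID      0x2000

/* Raw SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
 * SubAuthority[count] (4 bytes each, little-endian). Returns false unless the buffer
 * is a well-formed SID under the mandatory-label authority; the RID goes to *rid. */
bool integrity_rid_from_sid(const uint8_t *sid, size_t len, uint32_t *rid)
{
    if (sid == NULL || rid == NULL || len < 8) return false;
    uint8_t revision = sid[0], count = sid[1];
    if (revision != 1 || count == 0 || count > 15) return false;
    if (len < 8 + (size_t)count * 4) return false;
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | sid[2 + i];
    if (authority != SECURITY_MANDATORY_LABEL_AUTHORITY) return false;
    /* The last sub-authority is the integrity RID. */
    const uint8_t *p = sid + 8 + (size_t)(count - 1) * 4;
    *rid = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return true;
}

/* Same policy as the comment's IsLowIntegrityLevel: below Medium is "low", and a
 * label that cannot be decoded is treated as low (fail closed: do not inject). */
bool is_low_integrity_sid(const uint8_t *sid, size_t len)
{
    uint32_t rid;
    if (!integrity_rid_from_sid(sid, len, &rid)) return true;
    return rid < SECURITY_MANDATORY_MEDIUM_RID;
}

/* Convenience for callers that want the RID, or UINT32_MAX when undecodable. */
uint32_t integrity_rid_or_invalid(const uint8_t *sid, size_t len)
{
    uint32_t rid;
    return integrity_rid_from_sid(sid, len, &rid) ? rid : UINT32_MAX;
}

/* Constructed sample SIDs: S-1-16-4096 (Low) and S-1-16-8192 (Medium). */
const uint8_t SID_LOW[12]    = {1, 1, 0, 0, 0, 0, 0, 16, 0x00, 0x10, 0x00, 0x00};
const uint8_t SID_MEDIUM[12] = {1, 1, 0, 0, 0, 0, 0, 16, 0x00, 0x20, 0x00, 0x00};
```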
