Can't attach to services for debugging

[Samurai]

Hi,

I recently had a spyware attack on my development machine, which I was able
to cleanup. However, after this I am not able to attach to any program for
debugging.

My development machine is a Win2003 Server using Visual Studio.NET 2003. I
have developed many native C++ windows services and not I am unable to
attach to any of them. It keeps saying "Unable to attach to the process.
Access is denied". I have already added myself back into "User Rights
Assignment\Debug Programs" in the Local Security Settings, didn't help.

I have admin privilege on the server and I used to debug successfully before
this spyware attack. Any idea how to get back my debugging privilege on this
server?

Regards,
Sharath

[Oleg Starodumov]

Try to attach NTSD debugger to the service - will it be able to attach?
What messages will it display if it cannot attach?

ntsd -p <pid>

Regards,
Oleg
[VC++ MVP]

[Samurai]

Hi Oleg,

Yes, I have done that before. This is what I get:

Microsoft (R) Windows Debugger Version 5.2.3790.1830
Copyright (c) Microsoft Corporation. All rights reserved.

Cannot debug pid 3400, Win32 error 5
"Access is denied."
Debuggee initialization failed, Win32 error 5
"Access is denied."
ntsd: exiting - press enter ---

Regards,
Sharath

"Oleg Starodumov" <com-dot-debuginfo-at-oleg> wrote in message
news:uGSSjgeW...@TK2MSFTNGP09.phx.gbl...

[Oleg Starodumov]

> Cannot debug pid 3400, Win32 error 5
> "Access is denied."
> Debuggee initialization failed, Win32 error 5
> "Access is denied."
> ntsd: exiting - press enter ---
>

Then it's a system configuration issue, not the debugger's one.
May be you will get better help if you post to the kernel newsgroup
(microsoft.public.win32.programmer.kernel), or to a security-related
newsgroup.

What kind of spyware was it? What tool have you used to remove it?
You can also try to look at the process token of a process running under
your user account and see if the debug privilege is listed there (e.g. you can
use !token command in WinDbg)

Oleg

[Pavel Lebedinsky]

What happens if you do ntsd -pv -p <pid>?

[Samurai]

Well, nothing really. There is a quick flash of a console window and it
comes out.

"Pavel Lebedinsky" <m underscore pll at hotmail com> wrote in message
news:ewPZdFlW...@TK2MSFTNGP15.phx.gbl...

[Rhett Gong [MSFT]]

Hello Sharath,
It is difficult to tell what may cause the problem if i only know you get
error 5 when attaching. So could you help answer following questions so
that I can better understand this problem.
1>What is the owner of this service you are trying to debug? Is it system?
2>What group the currently user belongs to?
3>Are you debugging the service locally or remotely?
4>If locally, have you added the user to "Debugger Users" group?
I look forward to hearing back from you with the details above.

Thanks,
Rhett Gong [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp
&SD=msdn

This posting is provided "AS IS" with no warranties and confers no rights.

[Samurai]

Hi Rhett,

> 1>What is the owner of this service you are trying to debug? Is it system?

I have tried it as local system account as well as my account, same result.

> 2>What group the currently user belongs to?

My user account belongs to domain admin as well as local machine admin
group.

> 3>Are you debugging the service locally or remotely?

Locally.

> 4>If locally, have you added the user to "Debugger Users" group?

I didn't find such a group in my Win2003 server, so I went ahead and added
"Debugger Users" group and added myself to that group. Same result.

I have already added myself back into "User Rights
Assignment\Debug Programs" in the Local Security Settings, didn't help.

Regards,
Sharath

"Rhett Gong [MSFT]" <v-ra...@online.microsoft.com> wrote in message
news:H%23wKQ1rW...@TK2MSFTNGXA01.phx.gbl...

[Rhett Gong [MSFT]]

If you are an local admin and add you to Debug Programs, you should be able
to debug. I saw you get a quick flash when calling ntsd -pv -p <pid>, it
seems like you are debugging an anti-debug program.

Are you able to attach to svchost?
Does this happen only on this certain service? If yes, could check which
company made this service program?
And please turn off all your anti-virus softwares and try again.

Please let me know what result you get.

[Samurai]

No, I get the same result while trying to attach svchost process.

I am trying to attach to a C++ service designed and developed by me. This is
not even a new program, it is deployed at client locations. I retried
attaching to my service program after disabling Microsoft Antispyware and
Macfee Viruscan. No difference at all.

One more thing, I applied Windows 2003 SP1 recently. I don't recall
attaching/debugging the service since then. Frankly I don't know whether
this happened because of spyware attack or SP1 installation.

How can my own code become anti-debug program?

Regards,
Sharath

"Rhett Gong [MSFT]" <v-ra...@online.microsoft.com> wrote in message

news:QHfDdh3W...@TK2MSFTNGXA01.phx.gbl...

[Samurai]

BTW, the problem got solved, please look at the same thread at
microsoft.public.win32.programmer.kernel group.

Thanks for all the help.

Regards,
Sharath

"Samurai" <sam...@newsgroup.nospam> wrote in message
news:eLC2PZ4...@TK2MSFTNGP15.phx.gbl...

[Rhett Gong [MSFT]]

SeDebugPrivilege is granted if you join in Debug Programs group. Since you
said you have done that, we all forget to verify and make sure it is
actually granted.
Thanks for your update. I am glad to see this problem has been resolved.

Best regards,