| [.04] Multiple and unkillable instances of klwtblfs.exe |
|
tzuk
|
Are you using Sandboxie version 3.46?

I also suggest that you take a look here: http://www.sandboxie.com/phpbb/viewtopic.php?t=8329

Do you experience any of the issues reported there?
_________________ tzuk |
|
Franck
Guest
|
Thanks Tzuk for your reply.

Yes, v346! I read the topic you showed me, but it's not the same problem. Firefox isn't slowed down or anything like that. It all works perfectly well, except for these 4 instances of the Kaspersky add-on that prevent me from emptying the sandbox.

I have 2 sandboxes (including defaultbox) that were there before KIS 2011, and all is correctly sandboxed there. If I now create a new sandbox with the same settings as defaultbox, then I get 4 instances of the process.

I hope you'll have a little clue. Thanks again for your quick support and this wonderful piece of software!
|
Franck
Guest
|
My bad! I have no explanation of why I encounter such a problem, but at least I found out the pattern!

I thought my defaultbox settings were just as they were right out of the box... but they were not, as I ticked "Drop Rights from Administrators..." So technically, defaultbox and any of my newly created boxes were configured the same way.

I'm using XP SP3 (x86 edition, quite obviously). I know that's not good but I use the standard admin account. Very bad. But as I'm not that bad, I got accustomed to using DropMyRights to launch Firefox. I tweaked my desktop shortcut; I changed the target path:

"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"

I know it's pretty silly to use DropMyRights before sandboxing but:
- I'd like to avoid messing up my desktop with 2 Firefox shortcuts (with and without DMR)
- I don't want to systematically use SBIE to launch Firefox

So, here is the pattern that leads to 4 unkillable instances of klwtblfs.exe.
- if I launch Firefox without DMR, the problem doesn't occur, whether the "Drop Rights from..." setting of the box is on or off
- if I launch Firefox with DMR (my standard shortcut) within a sandbox set to "Drop Rights from...", the problem doesn't occur
- as far as I can see the problem occurs only when I launch Firefox with DMR and within a sandbox set to NOT "drop rights from..."

I don't know if you'll find this problem worth fixing. But anyway I still think it's important you know about this behavior. Maybe it's perfectly normal and there is something I don't get... As it's far above my scope of understanding, it seems weird to me and I'm glad I let you know!
|
Franck
Guest
|
Here is some additional information regarding this issue. I guess the explanation behind the pattern I've found (see my previous post) is that it's the only case where firefox.exe and klwtblfs.exe do not have the same privilege status.

When NOT using SBIE, klwtblfs.exe is grand-child of winlogon.exe and child of svchost.exe.
- When Firefox is launched normally, it inherits its privilege status from the account status, in my case, admin rights. In that case, klwtblfs.exe also has admin privileges.
- When Firefox is launched via DropMyRights, obviously it has only standard user privileges. In that case, klwtblfs.exe admin privileges are also dropped.

So in both cases the browser and Kaspersky add-on have the same privilege level.

When using SBIE, klwtblfs.exe is now child of SandboxieDComLaunch.exe.

If the sandbox is set to DO drop admin rights:
- When Firefox is launched normally, SBIE drops rights from both Firefox and klwtblfs.exe.
- When Firefox is launched via my desktop shortcut using DropMyRights: Firefox has standard privilege because of DropMyRights and klwtblfs.exe has standard privilege because of SBIE.

In both cases the browser and Kaspersky add-on have the same privilege level.

If the sandbox is set to DO NOT drop admin rights:
- When Firefox is launched normally, it inherits its privilege status from the account status, in my case, admin rights. DropMyRights was not invoked and SBIE was not asked to drop rights. Regarding klwtblfs.exe, it also has admin rights, as it is launched within a sandbox that doesn't drop rights. In that case, the browser and Kaspersky add-on still have the same privilege level.
- BUT... When Firefox is launched via DropMyRights, firefox.exe has standard privilege only. And, in such a case, klwtblfs.exe admin rights are not dropped by SBIE. So the two processes end up with different rights... And the user ends up with these 4 unkillable instances of the add-on.

In a nutshell:
- DropMyRights can't only drop klwtblfs.exe rights when not run within a sandbox
- Within the sandbox, one can only rely on SBIE to drop klwtblfs.exe rights
- klwtblfs.exe doesn't seem to like to have higher rights than the browser

I hope all this helps! Thanks for support
|
tzuk
|
Interesting analysis.

If I understand everything correctly, then this happens because you run Start.exe (the Run Sandboxed action) to run DropMyRights.exe to run Firefox.exe. Start.exe runs SandboxieDcomLaunch.exe before it runs DropMyRights.exe and this is how you get two sets of privileges in the same sandbox.

Perhaps you can run

DropMyRights.exe Start.exe Firefox.exe

I.e. DropMyRights.exe runs Start.exe to start sandboxing, which would then start SandboxieDcomLaunch (with dropped rights this time) and then Firefox (with dropped rights as usual).

Of course the real puzzler here is this: the question is why does this particular scenario turn klwtblfs.exe into a zombie process that can't be killed. I'll take a look into this at some point to see if I can do anything about it.

Thank you for the detailed analysis that explains how to reproduce the problem.
|
Franck
|
Thanks tzuk for your comprehensive reply.

I'll try for sure what you propose, but:
- if I do: start > dropMyRights > firefox, won't I end up systematically with a sandboxed browser? At first, I didn't want that; now, I'm wondering what settings would be optimal for transparent browser sandboxing
- what's the point of continuing to use DropMyRights when you can set the sandbox to drop rights on its own?

Regarding klwtblfs.exe behavior, I've no clue as you can guess. Thanks again!
|
tzuk
|
No point. I suggested that because it seemed to me that you wanted to keep using DropMyRights, and I respected that. But I agree, switching to Sandboxie Drop Rights may be the easier solution.