0

The symptom is eerily similar to this question. However, I have no SN-DBS service installed and it seems to affect all executables run on the machine, not just a couple of compiled files.

Normally, when an application hits an error, be it exceptions, hangs due to deadlocks, an unresponsive UI, or any of the many other reasons for which Windows deems a process bad, WerFault.exe will spawn, take control of the offending process, and suspend it. Once WerFault.exe has logged the application error in Event Viewer's Application Log, it will clean up the process by shutting itself off and killing the suspended process. An example of the log entry:

Faulting application name: exceptiontest.exe, version: 1.0.0.0, time stamp: 0x65fc7138
Faulting module name: KERNELBASE.dll, version: 10.0.22621.3447, time stamp: 0x3d876852
Exception code: 0xe0434352
Fault offset: 0x00000000000653ac
Faulting process id: 0x0xF74
Faulting application start time: 0x0x1DA969431684D42
Faulting application path: D:\Test\bin\Debug\net6.0\exceptiontest.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: b97a61b6-eef2-4070-8616-2eb88e9ee82b
Faulting package full name: 
Faulting package-relative application ID: 

However, in this case, it doesn't happen that way. WerFault.exe did suspend the process, wrote the log, and proceeded to kill itself, but as it suspended the process it changed the owner from the user to SYSTEM and elevated the Integrity Level to System Mandatory Level, making it unkillable. Originally the offending program ran at Medium Mandatory Level, as it was not run from a command line with administrative privileges.

I can reliably reproduce the issue on my machine (Windows 11 23H2 Build 22631.3447) with the following .NET program:

using System;

class Program
{
    static void Main(string[] args)
    {
        // Unhandled on purpose: the crash is what brings up WerFault.exe.
        throw new Exception();
    }
}

I have tried to run sfc scannow followed by dism /online /cleanup-image /scanhealth and found nothing wrong. sfc says "Windows Resource Protection did not find any integrity violations" and dism gave "No component store corruption detected."

It's a bizarre issue that I only noticed recently when I curiously took a peek at Task Manager's running processes list. I am not sure when it started to behave this way.

I do wonder what was causing this problem?

How can I know who else is holding the process after WerFault.exe exited?

Given that I only have Windows Defender as my antivirus program, is the new Windows Defender DevDrive protection the culprit? That thing is new and I haven't enabled it on any drive I have. I tried to disable it but I can still reproduce the zombie process reliably nevertheless.

How can I kill these zombie processes that I could not kill even with Process Explorer run as administrator?

Is it possible to downgrade a process's Integrity Level and possibly kill it? I have tried to assign all possible permissions through Process Explorer to my account and I am still unable to get rid of the zombie process.

EDIT 2024-05-13

After fiddling around for a couple of days, I found out using Process Explorer that Task Manager somehow holds the erroneous process once WerFault.exe has done its job and terminated. I could release those zombie processes by... closing Task Manager. It's kind of odd for Task Manager to behave this way.

2
  • Wow, thank you for working out that it's Task Manager doing this. This problem has been driving me mad on and off for a few weeks. Commented May 17 at 15:50
  • @IanGriffiths lmao, I thought it was only me having the trouble given how long this question has been ignored. I wrote feedback some time ago, but it seems to have fallen on deaf ears.
    – Bagus Tesa
    Commented May 17 at 23:56
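
For matching an Application Error entry like the one quoted in the question to a process still listed afterwards, the following added example (not code from the question or its comments) parses the entry's fields into a decimal PID and a UTC start time. The function names are hypothetical, the sample is constructed from the quoted log lines, and reading the doubled "0x0x" prefix as a formatting quirk in front of an ordinary hex value is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: fields from the log entry quoted in the question,
# including the doubled "0x0x" prefix exactly as the entry shows it.
SAMPLE = """\
Faulting application name: exceptiontest.exe, version: 1.0.0.0, time stamp: 0x65fc7138
Exception code: 0xe0434352
Faulting process id: 0x0xF74
Faulting application start time: 0x0x1DA969431684D42
Faulting application path: D:\\Test\\bin\\Debug\\net6.0\\exceptiontest.exe
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CLR_EXCEPTION = 0xE0434352  # raised by the .NET runtime for unhandled managed exceptions


def parse_hex(text):
    """Parse a hex field, tolerating one or more leading '0x' prefixes (assumption)."""
    digits = re.sub(r"^(?:0x)+", "", text.strip(), flags=re.IGNORECASE)
    return int(digits, 16)


def parse_fault(message):
    """Return the fields needed to tie a log entry to one process instance."""
    fields = {}
    for line in message.splitlines():
        # Split on the first colon only, so "D:\..." paths stay intact.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    code = parse_hex(fields["Exception code"])
    # Start time is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    ticks = parse_hex(fields["Faulting application start time"])
    return {
        "image": fields["Faulting application name"].split(",")[0],
        "path": fields["Faulting application path"],
        "pid": parse_hex(fields["Faulting process id"]),
        "started_utc": FILETIME_EPOCH + timedelta(microseconds=ticks // 10),
        "managed_exception": code == CLR_EXCEPTION,
    }


if __name__ == "__main__":
    for name, value in parse_fault(SAMPLE).items():
        print(f"{name}: {value}")
```

The PID alone can be reused by a later process, so compare both the PID and the start time against what Process Explorer shows for the leftover entry.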
