Cygwin applications behave strangely with 0patch

mitja.kolsek

0patch users have reported Cygwin applications freezing or crashing after installing 0patch Agent. While the most frequently reported application was ssh.exe, we have reason to believe other apps may be affected too.

Our analysis of the problem brought us to the realm of weird behavior that apparently many security products encounter when coexisting with Cygwin. (In particular, we believe what we're encountering here is "Random fork() failures".)

Comparing process tracing results of failed and successful executions of ssh.exe, combined with the source code of Cygwin, led us to believe Cygwin is sensitive to our hooking into the process. Excluding affected Cygwin processes from injection via the 0patch registry value ExcludeModules is the only workaround at this time. For instance, to exclude ssh.exe from being injected with 0patch Loader, use the following procedure:

  1. Append "|ssh.exe" (note the initial pipe character) to the existing HKLM\Software\0patch\ExcludeModules registry value.
  2. To enforce this new setting without restarting your computer, change the value of HKLM\SOFTWARE\0patch\CallbackKeys\UnloadLoaderDll\Counter to any number other than the one it already has (this removes 0patch Loader from all processes).
  3. Restart the 0patch Service.

Note, however, that many Cygwin executables may be affected and the ExcludeModules registry value may be too short to list them all.
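
The three steps above as a PowerShell script, run from an elevated prompt. This is an added example, not a script supplied by 0patch. The `$Module` parameter name is hypothetical, and the script assumes that the Counter value is numeric and that the service's display name contains "0patch".

```powershell
#Requires -RunAsAdministrator
# Added example: applies the three-step ExcludeModules workaround for one executable.
param([string]$Module = 'ssh.exe')   # hypothetical parameter name

$ErrorActionPreference = 'Stop'
$root       = 'HKLM:\Software\0patch'
$counterKey = 'HKLM:\SOFTWARE\0patch\CallbackKeys\UnloadLoaderDll'

# Step 1: append "|<module>" to ExcludeModules unless it is already listed.
$current = [string](Get-ItemProperty -Path $root -Name ExcludeModules).ExcludeModules
$entries = $current -split '\|' | Where-Object { $_ }
if ($entries -contains $Module) {      # -contains compares case-insensitively
    Write-Host "$Module is already excluded; nothing changed."
    return
}
Write-Host "Previous ExcludeModules value (keep for rollback): $current"
$updated = "$current|$Module"
Set-ItemProperty -Path $root -Name ExcludeModules -Value $updated
Write-Host "ExcludeModules is now $($updated.Length) characters long."

# Step 2: change Counter to a different number so 0patch Loader is removed
# from all processes. Assumption: the stored value parses as an integer.
$old = (Get-ItemProperty -Path $counterKey -Name Counter).Counter
$new = [int](([long]$old + 1) % 1000000)
Set-ItemProperty -Path $counterKey -Name Counter -Value $new
Write-Host "Counter changed from $old to $new."

# Step 3: restart the 0patch Service.
# Assumption: exactly one service has "0patch" in its display name.
$svc = @(Get-Service -DisplayName '*0patch*' -ErrorAction SilentlyContinue)
if ($svc.Count -ne 1) {
    throw "Expected one 0patch service, found $($svc.Count); restart it manually."
}
Restart-Service -InputObject $svc[0] -Force
Write-Host "Restarted service '$($svc[0].DisplayName)'."
```

List only the executables that actually fail, since an excluded process is no longer injected with 0patch Loader.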
