eclipse.platform.ui icon indicating copy to clipboard operation
eclipse.platform.ui copied to clipboard
verified publisher icon eclipse-platform

Failed to obtain 'WinDefend' service state

Open vpinna80 opened this issue 1 year ago • 12 comments

What steps will reproduce the problem?

  1. Have an administrator forbid PowerShell usage (i.e. via antimalware such as McAfee Endpoint Security)
  2. Launch Eclipse
  3. Find the error in the Error Log View

-- Error Details -- Date: Wed Apr 03 14:59:32 CEST 2024 Message: Failed to obtain 'WinDefend' service state Severity: Error Product: Eclipse IDE 4.31.0.20240307-1200 (org.eclipse.epp.package.jee.product) Plugin: org.eclipse.ui.workbench Session Data: eclipse.buildId=4.31.0.20240307-1200 java.version=17.0.10 java.vendor=Eclipse Adoptium BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=it_IT Framework arguments: -product org.eclipse.epp.package.jee.product Command-line arguments: -os win32 -ws win32 -arch x86_64 -product org.eclipse.epp.package.jee.product

Exception Stack Trace: java.io.IOException: Cannot run program "powershell.exe": CreateProcess error=5, Accesso negato at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1143) at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073) at org.eclipse.ui.internal.WindowsDefenderConfigurator.runProcess(WindowsDefenderConfigurator.java:372) at org.eclipse.ui.internal.WindowsDefenderConfigurator.isWindowsDefenderServiceRunning(WindowsDefenderConfigurator.java:301) at org.eclipse.ui.internal.WindowsDefenderConfigurator.runExclusionCheck(WindowsDefenderConfigurator.java:154) at org.eclipse.ui.internal.WindowsDefenderConfigurator.lambda$0(WindowsDefenderConfigurator.java:101) at org.eclipse.core.runtime.jobs.Job$2.run(Job.java:187) at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63) Caused by: java.io.IOException: CreateProcess error=5, Accesso negato at java.base/java.lang.ProcessImpl.create(Native Method) at java.base/java.lang.ProcessImpl.(ProcessImpl.java:499) at java.base/java.lang.ProcessImpl.start(ProcessImpl.java:158) at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1110) ... 7 more

vpinna80 avatar Apr 03 '24 13:04 vpinna80

@HannesWell that code is from you a768a390491b5e6c5a954fa7a29d9c10d5ef760e CreateProcess error=5 most likely translates to ERROR_ACCESS_DENIED see https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499- @vpinna80 what is you expectation what should happen in such situation?

jukzi avatar May 13 '24 12:05 jukzi

Hi, my expectation is that Eclipse should not use PowerShell at all, since it is often restricted in an enterprise secured environment.

vpinna80 avatar May 13 '24 13:05 vpinna80

Well, that probably means an enterprise secured environment also does not want to you allow virus scanning to be bypassed since this involved registry changes that are no doubt also restricted. For example, are you able to use regedit personally to make changes on your machine or is that restricted too?

merks avatar May 13 '24 14:05 merks

Obviously I'm not. Why does Eclipse need to bypass the security mechanisms in Windows?

vpinna80 avatar May 13 '24 14:05 vpinna80

The dialog and the preferences explain in quite a bit of detail:

image

If you re-read it again carefully, is there something about that description that isn't entirely clear and could perhaps be better clarified?

In any case, it's definitely clear that your enterprise security environment will not allow you to choose the first choice, so you must choose the second choice.

merks avatar May 13 '24 14:05 merks

If security policies does not allow to execute powershell it does not make sense to ask the user that question and eclipse could be just silent. I also wished it would never ask me again (on the the next install) - Even though i would have the rights to perform it our policies says i must not and i want never to be asked again.

jukzi avatar May 13 '24 14:05 jukzi

Yes, handling the return value to detect permission failure would be a very good thing. I'm not sure if it's possible to determine the permission level without trying to execute the process; of course not prompting would be better in that case. @HannesWell would know best about what's possible.

Note that I was simply trying answer the question "Why does Eclipse need to bypass the security mechanisms in Windows?" which made me wonder why the details of the dialog did not make the answer self-evident as was the design intend of the long descriptive sentence. It would be good to know how we might improve the information presented to avoid that question being asked again in the future.

I believe the desired behavior of never to be asked again is supported by the preferences:

image

I think it was decided to make the dialog less complicated, hence it is shown with a link to the "more details and configuration options". I guess @jukzi that you didn't consider that what you wanted my well be supported if you follow the link.

merks avatar May 13 '24 15:05 merks

Yea i never followed that link. Thanks for the hint. It will help me. But will it help others? Should everybody need to dig into the details of such dialog? It is not intuitive. I would have expected a "never ask again" checkbox in the dialog that popped up. image

jukzi avatar May 13 '24 15:05 jukzi

There was a long, oh so very, very long, discussion about the dialog when it was being designed. 😱That would have been the best time to chime in and I would be dismayed if that discussion needs to be repeated short months later. It’s hard to argue that providing a link to “more configuration options” is not intuitive.

It’s my general experience that people just don’t actually read the information presented and often the more information you provide the less people read it. For example, I find it next to impossible to get people to click on the “Show Log” link when the installer fails. The issue template even says “I have clicked on the Show Log link and have pasted the details below.” But they don’t actually do that and happily hit the submit button. And more often than not, such people never any follow-up questions.

merks avatar May 13 '24 16:05 merks

CreateProcess error=5 most likely translates to ERROR_ACCESS_DENIED see https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499-

Yes, handling the return value to detect permission failure would be a very good thing. I'm not sure if it's possible to determine the permission level without trying to execute the process; of course not prompting would be better in that case. @HannesWell would know best about what's possible.

Based on the link Jörg posted, I think in that case the only way to handle this is to treat the return value 5 as ERROR_ACCESS_DENIED and assume we can't do anything and just be silent. Maybe just log an info or at most a warning?

I think it was decided to make the dialog less complicated, hence it is shown with a link to the "more details and configuration options".

Yes that was a decision made in https://github.com/eclipse-platform/eclipse.platform.ui/pull/1453. Everyone interested in more details, please read through that PR first. We tried to find a balance between amount of information provided and simplicity of the dialog. Initially such check-box was in the pop-up, but we decided that is is over all better to move it. Really a lot of time was spent only on designing that single dialog, not only by me but also by the very helpful UI-Expert from SAP. It's not easy to find the perfect design, if there is any at all?

HannesWell avatar May 13 '24 22:05 HannesWell

Yea i never followed that link. Thanks for the hint. It will help me. But will it help others? Should everybody need to dig into the details of such dialog? It is not intuitive. I would have expected a "never ask again" checkbox in the dialog that popped up. image

We discussed this in the UX review and did decide against it by intention.

BeckerWdf avatar May 14 '24 06:05 BeckerWdf

I understand there can be different opinions about UI Design. For me its ages ago that i fully read a dialog. Since then i just skip reading and i am not alone: https://www.youtube.com/watch?v=lbJ51AJuR7E ;-)

Maybe just log an info or at most a warning?

When that action starts automatically it would be ok to be totally silent. If on the other hand the user presses the "Run exclusion check" button then it would be best to show Error Dialog + log the error.

jukzi avatar May 14 '24 10:05 jukzi

@vpinna80 can you please try out the latest I-build at https://download.eclipse.org/eclipse/downloads/drops4/I20240818-1800/ and verify that this problem is fixed for you?

HannesWell avatar Aug 19 '24 05:08 HannesWell

I have set the "skip exclusion check at startup" flag to avoid further messages, I didn't know there was a check until now... The error message disappeared, this issue can be closed for me.

vpinna80 avatar Aug 19 '24 07:08 vpinna80

@jukzi why should this be marked as 'not planned'? It was fixed with https://github.com/eclipse-platform/eclipse.platform.ui/pull/2204.

HannesWell avatar Aug 19 '24 17:08 HannesWell

for unknown reason that was the only option available.

jukzi avatar Aug 19 '24 19:08 jukzi

for unknown reason that was the only option available.

This PR was already closed as completed (the log above shows this) by submitting https://github.com/eclipse-platform/eclipse.platform.ui/pull/2204 (which was marked to fix this issue). Maybe you didn't refresh the page? That's at least why I occasionally encounter.

HannesWell avatar Aug 19 '24 20:08 HannesWell