leakhunt/bin/admin_hklm_only.ps1
acbot 57b5e43d0e Initial commit — leak-hunt project complete
Five bugs identified and patched in retail Asheron's Call client:
- v3b: palette refcount over-increment (3-byte NOP at two sites)
- v5: RenderSurface PurgeResource no-op stub (vtable slot 2 thunk)
- v11: two dangling-pointer crash guards (NULL-check + reorder)
- v14: CEnvCell::Destroy ClipPlaneList leak (18-byte JMP to cleanup thunk)
- v22: unpacker stale-pointer SEH guard (whole-function __try/__except)

All five ship in leakfix.dll (117 KB, SHA d282f23c…) which is loaded
by acclient.exe at process start via PE import table patching by
tools/install_leakfix.py.

Controlled 15-client fleet soak: unpatched control died at 26h with
palette exhaustion; all 14 patched clients survived past that point
and reached ≥5-day uptime.

Residual ~15 MB/h growth traced to d3d9.dll's internal slab allocator
(260KB surface backing buffers retained after Release). See REPORT.md
§10 for the full investigation; conclusion is that it's unfixable from
outside d3d9.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-23 21:07:58 +02:00

57 lines
2.3 KiB
PowerShell

#requires -Version 5.1
<#
  admin_hklm_only.ps1 — minimal admin script for the two HKLM writes.
  SDK Debuggers are already extracted as flat files; this script only
  handles the things gflags + WER need that touch HKLM:
    1. Configure WER LocalDumps for acclient.exe (auto-dumps on crash).
    2. gflags +ust on acclient.exe (heap-allocation stack tagging on
       FUTURE acclient spawns; current ones won't pick it up).
#>
$ErrorActionPreference = 'Continue'
$log = 'C:\Users\acbot\leakhunt\artifacts\soak\admin_hklm.log'
Start-Transcript -Path $log -Force | Out-Null
try {
    if (-not ([Security.Principal.WindowsPrincipal]::new(
            [Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Host 'ERROR: not elevated. Aborting.' -ForegroundColor Red
        Stop-Transcript | Out-Null
        Read-Host 'press enter to close'
        exit 1
    }
    Write-Host "=== admin_hklm_only.ps1 started @ $(Get-Date -Format o) ===" -ForegroundColor Cyan

    # [1/2] WER LocalDumps
    Write-Host '[1/2] Configuring WER LocalDumps for acclient.exe...' -ForegroundColor Cyan
    $dumpDir = 'C:\Users\acbot\leakhunt\artifacts\crashdumps'
    New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null
    $werKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\acclient.exe'
    New-Item -Path $werKey -Force | Out-Null
    New-ItemProperty -Path $werKey -Name 'DumpFolder' -Value $dumpDir -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $werKey -Name 'DumpType'   -Value 2  -PropertyType DWord -Force | Out-Null  # 2 = Full
    New-ItemProperty -Path $werKey -Name 'DumpCount'  -Value 25 -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $werKey | Format-List DumpFolder, DumpType, DumpCount

    # [2/2] gflags +ust
    $gflags = 'C:\Users\acbot\Tools\WindowsKits\Windows Kits\10\Debuggers\x86\gflags.exe'
    Write-Host '[2/2] Enabling gflags +ust on acclient.exe...' -ForegroundColor Cyan
    if (Test-Path $gflags) {
        & $gflags /i acclient.exe +ust
        "  current image-file flags:"
        & $gflags /i acclient.exe
    } else {
        Write-Warning "gflags.exe not found at $gflags"
    }
    Write-Host "=== admin_hklm_only.ps1 finished @ $(Get-Date -Format o) ===" -ForegroundColor Green
} catch {
    Write-Host "FATAL: $($_ | Out-String)" -ForegroundColor Red
}
Stop-Transcript | Out-Null
Read-Host 'press enter to close'
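
Added example, not part of the leak-hunt repository: a read-only audit of the two HKLM settings the script above writes, plus a rollback for when the soak is over. It assumes gflags persists +ust as bit 0x1000 (FLG_USER_STACK_TRACE_DB) of the GlobalFlag value under the Image File Execution Options key for acclient.exe; the function names are hypothetical, and the paths are the ones the script uses.

```powershell
#requires -Version 5.1
# Added example (not from the repository). Function names are hypothetical; the
# IFEO path and the 0x1000 bit are assumptions about how gflags stores +ust.
$werKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\acclient.exe'
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acclient.exe'
$gflags  = 'C:\Users\acbot\Tools\WindowsKits\Windows Kits\10\Debuggers\x86\gflags.exe'
$FLG_UST = 0x1000   # FLG_USER_STACK_TRACE_DB

function Get-LeakhuntDebugState {
    # Read-only: reports what is configured and how much dump data is on disk.
    $wer   = Get-ItemProperty -Path $werKey  -ErrorAction SilentlyContinue
    $ifeo  = Get-ItemProperty -Path $ifeoKey -Name GlobalFlag -ErrorAction SilentlyContinue
    $flag  = if ($ifeo) { [int]$ifeo.GlobalFlag } else { 0 }
    $dir   = if ($wer) { $wer.DumpFolder } else { $null }
    $dumps = if ($dir -and (Test-Path -LiteralPath $dir)) {
                 @(Get-ChildItem -LiteralPath $dir -Filter *.dmp -File)
             } else { @() }
    [pscustomobject]@{
        WerConfigured = Test-Path $werKey
        DumpFolder    = $dir
        FullDumps     = [bool]($wer -and $wer.DumpType -eq 2)  # full dump = whole address space
        DumpFiles     = $dumps.Count
        DumpBytes     = [int64]($dumps | Measure-Object -Property Length -Sum).Sum
        GlobalFlag    = '0x{0:X8}' -f $flag
        UstEnabled    = [bool]($flag -band $FLG_UST)
    }
}

function Remove-LeakhuntDebugState {
    # Needs elevation. Undoes both writes; existing dump files are left in place.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Test-Path $werKey) -and $PSCmdlet.ShouldProcess($werKey, 'Remove WER LocalDumps key')) {
        Remove-Item -Path $werKey -Recurse -Force
    }
    if (-not (Test-Path $gflags)) { Write-Warning "gflags.exe not found at $gflags"; return }
    if ($PSCmdlet.ShouldProcess('acclient.exe', 'gflags /i -ust')) {
        & $gflags /i acclient.exe -ust   # clears only the +ust bit
    }
}

Get-LeakhuntDebugState | Format-List
# Remove-LeakhuntDebugState -WhatIf   # preview, then rerun without -WhatIf
```

With DumpType 2 each crash dump holds the client's entire address space, so DumpFiles and DumpBytes show how much process memory is sitting in the dump folder and needs the same handling as any other sensitive artifact.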