Some Windows Processes not being Monitored


#1

I am using NSClient++ v0.4.4 on several Windows Servers.

I am trying to monitor several critical Windows processes. Most are showing up fine, but csrss.exe (Client Server Runtime Process) and smss.exe (Windows Session Manager) are displaying as not running, despite the fact that they are.

This error is not showing in servers running Windows 2012 Standard, and is only showing in 2012 R2 Standard and 2016 Standard.

Is the solution to upgrade to a later version of NSClient++ or is there another issue I’m missing?

I am using this version as it is the one offered by my current Nagios version. When I tried later versions of NSClient++ previously, Nagios seemed to have difficulty communicating with the agent.


#2

Are you hitting a circumstance where Windows is able to keep running without triggering a BSOD with these processes stopped? I’m curious why you’d even need to check these, as Windows (at least did) bluescreen if these processes died. (All NSClient++ may be able to do I suppose is—with very frequent checks—suggest why a bluescreen occurred here.)

In any case, it seems to be a security limitation somewhere since 2012 R2.

0.4.4.15 in Server 2012: finds csrss.exe just fine.

0.5.0.36 and 0.5.0.62 (~latest) in Server 2012 R2: csrss.exe is shown as “stopped”

Upgrading to 0.5 series from 0.4 series wasn’t painful. We use identical (albeit fairly straightforward) configuration across 0.4 and 0.5 without any real bother. There are some awkward discrepancies in how drive space readouts are formatted that were interesting to compromise across the two, but both work OK (except for relaying, where what we’re doing needs 0.5 due to various fixes implemented during the betas).

However, upgrading won’t (at least not directly) solve your problem.


#3

Sorry, latest is 0.5.2.39 — I grabbed the wrong installer!

Testing with that, I found a real bug: the process name is case sensitive! Oops.

I was testing with notepad.exe and it kept not finding Notepad if I launched a file, but found it when I ran notepad.exe. I discovered that when Notepad is launched via a file, the command line contains “NOTEPAD.EXE” instead of “notepad.exe” and that’s tripping up NSClient++.

So it seems that NSClient++ is reading the command line to get the .exe name, not the image path. Server 2012 shows the command line to csrss.exe in Task Manager, but in 2012 R2, this is suppressed, which may be why NSClient++ cannot locate it.
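
The two failure modes described in post #3 (a case mismatch in the command line, and a command line the agent cannot read), modelled as an added example that is not part of the thread and is not NSClient++ code. The process records are constructed, and `fragile_running` only imitates the behaviour the poster hypothesises; all function names are hypothetical.

```python
import ntpath

# Constructed process snapshots (not captured from a real host). "cmdline" is None
# where the agent cannot read it, as post #3 reports for csrss.exe on 2012 R2.
SAMPLE = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\temp\notes.txt'},
    {"image": r"C:\Windows\System32\csrss.exe", "cmdline": None},
    {"image": r"C:\Windows\System32\smss.exe", "cmdline": None},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs"},
]


def exe_from_cmdline(cmdline):
    """Return the executable file name from a Windows command line, or None."""
    cmdline = (cmdline or "").strip()
    if not cmdline:
        return None
    if cmdline.startswith('"'):  # quoted path: take everything up to the closing quote
        end = cmdline.find('"', 1)
        first = cmdline[1:end] if end != -1 else cmdline[1:]
    else:  # unquoted: first whitespace-delimited token
        first = cmdline.split(None, 1)[0]
    return ntpath.basename(first)


def fragile_running(name, procs):
    """Hypothesised behaviour: command line only, case-sensitive compare."""
    return any(exe_from_cmdline(p.get("cmdline")) == name for p in procs)


def robust_running(name, procs):
    """Image name first, command line as fallback, case-insensitive compare."""
    wanted = name.casefold()
    for p in procs:
        image = p.get("image")
        found = ntpath.basename(image) if image else exe_from_cmdline(p.get("cmdline"))
        if found and found.casefold() == wanted:
            return True
    return False


def compare(names, procs=SAMPLE):
    """Map each watched name to (fragile_result, robust_result)."""
    return {n: (fragile_running(n, procs), robust_running(n, procs)) for n in names}


if __name__ == "__main__":
    print(compare(["notepad.exe", "csrss.exe", "smss.exe", "svchost.exe"]))
```

A `(False, True)` pair marks a process that is running but would be reported as stopped by the command-line-only, case-sensitive match.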