Windows Faults

tumult-windows is a native plugin that injects faults on Windows hosts — the fault domain the open-source chaos ecosystem (Kubernetes-centric Chaos Mesh, LitmusChaos) does not cover. It shipped in 2.12.0 and is validated live against a real Windows 11 guest.

It is the fifth native executor (tumult-ssh, tumult-net, tumult-kubernetes, tumult-cloud, tumult-windows), discovered and invoked exactly like the others. The plugin is listed by tumult discover on any platform; the faults execute on a Windows host (they shell out to taskkill / netsh or spin CPU threads).

The three faults

Function What it does Arguments
process_kill Terminate a process (taskkill /F) image or pid (exactly one)
cpu_stress Saturate CPU with worker threads workers (default: host parallelism), duration_secs (default: 10)
network_blackhole Block a port/host via Windows Firewall port or remote_host (exactly one)

network_blackhole returns the exact rollback command in its result and the plugin removes the firewall rule when the experiment’s rollback runs (netsh advfirewall firewall delete rule name=<rule>).

Example experiment

version: v1
title: Windows service survives a process kill
steady-state:
  probes[1]:
    - name: service-healthy
      type: probe
      provider:
        type: process
        arguments[3]: ["cmd", "/c", "sc query MyService | findstr RUNNING"]
method[1]:
  - name: kill-the-service
    type: action
    provider:
      type: native
      plugin: tumult-windows
      function: process_kill
      arguments:
        image: MyService.exe

tumult validate and tumult run work as they do for any experiment; the run produces a normal journal that flows into analytics, compliance, and ChaosGraph.

The winfault binary

The crate also builds a small standalone binary, winfault, for direct in-guest use and validation. It runs one fault and prints a JSON result:

winfault process-kill --image notepad.exe
winfault cpu-stress --workers 4 --duration-secs 30
winfault network-blackhole --port 443
winfault network-blackhole-rollback --rule-name tumult-blackhole-port-443

It carries no DuckDB dependency, so it cross-compiles cleanly to x86_64-pc-windows-gnu (from Linux with gcc-mingw-w64 and rustup target add x86_64-pc-windows-gnu, or natively on Windows).

How it’s validated

Command construction (the taskkill / netsh argument vectors, rule-name derivation, arg parsing) is unit-tested on Linux — 24 tests — so correctness is covered in CI without a Windows box. Execution is proven against a running Windows 11 guest: process_kill terminates a live process and confirms it is gone; cpu_stress drives measured guest CPU from baseline to a sustained load and recovers; network_blackhole adds a firewall rule, confirms it via netsh, and rolls it back.

Scope

Three faults, built on Windows’ own tools — not parity with a mature commercial Windows chaos suite. There is no WFP packet manipulation, ETW, or service-control-manager fault yet. What ships is the first, most-reached-for slice, proven on real Windows.


Tumult is open source under the Apache-2.0 license.