Executable crash only on machine upgraded from Windows 8 Enterprise to Windows 8.1 Enterprise
I have a C++ executable created in VS2013 and runs on all windows OS except Windows 8.1 Enterprise(which is upgraded from Windows 8) it crashes. If we use freshly installed Windows 8.1 Enterprise Edition it works.
- [Pass]
Windows 8Enterprise Edition - [Pass]
Windows 8.1Enterprise Edition - [Fail]
Windows 8Enterprise Edition upgraded toWindows 8.1Enterprise
Now on the upgraded Windows 8.1 machine breakpoints gets fired for Memory Corruption(0xc0000374) RtlReportCriticalFailure.
I cant figure out what could be the reason for crash?
- is crash at
RtlpInitializeLfhBitmapData() - is it because windows was upgraded from 8 to 8.1
About exe
ActiveX C++ code is about a RDP connection to a desktop of remote machine
IMsTscAx::Connect().
Event Logs
Faulting application name: Launch.exe, version: 1.0.0.2,
Faulting module name: ntdll.dll, version: 6.3.9600.18202
Exception code: 0xc0000374
Fault offset: 0x00000000000f1b70
Faulting process id: 0xa828
Faulting application start time: 0x01d240c001c0c1fe
Faulting application path: Launch.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 44d0ff4d-acb3-11e6-82b0-2016d86d6542
Crash Trace
00007FF892E1184C call RtlInitUnicodeString (07FF892D4AB80h)
00007FF892E11851 lea r9,[rbp+8]
00007FF892E11855 lea rcx,[rbp+18h]
00007FF892E11859 xor edx,edx
00007FF892E1185B mov r8d,20019h
00007FF892E11861 call LdrpOpenKey (07FF892D43D88h)
00007FF892E11866 test eax,eax
00007FF892E11868 js _RtlpRemovePendingDeleteLanguages+13Ch (07FF892E11920h)
00007FF892E1186E mov ebx,r15d
00007FF892E11871 mov rcx,qword ptr [rbp+8]
00007FF892E11875 lea rax,[rbp+10h]
00007FF892E11879 lea r9,[rbp+40h]
00007FF892E1187D mov qword ptr [rsp+28h],rax
00007FF892E11882 xor r8d,r8d
00007FF892E11885 mov edx,ebx
00007FF892E11887 mov dword ptr [rsp+20h],200h
00007FF892E1188F call NtEnumerateKey (07FF892DB09D0h)
00007FF892E11894 mov esi,eax
00007FF892E11896 test eax,eax
00007FF892E11898 js _RtlpRemovePendingDeleteLanguages+120h (07FF892E11904h)
00007FF892E1189A mov edx,dword ptr [rbp+4Ch]
00007FF892E1189D lea rcx,[rdx+18h]
00007FF892E118A1 cmp rcx,1FEh
00007FF892E118A8 jae _RtlpRemovePendingDeleteLanguages+120h (07FF892E11904h)
00007FF892E118AA shr rdx,1
00007FF892E118AD lea r9,[rbp]
00007FF892E118B1 xor r8d,r8d
00007FF892E118B4 mov word ptr [rbp+rdx*2+50h],r15w
00007FF892E118BA lea rdx,[rbp+50h]
00007FF892E118BE mov rcx,rdi
00007FF892E118C1 call RtlpMuiRegGetInstalledLanguageIndexByName (07FF892D47408h)
00007FF892E118C6 ?? ??
00007FF892E118C7 ?? ??
00007FF892E118C8 ?? ??
00007FF892E118C9 ?? ??
00007FF892E118CA ?? ??
00007FF892E118CB ?? ??
00007FF892E118CC ?? ??
00007FF892E118CD ?? ??
00007FF892E118CE ?? ??
00007FF892E118CF ?? ??
00007FF892E118D0 ?? ??
00007FF892E118D1 ?? ??
00007FF892E118D2 ?? ??
00007FF892E118D3 ?? ??
00007FF892E118D4 ?? ??
00007FF892E118D5 ?? ??
00007FF892E118D6 ?? ??
00007FF892E118D7 ?? ??
00007FF892E118D8 ?? ??
00007FF892E118D9 ?? ??
00007FF892E118DA ?? ??
00007FF892E118DB ?? ??
00007FF892E118DC ?? ??
00007FF892E118DD ?? ??
00007FF892E118DE ?? ??
00007FF892E118DF ?? ??
00007FF892E118E0 ?? ??
00007FF892E118E1 ?? ??
00007FF892E118E2 ?? ??
00007FF892E118E3 ?? ??
00007FF892E118E4 sbb byte ptr [r8-75h],r9b
00007FF892E118E8 adc byte ptr [rax+0FFDFh],dil
00007FF892E118EF and word ptr [rcx+rdx],ax
00007FF892E118F3 mov rax,qword ptr [rdi+18h]
00007FF892E118F7 mov rcx,qword ptr [rax+10h]
00007FF892E118FB mov eax,8000h
00007FF892E11900 or word ptr [rcx+rdx],ax
00007FF892E11904 inc ebx
00007FF892E11906 cmp esi,8000001Ah
00007FF892E1190C jne _RtlpRemovePendingDeleteLanguages+8Dh (07FF892E11871h)
00007FF892E11912 mov rcx,qword ptr [rbp+8]
00007FF892E11916 test rcx,rcx
00007FF892E11919 je _RtlpRemovePendingDeleteLanguages+13Ch (07FF892E11920h)
00007FF892E1191B call NtClose (07FF892DB07A0h)
00007FF892E11920 xor eax,eax
00007FF892E11922 mov rcx,qword ptr [rbp+240h]
00007FF892E11929 xor rcx,rsp
00007FF892E1192C call __security_check_cookie (07FF892DA1A80h)
00007FF892E11931 lea r11,[rsp+2A0h]
00007FF892E11939 mov rbx,qword ptr [r11+38h]
00007FF892E1193D mov rsi,qword ptr [r11+40h]
00007FF892E11941 mov rsp,r11
00007FF892E11944 pop r15
00007FF892E11946 pop r14
00007FF892E11948 pop r12
00007FF892E1194A pop rdi
00007FF892E1194B pop rbp
00007FF892E1194C ret
00007FF892E1194D int 3
00007FF892E1194E int 3
00007FF892E1194F int 3
00007FF892E11950 int 3
00007FF892E11951 int 3
00007FF892E11952 int 3
00007FF892E11953 int 3
00007FF892E11954 mov eax,r8d
00007FF892E11957 mov r8,rcx
00007FF892E1195A test rcx,rcx
00007FF892E1195D je _SafeReallocBlob+48h (07FF892E1199Ch)
00007FF892E1195F mov ecx,eax
00007FF892E11961 mov eax,r9d
00007FF892E11964 imul rcx,rax
00007FF892E11968 mov eax,0FFFFFFFFh
00007FF892E1196D cmp rcx,rax
00007FF892E11970 ja _SafeReallocBlob+48h (07FF892E1199Ch)
00007FF892E11972 lea eax,[rcx+rdx]
00007FF892E11975 cmp eax,edx
00007FF892E11977 jb _SafeReallocBlob+48h (07FF892E1199Ch)
00007FF892E11979 mov rcx,qword ptr [rsp+38h]
00007FF892E1197E test rcx,rcx
00007FF892E11981 je _SafeReallocBlob+31h (07FF892E11985h)
00007FF892E11983 mov dword ptr [rcx],eax
00007FF892E11985 mov rcx,qword ptr gs:[60h]
00007FF892E1198E mov r9d,eax
00007FF892E11991 xor edx,edx
00007FF892E11993 mov rcx,qword ptr [rcx+30h]
00007FF892E11997 jmp RtlReAllocateHeap (07FF892D4F040h)
00007FF892E1199C xor eax,eax
00007FF892E1199E ret
00007FF892E1199F int 3
00007FF892E119A0 int 3
00007FF892E119A1 int 3
00007FF892E119A2 int 3
00007FF892E119A3 int 3
00007FF892E119A4 int 3
00007FF892E119A5 int 3
00007FF892E119A6 int 3
00007FF892E119A7 int 3
00007FF892E119A8 int 3
00007FF892E119A9 int 3
00007FF892E119AA int 3
00007FF892E119AB int 3
00007FF892E119AC int 3
00007FF892E119AD int 3
00007FF892E119AE int 3
00007FF892E119AF int 3
RtlpNtMakeTemporaryKey:
00007FF892E119B0 jmp NtDeleteKey (07FF892DB12E0h)
00007FF892E119B5 int 3
00007FF892E119B6 int 3
00007FF892E119B7 int 3
00007FF892E119B8 int 3
00007FF892E119B9 int 3
00007FF892E119BA int 3
00007FF892E119BB int 3
00007FF892E119BC int 3
00007FF892E119BD int 3
00007FF892E119BE int 3
00007FF892E119BF int 3
RtlpDebugPageHeapCreate:
00007FF892E119C0 mov rax,rsp
00007FF892E119C3 mov qword ptr [rax+8],rbx
00007FF892E119C7 mov qword ptr [rax+10h],rbp
00007FF892E119CB mov qword ptr [rax+18h],rsi
00007FF892E119CF mov qword ptr [rax+20h],rdi
00007FF892E119D3 push r14
00007FF892E119D5 sub rsp,30h
00007FF892E119D9 mov rbx,qword ptr [RtlpDebugPageHeapTable+38h (07FF892E4EC58h)]
00007FF892E119E0 mov r14d,ecx
00007FF892E119E3 mov rdi,r9
00007FF892E119E6 mov rcx,rbx
00007FF892E119E9 mov rsi,r8
00007FF892E119EC mov rbp,rdx
00007FF892E119EF call qword ptr [__guard_check_icall_fptr (07FF892E611D0h)]
00007FF892E119F5 mov r9,rdi
00007FF892E119F8 mov r8,rsi
00007FF892E119FB mov rdx,rbp
00007FF892E119FE mov ecx,r14d
00007FF892E11A01 mov rax,rbx
00007FF892E11A04 mov rbx,qword ptr [rsp+40h]
00007FF892E11A09 mov rbp,qword ptr [rsp+48h]
00007FF892E11A0E mov rsi,qword ptr [rsp+50h]
00007FF892E11A13 mov rdi,qword ptr [rsp+58h]
00007FF892E11A18 add rsp,30h
00007FF892E11A1C pop r14
00007FF892E11A1E jmp rax
00007FF892E11A21 int 3
00007FF892E11A22 int 3
00007FF892E11A23 int 3
00007FF892E11A24 int 3
00007FF892E11A25 int 3
00007FF892E11A26 int 3
00007FF892E11A27 int 3
00007FF892E11A28 int 3
00007FF892E11A29 int 3
00007FF892E11A2A int 3
00007FF892E11A2B int 3
00007FF892E11A2C int 3
00007FF892E11A2D int 3
00007FF892E11A2E int 3
00007FF892E11A2F int 3
RtlpDebugPageHeapDestroy:
00007FF892E11A30 mov qword ptr [rsp+8],rbx
00007FF892E11A35 push rdi
00007FF892E11A36 sub rsp,20h
00007FF892E11A3A mov rbx,qword ptr [RtlpDebugPageHeapTable+40h (07FF892E4EC60h)]
00007FF892E11A41 mov rdi,rcx
00007FF892E11A44 mov rcx,rbx
00007FF892E11A47 call qword ptr [__guard_check_icall_fptr (07FF892E611D0h)]
00007FF892E11A4D mov rcx,rdi
00007FF892E11A50 mov rax,rbx
00007FF892E11A53 mov rbx,qword ptr [rsp+30h]
00007FF892E11A58 add rsp,20h
00007FF892E11A5C pop rdi
00007FF892E11A5D jmp rax
00007FF892E11A60 int 3
00007FF892E11A61 int 3
00007FF892E11A62 int 3
00007FF892E11A63 int 3
00007FF892E11A64 int 3
00007FF892E11A65 int 3
00007FF892E11A66 int 3
00007FF892E11A67 int 3
RtlpInitializeLfhBitmapData:
00007FF892E11A68 mov qword ptr [rsp+8],rbx
00007FF892E11A6D push rdi
00007FF892E11A6E sub rsp,20h
00007FF892E11A72 mov rbx,qword ptr [rcx]
00007FF892E11A75 mov rdi,qword ptr [rcx+8]
00007FF892E11A79 xor edx,edx
00007FF892E11A7B lea r8,[rbx+7]
00007FF892E11A7F mov rcx,rdi
00007FF892E11A82 shr r8,3
00007FF892E11A86 call memset (07FF892DB4640h)
00007FF892E11A8B mov rcx,rbx
00007FF892E11A8E and ecx,3Fh
00007FF892E11A91 je RtlpInitializeLfhBitmapData+41h (07FF892E11AA9h)
00007FF892E11A93 mov eax,1
00007FF892E11A98 shr rbx,6
00007FF892E11A9C shl rax,cl
00007FF892E11A9F dec rax
00007FF892E11AA2 not rax
00007FF892E11AA5 or qword ptr [rdi+rbx*8],rax
00007FF892E11AA9 mov rbx,qword ptr [rsp+30h]
00007FF892E11AAE add rsp,20h
00007FF892E11AB2 pop rdi
00007FF892E11AB3 ret
00007FF892E11AB4 int 3
00007FF892E11AB5 int 3
00007FF892E11AB6 int 3
00007FF892E11AB7 int 3
00007FF892E11AB8 int 3
00007FF892E11AB9 int 3
00007FF892E11ABA int 3
00007FF892E11ABB int 3
RtlIsAnyDebuggerPresent:
00007FF892E11ABC mov rax,qword ptr gs:[60h]
00007FF892E11AC5 ?? ??
00007FF892E11AC6 ?? ??
00007FF892E11AC7 ?? ??
00007FF892E11AC8 ?? ??
00007FF892E11AC9 ?? ??
00007FF892E11ACA ?? ??
00007FF892E11ACB ?? ??
00007FF892E11ACC ?? ??
00007FF892E11ACD ?? ??
00007FF892E11ACE ?? ??
00007FF892E11ACF ?? ??
00007FF892E11AD0 ?? ??
00007FF892E11AD1 ?? ??
00007FF892E11AD2 ?? ??
00007FF892E11AD3 ?? ??
00007FF892E11AD4 ?? ??
00007FF892E11AD5 ?? ??
00007FF892E11AD6 add ecx,dword ptr [rdi]
00007FF892E11AD8 xchg eax,esp
00007FF892E11AD9 rol bl,0CCh
00007FF892E11ADC int 3
00007FF892E11ADD int 3
00007FF892E11ADE int 3
00007FF892E11ADF int 3
00007FF892E11AE0 int 3
00007FF892E11AE1 int 3
00007FF892E11AE2 int 3
00007FF892E11AE3 int 3
RtlReportCriticalFailure:
00007FF892E11AE4 mov qword ptr [rsp+18h],rbx
00007FF892E11AE9 mov qword ptr [rsp+10h],rdx
00007FF892E11AEE push rdi
00007FF892E11AEF sub rsp,100h
00007FF892E11AF6 mov rax,qword ptr [__security_cookie (07FF892E64388h)]
00007FF892E11AFD xor rax,rsp
00007FF892E11B00 mov qword ptr [rsp+0F0h],rax
00007FF892E11B08 mov rdi,rdx
00007FF892E11B0B mov ebx,ecx
00007FF892E11B0D mov dword ptr [rsp+28h],ecx
00007FF892E11B11 call RtlIsAnyDebuggerPresent (07FF892E11ABCh)
00007FF892E11B16 test al,al
00007FF892E11B18 je RtlReportCriticalFailure+5Ah (07FF892E11B3Eh)
00007FF892E11B1A mov r9d,ecx
00007FF892E11B1D lea r8,[string "Critical error detected %lx\n" (07FF892DBE3A0h)]
00007FF892E11B24 xor edx,edx
00007FF892E11B26 lea ecx,[rdx+65h]
00007FF892E11B29 call DbgPrintEx (07FF892D70C00h)
00007FF892E11B2E nop
00007FF892E11B2F int 3
00007FF892E11B30 jmp RtlReportCriticalFailure+5Ah (07FF892E11B3Eh)
00007FF892E11B32 mov rdi,qword ptr [rsp+118h]
00007FF892E11B3A mov ebx,dword ptr [rsp+28h]
00007FF892E11B3E mov dword ptr [rsp+50h],ebx
00007FF892E11B42 mov ecx,1
00007FF892E11B47 mov dword ptr [rsp+54h],ecx
00007FF892E11B4B and qword ptr [rsp+58h],0
00007FF892E11B51 lea rax,[RtlRaiseException (07FF892D738E0h)]
00007FF892E11B58 mov qword ptr [rsp+60h],rax
00007FF892E11B5D mov dword ptr [rsp+68h],ecx
00007FF892E11B61 mov qword ptr [rsp+70h],rdi
00007FF892E11B66 lea rcx,[rsp+50h]
00007FF892E11B6B call RtlRaiseException (07FF892D738E0h)
==============================>> crash breakpoint
00007FF892E11B70 jmp RtlReportCriticalFailure+8Eh (07FF892E11B72h)
==============================>> crash breakpoint
00007FF892E11B72 mov rcx,qword ptr [rsp+0F0h]
00007FF892E11B7A xor rcx,rsp
00007FF892E11B7D call __security_check_cookie (07FF892DA1A80h)
00007FF892E11B82 mov rbx,qword ptr [rsp+120h]
00007FF892E11B8A add rsp,100h
00007FF892E11B91 pop rdi
00007FF892E11B92 ret
00007FF892E11B93 push rbp
00007FF892E11B95 sub rsp,20h
00007FF892E11B99 mov rbp,rdx
00007FF892E11B9C mov qword ptr [rbp+40h],rcx
00007FF892E11BA0 mov rax,qword ptr [rcx]
00007FF892E11BA3 mov edx,dword ptr [rax]
00007FF892E11BA5 mov dword ptr [rbp+38h],edx
00007FF892E11BA8 mov qword ptr [rbp+30h],rcx
00007FF892E11BAC mov dword ptr [rbp+20h],edx
00007FF892E11BAF mov rdx,qword ptr [rbp+30h]
00007FF892E11BB3 mov rcx,qword ptr [rbp+30h]
00007FF892E11BB7 xor r8d,r8d
00007FF892E11BBA mov rdx,qword ptr [rdx+8]
00007FF892E11BBE mov rcx,qword ptr [rcx]
00007FF892E11BC1 call RtlReportException (07FF892DEAF60h)
00007FF892E11BC6 mov edx,dword ptr [rbp+20h]
00007FF892E11BC9 or rcx,0FFFFFFFFFFFFFFFFh
00007FF892E11BCD call NtTerminateProcess (07FF892DB0970h)
00007FF892E11BD2 mov eax,1
00007FF892E11BD7 add rsp,20h
00007FF892E11BDB pop rbp
00007FF892E11BDC ret
00007FF892E11BDD int 3
00007FF892E11BDE int 3
00007FF892E11BDF int 3
00007FF892E11BE0 int 3
00007FF892E11BE1 int 3
00007FF892E11BE2 int 3
00007FF892E11BE3 int 3
RtlpCreateExecutionRequiredRequest:
00007FF892E11BE4 mov rax,rsp
00007FF892E11BE7 mov qword ptr [rax+8],rbx
00007FF892E11BEB mov qword ptr [rax+10h],rsi
00007FF892E11BEF push rdi
00007FF892E11BF0 sub rsp,0A0h
00007FF892E11BF7 and qword ptr [rsp+20h],0
00007FF892E11BFD mov ebx,40h
00007FF892E11C02 mov rdi,rdx
00007FF892E11C05 lea r8,[rax-48h]
00007FF892E11C09 xor edx,edx
00007FF892E11C0B mov r9d,ebx
00007FF892E11C0E mov rsi,rcx
00007FF892E11C11 mov qword ptr [rax-48h],rbx
00007FF892E11C15 call NtQueryInformationProcess (07FF892DB0840h)
00007FF892E11C1A test eax,eax
00007FF892E11C1C js RtlpCreateExecutionRequiredRequest+0CCh (07FF892E11CB0h)
00007FF892E11C22 test byte ptr [rsp+98h],bl
00007FF892E11C29 jne RtlpCreateExecutionRequiredRequest+4Fh (07FF892E11C33h)
00007FF892E11C2B and qword ptr [rdi],0
00007FF892E11C2F xor eax,eax
00007FF892E11C31 jmp RtlpCreateExecutionRequiredRequest+0CCh (07FF892E11CB0h)
00007FF892E11C33 and dword ptr [rsp+30h],0
00007FF892E11C38 lea rdx,[string L"QueryDebugInformatio"... (07FF892DBE3C0h)]
00007FF892E11C3F lea rcx,[rsp+38h]
00007FF892E11C44 mov dword ptr [rsp+34h],1
00007FF892E11C4C call RtlInitUnicodeString (07FF892D4AB80h)
00007FF892E11C51 mov r8d,28h
00007FF892E11C57 lea r9,[rsp+0C0h]
00007FF892E11C5F lea rdx,[rsp+30h]
00007FF892E11C64 lea ecx,[r8+20h]
00007FF892E11C68 mov dword ptr [rsp+20h],8
00007FF892E11C70 call NtPowerInformation (07FF892DB0CA0h)
00007FF892E11C75 mov ebx,eax
00007FF892E11C77 test eax,eax
00007FF892E11C79 js RtlpCreateExecutionRequiredRequest+0CAh (07FF892E11CAEh)
00007FF892E11C7B mov rcx,qword ptr [rsp+0C0h]
00007FF892E11C83 mov r8b,1
00007FF892E11C86 mov rdx,rsi
00007FF892E11C89 call RtlpSetClearExecutionRequiredRequest (07FF892E11CF4h)
00007FF892E11C8E mov ebx,eax
00007FF892E11C90 test eax,eax
00007FF892E11C92 jns RtlpCreateExecutionRequiredRequest+0BFh (07FF892E11CA3h)
00007FF892E11C94 mov rcx,qword ptr [rsp+0C0h]
00007FF892E11C9C call NtClose (07FF892DB07A0h)
00007FF892E11CA1 jmp RtlpCreateExecutionRequiredRequest+0CAh (07FF892E11CAEh)
00007FF892E11CA3 mov rax,qword ptr [rsp+0C0h]
00007FF892E11CAB mov qword ptr [rdi],rax
00007FF892E11CAE mov eax,ebx
00007FF892E11CB0 lea r11,[rsp+0A0h]
00007FF892E11CB8 mov rbx,qword ptr [r11+10h]
00007FF892E11CBC mov rsi,qword ptr [r11+18h]
00007FF892E11CC0 mov rsp,r11
00007FF892E11CC3 pop rdi
00007FF892E11CC4 ret
00007FF892E11CC5 int 3
00007FF892E11CC6 int 3
00007FF892E11CC7 int 3
Update: 1 (24 November 2016)
I tried running mstsc.exe(remoteApp) and the behavior was same. I found some information on this issue at forum link which say that it is because the ntdll.dll 6.3.9600.18202 from KB3147071 and KB3146723 updates are slightly different at a binary level.
Is there any problem with my mstsc or ntdll?
Faulting application name: mstsc.exe, version: 6.3.9600.17415, time stamp: 0x5450434f
Faulting module name: ntdll.dll, version: 6.3.9600.18202, time stamp: 0x569e7d02
Exception code: 0xc0000374
Fault offset: 0x00000000000f1b70
Faulting process id: 0xef0
Faulting application start time: 0x01d241a5a2f9553b
Faulting application path: C:\Windows\System32\mstsc.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e55dc0b4-ad98-11e6-82b1-2016d86d6542
Mandar0 Answers
Nobody has answered this question yet.
User contributions licensed under CC BY-SA 3.0