Several weeks ago, my company laptop started having some strange problems. I could no longer launch the Microsoft Developer Web Server (via Visual Studio->Debug). I later figured out that I couldn't execute any .NET application.
In speaking with Microsoft CLR specialist after reviewing my dmp files, he said
When loaded into your process, 8 bytes at offset 0×168 into the .exe files are being set to 0. This is the issue that is causing the CLR to fail. These bits are set correctly in the file you provided to me.
C:\Windows\System32\Detoured.dll is loaded into the process. This means to me that the detours library is being used on your machine to modify the behavior of these processes.
I have also figured out that when I boot into Safe Mode, then everything works.
Also, I've figured out that if I right click on an .NET executable, and choose "Run As" and enter my currently logged in user's credentials, then the application works. It just doesn't work, if I just double click on the app.
There's lots of system event messages and Dr. Watson type errors. Here's a few that I get:
When launching MS Developer Web Server from withing Visual Studio, the Message box pop-up says:
WebDev.WebServer40.exe has encountered a problem and needs
to close. We are sorry for the inconvenience.
VSHost system event log entries:
Event 1:
Application: MyWebSite.vshost.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an internal error
in the .NET Runtime at IP 791A8BBD (79140000) with exit code 80131506.
Event 2:
Faulting application MyWebSite.vshost.exe, version 10.0.30319.1,
stamp 4ba2084b, faulting module clr.dll, version 4.0.30319.1,
stamp 4ba1d9ef, debug? 0, fault address 0x00068bbd.
System event log entries for running third-party apps:
Source: Application Popup
Description: Application popup: #APPNAME#.exe – Application Error : The
application failed to initialize properly (0xc000007b). Click on OK
to terminate the application.
Applications that I've built that uses .NET v4 Framework system event logs say:
Source: .NET Runtime
Framework Version: v4.0.30319
Description: The process was terminated due to an internal error in the
.NET Runtime at IP 791A8BBD (7914000) with exit code 80131506.
Applications that I've built that uses .NET v2 Framework system event logs say:
Source: .NET Runtime
Description: .NET Runtime version 2.0.50727.3053 – Fatal Execution
Engine Error (7A097706) (80131506)
Here's more details on my blog - including everything that I've tried so far and more details and narratives.
As far as restore points go, my oldest restore point is a few weeks ago, at which I still had this problem, so I don't think restoring that point will help much.
How can I figure out which process is causing the problem and then fix the computer?
Since you say that the problem doesn't happen in safe mode, it's clear that this is caused by an installed application, add-on or driver.
In view of the effort you have already invested in this project, I would advice to reformat the hard disk and reinstall XP, then reinstall all the products one-by-one, rebooting to check whether the problem has returned. Alternatively, you may uninstall products using Revo Uninstaller, but even Revo can miss a particularly sneaky installation.
Frankly, executable files being modified when launched have the smell of a viral infection, which is why I exceptionally recommend reformatting in this case.
Your answer may have been in the first paragraph - remove Detours. Go to Add/Remove programs, find Detours, and remove it.
Detours: http://research.microsoft.com/en-us/projects/detours/
I would try using Dependency Walker. Profile your program and save the output. Boot to Safe Mode and profile again. Comparing the output may provide more information about when the program is being modified.
You could also try using WinDbg from the Debugging Tools for Windows. (That link is for driver developers, but I've used WinDbg for .NET programs.) To get the most debugging output, you'll need the Windows Symbol Package for XP as well.
User contributions licensed under CC BY-SA 3.0