Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: obliv on May 03, 2012, 01:02:38 AM
-
Before installing Avast 7 free on multiple systems (a variety of 32 & 64-bit Windows XP, Vista, and 7 Home premium), I had the MS Sysinternals app - Process Explorer - installed on each system...
After installing Avast on each, Process Explorer crashes every time on every 64-bit system. (Might be because of something related to procexp.exe self-extracting procexp64.exe from itself)...
I tried shutting off each shield within Avast 1 by 1, tried adding exclusions to every shield, tried disabling AutoSandbox -- all with no luck... Process explorer crashes every time..
After uninstalling Avast, it works again...
Avast is great, but I can't do without Process Exlporer...
Anyone else experiencing this? Looking for a workaround or anything to get these 2 apps to coexist.
-
Which version of Avast do you use? Avast 7.0.1426 is the latest version.
-
I'm using the latest.. 7.0.1426
-
Sorry my help ends here,only I can say is:"Update Process Explorer to the latest version but I,m quite sure you already have last one,right." :D
PC:Did you get BSOD when Process Explorer crashes?
-
Nope, no BSOD, just an application crash... "APPCRASH" is all I get under the details of the crash... Standard stuff, not many hints as to what it could be.
Thanks anyway..
-
Well you can send support pack to Avast via FTP server
Open Avast-Maintenance and select Support,now you select also FullDumps if you want and press Generate now,when Avast finish,rename Zip file with unique name (your forum nick+problems Sysinternals Process Explorer) and send file to Avast via FTP server.
-
Have you excluded procexp.exe from Autosandboxed and added it to trusted process to behavior Shield ?
-
Have you excluded procexp.exe from Autosandboxed and added it to trusted process to behavior Shield ?
Yes & Yes.
-
Windbg exe-attached output of the crash of procexp64.exe, if this helps...
0:000> g
ModLoad: 000007fe`fee00000 000007fe`fee2e000 C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`f5d70000 000007fe`f5d7f000 C:\Windows\system32\CSCAPI.dll
<snip>
ModLoad: 000007fe`f4650000 000007fe`f46d0000 C:\Windows\system32\ntshrui.dll
ModLoad: 000007fe`fced0000 000007fe`fcef3000 C:\Windows\system32\srvcli.dll
ModLoad: 000007fe`faf60000 000007fe`faf6b000 C:\Windows\system32\slc.dll
ModLoad: 000007fe`fce40000 000007fe`fce57000 C:\Windows\system32\CRYPTSP.dll
ModLoad: 000007fe`fc950000 000007fe`fc997000 C:\Windows\system32\rsaenh.dll
ModLoad: 000007fe`fcd80000 000007fe`fcda2000 C:\Windows\system32\bcrypt.dll
ModLoad: 000007fe`fc890000 000007fe`fc8dc000 C:\Windows\system32\bcryptprimitives.dll
(10f4.aa4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0 ds:00000000`00082030=? ? ? ? ? ? ? ?
*** ERROR: Module load completed but symbols could not be loaded for procexp.exe
0:042> g
(10f4.aa4): Access violation - code c0000005 (!!! second chance !!!)
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0 ds:00000000`00082030=? ? ? ? ? ? ? ?
0:042> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/procexp_exe/15_13_0_0/4f39b794/unknown/0_0_0_0/bbbbbbb4/c0000005/0008000a.htm?Retriage=1 (http://watson.microsoft.com/StageOne/procexp_exe/15_13_0_0/4f39b794/unknown/0_0_0_0/bbbbbbb4/c0000005/0008000a.htm?Retriage=1)
FAULTING_IP:
+41
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000008000a
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000082030
Attempt to write to address 0000000000082030
FAULTING_THREAD: 0000000000000aa4
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: procexp.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000000000082030
WRITE_ADDRESS: 0000000000082030
FOLLOWUP_IP:
sechost!LsaLookupOpenLocalPolicy+41
000007fe`fdb3429d 89442440 mov dword ptr [rsp+40h],eax
FAILED_INSTRUCTION_ADDRESS:
+41
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
IP_ON_HEAP: 000000000008000a
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE
LAST_CONTROL_TRANSFER: from 000007feff04a776 to 000000000008000a
STACK_TEXT:
00000000`083ce2e8 000007fe`ff04a776 : 00000000`00000000 00000000`083ce5e0 00000000`083cea18 000007fe`ff0598b1 : 0x8000a
00000000`083ce2f0 000007fe`ff0ecc74 : 00000000`083ce6a0 00000000`00000000 00000000`083ce6a0 00000000`083ce6a0 : RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000`083ce3b0 000007fe`ff0ecf25 : 000007fe`fdb230a0 00000000`00000000 00000000`00000000 00000000`0ab84ae0 : RPCRT4!NdrpClientCall3+0x244
00000000`083ce670 000007fe`fdb3429d : 00000000`00000001 00000000`0000000c 00000000`00000000 00000000`00000000 : RPCRT4!NdrClientCall3+0xf2
00000000`083cea00 000007fe`fdb33e17 : 00000000`00000000 00000000`083ceb90 00000000`083ceac8 00000000`00000000 : sechost!LsaLookupOpenLocalPolicy+0x41
00000000`083cea60 000007fe`fdb3422d : 00000000`0ab84bc0 00000000`083cec40 00000000`00000000 00000000`0ab84bc0 : sechost!LookupAccountSidInternal+0x7f
00000000`083ceb30 000007fe`ff16b8ef : 00000000`00000000 00000000`00000000 00000000`00000000 000007fe`00000000 : sechost!LookupAccountSidLocalW+0x25
00000000`083ceb80 000007fe`fd717ba2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000158 : ADVAPI32!LookupAccountSidW+0x53
00000000`083cebd0 000007fe`fd71b74f : 00000000`00000000 00000000`083cf368 00000000`083cf0cc 00000000`00000000 : Wintrust!_SSCatDBSetupRPCConnection+0x26f
00000000`083cef20 000007fe`fd71b921 : 00000000`00000000 00000000`083cf0cc 00000000`083cf778 00000000`00000014 : Wintrust!Client_SSCatDBEnumCatalogs+0x3f
00000000`083cefc0 000007fe`fd71cecc : 00000000`00000000 00000000`003d51b0 00000000`0040f470 00000000`00000000 : Wintrust!_CatAdminAddCatalogsToCache+0x8c
00000000`083cf070 000007fe`fd71b251 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Wintrust!CryptCATAdminRemoveCatalog+0x37d
00000000`083cf330 00000001`3fcd4b30 : 00000000`003f2c70 00000000`0344efb0 00000000`00000000 00000000`00000000 : Wintrust!CryptCATAdminEnumCatalogFromHash+0x157
00000000`083cf3e0 00000001`3fcc1a1e : 00000000`0344ee20 00000000`00000000 00000000`00000000 00000000`00000000 : procexp+0x84b30
00000000`083cf7d0 00000001`3fcc1bd5 : 00000000`0344e530 00000000`00000001 00000000`00000000 00000000`00000000 : procexp+0x71a1e
00000000`083cf990 00000001`3fce77ef : 00000000`0344e530 00000000`00000000 00000000`00000000 00000000`00000000 : procexp+0x71bd5
00000000`083cf9c0 00000001`3fce7899 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp+0x977ef
00000000`083cf9f0 00000000`76b6652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp+0x97899
00000000`083cfa20 00000000`76f4c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`083cfa50 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: sechost!LsaLookupOpenLocalPolicy+41
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: sechost
IMAGE_NAME: sechost.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5be05e
STACK_COMMAND: ~42s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_sechost.dll!LsaLookupOpenLocalPolicy
BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_BAD_IP_sechost!LsaLookupOpenLocalPolicy+41
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/procexp_exe/15_13_0_0/4f39b794/unknown/0_0_0_0/bbbbbbb4/c0000005/0008000a.htm?Retriage=1 (http://watson.microsoft.com/StageOne/procexp_exe/15_13_0_0/4f39b794/unknown/0_0_0_0/bbbbbbb4/c0000005/0008000a.htm?Retriage=1)
Followup: MachineOwner
---------
-
That's weird, I certainly don't have any problem with Process Explorer, and never had.
So even if you disable all avast! shields simultaneously ("avast! shields control" from the tray icon context menu) - still no change?
-
Interesting - Are you using the latest and greatest version of process explorer?
Yes, even with all shields disabled, AutoSandbox disabled ... pretty much everything disable'able in Avast - set to disabled --- procexp still crashes.
I can't think of anything else these 5-6 systems have in common other than process explorer, firefox, and avast...
That's weird, I certainly don't have any problem with Process Explorer, and never had.
So even if you disable all avast! shields simultaneously ("avast! shields control" from the tray icon context menu) - still no change?
-
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0
This is probably our fault -- or a compatibility issue with other apps.
Can you please upload your dump to our ftp? Thanks!
You can generate App Crash Dump from Task Manager (in Process tab, click on procexp process and select Crash Dump).
-
Dear P.K.
The problem was not in Avast but the 15.21 build of process explorer. Avast in the crash dump was a smokescreen. Process Explorer build 15.22 fixes the problem …
-
Thanks for info, I used above mentioned instruction "lock bts dword ptr [r10+74h],0" in sandbox/autosandbox hooking engine -- that's why I thought there's a compatibility issue between avast and other products.
-
I'm having exactly the same problem:
Avast Internet security version: 7.0.1474
Process explorer: v15.23
OS: win7 x64
I just installed avast IS today and its very disappointing suprise :'(
Exception at the same instruction:
lock bts dword ptr [r10+74h],0 ds:00000000`76f12008=????????
-
I found the problem. How do you use process explorer that it leads to BSOD? Is it running for long time?
Thanks.
-
no BSOD, just process explorer crash.
I start process explorer and ~2sec later crash. I not able to do anything in process explorer, its crashing so quickly.
-
Can you please generate a user dump and upload it somewhere? (our ftp: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=18)
When you receive the application error, run Task Manager, go to Processes tab, find proceexp64.exe, right click and choose generate dump option.
Thanks.
-
well, the problem is that procexp64.DMP dump is 110MB, and my network connection is very slow at the moment, so unfortunately I wont be able to do that at least today, maybe tomorrow
-
never mind, you can compress it (7z/rar), thanks.
-
ok I'll uploaded crash dump, I did send you PM yestarday with the name.
-
UPDATE: I deleted the registry items for the column sets and all is OK on both systems.
HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer\ColumnSet0 and ColumnSet1 and so on.
Very interesting issue. Now I have to rebuild eight column sets. Like I'm going to remember all of that... :P
So, any progress on this issue? I've just run Process Explorer for the first time since installing Avast 8 Free three weeks ago. It's otherwise run OK on this Win7x64 box I built last July and a laptop running since Nov. 2011. I've been using Process Explorer since version 1 to troubleshoot 100's of systems and this is the first time I've ever seen it belch. Please advise. Thank you!
1) Not a BSOD
2) Shields disable, no fix.
Problem signature:
Problem Event Name: APPCRASH
Application Name: procexp64.exe
Application Version: 15.30.0.0
Application Timestamp: 510f1680
Fault Module Name: StackHash_0c29
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 0000000076ed000a
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional Information 1: 0c29
Additional Information 2: 0c29f3d89da072401f8ff40434d0a4c0
Additional Information 3: b896
Additional Information 4: b8969c534b31c7037d717075dbc4f788
-
I've been having the same issue with Process Explorer lately. =( I'm uploading procexp64DMP.zip now.