Author Topic: Avast 7 crashing Sysinternals Process Explorer  (Read 9954 times)


obliv

  • Guest
Avast 7 crashing Sysinternals Process Explorer
« on: May 03, 2012, 01:02:38 AM »
Before installing Avast 7 free on multiple systems (a variety of 32 & 64-bit Windows XP, Vista, and 7 Home premium), I had the MS Sysinternals app -  Process Explorer - installed on each system...
After installing Avast on each, Process Explorer crashes every time on every 64-bit system. (Might be because of something related to procexp.exe self-extracting procexp64.exe from itself)...
I tried shutting off each shield within Avast 1 by 1, tried adding exclusions to every shield, tried disabling AutoSandbox -- all with no luck... Process explorer crashes every time..
After uninstalling Avast, it works again...
Avast is great, but I can't do without Process Explorer...

Anyone else experiencing this? Looking for a workaround or anything to get these 2 apps to coexist.
« Last Edit: May 03, 2012, 01:46:30 AM by obliv »

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #1 on: May 03, 2012, 01:08:32 AM »
Which version of Avast do you use? Avast 7.0.1426 is the latest version. 


obliv

  • Guest
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #2 on: May 03, 2012, 01:14:14 AM »
I'm using the latest.. 7.0.1426

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #3 on: May 03, 2012, 01:33:17 AM »
Sorry, my help ends here; all I can say is: "Update Process Explorer to the latest version, but I'm quite sure you already have the last one, right." :D

PC: Did you get a BSOD when Process Explorer crashes?

obliv

  • Guest
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #4 on: May 03, 2012, 01:41:24 AM »
Nope, no BSOD, just an application crash... "APPCRASH" is all I get under the details of the crash... Standard stuff, not many hints as to what it could be.

Thanks anyway..

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #5 on: May 03, 2012, 02:07:04 AM »
Well, you can send a support pack to Avast via the FTP server.

Open Avast-Maintenance and select Support. You can also select FullDumps if you want, then press Generate now. When Avast finishes, rename the Zip file with a unique name (your forum nick + problems Sysinternals Process Explorer) and send the file to Avast via the FTP server.


iroc9555

  • Guest
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #6 on: May 03, 2012, 02:07:46 AM »
Have you excluded procexp.exe from AutoSandbox and added it as a trusted process in the Behavior Shield?

obliv

  • Guest
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #7 on: May 03, 2012, 03:51:34 AM »
Quote
Have you excluded procexp.exe from AutoSandbox and added it as a trusted process in the Behavior Shield?

Yes & Yes.

obliv

  • Guest
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #8 on: May 03, 2012, 04:02:13 AM »
Windbg exe-attached output of the crash of procexp64.exe, if this helps...

Quote
0:000> g
ModLoad: 000007fe`fee00000 000007fe`fee2e000   C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`f5d70000 000007fe`f5d7f000   C:\Windows\system32\CSCAPI.dll
<snip>
ModLoad: 000007fe`f4650000 000007fe`f46d0000   C:\Windows\system32\ntshrui.dll
ModLoad: 000007fe`fced0000 000007fe`fcef3000   C:\Windows\system32\srvcli.dll
ModLoad: 000007fe`faf60000 000007fe`faf6b000   C:\Windows\system32\slc.dll
ModLoad: 000007fe`fce40000 000007fe`fce57000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 000007fe`fc950000 000007fe`fc997000   C:\Windows\system32\rsaenh.dll
ModLoad: 000007fe`fcd80000 000007fe`fcda2000   C:\Windows\system32\bcrypt.dll
ModLoad: 000007fe`fc890000 000007fe`fc8dc000   C:\Windows\system32\bcryptprimitives.dll
(10f4.aa4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000`0008000a f0410fba6a7400  lock bts dword ptr [r10+74h],0 ds:00000000`00082030=????????
*** ERROR: Module load completed but symbols could not be loaded for procexp.exe
0:042> g
(10f4.aa4): Access violation - code c0000005 (!!! second chance !!!)
00000000`0008000a f0410fba6a7400  lock bts dword ptr [r10+74h],0 ds:00000000`00082030=????????
0:042> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/procexp_exe/15_13_0_0/4f39b794/unknown/0_0_0_0/bbbbbbb4/c0000005/0008000a.htm?Retriage=1

FAULTING_IP:
+41
00000000`0008000a f0410fba6a7400  lock bts dword ptr [r10+74h],0

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000008000a
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000082030
Attempt to write to address 0000000000082030

FAULTING_THREAD:  0000000000000aa4

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  procexp.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000000082030

WRITE_ADDRESS:  0000000000082030

FOLLOWUP_IP:
sechost!LsaLookupOpenLocalPolicy+41
000007fe`fdb3429d 89442440        mov     dword ptr [rsp+40h],eax

FAILED_INSTRUCTION_ADDRESS:
+41
00000000`0008000a f0410fba6a7400  lock bts dword ptr [r10+74h],0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  000000000008000a
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 000007feff04a776 to 000000000008000a

STACK_TEXT: 
00000000`083ce2e8 000007fe`ff04a776 : 00000000`00000000 00000000`083ce5e0 00000000`083cea18 000007fe`ff0598b1 : 0x8000a
00000000`083ce2f0 000007fe`ff0ecc74 : 00000000`083ce6a0 00000000`00000000 00000000`083ce6a0 00000000`083ce6a0 : RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000`083ce3b0 000007fe`ff0ecf25 : 000007fe`fdb230a0 00000000`00000000 00000000`00000000 00000000`0ab84ae0 : RPCRT4!NdrpClientCall3+0x244
00000000`083ce670 000007fe`fdb3429d : 00000000`00000001 00000000`0000000c 00000000`00000000 00000000`00000000 : RPCRT4!NdrClientCall3+0xf2
00000000`083cea00 000007fe`fdb33e17 : 00000000`00000000 00000000`083ceb90 00000000`083ceac8 00000000`00000000 : sechost!LsaLookupOpenLocalPolicy+0x41
00000000`083cea60 000007fe`fdb3422d : 00000000`0ab84bc0 00000000`083cec40 00000000`00000000 00000000`0ab84bc0 : sechost!LookupAccountSidInternal+0x7f
00000000`083ceb30 000007fe`ff16b8ef : 00000000`00000000 00000000`00000000 00000000`00000000 000007fe`00000000 : sechost!LookupAccountSidLocalW+0x25
00000000`083ceb80 000007fe`fd717ba2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000158 : ADVAPI32!LookupAccountSidW+0x53
00000000`083cebd0 000007fe`fd71b74f : 00000000`00000000 00000000`083cf368 00000000`083cf0cc 00000000`00000000 : Wintrust!_SSCatDBSetupRPCConnection+0x26f
00000000`083cef20 000007fe`fd71b921 : 00000000`00000000 00000000`083cf0cc 00000000`083cf778 00000000`00000014 : Wintrust!Client_SSCatDBEnumCatalogs+0x3f
00000000`083cefc0 000007fe`fd71cecc : 00000000`00000000 00000000`003d51b0 00000000`0040f470 00000000`00000000 : Wintrust!_CatAdminAddCatalogsToCache+0x8c
00000000`083cf070 000007fe`fd71b251 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Wintrust!CryptCATAdminRemoveCatalog+0x37d
00000000`083cf330 00000001`3fcd4b30 : 00000000`003f2c70 00000000`0344efb0 00000000`00000000 00000000`00000000 : Wintrust!CryptCATAdminEnumCatalogFromHash+0x157
00000000`083cf3e0 00000001`3fcc1a1e : 00000000`0344ee20 00000000`00000000 00000000`00000000 00000000`00000000 : procexp+0x84b30
00000000`083cf7d0 00000001`3fcc1bd5 : 00000000`0344e530 00000000`00000001 00000000`00000000 00000000`00000000 : procexp+0x71a1e
00000000`083cf990 00000001`3fce77ef : 00000000`0344e530 00000000`00000000 00000000`00000000 00000000`00000000 : procexp+0x71bd5
00000000`083cf9c0 00000001`3fce7899 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp+0x977ef
00000000`083cf9f0 00000000`76b6652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp+0x97899
00000000`083cfa20 00000000`76f4c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`083cfa50 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  sechost!LsaLookupOpenLocalPolicy+41

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: sechost

IMAGE_NAME:  sechost.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5be05e

STACK_COMMAND:  ~42s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_sechost.dll!LsaLookupOpenLocalPolicy

BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_READ_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_BAD_IP_sechost!LsaLookupOpenLocalPolicy+41

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/procexp_exe/15_13_0_0/4f39b794/unknown/0_0_0_0/bbbbbbb4/c0000005/0008000a.htm?Retriage=1

Followup: MachineOwner
---------

« Last Edit: May 03, 2012, 04:10:56 AM by obliv »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #9 on: May 03, 2012, 06:40:59 AM »
That's weird, I certainly don't have any problem with Process Explorer, and never had.
So even if you disable all avast! shields simultaneously ("avast! shields control" from the tray icon context menu) - still no change?

obliv

  • Guest
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #10 on: May 03, 2012, 08:13:52 AM »
Interesting - Are you using the latest and greatest version of process explorer?
Yes, even with all shields disabled, AutoSandbox disabled ... pretty much everything disable'able in Avast - set to disabled --- procexp still crashes.
I can't think of anything else these 5-6 systems have in common other than process explorer, firefox, and avast...

Quote
That's weird, I certainly don't have any problem with Process Explorer, and never had.
So even if you disable all avast! shields simultaneously ("avast! shields control" from the tray icon context menu) - still no change?

« Last Edit: May 03, 2012, 08:17:52 AM by obliv »

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #11 on: May 03, 2012, 12:27:51 PM »
Quote
00000000`0008000a f0410fba6a7400  lock bts dword ptr [r10+74h],0

This is probably our fault -- or a compatibility issue with other apps.
Can you please upload your dump to our ftp? Thanks!

You can generate App Crash Dump from Task Manager (in Process tab, click on procexp process and select Crash Dump).
« Last Edit: May 03, 2012, 12:34:22 PM by pk »

Offline avast@@dvantage77.com

  • J.R. Guthrie - avast! Sales and Support Specialist
  • Avast Reseller
  • Advanced Poster
  • *
  • Posts: 736
  • the only avast! Distributor & Platinum Reseller
    • Advantage Micro Corporation
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #12 on: August 25, 2012, 12:40:41 AM »
Dear P.K.

The problem was not in Avast but the 15.21 build of process explorer. Avast in the crash dump was a smokescreen. Process Explorer build 15.22 fixes the problem …
Sincerely,
 
J.R. "AutoSandbox Guy" Guthrie

"At this point in time, the Internet should be regarded as an Enemy Weapons System!"

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #13 on: August 25, 2012, 12:43:09 AM »
Thanks for the info. I used the above-mentioned instruction "lock bts dword ptr [r10+74h],0" in the sandbox/autosandbox hooking engine -- that's why I thought there's a compatibility issue between avast and other products.
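
An added triage example, not part of any post in this thread: the dump in Reply #8 faults at an address that belongs to no loaded module, which is what execution inside a hook stub or other runtime-allocated code looks like. The sketch below rebuilds each frame's instruction pointer and reports which frames are not backed by an image. The function names are hypothetical and the module ranges are assumed values; the frame addresses mirror the top of the posted stack.

```python
import re

# Constructed sample shaped like the thread's WinDbg output. Frame addresses
# mirror the top of the posted stack; the module ranges are assumed values.
MODULES = """\
00000001`3fc50000 00000001`3ff00000   procexp
000007fe`ff040000 000007fe`ff16d000   RPCRT4
"""
ANALYSIS = """\
ExceptionAddress: 000000000008000a
STACK_TEXT:
00000000`083ce2e8 000007fe`ff04a776 : 00000000`00000000 : 0x8000a
00000000`083ce2f0 000007fe`ff0ecc74 : 00000000`00000000 : RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000`083ce3b0 00000000`00000000 : 00000000`00000000 : RPCRT4!NdrpClientCall3+0x244
"""
# kb-style line: child-SP, return address, arguments, call site
FRAME = re.compile(r"^([0-9a-f`]+) ([0-9a-f`]+) : .* : (\S+)$", re.M)

def to_int(text):
    """WinDbg prints 64-bit values as hhhhhhhh`hhhhhhhh; drop the backtick."""
    return int(text.replace("`", ""), 16)

def parse_modules(text):
    """Return [(start, end, name)] from lm-style 'start end name' lines."""
    rows = re.finditer(r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)", text, re.M)
    return [(to_int(m[1]), to_int(m[2]), m[3]) for m in rows]

def owner(addr, mods):
    """Name of the module whose range contains addr, or None."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None

def triage(analysis, module_list):
    """Return (unbacked IPs as hex strings, call site of first backed frame)."""
    mods = parse_modules(module_list)
    fault = to_int(re.search(r"ExceptionAddress:\s*([0-9a-f`]+)", analysis)[1])
    frames = FRAME.findall(analysis)
    # Frame 0 executes at the fault address; frame n executes at the
    # return address recorded by frame n-1.
    ips = [fault] + [to_int(ret) for _sp, ret, _site in frames[:-1]]
    unbacked, caller = [], None
    for ip, (_sp, _ret, site) in zip(ips, frames):
        if owner(ip, mods) is None:
            unbacked.append(hex(ip))
        elif caller is None:
            caller = site
    return unbacked, caller
```

An unbacked frame only says that the code was allocated at runtime; running `!address` on the reported address in the debugger shows which allocation holds it, which is the next step in attributing it to a product.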

ArkKup

  • Guest
Re: Avast 7 crashing Sysinternals Process Explorer
« Reply #14 on: December 21, 2012, 09:37:26 PM »
I'm having exactly the same problem:

Avast Internet security version: 7.0.1474
Process explorer: v15.23
OS: win7 x64

I just installed avast IS today and it's a very disappointing surprise  :'(

Exception at the same instruction:
lock bts dword ptr [r10+74h],0 ds:00000000`76f12008=????????