Solved

Bug report: certain apps crash with Access Violation at WRDll.x86.dll

  • 29 September 2020
  • 7 replies
  • 4678 views

Certain apps crash randomly at the address within the web root injection DLL (WRDll.x86.dll). I was able to capture the following crash dump from one of the apps. Hard to reproduce, unclear why it happens. Maybe your dev team can look into this. WRDll.x86.dll version 1.1.0.226.
User Mode DumpMicrosoft (R) Windows Debugger Version 10.0.20153.1000 X86Copyright (c) Microsoft Corporation. All rights reserved.Loading Dump File [C:\Users\fmike\Downloads\action1_agent.exe.3548.dmp.gz.dmp]User Mini Dump File with Full Memory: Only application data is available************* Path validation summary **************Response                         Time (ms)     LocationDeferred                                       srv*OK                                             C:\Users\fmike\debug_symbolsOK                                             C:\PDB\3.54.234.1Symbol search path is: srv*;C:\Users\fmike\debug_symbols;C:\PDB\3.54.234.1Executable search path is: Windows 10 Version 18362 MP (8 procs) Free x86 compatibleProduct: WinNt, suite: SingleUserTSEdition build lab: 18362.116.x86fre.19h1_release_svc_im.190516-1930Machine Name:Debug session time: Fri Sep 18 17:33:45.000 2020 (UTC - 7:00)System Uptime: 2 days 3:24:51.843Process Uptime: 0 days 0:00:04.000.........................................................Loading unloaded module list.This dump file has an exception of interest stored in it.The stored exception information can be accessed via .ecxr.(ddc.213c): Access violation - code c0000005 (first/second chance not available)For analysis of this file, run !analyze -veax=00000000 ebx=00000000 ecx=703aef90 edx=703aef90 esi=00000000 edi=00000003eip=7753224c esp=018cf168 ebp=018cf194 iopl=0         nv up ei pl nz na po nccs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202ntdll!NtWaitForMultipleObjects+0xc:7753224c c21400          ret     14h0:001> !analyze -v********************************************************************************                                                                             **                        Exception Analysis                                   **                                                                             *********************************************************************************** WARNING: Unable to verify timestamp for WRDll.x86.dllKEY_VALUES_STRING: 1    Key  : AV.Fault    Value: Execute    Key  : Analysis.CPU.mSec    Value: 2155    Key  : Analysis.DebugAnalysisProvider.CPP    Value: Create: 8007007e on A1MW10    Key  : Analysis.DebugData    Value: CreateObject    Key  : Analysis.DebugModel    Value: CreateObject    Key  : Analysis.Elapsed.mSec    Value: 5666    Key  : Analysis.Memory.CommitPeak.Mb    Value: 87    Key  : Analysis.System    Value: CreateObject    Key  : Timeline.OS.Boot.DeltaSec    Value: 185091    Key  : Timeline.Process.Start.DeltaSec    Value: 4    Key  : WER.OS.Branch    Value: 19h1_release_svc_im    Key  : WER.OS.Timestamp    Value: 2019-05-16T19:30:00Z    Key  : WER.OS.Version    Value: 10.0.18362.116    Key  : WER.Process.Version    Value: 4.6.266.1ADDITIONAL_XML: 1OS_BUILD_LAYERS: 1NTGLOBALFLAG:  0APPLICATION_VERIFIER_FLAGS:  0CONTEXT:  (.ecxr)eax=018cfb28 ebx=703e4668 ecx=703aef90 edx=703aef90 esi=703aef90 edi=703aef90eip=703aef90 esp=018cfad0 ebp=018cfadc iopl=0         nv up ei pl zr na pe nccs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246WRDll_x86+0xef90:703aef90 ??              ???Resetting default scopeEXCEPTION_RECORD:  (.exr -1)ExceptionAddress: 703aef90 (WRDll_x86+0x0000ef90)   ExceptionCode: c0000005 (Access violation)  ExceptionFlags: 00000000NumberParameters: 2   Parameter[0]: 00000008   Parameter[1]: 703aef90Attempt to execute non-executable address 703aef90PROCESS_NAME:  action1_agent.exeEXECUTE_ADDRESS: 703aef90FAILED_INSTRUCTION_ADDRESS: WRDll.x86.dll!Unloaded+ef90703aef90 ??              ???ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.EXCEPTION_CODE_STR:  c0000005EXCEPTION_PARAMETER1:  00000008EXCEPTION_PARAMETER2:  703aef90STACK_TEXT:  WARNING: Stack unwind information not available. Following frames may be wrong.018cfacc 765f6359     703e4668 765f6340 018cfb38 WRDll_x86+0xef90018cfadc 77527a94     703e4668 24029106 00000000 kernel32!BaseThreadInitThunk+0x19018cfb38 77527a64     ffffffff 77548e11 00000000 ntdll!__RtlUserThreadStart+0x2f018cfb48 00000000     703aef90 703e4668 00000000 ntdll!_RtlUserThreadStart+0x1bSYMBOL_NAME:  WRDll.x86.dll!Unloaded+ef90MODULE_NAME: WRDll.x86IMAGE_NAME:  WRDll.x86.dllSTACK_COMMAND:  ~1s ; .ecxr ; kbFAILURE_BUCKET_ID:  BAD_INSTRUCTION_PTR_c0000005_WRDll.x86.dll!UnloadedOS_VERSION:  10.0.18362.116BUILDLAB_STR:  19h1_release_svc_imOSPLATFORM_TYPE:  x86OSNAME:  Windows 10IMAGE_VERSION:  10.0.18362.1FAILURE_ID_HASH:  {1d3e4939-8026-26c5-d263-33e059ef498f}Followup:     MachineOwner---------
icon

Best answer by TripleHelix 29 September 2020, 19:58

View original

7 replies

Userlevel 7
Badge +63

And this is Webroot SecureAnywhere 9.6.14


Hello @fmike7 there is no such version! The current release for PC is v9.0.29.52

 

So please try a clean reinstall and after WRDll.x86.dll version will be 1.1.0.227

 

Please follow the steps closely!

  • Make sure you have a copy of your 20 Character Alphanumeric Keycode! Example: SA69-AAAA-A783-DE78-XXXX
  • Be sure you add your Keycode to your Online Console: Webroot SecureAnywhere Online Console
  • KEEP the computer online for Uninstall and Reinstall to make sure it works correctly
  • Download a Copy Here (Best Buy Geek Squad Subscription PC users click HERE) Let us know if it is the Mac version you need
  • Uninstall WSA and Reboot
  • Look to see if this folder is gone: C:\ProgramData\WRData and if it’s there delete it. (Hidden Area)
  • Install with the new installer, enter your Keycode
  • Let it finish it's install scan
  • Reboot once again
  • DO NOT import any old settings as you can set it up as you like once it's done

Please let us know if that resolves your issue?

Thanks,

Userlevel 7
Badge +63

It’s best to do a reinstall as I posted above as it only takes a few minutes!

 

Look here to see the version number:

 

 

 

Or hover over the Webroot Tray Icon:

 

 

 

 

 

 

Userlevel 7
Badge +63

Hello @fmike7 

 

Have you contacted Webroot support about this issue? If not please do. Also the newest current build is up to v9.0.29.62 https://answers.webroot.com/Webroot/ukp.aspx?pid=12&app=vw&vw=1&login=1&json=1&solutionid=1098

 

Consumer Support: https://www.webroot.com/us/en/support/support-home

 

Business Support: https://www.webroot.com/us/en/business/support

 

Thanks,

For anyone landing here from Google, the resolution we had from Webroot support for this issue was as follows:

Please import the following Registry key, where "image.exe" is replaced with the name of the faulting application.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"image.exe"]

"MaxLoaderThreads"=dword:00000001

 

They advise rebooting, however we found this was not required. We deployed this key using group policy for 100’s of machines and it worked following a gpupdate/reboot.

Thanks a lot for posting this! I will try the suggestion above to update the IFEO to see if this helps. But Webroot has to create a permanent fix for this, because this is not good at all.

The issue is still there, sometimes the processes that have WRDll_x86 and WRusr.dll loaded crash. Just a few days ago reproduced it on version 9.0.29.24 (WRusr.dll has this version).

WRdll_x86 has this signature:

    Loaded symbol image file: WRDll.x86.dll
    Image path: WRDll.x86.dll
    Image name: WRDll.x86.dll
    Timestamp:        Tue Aug 25 19:46:26 2020 (5F45CD02)
    CheckSum:         missing
    ImageSize:        0004A000

What happens is this DLL gets unloaded (prematurely?) from the process, while some threads still execute its code.

For anyone landing here from Google, the resolution we had from Webroot support for this issue was as follows:

Please import the following Registry key, where "image.exe" is replaced with the name of the faulting application.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"image.exe"]

"MaxLoaderThreads"=dword:00000001

 

They advise rebooting, however we found this was not required. We deployed this key using group policy for 100’s of machines and it worked following a gpupdate/reboot.

For some reason, 9.6.14 is what is shows in Add/Remove Programs in Windows.

Does it automatically update WRDll.x86.dll when you release new versions? This particular application that crashed was 32 bit Windows service. I will see if this crash happens again after the update to the most recent version.

And this is Webroot SecureAnywhere 9.6.14

Reply