Core ReactOS: CORE-16671

MS ProcDump 9.0 fails to generate the minidump from any running process


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 0.4.14
    • None
    • VirtualBox 5.1.38.

    Description

      Tested with ReactOS 0.4.14-dev-844-gea35843.

      To reproduce the problem, do the following:

      1. Download ProcDump v9.0 here: https://download.sysinternals.com/files/Procdump.zip.
      2. Extract it from the zip archive to any directory.
      3. Right click on the folder where it has been extracted -> "Command Prompt Here".
      4. In the opened cmd, type "procdump -mm processname.exe". Alternatively, you can specify the PID or any other information about the process which is visible in taskmgr. This will (try to) generate minidump file(s) from the specified process. For example, I tried kbswitch.exe, but for the test you can use any other running process you want.
      5. After typing the command, press Enter. After pressing it, the tool will crash due to the unimplemented RtlGetUnloadEventTrace() (in ntdll.dll) and VerifierEnumerateResource() (in verifier.dll):

      WARNING: calling stub RtlGetUnloadEventTrace()
      WARNING: calling stub VerifierEnumerateResource()
      Unhandled exception
      ExceptionCode:    80000100
      CS:EIP 1b:721e1521
      DS 23 ES 23 FS 3b GS 0
      EAX: 007ffb80   EBX: 00049925   ECX: 00000000
      EDX: 00000000   EBP: 007ffbd8   ESI: 00000001   ESP: 007ffb7c
      EDI: 007ffbd0   EFLAGS: 00000212
      Address:
      <verifier.dll:1521> (C:\WINDOWS\System32\verifier.dll@721e0000)
      Frames:
      <dbghelp.dll:67194> (C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll@3000000)
      <dbghelp.dll:64948> (C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll@3000000)
      <dbghelp.dll:5d629> (C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll@3000000)
      <dbghelp.dll:5e65a> (C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll@3000000)
      <dbghelp.dll:5e9cb> (C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll@3000000)
      <procdump.exe:11a8d> (C:\Documents and Settings\Administrator\Мои документы\RAPPS Downloads\Procdump\procdump.exe@400000)
      <procdump.exe:116a6> (C:\Documents and Settings\Administrator\Мои документы\RAPPS Downloads\Procdump\procdump.exe@400000)
      <procdump.exe:11610> (C:\Documents and Settings\Administrator\Мои документы\RAPPS Downloads\Procdump\procdump.exe@400000)
      <procdump.exe:1130a> (C:\Documents and Settings\Administrator\Мои документы\RAPPS Downloads\Procdump\procdump.exe@400000)
      <kernel32.dll:1c5e1> (C:\WINDOWS\system32\kernel32.dll@7c5b0000)
      err:(dll/win32/advapi32/service/eventlog.c:144) RpcBindingFree returned 0x6a6
      err:(win32ss/user/user32/windows/messagebox.c:1048) MessageBox: L"The exception unknown software exception (0x80000100) occurred in the application at location 0x721e1521.\r\n\nClick on OK to terminate the program.\nClick on CANCEL to debug the program."
      

      To fix it, I implemented RtlGetUnloadEventTrace() according to https://docs.microsoft.com/en-us/windows/win32/devnotes/rtlgetunloadeventtrace, and after my changes it crashes only due to VerifierEnumerateResource(). Since this function is implemented in verifier.dll, after replacing this dll with the version from Win2k3, ProcDump no longer crashes and generates the minidump file(s) successfully. So I think my RtlGetUnloadEventTrace implementation is correct.

      Although there also exists an RtlGetUnloadEventTraceEx function, it can't be implemented in ReactOS for now and returned from RtlGetUnloadEventTrace, at least due to the two following reasons:

      1. This function is Vista+, while the non-Ex function has existed since Windows XP SP2, see https://www.geoffchappell.com/studies/windows/win32/ntdll/api/index.htm.
      2. It has different parameters and a different implementation from the non-Ex function, according to MSDN: https://docs.microsoft.com/en-us/windows/win32/devnotes/rtlgetunloadeventtraceex, so it can't be used in pair with RtlGetUnloadEventTrace().
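      As an added illustration (not the reporter's patch and not ReactOS code), the C model below shows the contract a RtlGetUnloadEventTrace implementation has to honour as documented: it returns a fixed table of unload records that the loader fills as a ring buffer whenever a DLL is unloaded, and a minidump writer such as dbghelp then walks that table to emit the unloaded-module list. The slot count of 64, the use of Sequence == 0 to mark an empty slot, the circular-overwrite behaviour, and the portable field types standing in for PVOID/SIZE_T/ULONG/WCHAR are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Slot count of the unload trace table (RTL_UNLOAD_EVENT_TRACE_NUMBER in the
 * Windows headers); the value is an assumption of this model. */
#define UNLOAD_TRACE_NUMBER 64

/* Modelled on the documented RTL_UNLOAD_EVENT_TRACE layout with portable
 * types so it compiles outside Windows. */
typedef struct {
    void     *BaseAddress;   /* base of the unloaded image */
    size_t    SizeOfImage;
    uint32_t  Sequence;      /* 1-based unload counter; 0 = slot never used */
    uint32_t  TimeDateStamp; /* PE header timestamp */
    uint32_t  CheckSum;      /* PE header checksum */
    uint16_t  ImageName[32]; /* UTF-16 file name, truncated to fit */
} UnloadEventTrace;

static UnloadEventTrace g_unload_trace[UNLOAD_TRACE_NUMBER];
static uint32_t g_unload_sequence; /* total unloads recorded so far */

/* Loader side: record one DLL unload into the next ring-buffer slot, so the
 * oldest record is overwritten once the table is full. */
void RecordDllUnload(void *base, size_t size, uint32_t stamp,
                     uint32_t checksum, const char *name)
{
    UnloadEventTrace *e = &g_unload_trace[g_unload_sequence % UNLOAD_TRACE_NUMBER];
    memset(e, 0, sizeof *e);
    e->BaseAddress = base;
    e->SizeOfImage = size;
    e->Sequence = ++g_unload_sequence;
    e->TimeDateStamp = stamp;
    e->CheckSum = checksum;
    /* Widen the ASCII name to UTF-16, keeping room for the terminator. */
    for (size_t i = 0; i < 31 && name[i] != '\0'; i++)
        e->ImageName[i] = (uint16_t)(unsigned char)name[i];
}

/* The documented entry point simply hands back the table. A stub that does
 * not return a valid table is what made dbghelp crash in this report. */
UnloadEventTrace *RtlGetUnloadEventTraceModel(void) { return g_unload_trace; }

/* Consumer side (what a minidump writer does): count populated slots. */
size_t CountUnloadedModules(void)
{
    size_t n = 0;
    for (size_t i = 0; i < UNLOAD_TRACE_NUMBER; i++)
        if (g_unload_trace[i].Sequence != 0) n++;
    return n;
}
```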

      Attachments

        1. procdump.png (32 kB)
        2. MS_verifier.png (52 kB)
        3. fixed.png (40 kB)
        4. debug.log (135 kB)


          People

            ThFabba
            Oleg Dubinskiy