Certain apps crash randomly at an address within the Webroot injection DLL (WRDll.x86.dll). I was able to capture the following crash dump from one of the apps. Hard to reproduce, unclear why it happens. Maybe your dev team can look into this. WRDll.x86.dll version 1.1.0.226.
User Mode Dump

Microsoft (R) Windows Debugger Version 10.0.20153.1000 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\fmike\Downloads\action1_agent.exe.3548.dmp.gz.dmp]
User Mini Dump File with Full Memory: Only application data is available

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
OK                                             C:\Users\fmike\debug_symbols
OK                                             C:\PDB\3.54.234.1
Symbol search path is: srv*;C:\Users\fmike\debug_symbols;C:\PDB\3.54.234.1
Executable search path is:
Windows 10 Version 18362 MP (8 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Edition build lab: 18362.116.x86fre.19h1_release_svc_im.190516-1930
Machine Name:
Debug session time: Fri Sep 18 17:33:45.000 2020 (UTC - 7:00)
System Uptime: 2 days 3:24:51.843
Process Uptime: 0 days 0:00:04.000
.........................................................
Loading unloaded module list
.
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(ddc.213c): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=00000000 ebx=00000000 ecx=703aef90 edx=703aef90 esi=00000000 edi=00000003
eip=7753224c esp=018cf168 ebp=018cf194 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtWaitForMultipleObjects+0xc:
7753224c c21400 ret 14h
0:001> !analyze -v
*******************************************************************************
*                        Exception Analysis                                   *
*******************************************************************************

*** WARNING: Unable to verify timestamp for WRDll.x86.dll

KEY_VALUES_STRING: 1
    Key  : AV.Fault
    Value: Execute
    Key  : Analysis.CPU.mSec
    Value: 2155
    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on A1MW10
    Key  : Analysis.DebugData
    Value: CreateObject
    Key  : Analysis.DebugModel
    Value: CreateObject
    Key  : Analysis.Elapsed.mSec
    Value: 5666
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 87
    Key  : Analysis.System
    Value: CreateObject
    Key  : Timeline.OS.Boot.DeltaSec
    Value: 185091
    Key  : Timeline.Process.Start.DeltaSec
    Value: 4
    Key  : WER.OS.Branch
    Value: 19h1_release_svc_im
    Key  : WER.OS.Timestamp
    Value: 2019-05-16T19:30:00Z
    Key  : WER.OS.Version
    Value: 10.0.18362.116
    Key  : WER.Process.Version
    Value: 4.6.266.1

ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0

CONTEXT: (.ecxr)
eax=018cfb28 ebx=703e4668 ecx=703aef90 edx=703aef90 esi=703aef90 edi=703aef90
eip=703aef90 esp=018cfad0 ebp=018cfadc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
WRDll_x86+0xef90:
703aef90 ?? ???
Resetting default scope

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 703aef90 (WRDll_x86+0x0000ef90)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 703aef90
Attempt to execute non-executable address 703aef90

PROCESS_NAME: action1_agent.exe
EXECUTE_ADDRESS: 703aef90
FAILED_INSTRUCTION_ADDRESS:
WRDll.x86.dll!Unloaded+ef90
703aef90 ?? ???
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 703aef90

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
018cfacc 765f6359 703e4668 765f6340 018cfb38 WRDll_x86+0xef90
018cfadc 77527a94 703e4668 24029106 00000000 kernel32!BaseThreadInitThunk+0x19
018cfb38 77527a64 ffffffff 77548e11 00000000 ntdll!__RtlUserThreadStart+0x2f
018cfb48 00000000 703aef90 703e4668 00000000 ntdll!_RtlUserThreadStart+0x1b

SYMBOL_NAME: WRDll.x86.dll!Unloaded+ef90
MODULE_NAME: WRDll.x86
IMAGE_NAME: WRDll.x86.dll
STACK_COMMAND: ~1s ; .ecxr ; kb
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_WRDll.x86.dll!Unloaded
OS_VERSION: 10.0.18362.116
BUILDLAB_STR: 19h1_release_svc_im
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
IMAGE_VERSION: 10.0.18362.1
FAILURE_ID_HASH: {1d3e4939-8026-26c5-d263-33e059ef498f}
Followup: MachineOwner
---------
Best answer by TripleHelix
It’s best to do a reinstall as I posted above as it only takes a few minutes!
For some reason, 9.6.14 is what it shows in Add/Remove Programs in Windows.
Does it automatically update WRDll.x86.dll when you release new versions? This particular application that crashed was a 32-bit Windows service. I will see if this crash happens again after the update to the most recent version.
They advise rebooting, however we found this was not required. We deployed this key using group policy for 100’s of machines and it worked following a gpupdate/reboot.
Thanks a lot for posting this! I will try the suggestion above to update the IFEO to see if this helps. But Webroot has to create a permanent fix for this, because this is not good at all.
The issue is still there, sometimes the processes that have WRDll_x86 and WRusr.dll loaded crash. Just a few days ago reproduced it on version 9.0.29.24 (WRusr.dll has this version).