I'm currently running the latest version of Webroot (9.0.13.62) and it appears that with the Realtime Shield feature enabled it is causing hangs in .NET executables (running the 2.0 CLR) and possibly others.

I've been able to reproduce this consistently and analyzed a core dump from the process. It appears that the Webroot DLL (WRusr.dll) is being injected into the .NET process and during DllMain attempts to call GetFolderPath, which tries to enter a CriticalSection. At the same time the CLR is initializing and it resolves the user folder (which enters the same critical section) and then tries to load a DLL, which causes a deadlock. This scenario is described in detail in the following Microsoft blog post and can occur any time certain operations (such as resolving a folder location) are done in DllMain:

https://blogs.msdn.microsoft.com/jasone/2014/11/12/what-is-a-deadlock/

Here are the 2 stacks in question that produce the deadlock.

First, here is the thread in which Webroot is initializing:

0:002> kv
# Child-SP RetAddr : Args to Child : Call Site
00 00000000`023fefd8 00000000`77b8e4e8 : 00000000`01000012 00000000`0000010c 00000000`00092e90 00000000`00000000 : ntdll!ZwWaitForSingleObject+0xa
01 00000000`023fefe0 00000000`77b8e3db : 000007fe`00000000 00000000`000d9850 00000000`023ff348 00000000`000d9890 : ntdll!RtlpWaitOnCriticalSection+0xe8
02 00000000`023ff090 000007fe`fdfc3332 : 00000000`00000000 00000000`000d4c01 00000000`000d9890 00000000`77b95d24 : ntdll!RtlEnterCriticalSection+0xd1
03 00000000`023ff0c0 000007fe`fdf9e7b8 : 00000000`00040000 00000000`00000048 00000000`000902c8 00000000`000d4c20 : shell32!kfapi::CFolderDefinitionCache::Load+0x52
04 00000000`023ff2c0 000007fe`fdfc5062 : 00000000`00000002 00000000`000d4c20 00000000`000faac0 00000000`00000000 : shell32!kfapi::CFolderPathResolver::GetPath+0xb8
05 00000000`023ff3f0 000007fe`fdfc4c12 : 00000000`00000000 00000000`00000000 00000000`023ff5d0 00000000`00098140 : shell32!kfapi::CFolderCache::GetPath+0x191
06 00000000`023ff560 000007fe`fdfc4afa : 00000000`023ff680 000007fe`fdc8c627 00000000`00000000 00000000`00000006 : shell32!kfapi::CKFFacade::GetFolderPath+0x13e
07 00000000`023ff650 000007fe`fdfa3b20 : 00000000`023ff730 00000000`77a2b8df 00000000`023ff860 000007fe`fdfa3adc : shell32!SHGetKnownFolderPath_Internal+0xa8
08 00000000`023ff6d0 000007fe`fdfa3c72 : 00000000`00000000 00000000`77b914a0 00004501`00060009 00000000`21993ffe : shell32!SHGetFolderPathEx+0x2f
09 00000000`023ff720 000007fe`fb5f2edd : 000007fe`fb5f0000 00000000`023ffdb8 000007fe`fb5f0000 00000000`00000000 : shell32!SHGetFolderPathW+0x10b
0a 00000000`023ff790 000007fe`fb5f3964 : 00000000`00000000 000007fe`fdc8af5a 000007fe`fb5f0000 00000000`00010100 : WRusr+0x2edd
0b 00000000`023ff8b0 000007fe`fb5f3a6f : 000007fe`fb5f0000 00000000`d5d47cfb 00000000`00000000 00000000`00000001 : WRusr+0x3964
0c 00000000`023ff8f0 00000000`77b7b0d8 : 00000000`000d9940 00000000`00000000 000007fe`f9e21010 00000000`000d9940 : WRusr!SynExp+0x3f
0d 00000000`023ff920 00000000`77b6784a : 00000000`00000000 00000000`000d9940 00000000`023ffa30 00000000`00000000 : ntdll!LdrpRunInitializeRoutines+0x1fe
0e 00000000`023ffaf0 00000000`77b67b2e : 00000000`000d0930 00000000`00000000 00000000`00000003 00000000`00000000 : ntdll!LdrpLoadDll+0x231
0f 00000000`023ffd00 000007fe`fdc8a05c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00092b60 : ntdll!LdrLoadDll+0x9a
10 00000000`023ffd70 00000000`77a3652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0x19c
11 00000000`023ffe00 00000000`77b6c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
12 00000000`023ffe30 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

 

And here is the CLR initializing:

0:000> kv
# Child-SP RetAddr : Args to Child : Call Site
00 00000000`0027dad8 00000000`77b8e4e8 : 000007fe`ffe60000 00000000`0027de88 00000000`00000000 00000000`0027de10 : ntdll!ZwWaitForSingleObject+0xa
01 00000000`0027dae0 00000000`77b8e3db : 00000000`00000001 00000000`0027de10 00000000`00000000 00000000`77c77490 : ntdll!RtlpWaitOnCriticalSection+0xe8
02 00000000`0027db90 00000000`77b67e63 : 00000000`0027de88 00000000`00000000 00000000`c0150008 00000000`0027de88 : ntdll!RtlEnterCriticalSection+0xd1
03 00000000`0027dbc0 00000000`77b67b2e : 00000000`000d0930 00000000`00000000 00000000`00000003 00000000`000944a0 : ntdll!LdrpLoadDll+0x886
04 00000000`0027ddd0 000007fe`fdc8a05c : 000007fe`00000000 00000000`00000000 00000000`00000000 00000000`00092b60 : ntdll!LdrLoadDll+0x9a
05 00000000`0027de40 000007fe`fdc8d0f1 : 00000000`00000000 00000000`00000000 000007fe`fe402588 00000000`00000000 : KERNELBASE!LoadLibraryExW+0x19c
06 00000000`0027ded0 000007fe`fdf9dd06 : 00000000`00000000 ffffffff`80000002 00000000`0027e060 00000000`00000000 : KERNELBASE!LoadLibraryExA+0x51
07 00000000`0027df20 000007fe`fdf9de17 : 00000000`00000000 00000000`0027e718 00000000`0027e5a0 00000000`00020019 : shell32!_delayLoadHelper2+0x96
08 00000000`0027dfb0 000007fe`fdf9f402 : 00000000`0027e718 00000000`0027e080 00000000`00000027 00000000`00000000 : shell32!_tailMerge_ole32_dll+0x3f
09 00000000`0027e020 000007fe`fdf9fb4a : 00000000`77c55410 00000000`00000000 00000000`000fa2c0 00000000`0027e570 : shell32!kfapi::CFolderDefinitionStorage::_LoadRegistry+0x92
0a 00000000`0027e240 000007fe`fdf9f98f : 000007fe`fdf20000 000007fe`fdf9cc5d 00000000`00000001 00000000`00000001 : shell32!kfapi::CFolderDefinitionStorage::Load+0x62
0b 00000000`0027e490 000007fe`fdf9e7b8 : 000007fe`ffc57ec0 00000000`77a2e3a3 ffffffff`ffffffff 00000000`00000000 : shell32!kfapi::CFolderDefinitionCache::Load+0x119
0c 00000000`0027e690 000007fe`fdf9fcc5 : 00000000`00000000 00000000`00000000 00000000`00000040 00000000`00090000 : shell32!kfapi::CFolderPathResolver::GetPath+0xb8
0d 00000000`0027e7c0 000007fe`fdfc4c12 : 00000000`00000000 00000000`00000001 000007fe`f8b11001 00000000`0027ea50 : shell32!kfapi::CFolderCache::GetPath+0x459
0e 00000000`0027e930 000007fe`fdfc4afa : 00000000`0027ea50 00000000`00000000 00000000`00000000 00000000`00000000 : shell32!kfapi::CKFFacade::GetFolderPath+0x13e
0f 00000000`0027ea20 000007fe`fdfa3b20 : 00000000`01000000 ffffffff`ffffffff 000007fe`f8b110d0 000007fe`fdfa3adc : shell32!SHGetKnownFolderPath_Internal+0xa8
10 00000000`0027eaa0 000007fe`fdfa3c72 : 00000000`00000001 000007fe`fdf20000 ffffffff`00000000 000007fe`f8f391ff : shell32!SHGetFolderPathEx+0x2f
11 00000000`0027eaf0 000007fe`f8bcd3c7 : 00000000`00000000 00000000`00000000 00000000`0000801a 00000000`0000801a : shell32!SHGetFolderPathW+0x10b
12 00000000`0027eb60 000007fe`f8bbc50c : 00000000`000fb9d0 00000000`000000d0 00000000`0027eb88 00000000`00000005 : mscorwks!WszSHGetFolderPath+0x8f
13 00000000`0027ebd0 000007fe`f8bc00b1 : 00000000`00000000 00000000`00000000 00000000`00000104 00000000`000fb740 : mscorwks!GetUserDir+0x5c
14 00000000`0027f070 000007fe`f8c0e2d9 : 00000000`0027f340 00000000`000fb740 00000000`00000124 00000000`00000000 : mscorwks!SecurityConfig::GetVIUserDirectory+0x69
15 00000000`0027f300 000007fe`f8be3c02 : 00000000`00000000 00000000`00000031 00000000`00000248 00000000`00000000 : mscorwks!SecurityConfig::GetUserDirectory+0x6d
16 00000000`0027f5a0 000007fe`f8bb5670 : 00000000`000d5da0 00000002`00000002 00000000`00000000 00000000`00000000 : mscorwks!SecurityPolicy::InitPolicyConfig+0x15a
17 00000000`0027f610 000007fe`f9282150 : 00000000`000d5d80 00000002`00000001 000007fe`00000020 00000000`000f75a0 : mscorwks!SecurityPolicy::Start+0x1c
18 00000000`0027f650 000007fe`f8d81381 : 00000000`0000029e 000007fe`f8c64d00 00004032`68a9d200 00000000`00000024 : mscorwks!EEStartupHelper+0xb30
19 00000000`0027f7a0 000007fe`f9282c9a : 00000000`00000002 00000000`0027f910 00000000`00000000 00000000`00000000 : mscorwks!EEStartup+0x19
1a 00000000`0027f7e0 000007fe`f8be3e09 : ffffffff`fffffffe 00000000`00000000 0000bf5b`00000000 00000000`000d0560 : mscorwks!EnsureEEStarted+0x13a
1b 00000000`0027f870 000007fe`f94874e5 : 00000000`00000000 000007fe`00000091 00000000`00000000 00000000`0027f878 : mscorwks!CorExeMain+0x55
1c 00000000`0027f8d0 000007fe`f9525b21 : 00000000`00000000 000007fe`f8be3db4 00000000`00000000 00000000`00000000 : mscoreei!CorExeMain+0xe0
1d 00000000`0027f920 00000000`77a3652d : 000007fe`f9480000 00000000`00000000 00000000`00000000 00000000`00000000 : mscoree!CorExeMain_Exported+0x57
1e 00000000`0027f950 00000000`77b6c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
1f 00000000`0027f980 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

 

And here we can see the two locks producing the deadlock:

0:000> !locks

CritSec ntdll!LdrpLoaderLock+0 at 0000000077c77490
WaiterWoken No
LockCount 1
RecursionCount 1
OwningThread 119c
EntryCount 0
ContentionCount 5
*** Locked

CritSec +d9890 at 00000000000d9890
WaiterWoken No
LockCount 1
RecursionCount 1
OwningThread 6fc
EntryCount 0
ContentionCount 1
*** Locked

Scanned 290 critical sections

0:000> ~
. 0 Id: 1258.6fc Suspend: 0 Teb: 000007ff`fffde000 Unfrozen
1 Id: 1258.944 Suspend: 0 Teb: 000007ff`fffdc000 Unfrozen
2 Id: 1258.119c Suspend: 0 Teb: 000007ff`fffd9000 Unfrozen
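
The wait-for cycle in the debugger output above, checked mechanically; this is an added example, not part of the original post. The sample text is abbreviated from the post's `!locks`, `~` and `kv` output, and treating a wait-frame argument that equals a locked critical-section address as the lock being waited on is an assumption (x64 `kv` argument columns do not always hold real parameters).

```python
import re

# Abbreviated from the post's output: !locks owners, the ~ thread list,
# and the RtlpWaitOnCriticalSection frame of threads 2 and 0.
LOCKS = """\
CritSec ntdll!LdrpLoaderLock+0 at 0000000077c77490
OwningThread 119c
CritSec +d9890 at 00000000000d9890
OwningThread 6fc
"""
THREADS = """\
. 0 Id: 1258.6fc Suspend: 0 Teb: 000007ff`fffde000 Unfrozen
1 Id: 1258.944 Suspend: 0 Teb: 000007ff`fffdc000 Unfrozen
2 Id: 1258.119c Suspend: 0 Teb: 000007ff`fffd9000 Unfrozen
"""
WAIT_FRAMES = {  # debugger thread number -> its waiting frame
    2: "01 00000000`023fefe0 00000000`77b8e3db : 000007fe`00000000 00000000`000d9850 00000000`023ff348 00000000`000d9890 : ntdll!RtlpWaitOnCriticalSection+0xe8",
    0: "01 00000000`0027dae0 00000000`77b8e3db : 00000000`00000001 00000000`0027de10 00000000`00000000 00000000`77c77490 : ntdll!RtlpWaitOnCriticalSection+0xe8",
}

def parse_locks(text):
    """Map critical-section address -> (name, owning OS thread id)."""
    pat = re.compile(r"CritSec (\S+) at ([0-9a-f]+)[\s\S]*?OwningThread\s+([0-9a-f]+)")
    return {int(a, 16): (n, int(t, 16)) for n, a, t in pat.findall(text)}

def parse_threads(text):
    """Map debugger thread number -> OS thread id (hex after the dot)."""
    pat = re.compile(r"(\d+)\s+Id: [0-9a-f]+\.([0-9a-f]+)")
    return {int(n): int(t, 16) for n, t in pat.findall(text)}

def wait_for_graph(locks, threads, frames):
    """Edge: waiting thread id -> (lock name, owning thread id)."""
    graph = {}
    for num, frame in frames.items():
        for arg in frame.split(" : ")[1].split():  # the 'Args to Child' column
            addr = int(arg.replace("`", ""), 16)
            if addr in locks:
                graph[threads[num]] = locks[addr]
    return graph

def find_cycle(graph):
    """Return the thread ids that form a wait cycle, or [] if there is none."""
    for start in graph:
        path, cur = [], start
        while cur in graph and cur not in path:
            path.append(cur)
            cur = graph[cur][1]
        if cur in path:
            return path[path.index(cur):]
    return []
```

On this input `find_cycle` reports threads 119c and 6fc: each owns the critical section the other is blocked on, and 119c holds the loader lock while inside the injected DLL's initialization.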



 
I would encourage you to contact support directly and open a case so they can review in detail.

 

Webroot Support

 

 

 
