Access violation Remote Registry

-

discovered yesterday if rrs has been used access performance counters encounters access violation when service restarted. causes hosting process go away taking other services hosted in process. work around put remote registry in own process. av still occurs of course no other services affected. have dump. windows 2012 r2 patched. if attach windbg process hosting service , net stop remote registry happens.

0:007> !analyze -v
*******************************************************************************
*                                                                             *
*                        exception analysis                                   *
*                                                                             *
*******************************************************************************


faulting_ip: 
regsvc!unloaded+334c
00007ffa`7910334c ??              ???

exception_record:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
exceptionaddress: 00007ffa7910334c (<unloaded_regsvc.dll>+0x000000000000334c)
   exceptioncode: c0000005 (access violation)
  exceptionflags: 00000000
numberparameters: 2
   parameter[0]: 0000000000000008
   parameter[1]: 00007ffa7910334c
attempt execute non-executable address 00007ffa7910334c

context:  0000000000000000 -- (.cxr 0x0;r)
rax=0000000000000001 rbx=000000e600009ad0 rcx=000000e67e64fab0
rdx=0000000000000064 rsi=000000e600009b30 rdi=000000e60088f702
rip=00007ffa7910334c rsp=000000e60088f650 rbp=00000000000001e0
 r8=000000e67e550d80  r9=0000000000008000 r10=0000000000000000
r11=0000000000000286 r12=00007ffa7910a250 r13=0000000000000000
r14=0000000000000001 r15=0000000000000001
iopl=0         nv ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
<unloaded_regsvc.dll>+0x334c:
00007ffa`7910334c ??              ???

faulting_thread:  00000000000005a8

default_bucket_id:  bad_instruction_ptr

process_name:  svchost.exe

error_code: (ntstatus) 0xc0000005 - instruction @ 0x%08lx referenced memory @ 0x%08lx. memory not %s.

exception_code: (ntstatus) 0xc0000005 - instruction @ 0x%08lx referenced memory @ 0x%08lx. memory not %s.

exception_parameter1:  0000000000000008

exception_parameter2:  00007ffa7910334c

write_address:  00007ffa7910334c 

followup_ip: 
ntdll!tppworkerthread+0
00007ffa`7e7d45e0 48895c2410      mov     qword ptr [rsp+10h],rbx

failed_instruction_address: 
regsvc!unloaded+334c
00007ffa`7910334c ??              ???

ntglobalflag:  0

application_verifier_flags:  0

app:  svchost.exe

analysis_version: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

ip_module_unloaded: 
regsvc!unloaded+334c
00007ffa`7910334c ??              ???

additional_debug_text:  followup set based on attribute [threadstartaddress] frame:[0] on thread:[5a8] ; followup set based on attribute [is_chosencrashfollowupthread] frame:[0] on thread:[pseudo_thread]

last_control_transfer:  from 000000e600009ad0 00007ffa7910334c

primary_problem_class:  bad_instruction_ptr

bugcheck_str:  application_fault_bad_instruction_ptr_software_nx_fault

ip_on_heap:  000000e600009ad0
fault address in not in loaded module, please check build's rebase
log @ <releasedir>\bin\build_logs\timebuild\ntrebase.log module may
contain address if loaded.

frame_one_invalid: 1

stack_text:  
00000000`00000000 00000000`00000000 ntdll!tppworkerthread+0x0


stack_command:  .ecxr ; ~~[5a8] ; .frame 0 ; ** pseudo context ** ; kb

symbol_stack_index:  0

symbol_name:  ntdll!tppworkerthread+0

followup_name:  machineowner

module_name: ntdll

image_name:  ntdll.dll

debug_flr_image_timestamp:  54c850f5

failure_bucket_id:  bad_instruction_ptr_c0000005_ntdll.dll!tppworkerthread

bucket_id:  application_fault_bad_instruction_ptr_software_nx_fault_unloaded_ip_ntdll!tppworkerthread+0

analysis_source:  um

failure_id_hash_string:  um:bad_instruction_ptr_c0000005_ntdll.dll!tppworkerthread

failure_id_hash:  {40e57a58-d46a-509d-31f9-88d2af62e4c8}

followup: machineowner
---------



Windows Server  >  Windows Server 2012 General



Comments

Post a Comment

Popular posts from this blog

WIMMount (HSM) causing cluster storage to go redirected (2012r2 DC)

-
looking options resolve error , prevent in future. thanks help. hardware: 2 node dell hv cluster running2012r2 dc 8 nic/ea in multiplex mode 4x hyper-v 4x hosts storage: 2x synology nas, accessed through iscsi hosts , cluster relevant logs: log name:      microsoft-windows-failoverclustering/diagnostic source:        microsoft-windows-failoverclustering date:          event id:      2050 task category: none level:         warning keywords:       user:          system computer:      l description: [dcm] filter wimmount found @ unsafe altitude 180700 log name:      system source:        microsoft-windows-failoverclustering date:         event id:      5125 task category: cluster shared volume level:         warning keywords:       user:          system computer: description: cluster shared volume 'volume1' ('cluster disk 1') has identified 1 or more active filter drivers on device stack interfere csv operatio
Read more

Failed to delete the test record dcdiag-test-record in zone test.com

-
ps c:\users\administrator.test> dcdiag /test:dns directory server diagnosis performing initial setup:    trying find home server...    home server = dc02    * identified ad forest.    done gathering initial info. doing initial required tests    testing server: default-first-site-name\dc02       starting test: connectivity          ......................... dc02 passed test connectivity doing primary tests    testing server: default-first-site-name\dc02       starting test: dns          dns tests running , not hung. please wait few minutes...          ......................... dc02 passed test dns    running partition tests on : forestdnszones    running partition tests on : domaindnszones    running partition tests on : schema    running partition tests on : configuration    running partition tests on : test    running enterprise tests on : test.com       starting test: dns          test results domain
Read more

Azure MFA with Azure AD and RDS

-
i have setup following lab in azure , need help. a server (domain controller) , remote desktop services. and server multi factor authentication server. i have setup following one http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/ and when im connecting got following error. the user "domain\username", on client computer "xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements , therefore not authorized access rd gateway server. authentication method used was: "ntlm" , connection protocol used: "rpc-http". following error occurred: "23003". also on security log i've got following authentication details: connection request policy name: ts gateway authorization policy network policy name: - authentication provider: radius proxy authentication server: test.test.local authentication type: - eap t
Read more