Process Explorer 16.26 (wrap 64bit driver error)

  • Question

  • On a 32-bit system, it will still release the 64-bit driver and load it. This is an obvious mistake.
    • Edited by iiqone Tuesday, August 27, 2019 11:06 AM
    Tuesday, August 27, 2019 11:05 AM

All replies

  • On what OS? Do you have a Procmon log to show the problem?

    How can a 64 bit driver be loaded in a 32 bit environment?

    I just tried on a Windows 2003 server 32 bit and it loads correctly.

    Thanks!

    -mario


    • Edited by mariora_ Tuesday, August 27, 2019 11:48 AM
    Tuesday, August 27, 2019 11:46 AM
  • This is how the driver gets loaded in Windows 2003..

    It is extracted in c:\windows\system32\drivers and once loaded in memory it gets deleted from disk.

    HTH
    -mario

    Tuesday, August 27, 2019 12:13 PM
  • Thank you for your reply
    On Windows 10 32-bit systems
    1. Kill its delete file operation
    2. Monitor it with procmon and wait for it to release the driver file
    3. It releases a 64-bit driver file, see exeinfo pe
    4. It is obvious that Windows 10 (csrss.exe) has PPL and it cannot open it successfully, but it can do it with the procexp16.22 version.

    screen snapshot:

    https://mega.nz/#!TWAUlSyY!qL7S6lsPmdCh1Wjn5DSFEh9QuVoyORxUJGX9Fi_tCNk


    • Edited by iiqone Wednesday, August 28, 2019 6:06 AM
    Wednesday, August 28, 2019 2:57 AM
  • Please see my reply to mariora_, thank you!
    Wednesday, August 28, 2019 2:58 AM
  • Really strange.. 

    I've opened with Visual Studio the file named Procxp.exe which is 2761KB in size and should be the 32 bit version..

    When I open it as binary, I can see two more BIN resources in it

    If you export them both, you will see the first is 41KB and is procexp.sys, so it should be the 32 bit driver.
    The other file is procexp64.exe..

    So I wonder how it could extract the 64 bit version as it doesn't exist as a resource in the binary.. to do that it should save the 64 bit version and extract the file from there .. unless they are the same file..

    and in fact it looks like they are the same file..

    I wonder now how it worked on Windows 2003.. but probably the driver was not so useful back then..

    I'll try to repro on Windows 10 32 bit too..

    @MarkC, probably this is another thing to have a look at.

    Thanks!
    -mario

    Wednesday, August 28, 2019 8:46 AM
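
The check described in the post above (export the embedded images and compare their architecture with the host executable) can be scripted. The following is an added example, not part of the original thread and not Sysinternals code: it assumes the embedded images are stored uncompressed inside the executable, and `fake_pe` only builds constructed sample headers so the script runs without a real binary.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}  # IMAGE_FILE_MACHINE_*
NATIVE = 1  # IMAGE_SUBSYSTEM_NATIVE, the subsystem of kernel-mode drivers

def parse_pe(data, off=0):
    """Return (arch, is_driver, size) for a PE image at off, or None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or pe + 94 > len(data):
        return None
    machine, nsec = struct.unpack_from("<HH", data, pe + 4)
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    subsystem = struct.unpack_from("<H", data, pe + 24 + 68)[0]
    table = pe + 24 + opt_size
    if table + 40 * nsec > len(data):
        return None
    size = table + 40 * nsec - off  # headers, then extend to last raw section
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        size = max(size, raw_ptr + raw_size)
    return MACHINES.get(machine, hex(machine)), subsystem == NATIVE, size

def embedded_drivers(data):
    """(offset, arch) of driver images stored directly inside the host image."""
    found, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        info = parse_pe(data, pos)
        if info and info[1]:
            found.append((pos, info[0]))
        # Skip over a parsed image so drivers nested in it are not counted.
        pos = data.find(b"MZ", pos + (info[2] if info else 1))
    return found

def wrong_arch_drivers(data):
    """Embedded drivers whose architecture differs from the host executable's."""
    host = parse_pe(data)
    if host is None:
        raise ValueError("not a PE image")
    return [(off, arch) for off, arch in embedded_drivers(data) if arch != host[0]]

def fake_pe(machine, subsystem, payload=b""):
    """Constructed sample: bare PE headers plus one section holding payload."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 240, 0)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 68, subsystem)
    sect = struct.pack("<8sIIII16x", b".rsrc", 0, 0, len(payload), 368)
    return dos + coff + bytes(opt) + sect + payload
```

On a real file, pass the bytes of the executable to `wrong_arch_drivers`; an empty list means every directly embedded driver matches the host's architecture. The 64-bit executable embedded in the 32-bit build is skipped as a whole, so its own 64-bit driver is not reported.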
  • Yes, can confirm the problem..

    on a 32 bit Process Explorer the driver contained is the 64 bit version..

    MarkC can you please fix it??

    Thanks!
    -mario

    Wednesday, August 28, 2019 10:09 AM
  • So how do I report this to the developers of Sysinternals?
    Wednesday, August 28, 2019 11:11 AM
  • A report here is enough.. Mark Cook, a Microsoft developer, monitors the forum and does the fixes together with Mark Russinovich..

    Probably he is on holiday these days, but will be back soon.. so no need to do anything else..

    Thanks!
    -mario

    Wednesday, August 28, 2019 11:31 AM
  • thank you!
    Friday, August 30, 2019 10:23 AM
  • Hello

    Many thanks for bringing this to our attention. As part of our ongoing port to ARM64 we recently went through a major overhaul of our build pipelines and the issue you identified was a regression caused during this migration.

    I have resolved the issue and we will be publishing a new version of Process Explorer today or tomorrow.

    Regards

    MarkC (MSFT)

    • Marked as answer by iiqone Saturday, September 7, 2019 5:05 AM
    Thursday, September 5, 2019 8:44 AM
  • This should now be available in 16.30 which I published yesterday. Please let me know if you experience any further difficulties.

    MarkC (MSFT)

    Friday, September 6, 2019 9:50 AM
  • Looks ok now..

    Thanks
    -mario

    • Marked as answer by iiqone Saturday, September 7, 2019 5:05 AM
    Friday, September 6, 2019 10:31 AM