UEV causes explorer.exe crash

  • Question

  • Windows 1703

    UEV enabled; settings stored in homedir; sync provider = None

    When using Explorer to connect to an SMB server using alternate credentials, explorer.exe will crash.

    Microsoft (R) Windows Debugger Version 10.0.15063.468 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\dumps\explorer.exe.3976.dmp]
    User Mini Dump File with Full Memory: Only application data is available

    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*c:\MyServerSymbols*http://msdl.microsoft.com/download/symbols
    Symbol search path is: srv*c:\MyServerSymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 10 Version 15063 MP (2 procs) Free x64
    Product: WinNt, suite: SingleUserTS
    15063.0.amd64fre.rs2_release.170317-1834
    Machine Name:
    Debug session time: Sat Sep  2 11:23:43.000 2017 (UTC - 4:00)
    System Uptime: 0 days 0:02:13.823
    Process Uptime: 0 days 0:00:43.000
    ................................................................
    ................................................................
    ................................................................
    ........................................
    Loading unloaded module list
    .................
    This dump file has an exception of interest stored in it.
    The stored exception information can be accessed via .ecxr.
    (f88.290): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
    Windows_UI_XamlHost!wil::details::ReportFailure+0xe5:
    00007ffa`6a561cd9 cd29            int     29h
    0:072> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    *** WARNING: Unable to verify checksum for explorer.exe
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for sppc.dll -
    GetUrlPageData2 (WinHttp) failed: 12002.

    DUMP_CLASS: 2

    DUMP_QUALIFIER: 400

    CONTEXT:  (.ecxr)
    rax=0000000000000000 rbx=0000000080000000 rcx=0000000000000007
    rdx=0000000000000041 rsi=0000000000000000 rdi=0000000000000003
    rip=00007ffa6a561cd9 rsp=000000000922e440 rbp=000000000922fad9
     r8=0000000000000006  r9=0000000000000290 r10=00007ffa6a585000
    r11=000000000922e320 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=00000000091af860
    iopl=0         nv up ei pl zr na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    Windows_UI_XamlHost!wil::details::ReportFailure+0xe5:
    00007ffa`6a561cd9 cd29            int     29h
    Resetting default scope

    FAULTING_IP:
    Windows_UI_XamlHost!wil::details::ReportFailure+e5
    00007ffa`6a561cd9 cd29            int     29h

    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 00007ffa6a561cd9 (Windows_UI_XamlHost!wil::details::ReportFailure+0x00000000000000e5)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 0000000000000007
    Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT

    PROCESS_NAME:  explorer.exe

    ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

    EXCEPTION_CODE_STR:  c0000409

    EXCEPTION_PARAMETER1:  0000000000000007

    WATSON_BKT_PROCSTAMP:  951324bb

    WATSON_BKT_PROCVER:  10.0.15063.447

    PROCESS_VER_PRODUCT:  Microsoft® Windows® Operating System

    WATSON_BKT_MODULE:  Windows.UI.XamlHost.dll

    WATSON_BKT_MODSTAMP:  ec5ab091

    WATSON_BKT_MODOFFSET:  1cd9

    WATSON_BKT_MODVER:  10.0.15063.0

    MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System

    BUILD_VERSION_STRING:  10.0.15063.296 (WinBuild.160101.0800)

    MODLIST_WITH_TSCHKSUM_HASH:  7bd71ff62fd3c2612d70251ecaa5c134e7642ad6

    MODLIST_SHA1_HASH:  6dd882e9114ea09215226af201ec52e2ca319c38

    NTGLOBALFLAG:  0

    APPLICATION_VERIFIER_FLAGS:  0

    PRODUCT_TYPE:  1

    SUITE_MASK:  272

    DUMP_FLAGS:  8000c07

    DUMP_TYPE:  3

    ANALYSIS_SESSION_HOST:  ITS-CIS-10-1607

    ANALYSIS_SESSION_TIME:  09-02-2017 11:38:36.0936

    ANALYSIS_VERSION: 10.0.15063.468 amd64fre

    THREAD_ATTRIBUTES: OS_LOCALE:  ENU

    PROBLEM_CLASSES:

        ID:     [0n262]
        Type:   [FAIL_FAST]
        Class:  Primary
        Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
                BUCKET_ID
        Name:   Add
        Data:   Omit
        PID:    [Unspecified]
        TID:    [Unspecified]
        Frame:  [0]

        ID:     [0n253]
        Type:   [FATAL_APP_EXIT]
        Class:  Addendum
        Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
                BUCKET_ID
        Name:   Add
        Data:   Omit
        PID:    [Unspecified]
        TID:    [Unspecified]
        Frame:  [0]

    BUGCHECK_STR:  FAIL_FAST_FATAL_APP_EXIT

    DEFAULT_BUCKET_ID:  FAIL_FAST_FATAL_APP_EXIT

    PRIMARY_PROBLEM_CLASS:  FAIL_FAST

    LAST_CONTROL_TRANSFER:  from 00007ffa6a561d31 to 00007ffa6a561cd9

    STACK_TEXT:
    00000000`0922e440 00007ffa`6a561d31 : 00000000`00000001 00000000`8000000e 00000551`d4778d43 00000000`00000000 : Windows_UI_XamlHost!wil::details::ReportFailure+0xe5
    00000000`0922f980 00007ffa`6a5785a0 : 00000000`00000001 00000000`8000000e 00000000`02385ba0 00007ffa`6a571c06 : Windows_UI_XamlHost!wil::details::ReportFailure_Hr+0x39
    00000000`0922f9e0 00007ffa`6a578251 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Windows_UI_XamlHost!wil::details::in1diag3::_FailFast_Hr+0x34
    00000000`0922fa30 00007ffa`9756c99d : 00000000`8000000e 00000000`00000f88 00000000`00000000 00000000`00000000 : Windows_UI_XamlHost!ASTAThreadHost::s_ASTAThreadHostStartThreadProc+0x121
    00000000`0922fa60 00007ffa`97752774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SHCore!_WrapperThreadProc+0x19d
    00000000`0922fb40 00007ffa`99ff0d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
    00000000`0922fb70 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

    THREAD_SHA1_HASH_MOD_FUNC:  2a47db9cb9ac0cabdf97e66ee6db588a9c19686c

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  cd19e4853e27fe24612fdea921fe842d4035cb43

    THREAD_SHA1_HASH_MOD:  5f67ea9f7f4a395445ed97f4ff9e06ce24497833

    FOLLOWUP_IP:
    Windows_UI_XamlHost!wil::details::ReportFailure+e5
    00007ffa`6a561cd9 cd29            int     29h

    FAULT_INSTR_CODE:  8b4829cd

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  Windows_UI_XamlHost!wil::details::ReportFailure+e5

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Windows_UI_XamlHost

    IMAGE_NAME:  Windows.UI.XamlHost.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    STACK_COMMAND:  .ecxr ; kb

    BUCKET_ID:  FAIL_FAST_FATAL_APP_EXIT_Windows_UI_XamlHost!wil::details::ReportFailure+e5

    FAILURE_EXCEPTION_CODE:  c0000409

    FAILURE_IMAGE_NAME:  Windows.UI.XamlHost.dll

    BUCKET_ID_IMAGE_STR:  Windows.UI.XamlHost.dll

    FAILURE_MODULE_NAME:  Windows_UI_XamlHost

    BUCKET_ID_MODULE_STR:  Windows_UI_XamlHost

    FAILURE_FUNCTION_NAME:  wil::details::ReportFailure

    BUCKET_ID_FUNCTION_STR:  wil::details::ReportFailure

    BUCKET_ID_OFFSET:  e5

    BUCKET_ID_MODTIMEDATESTAMP:  0

    BUCKET_ID_MODCHECKSUM:  328ef

    BUCKET_ID_MODVER_STR:  10.0.15063.0

    BUCKET_ID_PREFIX_STR:  FAIL_FAST_FATAL_APP_EXIT_

    FAILURE_PROBLEM_CLASS:  FAIL_FAST

    FAILURE_SYMBOL_NAME:  Windows.UI.XamlHost.dll!wil::details::ReportFailure

    FAILURE_BUCKET_ID:  FAIL_FAST_FATAL_APP_EXIT_c0000409_Windows.UI.XamlHost.dll!wil::details::ReportFailure

    WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/explorer.exe/10.0.15063.447/951324bb/Windows.UI.XamlHost.dll/10.0.15063.0/ec5ab091/c0000409/00001cd9.htm?Retriage=1

    TARGET_TIME:  2017-09-02T15:23:43.000Z

    OSBUILD:  15063

    OSSERVICEPACK:  296

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 10

    OSEDITION:  Windows 10 WinNt SingleUserTS

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  unknown_date

    BUILDDATESTAMP_STR:  160101.0800

    BUILDLAB_STR:  WinBuild

    BUILDOSVER_STR:  10.0.15063.296

    ANALYSIS_SESSION_ELAPSED_TIME:  e8a7

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:fail_fast_fatal_app_exit_c0000409_windows.ui.xamlhost.dll!wil::details::reportfailure

    FAILURE_ID_HASH:  {bd48905c-70ac-e0f3-855d-4f88261bf6c3}

    Followup:     MachineOwner
    ---------

      

    Saturday, September 2, 2017 4:19 PM
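
    For triaging the dump above, as an added example that is not part of the original post: NTSTATUS c0000409 is raised by every `int 29h` fast-fail, so the generic "overrun of a stack-based buffer" text only means something once the subcode (EXCEPTION_PARAMETER1) is read. The Python sketch below does that over `!analyze -v` text; the verdict labels and the MEMORY_SAFETY grouping are assumptions of this example, and GS_DUMP is a constructed contrast case.

```python
import re

# Subset of the FAST_FAIL_* subcodes defined in winnt.h; the subcode is
# what !analyze -v prints as EXCEPTION_PARAMETER1 for c0000409.
FAST_FAIL = {
    0x0: "LEGACY_GS_VIOLATION", 0x1: "VTGUARD_CHECK_FAILURE",
    0x2: "STACK_COOKIE_CHECK_FAILURE", 0x3: "CORRUPT_LIST_ENTRY",
    0x5: "INVALID_ARG", 0x7: "FATAL_APP_EXIT",
    0x8: "RANGE_CHECK_FAILURE", 0xA: "GUARD_ICALL_CHECK_FAILURE",
}
# Assumed grouping: subcodes raised by memory-safety checks (/GS, list links, CFG).
MEMORY_SAFETY = {0x0, 0x1, 0x2, 0x3, 0x8, 0xA}

FIELD = re.compile(r"^[ \t]*([A-Z][A-Z0-9_]*):[ \t]+(\S.*?)[ \t]*$", re.M)

# Fields copied from the dump in the question above.
PAGE_DUMP = """
EXCEPTION_CODE_STR:  c0000409
EXCEPTION_PARAMETER1:  0000000000000007
FAILURE_IMAGE_NAME:  Windows.UI.XamlHost.dll
FAILURE_FUNCTION_NAME:  wil::details::ReportFailure
"""
# Constructed contrast case (not from the page): a /GS cookie failure.
GS_DUMP = PAGE_DUMP.replace("0000000000000007", "0000000000000002")

def triage(analyze_text):
    """Classify a c0000409 crash from !analyze -v text by its fast-fail subcode."""
    fields = {}
    for key, value in FIELD.findall(analyze_text):
        fields.setdefault(key, value)            # first occurrence wins
    out = {"where": "%s!%s" % (fields.get("FAILURE_IMAGE_NAME", "?"),
                               fields.get("FAILURE_FUNCTION_NAME", "?"))}
    if int(fields.get("EXCEPTION_CODE_STR", "0"), 16) != 0xC0000409:
        return dict(out, subcode=None, verdict="not-fast-fail")
    if "EXCEPTION_PARAMETER1" not in fields:
        return dict(out, subcode=None, verdict="unknown-subcode")
    sub = int(fields["EXCEPTION_PARAMETER1"], 16)
    out["subcode"] = FAST_FAIL.get(sub, "UNLISTED_0x%x" % sub)
    if sub in MEMORY_SAFETY:
        out["verdict"] = "memory-safety-check"   # treat as possible corruption
    elif sub == 0x7:
        out["verdict"] = "deliberate-abort"      # the code chose to terminate
    else:
        out["verdict"] = "other-fast-fail"
    return out

if __name__ == "__main__":
    for name, text in (("page", PAGE_DUMP), ("constructed", GS_DUMP)):
        print(name, triage(text))
```

    For the dump in the question the result is a deliberate abort raised in Windows.UI.XamlHost.dll, not a stack-cookie failure.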

All replies

  • Confirmed bug from Microsoft. They will release fix in October patch. 
    Wednesday, September 13, 2017 1:25 PM
  • Just curious, is that documented anywhere?

    THX!

    Wednesday, September 13, 2017 7:57 PM
  • We have a similar problem with UEV causing Explorer to crash when running as a different user. Is this bug documented anywhere?

    Thursday, September 14, 2017 10:19 AM
  • Hi,

    found a solution:

    Create a new policy with the new ADMX files. Don't use the old one for enabling UE-V. The registry key is different in 1703. You may use a WMI filter if you have 1607 and 1703 clients.

    Delete the key under "HKLM\Software\Microsoft\UEV" and then reboot the machine. 

    Monday, October 9, 2017 2:18 PM
  • You are correct that they changed the GPO setting that enables UEV. However, the issue was reproducible on a clean non-domain-joined PC having had the two GPO settings that are referenced at the top of the post configured via local gpedit.msc. That rules out 1607 ADMX files as being a part of the equation.
    Monday, October 9, 2017 8:14 PM
  • This is fixed by installing October hotfixes. I just tried it out and after reboot I could run as different users and access SMB shares with different credentials without Explorer crashing.
    Wednesday, October 11, 2017 12:30 PM