RUNDLL32 subprocesses suspended - Essential Objects, Inc. Support Forum

Welcome Guest

Search | Active Topics | Sign In | Register

Essential Objects Product Support Forum » All Products » Support » RUNDLL32 subprocesses suspended

RUNDLL32 subprocesses suspended

Options

Previous Topic · Next Topic

Wade Humeniuk

Posted: Monday, December 14, 2015 11:46:57 AM

Rank: Newbie
Groups: Member

Joined: 12/14/2015
Posts: 2

We use and deliver EO.WebBrowser (File Version 15.2.5.0) to customer. It runs pretty well everywhere, however with one customer we get this error:

Exception:
System.ArgumentException: Process with an Id of 6576 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
at System.Diagnostics.Process.GetProcessById(Int32 processId)
at EO.Internal.jg.a(String[] A_0, String A_1, String A_2, String A_3, String A_4)
at EO.Internal.aaa.a(String A_0, String A_1)
at EO.Internal.cq.a()
at EO.Internal.wh.k()

Begin_Block_1
gAAAAJOyJvHUEyCRPxjjs7qs6BER827IlJVhZz0zjnysgstMzk9z3Kapez9EXak9vyP69xIjHLob
MMw92K9uVS9+c+l7uBHatdG99/znpQ5C/sXC7+Joqnk+e75RnHtiECZyveu178kxyVUAPx7lFyI+
HRAx6Ozygl/faQYnxT20qbiOEAAAAOxvXee37rGMN0fsB0UglpFwAAAAAUW9mTTPfSsUqsDj384m
0eS9tV/kbkTYUQInaFRlN9fFFpftN1il3EQfRUp5wgV0cuQoA44oGK/b2tEsWH6eK9n3jSThDcLS
Ut/mtGMiCI9Q+1nvCegb24P3zeP4GY91dqzqT5U1dLeQEIBDAr53LQ==
End_Block_1

Begin_Block_2

Begin_Block_3
gAAAADzLRTAAsae0RzMYjEaShMQXvtbrQLe7/a51shYifna6opsa2OiKH21KbBVty5Wc1h5yr99O
vOnw+kw8mC8qi85+MhQnF/DBHVHfYAlNZko+tpugCWFo/eQNFOZXVj55ISEiE8ah6VOgCsaa7SQC
R0q1vA//q6/rUr4j/Y2rHNiQEAAAAFawaVZ1wMI/yl7Yo9Y5aETAAAAABYKqIah8/wUBKXyapL4G
APxjSfr8y/8xIMPkjL+3q1TSYZdmuvmAUpGaJ/E2i64eFJWgqNXhuYh9FAR7gOH6yeKgJqyvgER6
+P6GuiR697oKTF/VdWmz8OcPzi/wgvqmgRJOfUx5l2SJEY16lvldMj/KF/wXqeK+fx2hXTjwtOv1
C0YC1VG1mmMQrI+dpzjaqrSlqftFhhleYw9a8KV7RPJvO+6N7QmX4HvnOwoJm/judReP6RfisuQE
zRD1O3gQ
End_Block_3

They are running Win 7 Professional.

What happens is that there is one rundll32 sub-process created, but it is suspended. No other sub-processes are created.

We assume the call to GetProcessById fails as the process is suspended. Can you confirm?

The customer runs various security software, McAfee and EMET. I tried adding rundll32.exe to the EMET exclusions (so no mitigations are performed), but it has not helped.

eo_support

Posted: Monday, December 14, 2015 11:55:15 AM

Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,229

Hi,

Please download the latest build from our download page first and see if that fixes the issue for you. Security software can be an issue, but we have also fixed a number of issues on our end that can cause this problem as well. So let's see if the latest build fixes the problem first.

Thanks!

Wade Humeniuk

Posted: Monday, December 14, 2015 1:29:07 PM

Rank: Newbie
Groups: Member

Joined: 12/14/2015
Posts: 2

We are getting pretty well the same error with the latest version. However the rundll32 sub-process now exits and the parent call fails to GetProcessById.

*CAVEAT* we are running a test program instead of our full product (which produced the previous error).

We snooped into the process activity using procmon and see some other security software 'Digital Guardian Agents' https://digitalguardian.com/products/digital-guardian-agents/windows

There is also something called Tanium (which sems to be remote management software).

We did not get the custom dialog, but a generic Windows unhandled exception dialog.

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.Exception: ProcessLauncher failed:System.ArgumentException: Process with an Id of 7320 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId)
at EO.Internal.jh.a(String[] A_0, String A_1, String A_2, String A_3, String A_4)
at EO.Internal.jh.a(String A_0, Boolean A_1)
at EO.Internal.jh.a(String[] A_0, String A_1, String A_2, String A_3, String A_4)
at EO.Internal.aat.a(String A_0, String A_1)
at EO.Internal.av2.a()
at EO.WebEngine.Engine.Start()
at EO.Internal.co..ctor(WebView A_0)
at EO.WebBrowser.WebView.v()
at EO.WebBrowser.WebView.Create(IntPtr hWnd)
at EO.WebBrowser.WinForm.WebControl.a(Object A_0)

************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34209 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll

BrowserTest3
Assembly Version: 1.0.0.0
Win32 Version: 1.0.0.0
CodeBase: file:///C:/Users/Public/Documents/BrowserTest/BrowserTest3.exe

System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34251 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll

System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34270 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll

System
Assembly Version: 4.0.0.0
Win32 Version: 4.0.30319.34238 built by: FX452RTMGDR
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll

EO.WebBrowser
Assembly Version: 15.3.43.0
Win32 Version: 15.3.43.0
CodeBase: file:///C:/Users/Public/Documents/BrowserTest/EO.WebBrowser.DLL

EO.Base
Assembly Version: 15.3.43.0
Win32 Version: 15.3.43.0
CodeBase: file:///C:/Users/Public/Documents/BrowserTest/EO.Base.DLL

EO.WebEngine
Assembly Version: 15.3.43.0
Win32 Version: 15.3.43.0
CodeBase: file:///C:/Users/Public/Documents/BrowserTest/EO.WebEngine.DLL

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

eo_support

Posted: Monday, December 14, 2015 2:24:36 PM

Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,229

Hi,

Please try to disable those and see if it resolves the issue. Because we do create child process and run native code in the child process, it is possible for an Anti-Virus program to incorrectly identify this as a threat and terminate the process. Usually once a false alarm is confirmed, we would report this to the Anti-Virus vendor and they would whitelist us (usually based on our digital signature since our DLLs are signed). However it is not possible for us to test our product with all Anti-Virus products out there since there are many of them and they update frequently as well.

If none of those resolve the issue, then we can take a look of the system remotely as long as you can give us remote access. We might be able to find something additional since we have the source code. However if it is due to a false alarm from another Anti-Virus product, the only way to make the program run is to temporarily disable it until they update their software.

The problem should not have anything to do with whether you are using a test program or the final release of your product.

Thanks!

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Message