
crash (offer dmp file) #2353

Closed
MrWrong77 opened this issue Jan 2, 2025 · 10 comments

Comments

@MrWrong77

MrWrong77 commented Jan 2, 2025

SystemInformer_DumpFile_SRVRIQPDTNCYTPF.dmp


@ge0rdi
Contributor

ge0rdi commented Jan 2, 2025

The version of system informer you're running

lm vm systeminformer shows the version was 3.1.24298.0, which seems to be the latest stable release.

Here is the stack trace of the crash:

 # Child-SP          RetAddr               Call Site
00 000000dd`c06ff190 00007ff7`b7695745     SystemInformer!PhGetServiceConfigFileName+0x40 [phlib\svcsup.c @ 1210] 
01 000000dd`c06ff200 00007ff7`b769628a     SystemInformer!PhUpdateServiceItemConfig+0xc5 [SystemInformer\srvprv.c @ 654] 
02 000000dd`c06ff2a0 00007ff7`b77413b1     SystemInformer!PhServiceProviderUpdate+0x88a [SystemInformer\srvprv.c @ 871] 
03 000000dd`c06ff4e0 00007ff7`b76d91d5     SystemInformer!PhpProviderThreadStart+0x251 [phlib\provider.c @ 183] 
04 000000dd`c06ff760 00007ffc`4979257d     SystemInformer!PhpBaseThreadStart+0x75 [phlib\basesup.c @ 187] 
05 000000dd`c06ff7a0 00007ffc`4b82aa58     kernel32!BaseThreadInitThunk+0x1d
06 000000dd`c06ff7d0 00000000`00000000     ntdll!RtlUserThreadStart+0x28

The ServicePathName parameter passed to PhGetServiceConfigFileName is NULL.
The parameter is mandatory, so the caller is responsible for supplying a valid string pointer.

Most likely PhGetServiceConfig didn't return a proper service config structure (unfortunately the structure is not present in the mini-dump).

@jxy-s
Member

jxy-s commented Jan 2, 2025

@MrWrong77 it seems possible that something on your system is interfering with System Informer. I don't see how it is possible for the query to succeed and not return a binary path. Even in the case where there is no binary path defined for a service item, the API does not return null. Instead it returns a pointer to an empty string.

@jxy-s
Member

jxy-s commented Jan 2, 2025

You could try switching to the Canary build of System Informer. But I don't see any meaningful changes to that code path. So I expect you might find that the same problem exists there.

@MrWrong77
Author

MrWrong77 commented Jan 3, 2025

I can generate the full dmp file, but GitHub doesn't allow me to upload a large file. Can you offer a way for me to send the file to you? @jxy-s

@jxy-s
Member

jxy-s commented Jan 3, 2025

You can email it to me. I am not sure if it is going to yield more insights, but if you do email it to me, I'll see if I can find anything.

@MrWrong77
Author

thanks, check your email please

@jxy-s
Member

jxy-s commented Jan 3, 2025

Thanks for sending the complete dump file.

The queried service information pertains to "UniEDRPolicy," which appears to be an Endpoint Detection and Response (EDR) program. It seems likely that this EDR product is zeroing out the result of the service query while still returning a success code for the operation.

From a Google search:

UniEDR is a pluggable module of Leagsoft EPP management and control platform to achieve complementary security capabilities based on unified management platform

Below is the service item information and the _QUERY_SERVICE_CONFIGW buffer:

0:005> dx -r1 ((SystemInformer!_PH_SERVICE_ITEM *)0x1461d8fd2d0)
((SystemInformer!_PH_SERVICE_ITEM *)0x1461d8fd2d0)                 : 0x1461d8fd2d0 [Type: _PH_SERVICE_ITEM *]
    [+0x000] Key              : "UniEDRPolicy" [Type: _PH_STRINGREF]
    [+0x010] Name             : 0x1461dffb130 : "UniEDRPolicy" [Type: _PH_STRING *]
    [+0x018] DisplayName      : 0x1461dffb6d0 : "UniEDRPolicy" [Type: _PH_STRING *]
    [+0x020] FileName         : 0x0 [Type: _PH_STRING *]
    [+0x028] IconEntry        : 0x0 [Type: _PH_IMAGELIST_ITEM *]
    [+0x030] JustProcessed    : 0 [Type: long]
    [+0x034] Type             : 0x10 [Type: unsigned long]
    [+0x038] State            : 0x1 [Type: unsigned long]
    [+0x03c] ControlsAccepted : 0x0 [Type: unsigned long]
    [+0x040] Flags            : 0x0 [Type: unsigned long]
    [+0x048] ProcessId        : 0x0 [Type: void *]
    [+0x050] StartType        : 0x0 [Type: unsigned long]
    [+0x054] ErrorControl     : 0x0 [Type: unsigned long]
    [+0x058] Win32ExitCode    : 0x435 [Type: unsigned long]
    [+0x05c] ServiceSpecificExitCode : 0x0 [Type: unsigned long]
    [+0x060] VerifyResult     : VrUnknown (0) [Type: _VERIFY_RESULT]
    [+0x068] VerifySignerName : 0x0 [Type: _PH_STRING *]
    [+0x070] ProcessIdString  : "" [Type: wchar_t [13]]
    [+0x08a] BitFlags         : 0x0 [Type: unsigned char]
    [+0x08a ( 0: 0)] DelayedStart     : 0x0 [Type: unsigned char]
    [+0x08a ( 1: 1)] HasTriggers      : 0x0 [Type: unsigned char]
    [+0x08a ( 2: 2)] PendingProcess   : 0x0 [Type: unsigned char]
    [+0x08a ( 3: 3)] NeedsConfigUpdate : 0x0 [Type: unsigned char]
    [+0x08a ( 7: 4)] Spare            : 0x0 [Type: unsigned char]
    [+0x090] NotifyPropertyRegistration : 0x0 [Type: _SC_NOTIFICATION_REGISTRATION *]
    [+0x098] NotifyStatusRegistration : 0x0 [Type: _SC_NOTIFICATION_REGISTRATION *]
    [+0x0a0] NotifyFlags      : 0x0 [Type: unsigned char]
    [+0x0a0 ( 0: 0)] NotifyCreatedPropertyRegistration : 0x0 [Type: unsigned char]
    [+0x0a0 ( 1: 1)] NotifyCreatedStatusRegistration : 0x0 [Type: unsigned char]
    [+0x0a0 ( 7: 2)] NotifySpare      : 0x0 [Type: unsigned char]
0:005> dx -r1 ((SystemInformer!_QUERY_SERVICE_CONFIGW *)0x14619222df0)
((SystemInformer!_QUERY_SERVICE_CONFIGW *)0x14619222df0)                 : 0x14619222df0 [Type: _QUERY_SERVICE_CONFIGW *]
    [+0x000] dwServiceType    : 0x0 [Type: unsigned long]
    [+0x004] dwStartType      : 0x0 [Type: unsigned long]
    [+0x008] dwErrorControl   : 0x0 [Type: unsigned long]
    [+0x010] lpBinaryPathName : 0x0 [Type: wchar_t *]
    [+0x018] lpLoadOrderGroup : 0x0 [Type: wchar_t *]
    [+0x020] dwTagId          : 0x0 [Type: unsigned long]
    [+0x028] lpDependencies   : 0x0 [Type: wchar_t *]
    [+0x030] lpServiceStartName : 0x0 [Type: wchar_t *]
    [+0x038] lpDisplayName    : 0x0 [Type: wchar_t *]

Additionally, there are hooks placed on System Informer by "MozartBreathCore":

0:005> u ntdll!NtCreateFile
ntdll!NtCreateFile:
00007ffc`4b86fe00 e97303febf      jmp     00007ffc`0b850178
00007ffc`4b86fe05 cc              int     3
00007ffc`4b86fe06 cc              int     3
00007ffc`4b86fe07 cc              int     3
00007ffc`4b86fe08 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ffc`4b86fe10 7503            jne     ntdll!NtCreateFile+0x15 (00007ffc`4b86fe15)
00007ffc`4b86fe12 0f05            syscall
00007ffc`4b86fe14 c3              ret
0:005> u 00007ffc`0b850178
00007ffc`0b850178 ff25f2ffffff    jmp     qword ptr [00007ffc`0b850170]
00007ffc`0b85017e cc              int     3
00007ffc`0b85017f cc              int     3
00007ffc`0b850180 4053            push    rbx
00007ffc`0b850182 4883ec20        sub     rsp,20h
00007ffc`0b850186 ff253c000000    jmp     qword ptr [00007ffc`0b8501c8]
00007ffc`0b85018c cc              int     3
00007ffc`0b85018d cc              int     3
0:005> dqs 00007ffc`0b850170 L1
00007ffc`0b850170  00007ffc`1693fe40 MozartBreathCore!MBCProcessCallback::create_proc+0x9500

The third-party software involved is violating reasonable API contracts and expectations of the QueryServiceConfig API. I recommend reporting this issue to the third-party vendor or uninstalling their software.

There is no justification to modify System Informer code to account for such a blatant disregard for expected API behavior by a third-party program.
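
The API contract jxy-s describes (on success, lpBinaryPathName points at a string, possibly empty, never NULL) and the zeroed buffer from the dump, as an added example that is not part of this thread or of System Informer's code: the struct is a stand-alone mirror of the field offsets shown in the dx output (assuming 64-bit pointers), and service_config_check is a hypothetical consumer-side validation written to illustrate the contract, not a proposed change to System Informer.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

/* Stand-alone mirror of QUERY_SERVICE_CONFIGW at the offsets the dx output
 * shows (dwServiceType +0x000 ... lpDisplayName +0x038). Not the SDK header. */
typedef struct {
    uint32_t       dwServiceType;      /* +0x000 */
    uint32_t       dwStartType;        /* +0x004 */
    uint32_t       dwErrorControl;     /* +0x008 */
    const wchar_t *lpBinaryPathName;   /* +0x010 */
    const wchar_t *lpLoadOrderGroup;   /* +0x018 */
    uint32_t       dwTagId;            /* +0x020 */
    const wchar_t *lpDependencies;     /* +0x028 */
    const wchar_t *lpServiceStartName; /* +0x030 */
    const wchar_t *lpDisplayName;      /* +0x038 */
} service_config_t;

/* Layout check against the offsets seen in the dump. */
_Static_assert(offsetof(service_config_t, lpBinaryPathName) == 0x10, "layout");
_Static_assert(offsetof(service_config_t, lpDisplayName) == 0x38, "layout");

enum { CONFIG_OK = 0, CONFIG_NULL_POINTER = 1 };

/* Contract: after a successful query every string member is a valid pointer
 * (an empty string when unset), never NULL. A buffer zeroed behind the API's
 * back, as in the dump, fails this check instead of faulting downstream. */
int service_config_check(const service_config_t *cfg)
{
    if (cfg == NULL || cfg->lpBinaryPathName == NULL ||
        cfg->lpLoadOrderGroup == NULL || cfg->lpDependencies == NULL ||
        cfg->lpServiceStartName == NULL || cfg->lpDisplayName == NULL)
        return CONFIG_NULL_POINTER;
    return CONFIG_OK;
}

/* Length of the image path a consumer would go on to parse; -1 when the
 * buffer violates the contract (the NULL that crashed the provider thread). */
long service_config_path_length(const service_config_t *cfg)
{
    if (service_config_check(cfg) != CONFIG_OK)
        return -1;
    return (long)wcslen(cfg->lpBinaryPathName);
}

/* Constructed inputs: the all-zero buffer from the dump, and a well-formed
 * one (0x10 = own process, 0x2 = auto start, 0x1 = normal error control). */
static const service_config_t zeroed_config; /* every field 0x0 */
static const service_config_t good_config = {
    0x10, 0x2, 0x1, L"C:\\example\\svc.exe", L"", 0, L"", L"LocalSystem", L"Example"
};
```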

@MrWrong77
Author

Thank you very much for your help. I think I figured out the cause. A few days ago, the company's computer silently installed this security monitoring software and service, which led to the issue. You were right, this is unrelated to System Informer. I will try to report this to get the issue resolved.

@MrWrong77
Author

solved
