Application crash in RPCRT4.dll

Hi.




I'm debugging a crash of an application in Microsoft Windows Server 2019 Datacenter [Ver: 10.0.17763.4131].
This is the basic information:

Faulting application name: wazuh-agent.exe, version: 0.0.0.0, time stamp: 0x643571e1

Faulting module name: RPCRT4.dll, version: 10.0.17763.4252, time stamp: 0xa85fd1e2

Exception code: 0xc0000005

Fault offset: 0x000281cb

Faulting process id: 0x93c

Faulting application start time: 0x01d97e69405fd862

Faulting application path: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe

Faulting module path: C:\WINDOWS\System32\RPCRT4.dll

Report Id: 3b1c0bfd-324b-4357-b758-370aee2e848e

Faulting package full name:

Faulting package-relative application ID:




After analyzing a core dump, we were able to get a backtrace:


Entry point cryptnet!CryptRetrieveObjectByUrlWithTimeoutThreadProc

Create time 5/29/2023 5:30:33 AM

Time spent in user mode 0 Days 0:0:0.15

Time spent in kernel mode 0 Days 0:0:0.31

rpcrt4!NdrGetBuffer+3b

rpcrt4!NdrAsyncClientCall+1ce

winnsi!RpcNsiRegisterChangeNotification+23

winnsi!NsiRpcRegisterChangeNotificationEx+147

winnsi!NsiRpcRegisterChangeNotification+49

IPHLPAPI!InternalRegisterChangeNotification+7b

IPHLPAPI!NotifyIpInterfaceChange+6e

winhttp!NetworkChangeMonitor::Startup+79

winhttp!StartGlobalNetworkChangeMonitor+4e

winhttp!WxRegisterForNetworkChangeNotification+35

winhttp!InitializeNetworkChangeMonitor+64

winhttp!INTERNET_SESSION_HANDLE_OBJECT::LoadAutomaticProxyResolvers+90

winhttp!INTERNET_SESSION_HANDLE_OBJECT::SetProxySettings+77

winhttp!WinHttpSetOptionInternal+8b1

winhttp!WinHttpOpen+3cd

cryptnet!InetGetBindings+1a

cryptnet!CInetSynchronousRetriever::RetrieveObjectByUrl+160

cryptnet!InetRetrieveEncodedObject+58

cryptnet!CObjectRetrievalManager::RetrieveObjectByUrl+9f

cryptnet!CryptRetrieveObjectByUrlWithTimeoutThreadProc+80

kernel32!BaseThreadInitThunk+19

ntdll!__RtlUserThreadStart+2f

ntdll!_RtlUserThreadStart+1b




But still, it isn't clear why our application is calling this thread.

Is it a known issue related to the library version?

Should we install a specific KB to fix it?

Thank you.
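A triage of the crash record and backtrace posted above, as an added example (not code from any participant in this thread or from the Wazuh project): it decodes the record's start-time FILETIME and walks the backtrace to show that the faulting thread begins in cryptnet and contains no frame from the application image, so the caller that requested the retrieval cannot be read off this stack. The function names are hypothetical; the constants are copied from the post.

```python
from datetime import datetime, timedelta, timezone

IMAGE = "wazuh-agent.exe"          # faulting application name, from the crash record
START_TIME = "0x01d97e69405fd862"  # "Faulting application start time", a FILETIME
# Frames copied from the post's backtrace, innermost (faulting) frame first.
STACK = """
rpcrt4!NdrGetBuffer+3b rpcrt4!NdrAsyncClientCall+1ce
winnsi!RpcNsiRegisterChangeNotification+23 winnsi!NsiRpcRegisterChangeNotificationEx+147
winnsi!NsiRpcRegisterChangeNotification+49 IPHLPAPI!InternalRegisterChangeNotification+7b
IPHLPAPI!NotifyIpInterfaceChange+6e winhttp!NetworkChangeMonitor::Startup+79
winhttp!StartGlobalNetworkChangeMonitor+4e winhttp!WxRegisterForNetworkChangeNotification+35
winhttp!InitializeNetworkChangeMonitor+64
winhttp!INTERNET_SESSION_HANDLE_OBJECT::LoadAutomaticProxyResolvers+90
winhttp!INTERNET_SESSION_HANDLE_OBJECT::SetProxySettings+77 winhttp!WinHttpSetOptionInternal+8b1
winhttp!WinHttpOpen+3cd cryptnet!InetGetBindings+1a
cryptnet!CInetSynchronousRetriever::RetrieveObjectByUrl+160 cryptnet!InetRetrieveEncodedObject+58
cryptnet!CObjectRetrievalManager::RetrieveObjectByUrl+9f
cryptnet!CryptRetrieveObjectByUrlWithTimeoutThreadProc+80
kernel32!BaseThreadInitThunk+19 ntdll!__RtlUserThreadStart+2f ntdll!_RtlUserThreadStart+1b
""".split()

def filetime_to_utc(hex_value):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    ticks = int(hex_value, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def module_of(frame):
    """Module part of 'module!symbol+offset'; debuggers show '-' in names as '_'."""
    return frame.split("!")[0].lower().replace("-", "_")

def module_path(frames):
    """Modules from thread start to the fault, consecutive repeats collapsed."""
    path = []
    for frame in reversed(frames):
        if not path or path[-1] != module_of(frame):
            path.append(module_of(frame))
    return path

def frames_in_image(frames, image_name):
    """Frames that belong to the given executable; empty means it is not on this stack."""
    wanted = image_name.rsplit(".", 1)[0].lower().replace("-", "_")
    return [f for f in frames if module_of(f) == wanted]

if __name__ == "__main__":
    print("process started:", filetime_to_utc(START_TIME).isoformat())
    print("thread path    :", " -> ".join(module_path(STACK)))
    print("app frames     :", frames_in_image(STACK, IMAGE) or "none on this thread")
```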





Hello

The exception code 0xc0000005 indicates an access violation, which can occur when an application tries to access a memory location that it is not allowed to access. This can be caused by a variety of reasons, including a corrupted or faulty hard drive, a virus or malware infection, or even a hardware failure.

In your case, the crash occurred in the RPCRT4.dll module, which is associated with the Remote Procedure Call (RPC) runtime. This module is typically stored in the system32 folder and is used by many programs and systems on Microsoft’s operating systems. The version of the RPCRT4.dll module that you are using is 10.0.17763.4252, with a time stamp of 0xa85fd1e2. However, I couldn’t find any information about known issues related to this specific version of the library.

The faulting application is wazuh-agent.exe, which is part of the Wazuh agent that runs on endpoints and communicates with the Wazuh server to send data in near real-time through an encrypted and authenticated channel. The backtrace you provided suggests that the crash occurred while the application was trying to retrieve an object by URL using the CryptRetrieveObjectByUrlWithTimeoutThreadProc function in the cryptnet module.

It’s not clear from the information provided why this thread was being called by your application. You may want to try updating your system and the Wazuh agent to their latest versions to see if that resolves the issue. If the problem persists, you may want to contact Wazuh support for further assistance.


Hi!

Thank you for your answer.
I'm from the Wazuh team, so I'm sure that updating the agent won't solve the issue.

"The backtrace you provided suggests that the crash occurred while the application was trying to retrieve an object by URL using the CryptRetrieveObjectByUrlWithTimeoutThreadProc function in the cryptnet module."

I know, the thing is that our Wazuh code never calls that method directly.
So I was wondering if anyone could help me find out why the OS is making this RPC call.

Regards.


To find out why the operating system is making this RPC call, you can use the Process Explorer tool to collect a user mode dump for analysis.

Process Explorer - Sysinternals | Microsoft Learn


I was having trouble generating a dump with Process Explorer; the file was always empty.
So I generated it with ProcDump.

But now that I have it, I'm not sure how it helps me to trace the function call.

Before posting the question, I also tried setting a breakpoint on these functions, but it never gets hit.

Thank you.


For the dump files, it is better to open Start, search for "feedback", open the Feedback Hub app, file a bug report, and attach the dump files there.

Send feedback to Microsoft with the Feedback Hub app - Microsoft Support


Thank you, I've already provided feedback:

https://aka.ms/AAmftag

But still, it'd be wonderful to understand RPC on Windows and why these background calls are being generated in this C/C++ application.


Remote Procedure Call (RPC) is a powerful technology for creating distributed client/server programs. It’s a form of inter-process communication that allows a client process to make requests of a server process. RPC is widely used in Windows operating systems and can be used to create client and server programs for heterogeneous network environments that include such operating systems as Unix and Apple.

In the context of your C/C++ application, RPC might be used for various purposes. For instance, it could be used for communication between different parts of your application that are running as separate processes. This is particularly common in applications that have a modular architecture, where different modules (running as separate processes) need to communicate with each other.

The background calls you’re seeing might be the result of your application making RPC calls to a server process. These calls could be for various purposes, such as retrieving data, invoking functionality in the server process, or sending notifications or updates.


Hi again!

Sorry, but that information isn't specific enough.

I'd need a more precise analysis of the call stack I've uploaded to really understand what is happening.

Regards.


I'm so glad that I could provide some help here. It would be great if you could mark any useful answer so others can easily find it.


Hello again.

Sorry, but you still haven't provided useful information to solve this issue.

Regards.


Question Info


Last updated March 17, 2024 Views 928 Applies to: