Access violation Remote Registry

Discovered yesterday that if RRS has been used to access performance counters, it encounters an access violation when the service is restarted. This causes the hosting process to go away, taking with it all the other services hosted in that process. The workaround is to put Remote Registry in its own process. The AV still occurs, of course, but no other services are affected. I have a dump. Windows 2012 R2, fully patched. If I attach WinDbg to the process hosting the service and then do a net stop remote registry, this is what happens.

0:007> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
regsvc!unloaded+334c
00007ffa`7910334c ??              ???

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffa7910334c (<Unloaded_regsvc.dll>+0x000000000000334c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000008
   Parameter[1]: 00007ffa7910334c
Attempt to execute non-executable address 00007ffa7910334c

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=0000000000000001 rbx=000000e600009ad0 rcx=000000e67e64fab0
rdx=0000000000000064 rsi=000000e600009b30 rdi=000000e60088f702
rip=00007ffa7910334c rsp=000000e60088f650 rbp=00000000000001e0
 r8=000000e67e550d80  r9=0000000000008000 r10=0000000000000000
r11=0000000000000286 r12=00007ffa7910a250 r13=0000000000000000
r14=0000000000000001 r15=0000000000000001
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
<Unloaded_regsvc.dll>+0x334c:
00007ffa`7910334c ??              ???

FAULTING_THREAD:  00000000000005a8

DEFAULT_BUCKET_ID:  BAD_INSTRUCTION_PTR

PROCESS_NAME:  svchost.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000008

EXCEPTION_PARAMETER2:  00007ffa7910334c

WRITE_ADDRESS:  00007ffa7910334c 

FOLLOWUP_IP: 
ntdll!TppWorkerThread+0
00007ffa`7e7d45e0 48895c2410      mov     qword ptr [rsp+10h],rbx

FAILED_INSTRUCTION_ADDRESS: 
regsvc!unloaded+334c
00007ffa`7910334c ??              ???

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  svchost.exe

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

IP_MODULE_UNLOADED: 
regsvc!unloaded+334c
00007ffa`7910334c ??              ???

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [ThreadStartAddress] from Frame:[0] on thread:[5a8] ; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 000000e600009ad0 to 00007ffa7910334c

PRIMARY_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR

BUGCHECK_STR:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_SOFTWARE_NX_FAULT

IP_ON_HEAP:  000000e600009ad0
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

FRAME_ONE_INVALID: 1

STACK_TEXT:  
00000000`00000000 00000000`00000000 ntdll!TppWorkerThread+0x0


STACK_COMMAND:  .ecxr ; ~~[5a8] ; .frame 0 ; ** Pseudo Context ** ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ntdll!TppWorkerThread+0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntdll

IMAGE_NAME:  ntdll.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  54c850f5

FAILURE_BUCKET_ID:  BAD_INSTRUCTION_PTR_c0000005_ntdll.dll!TppWorkerThread

BUCKET_ID:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_SOFTWARE_NX_FAULT_UNLOADED_IP_ntdll!TppWorkerThread+0

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:bad_instruction_ptr_c0000005_ntdll.dll!tppworkerthread

FAILURE_ID_HASH:  {40e57a58-d46a-509d-31f9-88d2af62e4c8}

Followup: MachineOwner
---------

March 27th, 2015 12:14am
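
An added example, not part of the original post: one way to apply the workaround described above from PowerShell, first listing which services share the host process with Remote Registry and any earlier unexpected service terminations. It assumes an elevated session on the affected server, the service short name RemoteRegistry, and Service Control Manager event IDs 7031 and 7034 as the crash evidence to look for.

```powershell
# Added example (not from the original post). Assumes an elevated session
# and that the service's short name is RemoteRegistry.
$name = 'RemoteRegistry'
$svc  = Get-CimInstance Win32_Service -Filter "Name='$name'"
if (-not $svc) { throw "Service $name not found" }

# Current hosting model: 'Share Process' means it lives in a shared svchost.exe.
'{0}: state={1} type={2} pid={3}' -f $svc.Name, $svc.State, $svc.ServiceType, $svc.ProcessId

# Services in the same host process, i.e. what goes down with it
# if the access violation occurs. ProcessId is 0 when the service is stopped.
if ($svc.ProcessId) {
    Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Where-Object { $_.Name -ne $name } |
        Sort-Object Name |
        Format-Table Name, DisplayName, State -AutoSize
}

# Earlier unexpected service terminations recorded by the Service Control Manager.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap

# The workaround from the post: give the service its own host process.
if ($svc.ServiceType -eq 'Share Process') {
    sc.exe config $name type= own
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}
```

The new service type applies the next time the service starts. Since the post reports the fault on service stop, the stop that precedes that restart still happens inside the shared host.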
