Re: 4.15 Beta Available (Latest Version 4.15.11)
Posted: Sat Jan 31, 2015 10:07 pm
I've been running recent HitmanPro.Alert release candidates along with recent Sandboxie beta versions and Chrome x64 stable versions on Windows 8.1 x64. I randomly get errors executing Chrome sandboxed:
SBIE2205 Service not implemented: NtCreateProcessEx (4024)
SBIE2204 Cannot start sandboxed service RpcSs (-1)
With 4.15.11, I now get something like this:
SBIE2101 Object name not found: OpenProcess (C0000022) 001FFFFF, error
SBIE2314 Canceling process SandboxieRpcSs.exe
SBIE2314 Canceling process SandboxieRpcSs.exe
SBIE2204 Cannot start sandboxed service RpcSs (1)
I have also seen instances where the Chrome window appears but is unresponsive (I have WinDbg output for this as well) and I have seen one instance of Thunderbird failing to execute sandboxed. Would be nice to have HitmanPro.Alert function with sandboxed apps without error. If it's not possible, I'll dump HitmanPro.Alert and reinstall EMET.
A few days ago (prior to 4.15.11), I attached WinDbg to the RpcSs process after getting the error:
Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*your local folder for symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*your local folder for symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff7`982e0000 00007ff7`982eb000 C:\Program Files\Sandboxie\SandboxieRpcSs.exe
ModLoad: 00007ffd`e2a40000 00007ffd`e2be6000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffd`e04e0000 00007ffd`e061a000 C:\Windows\system32\kernel32.dll
ModLoad: 00007ffd`e01b0000 00007ffd`e02bf000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 00000000`71fb0000 00000000`7201d000 C:\Program Files\Sandboxie\SbieDll.dll
ModLoad: 00007ffd`de900000 00007ffd`de9c6000 C:\Windows\system32\hmpalert.dll
ModLoad: 00007ffd`e03a0000 00007ffd`e03f8000 C:\Windows\system32\WS2_32.dll
ModLoad: 00007ffd`e2520000 00007ffd`e25c5000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 00007ffd`e1e70000 00007ffd`e1fe1000 C:\Windows\system32\USER32.dll
ModLoad: 00007ffd`e0430000 00007ffd`e04d7000 C:\Windows\system32\msvcrt.dll
ModLoad: 00007ffd`e0390000 00007ffd`e0399000 C:\Windows\system32\NSI.dll
ModLoad: 00007ffd`e27c0000 00007ffd`e28f7000 C:\Windows\system32\RPCRT4.dll
ModLoad: 00007ffd`e2750000 00007ffd`e27a7000 C:\Windows\SYSTEM32\sechost.dll
ModLoad: 00007ffd`e1ff0000 00007ffd`e2134000 C:\Windows\system32\GDI32.dll
ModLoad: 00007ffd`e2380000 00007ffd`e23b4000 C:\Windows\system32\IMM32.DLL
ModLoad: 00000000`00b00000 00000000`00c39000 C:\Windows\system32\MSCTF.dll
ModLoad: 00007ffd`dfcc0000 00007ffd`dfd57000 C:\Windows\SYSTEM32\sxs.dll
ModLoad: 00007ffd`df440000 00007ffd`df485000 C:\Windows\SYSTEM32\powrprof.dll
ModLoad: 00007ffd`deeb0000 00007ffd`deec6000 C:\Windows\SYSTEM32\rpcepmap.dll
ModLoad: 00007ffd`dfd60000 00007ffd`dfd8b000 C:\Windows\SYSTEM32\sspicli.dll
ModLoad: 00007ffd`dee90000 00007ffd`deea2000 C:\Windows\SYSTEM32\RpcRtRemote.dll
ModLoad: 00007ffd`deed0000 00007ffd`def8c000 C:\Windows\SYSTEM32\rpcss.dll
ModLoad: 00007ffd`e07c0000 00007ffd`e0996000 C:\Windows\SYSTEM32\combase.dll
ModLoad: 00007ffd`e0a50000 00007ffd`e1e5f000 C:\Windows\system32\shell32.dll
ModLoad: 00007ffd`e24c0000 00007ffd`e2511000 C:\Windows\system32\SHLWAPI.dll
ModLoad: 00007ffd`de300000 00007ffd`de39f000 C:\Windows\SYSTEM32\SHCORE.dll
ModLoad: 00007ffd`df720000 00007ffd`df73e000 C:\Windows\SYSTEM32\CRYPTSP.dll
ModLoad: 00007ffd`df310000 00007ffd`df345000 C:\Windows\system32\rsaenh.dll
ModLoad: 00007ffd`df960000 00007ffd`df986000 C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffd`dfd90000 00007ffd`dfd9a000 C:\Windows\SYSTEM32\CRYPTBASE.dll
ModLoad: 00007ffd`dfc60000 00007ffd`dfcc0000 C:\Windows\SYSTEM32\bcryptPrimitives.dll
ModLoad: 00007ffd`deaa0000 00007ffd`debc1000 C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffd`ddf70000 00007ffd`ddf90000 C:\Windows\system32\dwmapi.dll
ModLoad: 00007ffd`db8d0000 00007ffd`dba3f000 C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffd`e02c0000 00007ffd`e0381000 C:\Windows\system32\OLEAUT32.dll
ModLoad: 00007ffd`e25d0000 00007ffd`e2748000 C:\Windows\system32\ole32.dll
(5f4.974): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00007ffd`e2ad31a0 cc int 3
0:007> ~* k 99
0 Id: 5f4.bf4 Suspend: 1 Teb: 00007ff7`977ee000 Unfrozen
Child-SP RetAddr Call Site
00000000`006ffb08 00007ffd`e01b124a ntdll!NtDeviceIoControlFile+0xa
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Sandboxie\SandboxieRpcSs.exe
00000000`006ffb10 00007ff7`982e1559 KERNELBASE!SleepEx+0xa2
00000000`006ffbb0 00007ff7`982e33f6 SandboxieRpcSs+0x1559
00000000`006ffd90 00007ff7`982e4001 SandboxieRpcSs+0x33f6
00000000`006ffe00 00007ffd`e04e16ad SandboxieRpcSs+0x4001
00000000`006ffed0 00007ffd`e2a94409 kernel32!BaseThreadInitThunk+0xd
00000000`006fff00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
1 Id: 5f4.810 Suspend: 1 Teb: 00007ff7`977ec000 Unfrozen
Child-SP RetAddr Call Site
00000000`0252ef98 00007ffd`e01b13ad ntdll!NtDeviceIoControlFile+0xa
00000000`0252efa0 00007ffd`e04e132f KERNELBASE!WaitForMultipleObjectsEx+0xe1
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Sandboxie\SbieDll.dll -
00000000`0252f280 00000000`71fdb120 kernel32!WaitForMultipleObjects+0xf
00000000`0252f2c0 00000000`71fdc72e SbieDll!SbieDll_IsOpenCOM+0x1330
00000000`0252f650 00007ffd`e27eb12f SbieDll!SbieDll_StartCOM+0x11fe
00000000`0252f740 00007ffd`e27eb2de RPCRT4!LRPC_CASSOCIATION::AlpcConnect+0x17f
00000000`0252f900 00007ffd`e27cff00 RPCRT4!LRPC_CASSOCIATION::Connect+0x177
00000000`0252f9a0 00007ffd`e27d57aa RPCRT4!LRPC_BASE_BINDING_HANDLE::DriveStateForward+0x3b3
00000000`0252fa10 00007ffd`e27d5472 RPCRT4!LRPC_FAST_BINDING_HANDLE::Bind+0x3af
00000000`0252fb20 00007ffd`deed848a RPCRT4!RpcBindingBind+0x4a
00000000`0252fb50 00007ffd`def15e52 rpcss!CFastBH::CreateFromBindingString+0xfa
00000000`0252fc20 00007ffd`def15dec rpcss!CFastBH::GetOrCreate+0x32
00000000`0252fc50 00007ffd`def13166 rpcss!CreateActivationClientBinding+0xcc
00000000`0252fcf0 00007ffd`def14907 rpcss!ScmServiceMain+0x8a
00000000`0252fd40 00007ff7`982e1dd3 rpcss!ServiceMain+0x11f
00000000`0252fda0 00007ffd`e04e16ad SandboxieRpcSs+0x1dd3
00000000`0252fdd0 00007ffd`e2a94409 kernel32!BaseThreadInitThunk+0xd
00000000`0252fe00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
2 Id: 5f4.dec Suspend: 1 Teb: 00007ff7`977ea000 Unfrozen
Child-SP RetAddr Call Site
00000000`0262f778 00007ffd`e01b124a ntdll!NtDeviceIoControlFile+0xa
00000000`0262f780 00007ff7`982e1d0a KERNELBASE!SleepEx+0xa2
00000000`0262f820 00007ffd`e04e16ad SandboxieRpcSs+0x1d0a
00000000`0262fa60 00007ffd`e2a94409 kernel32!BaseThreadInitThunk+0xd
00000000`0262fa90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
3 Id: 5f4.e4c Suspend: 1 Teb: 00007ff7`977e8000 Unfrozen
Child-SP RetAddr Call Site
00000000`0272f718 00007ffd`e1e72055 USER32!NtUserGetMessage+0xa
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\hmpalert.dll -
00000000`0272f720 00007ffd`de918953 USER32!GetMessageW+0x25
00000000`0272f750 00007ff7`982e1133 hmpalert+0x18953
00000000`0272f780 00007ffd`e04e16ad SandboxieRpcSs+0x1133
00000000`0272f870 00007ffd`e2a94409 kernel32!BaseThreadInitThunk+0xd
00000000`0272f8a0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
4 Id: 5f4.e6c Suspend: 1 Teb: 00007ff7`977e6000 Unfrozen
Child-SP RetAddr Call Site
00000000`0282f888 00007ffd`e2a74ecb ntdll!NtDeviceIoControlFile+0xa
00000000`0282f890 00007ffd`e04e16ad ntdll!TppWorkerThread+0x6eb
00000000`0282fc80 00007ffd`e2a94409 kernel32!BaseThreadInitThunk+0xd
00000000`0282fcb0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
5 Id: 5f4.83c Suspend: 1 Teb: 00007ff7`977e4000 Unfrozen
Child-SP RetAddr Call Site
00000000`0303f7c8 00007ffd`e2a74ecb ntdll!NtDeviceIoControlFile+0xa
00000000`0303f7d0 00007ffd`e04e16ad ntdll!TppWorkerThread+0x6eb
00000000`0303fbc0 00007ffd`e2a94409 kernel32!BaseThreadInitThunk+0xd
00000000`0303fbf0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
6 Id: 5f4.c60 Suspend: 1 Teb: 00007ff7`9764e000 Unfrozen
Child-SP RetAddr Call Site
00000000`0313f4e8 00007ffd`e2a74ecb ntdll!NtDeviceIoControlFile+0xa
00000000`0313f4f0 00007ffd`e04e16ad ntdll!TppWorkerThread+0x6eb
00000000`0313f8e0 00007ffd`e2a94409 kernel32!BaseThreadInitThunk+0xd
00000000`0313f910 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
# 7 Id: 5f4.974 Suspend: 1 Teb: 00007ff7`9764c000 Unfrozen
Child-SP RetAddr Call Site
00000000`0323f958 00007ffd`e2b01ac4 ntdll!DbgBreakPoint
00000000`0323f960 00007ffd`e04e16ad ntdll!DbgUiRemoteBreakin+0x34
00000000`0323f990 00007ffd`e2a94409 kernel32!BaseThreadInitThunk+0xd
00000000`0323f9c0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
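An added example, not part of the original post: a small Python triage helper for `~* k` output in the format above. It lists, per thread, the modules for which WinDbg printed a symbol error and which also appear in that thread's call stack. Treating "no symbols found" as a marker for third-party code is a heuristic assumed here, and the sample input is constructed and condensed from the dump's format.

```python
import ntpath
import re

THREAD = re.compile(r"^[.#\s]*(\d+)\s+Id:\s")
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s+(\S+)")
SYM_ERR = re.compile(r"^\*\*\* ERROR: .*? for ([A-Za-z]:\\.+?\.(?:dll|exe|sys))", re.I)

# Constructed sample, condensed from the format of the dump in the post.
SAMPLE = r"""
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Sandboxie\SandboxieRpcSs.exe
   1  Id: 5f4.810 Suspend: 1 Teb: 00007ff7`977ec000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0252ef98 00007ffd`e01b13ad ntdll!NtDeviceIoControlFile+0xa
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Sandboxie\SbieDll.dll -
00000000`0252f2c0 00000000`71fdc72e SbieDll!SbieDll_IsOpenCOM+0x1330
00000000`0252f740 00007ffd`e27eb2de RPCRT4!LRPC_CASSOCIATION::AlpcConnect+0x17f
00000000`0252fda0 00007ffd`e04e16ad SandboxieRpcSs+0x1dd3
   3  Id: 5f4.e4c Suspend: 1 Teb: 00007ff7`977e8000 Unfrozen
00000000`0272f718 00007ffd`e1e72055 USER32!NtUserGetMessage+0xa
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\hmpalert.dll -
00000000`0272f750 00007ff7`982e1133 hmpalert+0x18953
00000000`0272f780 00007ffd`e04e16ad SandboxieRpcSs+0x1133
#  4  Id: 5f4.e6c Suspend: 1 Teb: 00007ff7`977e6000 Unfrozen
00000000`0282f888 00007ffd`e2a74ecb ntdll!NtDeviceIoControlFile+0xa
00000000`0282f890 00007ffd`e04e16ad ntdll!TppWorkerThread+0x6eb
"""

def triage(dump):
    """Map thread number -> unsymbolised modules on its stack, innermost first."""
    unsym = set()   # modules WinDbg reported a symbol error for
    stacks = {}     # thread number -> module name of each frame
    current = None
    for line in dump.splitlines():
        if m := SYM_ERR.match(line):
            # Symbol errors are interleaved with frames, so collect them all first.
            name = ntpath.splitext(ntpath.basename(m.group(1)))[0]
            unsym.add(name.lower())
        elif m := THREAD.match(line):
            current = m.group(1)
            stacks[current] = []
        elif (m := FRAME.match(line)) and current is not None:
            # Call site is "module!symbol+off" or "module+off" when no symbols exist.
            stacks[current].append(re.split(r"[!+]", m.group(1), maxsplit=1)[0].lower())
    report = {}
    for tid, mods in stacks.items():
        hits = [mod for mod in dict.fromkeys(mods) if mod in unsym]
        if hits:
            report[tid] = hits
    return report

if __name__ == "__main__":
    for tid, mods in triage(SAMPLE).items():
        print(f"thread {tid}: {', '.join(mods)}")
```

A path check alone would not flag hmpalert.dll, since it loads from C:\Windows\system32; that is why the helper keys on the symbol errors instead.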