Wazuh Agent randomly crashes.

Diogo Oliveira Fin-Prisma
2023-10-06T10:58:24.4866667+00:00

Hi there.

We've noticed that this program (Wazuh Agent) randomly crashes on our Windows 10 machines and on our Windows Servers.

Is it possible to know the root of the problem and the respective solution through the analysis of this crash dump?

************* Preparing the environment for Debugger Extensions Gallery repositories **************
   ExtensionRepository : Implicit
   UseExperimentalFeatureForNugetShare : true
   AllowNugetExeUpdate : true
   AllowNugetMSCredentialProviderInstall : true
   AllowParallelInitializationOfLocalRepositories : true

   -- Configuring repositories
      ----> Repository : LocalInstalled, Enabled: true
      ----> Repository : UserExtensions, Enabled: true

>>>>>>>>>>>>> Preparing the environment for Debugger Extensions Gallery repositories completed, duration 0.000 seconds

************* Waiting for Debugger Extensions Gallery to Initialize **************

>>>>>>>>>>>>> Waiting for Debugger Extensions Gallery to Initialize completed, duration 0.031 seconds
   ----> Repository : UserExtensions, Enabled: true, Packages count: 0
   ----> Repository : LocalInstalled, Enabled: true, Packages count: 36

Microsoft (R) Windows Debugger Version 10.0.25921.1001 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\daoliveira\OneDrive - Fin-Prisma\Desktop\wazuh-agent.exe.3872.dmp]
User Mini Dump File with Full Memory: Only application data is available

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Version 19045 MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Debug session time: Mon Oct  2 17:52:31.000 2023 (UTC + 1:00)
System Uptime: 0 days 0:00:46.139
Process Uptime: 0 days 0:00:32.000
.......................................................
Loading unloaded module list
..
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(f20.1578): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=00000000 ebx=00000000 ecx=0000003c edx=00000001 esi=00000003 edi=00000003
eip=778d300c esp=02f4e530 ebp=02f4e6c0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
ntdll!NtWaitForMultipleObjects+0xc:
778d300c c21400          ret     14h
0:030> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Check Image - Checksum mismatch - Dump: 0xcd0ee, File: 0xbe819 - C:\ProgramData\Dbg\sym\rpcrt4.dll\86417B77bf000\rpcrt4.dll

KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullClassPtr

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 921

    Key  : Analysis.Elapsed.mSec
    Value: 9698

    Key  : Analysis.IO.Other.Mb
    Value: 17

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 21

    Key  : Analysis.Init.CPU.mSec
    Value: 671

    Key  : Analysis.Init.Elapsed.mSec
    Value: 50341

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 77

    Key  : Failure.Bucket
    Value: NULL_CLASS_PTR_READ_c0000005_winnsi.dll!RpcNsiRegisterChangeNotification

    Key  : Failure.Hash
    Value: {fa4fe29a-56a5-9456-16d4-773eb6835a43}

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 46

    Key  : Timeline.Process.Start.DeltaSec
    Value: 32

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

FILE_IN_CAB:  wazuh-agent.exe.3872.dmp

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
eax=013b6798 ebx=ffffffff ecx=0000003c edx=00000001 esi=013b67c4 edi=013b6798
eip=758f70db esp=02f4ee6c ebp=02f4ee88 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
rpcrt4!NdrGetBuffer+0x3b:
758f70db 817b04efcdab89  cmp     dword ptr [ebx+4],89ABCDEFh ds:002b:00000003=????????
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 758f70db (rpcrt4!NdrGetBuffer+0x0000003b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000003
Attempt to read from address 00000003

PROCESS_NAME:  wazuh-agent.exe

READ_ADDRESS:  00000003

ERROR_CODE: (NTSTATUS) 0xc0000005 - A instrução no 0x%p fez referência à memória no 0x%p. A memória não pôde ser %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000003

STACK_TEXT:
02f4ee88 758d593c     013b67c4 0000003c ffffffff rpcrt4!NdrGetBuffer+0x3b
02f4f2a4 6f822895     6f821008 6f821350 02f4f2c0 rpcrt4!NdrAsyncClientCall+0x1ac
02f4f2b8 6f821aeb     02f4f32c ffffffff 00000000 winnsi!RpcNsiRegisterChangeNotification+0x23
02f4f38c 6f821999     ffffffff 02f4f39c 00000000 winnsi!NsiRpcRegisterChangeNotificationEx+0x13b
02f4f3c4 74b56c9b     ffffffff 74b51b60 00000007 winnsi!NsiRpcRegisterChangeNotification+0x49
02f4f3f8 74b56bfe     74b5be20 00000000 013530b8 IPHLPAPI!InternalRegisterChangeNotification+0x7b
02f4f410 7106a37a     00000000 7108bbc0 013530b8 IPHLPAPI!NotifyIpInterfaceChange+0x6e
02f4f458 7106ae38     00000000 00000000 02f4f47c winhttp!NetworkChangeMonitor::Startup+0x79
02f4f480 71069f5c     00000000 00000000 01362558 winhttp!StartGlobalNetworkChangeMonitor+0x4e
02f4f4a4 71069ee5     71103cb8 00000000 00000000 winhttp!WxRegisterForNetworkChangeNotification+0x35
02f4f4d0 710921d4     01362558 71078b30 01362608 winhttp!InitializeNetworkChangeMonitor+0x64
02f4f570 71078ba3     01362558 71078b30 02f4f604 winhttp!INTERNET_SESSION_HANDLE_OBJECT::LoadAutomaticProxyResolvers+0x90
02f4f590 71075805     02f4f604 00000000 01362558 winhttp!INTERNET_SESSION_HANDLE_OBJECT::SetProxySettings+0x73
02f4f5d4 71072f27     02f4f604 0000000c 00000000 winhttp!WinHttpSetOptionInternal+0xa25
02f4f628 749060f4     74901b30 00000004 00000000 winhttp!WinHttpOpen+0x1d7
02f4f650 749070f0     01348f58 02f4f688 00202004 cryptnet!InetGetBindings+0x1a
02f4f68c 749065a8     013baff0 00000006 00202004 cryptnet!CInetSynchronousRetriever::RetrieveObjectByUrl+0x160
02f4f6c8 74905dcf     013baff0 00000006 00202004 cryptnet!InetRetrieveEncodedObject+0x58
02f4f72c 74905c30     013baff0 00000006 00202004 cryptnet!CObjectRetrievalManager::RetrieveObjectByUrl+0x9f
02f4f7ac 775bfcc9     013baf30 775bfcb0 02f4f818 cryptnet!CryptRetrieveObjectByUrlWithTimeoutThreadProc+0x80
02f4f7bc 778c7b1e     013baf30 2426d025 00000000 kernel32!BaseThreadInitThunk+0x19
02f4f818 778c7aee     ffffffff 778e8ad3 00000000 ntdll!__RtlUserThreadStart+0x2f
02f4f828 00000000     74905bb0 013baf30 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  ~9s; .ecxr ; kb

SYMBOL_NAME:  winnsi!RpcNsiRegisterChangeNotification+23

MODULE_NAME: winnsi

IMAGE_NAME:  winnsi.dll

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_READ_c0000005_winnsi.dll!RpcNsiRegisterChangeNotification

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

IMAGE_VERSION:  10.0.19041.546

FAILURE_ID_HASH:  {fa4fe29a-56a5-9456-16d4-773eb6835a43}

Followup:     MachineOwner
---------