Share via

Application crash in RPCRT4.dll

Anonymous
2023-08-30T12:52:16+00:00

Hi.

I'm debugging a crash of an application in Microsoft Windows Server 2019 Datacenter [Ver: 10.0.17763.4131].
This is the basic information

Faulting application name: wazuh-agent.exe, version: 0.0.0.0, time stamp: 0x643571e1

Faulting module name: RPCRT4.dll, version: 10.0.17763.4252, time stamp: 0xa85fd1e2

Exception code: 0xc0000005

Fault offset: 0x000281cb

Faulting process id: 0x93c

Faulting application start time: 0x01d97e69405fd862

Faulting application path: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe

Faulting module path: C:\WINDOWS\System32\RPCRT4.dll

Report Id: 3b1c0bfd-324b-4357-b758-370aee2e848e

Faulting package full name:

Faulting package-relative application ID:

After analyzing a core dump, we were able to get a backtrace

Entry point cryptnet!CryptRetrieveObjectByUrlWithTimeoutThreadProc

Create time 5/29/2023 5:30:33 AM

Time spent in user mode 0 Days 0:0:0.15

Time spent in kernel mode 0 Days 0:0:0.31rpcrt4!NdrGetBuffer+3b rpcrt4!NdrAsyncClientCall+1cewinnsi!RpcNsiRegisterChangeNotification+23winnsi!NsiRpcRegisterChangeNotificationEx+147winnsi!NsiRpcRegisterChangeNotification+49IPHLPAPI!InternalRegisterChangeNotification+7bIPHLPAPI!NotifyIpInterfaceChange+6ewinhttp!NetworkChangeMonitor::Startup+79winhttp!StartGlobalNetworkChangeMonitor+4ewinhttp!WxRegisterForNetworkChangeNotification+35winhttp!InitializeNetworkChangeMonitor+64winhttp!INTERNET_SESSION_HANDLE_OBJECT::LoadAutomaticProxyResolvers+90winhttp!INTERNET_SESSION_HANDLE_OBJECT::SetProxySettings+77winhttp!WinHttpSetOptionInternal+8b1winhttp!WinHttpOpen+3cdcryptnet!InetGetBindings+1acryptnet!CInetSynchronousRetriever::RetrieveObjectByUrl+160cryptnet!InetRetrieveEncodedObject+58cryptnet!CObjectRetrievalManager::RetrieveObjectByUrl+9fcryptnet!CryptRetrieveObjectByUrlWithTimeoutThreadProc+80kernel32!BaseThreadInitThunk+19ntdll!__RtlUserThreadStart+2f**ntdll!_RtlUserThreadStart+1b

But still, it isn't clear why our application is calling this thread.

Is it a know issue related to the library version?

Should we install a specific KB to fix it ?

Thank you.

Windows Server | Performance and maintenance | System performance

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments

19 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2023-08-31T03:03:17+00:00

    Hello

    The exception code 0xc0000005 indicates an access violation, which can occur when an application tries to access a memory location that it is not allowed to access. This can be caused by a variety of reasons, including a corrupted or faulty hard drive, a virus or malware infection, or even a hardware failure.

    In your case, the crash occurred in the RPCRT4.dll module, which is associated with the Remote Procedure Call (RPC) runtime. This module is typically stored in the system32 folder and is used by many programs and systems on Microsoft’s operating systems. The version of the RPCRT4.dll module that you are using is 10.0.17763.4252, with a time stamp of 0xa85fd1e2. However, I couldn’t find any information about known issues related to this specific version of the library.

    The faulting application is wazuh-agent.exe, which is part of the Wazuh agent that runs on endpoints and communicates with the Wazuh server to send data in near real-time through an encrypted and authenticated channel. The backtrace you provided suggests that the crash occurred while the application was trying to retrieve an object by URL using the CryptRetrieveObjectByUrlWithTimeoutThreadProc function in the cryptnet module.

    It’s not clear from the information provided why this thread was being called by your application. You may want to try updating your system and the Wazuh agent to their latest versions to see if that resolves the issue. If the problem persists, you may want to contact Wazuh support for further assistance.

    0 comments
  2. Anonymous
    2023-08-31T03:40:13+00:00

    Hi!

    Thank you for your answer.
    I'm from the Wazuh team, so I'm sure that updating the agent won't solve the issue.

    "The backtrace you provided suggests that the crash occurred while the application was trying to retrieve an object by URL using the CryptRetrieveObjectByUrlWithTimeoutThreadProc function in the cryptnet module."

    I know, the thing is that our Wazuh code never calls that method directly.
    So I was wondering if anyone could help me find out why the OS is making this RPC call.

    Regards.

    0 comments
  3. Anonymous
    2023-09-01T01:42:37+00:00

    To find out why the operating system is making this RPC call, you can use the Process Explorer tool to collect a user mode dump for analysis.

    Process Explorer - Sysinternals | Microsoft Learn

    0 comments
  4. Anonymous
    2023-09-02T03:44:19+00:00

    I was having trouble generating a dump with Process Explorer, the file was always empty.
    So I generated it with ProcDump.

    But now I have it, I'm not sure how it helps me to trace the function call.

    Before posting the question, I tried also setting a breakpoint on these functions but it never gets hit.

    Thank you.

    0 comments
  5. Anonymous
    2023-09-05T02:15:32+00:00

    For the dump files, it is better to open start and search for feedback and open the Feedback Hub app and file a bug report and attach dump files there.

    Send feedback to Microsoft with the Feedback Hub app - Microsoft Support

    0 comments