Application crash in RPCRT4.dll

Question

Hi.

I'm debugging a crash of an application in Microsoft Windows Server 2019 Datacenter [Ver: 10.0.17763.4131].
This is the basic information

Faulting application name: wazuh-agent.exe, version: 0.0.0.0, time stamp: 0x643571e1

Faulting module name: RPCRT4.dll, version: 10.0.17763.4252, time stamp: 0xa85fd1e2

Exception code: 0xc0000005

Fault offset: 0x000281cb

Faulting process id: 0x93c

Faulting application start time: 0x01d97e69405fd862

Faulting application path: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe

Faulting module path: C:\WINDOWS\System32\RPCRT4.dll

Report Id: 3b1c0bfd-324b-4357-b758-370aee2e848e

Faulting package full name:

Faulting package-relative application ID:

After analyzing a core dump, we were able to get a backtrace

Entry point cryptnet!CryptRetrieveObjectByUrlWithTimeoutThreadProc

Create time 5/29/2023 5:30:33 AM

Time spent in user mode 0 Days 0:0:0.15

Time spent in kernel mode 0 Days 0:0:0.31rpcrt4!NdrGetBuffer+3b rpcrt4!NdrAsyncClientCall+1cewinnsi!RpcNsiRegisterChangeNotification+23winnsi!NsiRpcRegisterChangeNotificationEx+147winnsi!NsiRpcRegisterChangeNotification+49IPHLPAPI!InternalRegisterChangeNotification+7bIPHLPAPI!NotifyIpInterfaceChange+6ewinhttp!NetworkChangeMonitor::Startup+79winhttp!StartGlobalNetworkChangeMonitor+4ewinhttp!WxRegisterForNetworkChangeNotification+35winhttp!InitializeNetworkChangeMonitor+64winhttp!INTERNET_SESSION_HANDLE_OBJECT::LoadAutomaticProxyResolvers+90winhttp!INTERNET_SESSION_HANDLE_OBJECT::SetProxySettings+77winhttp!WinHttpSetOptionInternal+8b1winhttp!WinHttpOpen+3cdcryptnet!InetGetBindings+1acryptnet!CInetSynchronousRetriever::RetrieveObjectByUrl+160cryptnet!InetRetrieveEncodedObject+58cryptnet!CObjectRetrievalManager::RetrieveObjectByUrl+9fcryptnet!CryptRetrieveObjectByUrlWithTimeoutThreadProc+80kernel32!BaseThreadInitThunk+19ntdll!__RtlUserThreadStart+2f**ntdll!_RtlUserThreadStart+1b

But still, it isn't clear why our application is calling this thread.

Is it a know issue related to the library version?

Should we install a specific KB to fix it ?

Thank you.

Answer 1

Thank you, I've already provided feedback

https://aka.ms/AAmftag

But still, I'd be wonderful to understand RPC on Windows and why these background calls are being generated in this C/C++ application.

Answer 2

Remote Procedure Call (RPC) is a powerful technology for creating distributed client/server programs. It’s a form of inter-process communication that allows a client process to make requests of a server process. RPC is widely used in Windows operating systems and can be used to create client and server programs for heterogeneous network environments that include such operating systems as Unix and Apple.

In the context of your C/C++ application, RPC might be used for various purposes. For instance, it could be used for communication between different parts of your application that are running as separate processes. This is particularly common in applications that have a modular architecture, where different modules (running as separate processes) need to communicate with each other.

The background calls you’re seeing might be the result of your application making RPC calls to a server process. These calls could be for various purposes, such as retrieving data, invoking functionality in the server process, or sending notifications or updates.

Answer 3

Hi again!

Sorry, but that information isn't specific enough.

I'd need a more precise analysis of the call stack I've uploaded to really understand what is happening.

Regards.

Answer 4

I'm so glad that I could provide some help here, it will be great to mark any useful answer so other can easily find it.

Answer 5

I'm so glad that I could provide some help here, it will be great to mark any useful answer so other can easily find it.

Hello again.

Sorry, but you still haven't provided useful information to solve this issue.

Regards.