Faulting module name: ntdll.dll

Arold Frey 96 Reputation points
2021-02-19T09:59:34.09+00:00

Hello everyone,
It seems that since a Deep Security Manager update performed by our security team on a server, our supervision does not work anymore. We are receiving errors like this in Event Viewer:

Faulting application name: NaCl64.exe, version: 2.1.2.32, time stamp: 0x00000000
Faulting module name: ntdll.dll, version: 10.0.14393.3986, time stamp: 0x5f77fd0d
Exception code: 0xc0000005
Fault offset: 0x000000000003469c
Faulting process id: 0x20
Faulting application start time: 0x01d703a91e57082b
Faulting application path: C:\Program Files\XX\XX\XX\NaCl64.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 5e97f4df-a29d-419b-ac0d-395618532ede
Faulting package full name:

The application is run by a service launched by the local system account.
According to what I read on forums, it seems there is a permission issue.
To test it, I configured the service to run with my admin account -> It worked perfectly after that, but we want to keep the initial config.

So we checked

  • NTFS rights -> Nothing suspicious
  • Local policy “log on as a service” -> Nothing either
  • gpresult -> Nothing suspicious, but as I don’t know every rule I might have missed something.

Question -> Do you have any idea of what else to check?

Below is WER report :

Version=1
EventType=APPCRASH
EventTime=132579566119256819
ReportType=2
Consent=1
UploadTime=132579575533127660
ReportIdentifier=f49e6b11-705c-11eb-9690-0050569e252f
IntegratorReportIdentifier=0c30ecaa-6a33-4c10-89a2-389385525278
NsAppName=NaCl64.exe
AppSessionGuid=00002c9c-0000-0036-7185-bbb66904d701
TargetAppId=W:0006489a5b316168b3a74c79dcdce0e4005a00000904!000035a06307c2ea70f65a20b6f89eb6ad05cdf42001!NaCl64.exe
TargetAppVer=1970//01//01:00:00:00!16101!NaCl64.exe
BootId=4294967295
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=NaCl64.exe
Sig[1].Name=Application Version
Sig[1].Value=2.1.2.32
Sig[2].Name=Application Timestamp
Sig[2].Value=00000000
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=10.0.14393.4225
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=60124392
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000000000003472c
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.14393.2.0.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=3df7
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=3df737fb699df369502c79ca27a65141
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=8dc3
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=8dc39f7e120aec04564d7c0e96489aad
UI[2]=C:\Program Files\XX\XX\XX\NaCl64.exe
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Nagios Client 'NaCl' v2.1.2 build 32 stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Program Files\XX\XX\XX\NaCl64.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\System32\KERNEL32.DLL
LoadedModule[3]=C:\Windows\System32\KERNELBASE.dll
LoadedModule[4]=C:\Windows\System32\ADVAPI32.dll
LoadedModule[5]=C:\Windows\System32\msvcrt.dll
LoadedModule[6]=C:\Windows\System32\sechost.dll
LoadedModule[7]=C:\Windows\System32\RPCRT4.dll
LoadedModule[8]=C:\Windows\System32\USER32.dll
LoadedModule[9]=C:\Windows\System32\win32u.dll
LoadedModule[10]=C:\Windows\System32\GDI32.dll
LoadedModule[11]=C:\Windows\System32\gdi32full.dll
LoadedModule[12]=C:\Windows\system32\tmumh\20019\AddOn\8.53.0.1066\TmUmEvt64.dll
LoadedModule[13]=C:\Windows\System32\PSAPI.DLL
LoadedModule[14]=C:\Windows\system32\tmumh\20019\TmMon\2.8.0.1045\tmmon64.dll
LoadedModule[15]=C:\Program Files\XX\XX\XX\NaCl64.dll
LoadedModule[16]=C:\Windows\System32\SHELL32.dll
LoadedModule[17]=C:\Windows\System32\cfgmgr32.dll
LoadedModule[18]=C:\Windows\System32\windows.storage.dll
LoadedModule[19]=C:\Windows\System32\combase.dll
LoadedModule[20]=C:\Windows\System32\ucrtbase.dll
LoadedModule[21]=C:\Windows\System32\bcryptPrimitives.dll
LoadedModule[22]=C:\Windows\System32\powrprof.dll
LoadedModule[23]=C:\Windows\System32\shlwapi.dll
LoadedModule[24]=C:\Windows\System32\kernel.appcore.dll
LoadedModule[25]=C:\Windows\System32\shcore.dll
LoadedModule[26]=C:\Windows\System32\profapi.dll
LoadedModule[27]=C:\Windows\System32\WS2_32.dll
LoadedModule[28]=C:\Windows\SYSTEM32\NETAPI32.dll
LoadedModule[29]=C:\Windows\SYSTEM32\WININET.dll
LoadedModule[30]=C:\Windows\SYSTEM32\NETUTILS.DLL
LoadedModule[31]=C:\Windows\SYSTEM32\SRVCLI.DLL
LoadedModule[32]=C:\Windows\SYSTEM32\SAMCLI.DLL
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Nagios Client 'NaCl' v2.1.2 build 32
AppPath=C:\Program Files\XX\XX\XX\NaCl64.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=1C113DBAC7045F86122AE3B2757C6282
MetadataHash=1481117901

Windows Server 2016
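
An added example (not part of the original thread): a small Python parser for the WER report format posted above, which extracts the fault signature and lists modules loaded from neither the system directory nor the application's own folder. The sample is an excerpt of that report; the function names and the assumed `C:\Windows\System32` location are this example's own.

```python
import re
from ntpath import dirname, normcase  # Windows path rules on any platform

# Excerpt of the WER report posted above (a subset of its lines).
SAMPLE_WER = r"""Version=1
EventType=APPCRASH
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000000000003472c
LoadedModule[0]=C:\Program Files\XX\XX\XX\NaCl64.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\System32\KERNEL32.DLL
LoadedModule[12]=C:\Windows\system32\tmumh\20019\AddOn\8.53.0.1066\TmUmEvt64.dll
LoadedModule[14]=C:\Windows\system32\tmumh\20019\TmMon\2.8.0.1045\tmmon64.dll
LoadedModule[15]=C:\Program Files\XX\XX\XX\NaCl64.dll
AppPath=C:\Program Files\XX\XX\XX\NaCl64.exe
"""

SYSTEM_DIR = normcase(r"C:\Windows\System32")  # assumption: default system directory


def parse_wer(text):
    """Return (fault signature dict, loaded module paths, AppPath)."""
    names, values, modules, app_path = {}, {}, [], ""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        m = re.fullmatch(r"Sig\[(\d+)\]\.(Name|Value)", key)
        if m:  # Sig[n].Name and Sig[n].Value are paired by index n
            (names if m.group(2) == "Name" else values)[int(m.group(1))] = value
        elif key.startswith("LoadedModule["):
            modules.append(value)
        elif key == "AppPath":
            app_path = value
    sig = {names[i]: values.get(i, "") for i in sorted(names)}
    return sig, modules, app_path


def unexpected_modules(modules, app_path):
    """Modules whose folder is neither the system directory nor the app's folder."""
    expected = {SYSTEM_DIR, normcase(dirname(app_path))}
    return [m for m in modules if normcase(dirname(m)) not in expected]


if __name__ == "__main__":
    sig, mods, app = parse_wer(SAMPLE_WER)
    print(sig)
    print(unexpected_modules(mods, app))
```
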

Accepted answer
  1. Arold Frey 96 Reputation points
    2021-02-25T14:37:31.033+00:00

    Hello,

    After exploring both Process Monitor log files, there seem to be behavior differences between both scenarios, but I can't explain why.

    What I found for example (See screenshot)

    Left is OK scenario with admin account and right is NOK scenario with local system account

    72136-processmon1.png

    72128-processmon2.png

    And then after some time scenario 2 crashes, as you can see below:

    72137-processmonexit.png


5 additional answers

  1. Kent Chalmers 6 Reputation points
    2021-11-20T22:08:50.533+00:00

    I had this problem; replacing the ntdll.dll with one from a server I trusted seemed to resolve it for some users, and for others resetting local user profiles in the registry seemed to resolve it also.

    1 person found this answer helpful.

  2. Cheong00 3,471 Reputation points
    2021-02-19T10:20:46.107+00:00

    "Access violation" exception (0xc0000005) is commonly related to bugs inside the application too, say when a pointer is passed to some function to write a value to but the underlying memory has already been freed.

    You should contact the vendor of this application and see if they can help you sort out the problem.


  3. Jenny Feng 14,081 Reputation points
    2021-02-22T02:55:13.927+00:00

    @Arold Frey
    Hi,
    The nacl64.exe file is a software component of Google Chrome by Google.
    Exception code 0xc0000005 is an Access Violation.
    To debug this kind of system internal issue, I suggest you try Process Monitor.
    Hope the above information can help you.


  4. Arold Frey 96 Reputation points
    2021-02-24T10:06:04.42+00:00

    Hello, thank you for your help.

    @Cheong -> Vendor replied that it is an OS issue and can't do anything ...

    @JennyFeng -> I captured a Process Monitor log between when it works and when it crashes. I will analyse the data tomorrow. I will keep you informed.