How do I Debug a Windows 10-aware 3rd-party app installer AV

January 23, 2021 at 07:43:55
Specs: Windows 10, 3600XT/32GB/SSD&HDD
I have uninstalled suspected causes to no avail.

These three apps insist on AVing upon my attempts to run each installer.

I have re-downloaded all of these at least a dozen times each in half a baker's dozen browsers each, all with the same results, so I must be Insane.
---
AV 7B
Zenbeats_Installer.exe - Application Error
I hit g in WinDbg upon load and it goes straight to here.
The application was unable to start correctly (0xc000007b). Click OK to close the application.
---
AV 05
GOG_Galaxy_2.0.exe - Application Error
I hit g in WinDbg upon load and it goes straight to here.
The application was unable to start correctly (0xc0000005). Click OK to close the application.
---
OperaSetup.exe - Application Error
I hit g in WinDbg upon load and it goes straight to here.
The application was unable to start correctly (0xc0000005). Click OK to close the application.
---

All I get in !analyze -v is nothing but header and footer result, no code.

JIT debugging got me to where I can enable Disassembly, but that stupid thing refuses to allow me to save its result, so far as I can find, so far, still new, so it must be there somewhere, right? ;) But, it still gives very little debug info to reveal root cause for these insistent AVs.

---

How do I use WinDbg on an app installer AV Crash?

Some other debugger, maybe?



#1
January 23, 2021 at 07:47:09
I ran this script to be sure Windows 10 20H2 with latest Updates has healthy files first.

No errors, zero

DISM.exe /Online /Cleanup-image /Scanhealth

DISM.exe /Online /Cleanup-image /Restorehealth

DISM.exe /online /cleanup-image /startcomponentcleanup
(ran those because I do not trust sfc alone.)

sfc /scannow

I just now finished a 40 minute Windows 10 Pro "Keep Apps & Files" Install/Repair from a 20H2 Microsoft Windows 10 Install Media Creator 16GB USB stick and these errors persist.

oh well ;)

message edited by RicardoMadGello



#2
January 24, 2021 at 08:05:11
Are you downloading from reputable sites? I have no knowledge of Zen or Gog, but Opera should be downloaded from the Opera website - https://www.opera.com/

Which AV program are you using? If you're not using Windows Defender, why not? When you install a program, do you right click on the EXE file & select "Run as administrator"?



#3
January 24, 2021 at 12:18:20
GOG Galaxy 2 (Beta) came from GOG's HomePage.
1st: https://www.gog.com/galaxy
has direct link to GOG_Galaxy_2.0.exe (983,624 bytes) here:
https://webinstallers.gog-statics.c...
Verisign Cert S/N: 05b5d9d6bb2960fbd330c5d6b9b7b7d2

Opera came from Opera's HomePage
1st: https://www.opera.com/
has embedded link to OperaSetup.exe (2,405,072 bytes) here:
https://www.opera.com/computer/than...
Verisign Cert S/N: 05f4210db2b283a32ff2aed29fcb68a4

Roland ZenBeats came from Roland US's HomePage:
1st: https://www.roland.com/us/products/...
has direct link to Zenbeats_Installer.exe (299,788,752 bytes) here:
https://static.roland.com/assets/me...
Verisign Cert S/N: 0fa9849efb9c3e94e683ad53bf9e7ca5

Windows Defender, with ioLo's System Mechanic's AV DISABLED AND THEN UNINSTALLED COMPLETELY!!!

I almost ALWAYS Right-Click Run as Administrator, WHICH IS REALLY STUPID THESE DAYS!!!

BUT YES!!! About Five Dozen Times and ALL of them, on Both my Brand-New Machine running brand-new Windows 10 Home (upgraded right away to Pro, as I bought a TPM for my new motherboard, and ASUS Prime B500M-a (WiFi), AMD Ryzen 5 3600XT ($238 when I bought it, $380 less than a week later), HyperX Predator 2x16GB (32GB adding later, when prices get real) 3600MHz CL17 (XMP #2=3000MHz CL15, so I 3200MHz CL15, which a Full Run of memtest86+ PASSES 100% at 3000cl15, 3200CL15, 3600CL17, AND 3800(1900flck ROCK SOLID HERE AS WELL, But LATENCY!!!)CL17 setting, 3200CL15 now, and just Indexed four drives, with about 3.8TB total files overnight Without A Burp last night.

The ONLY Bluescreen so far, is ASUS AI Suite 3 (69rev) ASIO2.DLL CONFLICTS WITH CPU SVM setting, which IS REQUIRED BY HYPERVISOR in Pro, or NO Virtualization Happens AT ALL. So ASUS is GONE, and based on their lack of ASUS Community Forum, They Don't Care. I only bought ASUS since it had the best price for B550, M.2, WiFi6, and Zen 3 capability promise. I have my new Gigabyte X570 Aorus Master mobo sitting next to me, WAITING FOR Zen 3 Ryzen 9 5950X prices to Get Real, for its 128GB G.Skill Trident Z Royal F4-4000C18Q-128, Sabrent ADHD here, got side-tracked.

I managed to get a semi-valid WinDbg Debugger Trace on this AV for Opera, as follows:


Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: E:\MadGello\Browsers\OperaSetup.exe

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00000000`00010000 00000000`00428000 image00000000`00010000
ModLoad: 00007ff9`3c5f0000 00007ff9`3c7e6000 ntdll.dll
ModLoad: 00000000`77650000 00000000`777f3000 ntdll.dll
ModLoad: 00007ff9`3ad40000 00007ff9`3ad99000 C:\WINDOWS\System32\wow64.dll
ModLoad: 00007ff9`3acb0000 00007ff9`3ad33000 C:\WINDOWS\System32\wow64win.dll
(b98.1710): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ff9`3c6c06d0 cc int 3
0:000> !sympath
Symbol search path is: srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*e:\windows10_symbols*https://msdl.microsoft.com/download/symbols

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols
0:000> g
ModLoad: 00000000`77640000 00000000`7764a000 C:\WINDOWS\System32\wow64cpu.dll
(b98.1710): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll_77650000!LdrpGenericProcessRelocation+0x69:
77712a86 0106 add dword ptr [esi],eax ds:002b:00010004=00000001
0:000:x86> lm
start end module name
00010000 00428000 OperaSetup (deferred)
77640000 7764a000 wow64cpu (deferred)
77650000 777f3000 ntdll_77650000 (pdb symbols) e:\windows10_symbols\wntdll.pdb\3CCC2398F623C3D0915D0E0ADC5714A71\wntdll.pdb
3acb0000 3ad33000 wow64win (deferred)
3ad40000 3ad99000 wow64 (deferred)
00007ff9`3c5f0000 00007ff9`3c7e6000 ntdll (pdb symbols) e:\windows10_symbols\ntdll.pdb\1EB9FACB04C73C5DEA7160764CD333D01\ntdll.pdb
0:000:x86> k
# ChildEBP RetAddr
00 005bf98c 77712820 ntdll_77650000!LdrpGenericProcessRelocation+0x69
01 005bf9ac 77712934 ntdll_77650000!LdrProcessRelocationBlockLongLong+0x40
02 005bf9e0 77701167 ntdll_77650000!LdrRelocateImageWithBias+0xbe
03 005bfa40 776fb5e5 ntdll_77650000!LdrpProtectAndRelocateImage+0xd6
04 005bfcac 776aa831 ntdll_77650000!LdrpInitializeProcess+0x1325
05 005bfd04 776aa721 ntdll_77650000!_LdrpInitialize+0xba
06 005bfd10 00000000 ntdll_77650000!LdrInitializeThunk+0x11
0:000:x86> d
77712a86 01 06 eb 18 66 8b 45 08-66 01 06 eb 0f 0f b7 0e ....f.E.f.......
77712a96 c1 e1 10 03 4d 08 c1 e9-10 66 89 0e 5f 8b c2 5e ....M....f.._..^
77712aa6 5d c2 08 00 8b ff 55 8b-ec 51 51 0f b7 01 53 8b ].....U..QQ...S.
77712ab6 d8 c1 e8 0c 81 e3 fe 0f-00 00 03 da 89 5d f8 83 .............]..
77712ac6 e8 05 0f 84 10 01 00 00-48 83 e8 01 74 07 33 c0 ........H...t.3.
77712ad6 e9 0e 01 00 00 0f b7 4b-04 0f b7 53 06 8b c1 c1 .......K...S....
77712ae6 e1 0b 25 00 04 00 00 0b-c1 03 c0 0f b7 c8 0f b6 ..%.............
77712af6 c2 81 e2 00 70 00 00 0b-c8 c1 e1 04 0b ca 89 4d ....p..........M
0:000:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


KEY_VALUES_STRING: 1

Key : AV.Fault
Value: Write

Key : Analysis.CPU.Sec
Value: 0

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on MADGELLOLANDX

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.Sec
Value: 1

Key : Analysis.Memory.CommitPeak.Mb
Value: 54

Key : Analysis.System
Value: CreateObject

Key : Timeline.OS.Boot.DeltaSec
Value: 3204

Key : Timeline.Process.Start.DeltaSec
Value: 34


NTGLOBALFLAG: 70

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS: 0

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 77712a86 (ntdll_77650000!LdrpGenericProcessRelocation+0x00000069)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00010004
Attempt to write to address 00010004

FAULTING_THREAD: 00001710

PROCESS_NAME: OperaSetup.exe

WRITE_ADDRESS: 00010004

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00010004

STACK_TEXT:
005bf98c 77712820 ffc10000 ffffffff 00010078 ntdll_77650000!LdrpGenericProcessRelocation+0x69
005bf9ac 77712934 00000002 00427260 ffc10000 ntdll_77650000!LdrProcessRelocationBlockLongLong+0x40
005bf9e0 77701167 00010000 00010078 005bfa10 ntdll_77650000!LdrRelocateImageWithBias+0xbe
005bfa40 776fb5e5 00000200 005bfcac 0000005c ntdll_77650000!LdrpProtectAndRelocateImage+0xd6
005bfcac 776aa831 0733e68c 00000000 00000000 ntdll_77650000!LdrpInitializeProcess+0x1325
005bfd04 776aa721 00000000 00000000 00000000 ntdll_77650000!_LdrpInitialize+0xba
005bfd10 00000000 005bfd24 77650000 00000000 ntdll_77650000!LdrInitializeThunk+0x11


STACK_COMMAND: ~0s ; .cxr ; kb

SYMBOL_NAME: ntdll_77650000!LdrpGenericProcessRelocation+69

MODULE_NAME: ntdll_77650000

IMAGE_NAME: ntdll.dll

FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_ntdll.dll!LdrpGenericProcessRelocation

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {894feab3-ccde-e916-4609-28c756af91bd}

Followup: MachineOwner
---------

This "MachineOwner" has sent this off to them, and I wait.


Anything else, I didn't examine?

THANKS!

Stay Safe




#4
January 24, 2021 at 14:07:36
The fact that you run programs like System Mechanic makes me wonder what other crapware you have installed. You made a point of describing your IT qualifications in one of your other posts so I don't understand how or why someone of your background would condone the use of such programs, let alone use them himself. My guess is something you have installed is affecting the installation of other programs.


#5
January 25, 2021 at 06:53:27
yeesh!~~~~~~

I can install any gauwghd!!damed thing I NEED!

or even just simply wish to examine for what it does or doesn't do here.

I also have childhood-onset ADHD, so I really do need the other 250 apps that did successfully install so far, with maybe another 100-200 more to come this coming week, depending on how busy these three vendors get me helping them track-down these 3 of 250 app installer AVs.

If YOU did your homework, you may look inside your owned self and ask you the same question, eh.

"Why am I using an AV that isn't Microsoft Windows Defender?"

true, correct, you are using a 3rd-party AV?

so, if you cannot, will not, or do not provide any App Installer AV Crash Debugging Assistance, then . . .

I KNOW WHAT I AM DOING ON THIS BRAND-NEW MACHINE!!!

It now has a Super-Phine Super-Fast WD SN850 Gen 4 x4 NVMe SSD as boot drive with a matching SATA SSD as a Backup Boot drive that I clone the working one over to the Test one Nightly, so YOUR POINT IS TOTALLY MOOT, sirrah.

Not to mention that other GAUWGHD!!!awful Acronis True Image 2020 (2021 C R A W L S so slow, it takes 5-10 minutes for the system's drives and folder layout to show-up when choosing Destination Drive, so I got a Refund on it and went back to 2020) USB 3.2 Gen 2 external hdd setup as the Bootable Backup/Rescue Drive in case my Truly Severe this year more than ever by about 10,000x ADHD screws both of my SSD Boot Drives.

YOUR POINT IS SO TOTALLY MOOT, sirrah

way too phucking phunny!!!

it is people like you that make the Tech Support Scammers RICH!

thinking the way you appear to do.

y e e s h

out, damned spot

find someone else to harass@now!



#6
January 25, 2021 at 07:04:09
Roland says, "Our devs tell me (tech support email person) that this has NEVER HAPPENED to anyone else on this entire planet, so this AV 05 is YOUR MACHINE's fault."

er, uh, like wow, I told them right back.

"Let us take a Vote here & now on this accusation that it is my machine causing these 3:250 app installer AVs." i says to Roland Tech Support...


following that with

"The envelope, please?"

rips it open and pulls out . . .

"HEY!!! You three Total Failures vs. 250 Successes!!! Yeah, You 3!!! Get off your ass and fix your s---!!!"

the other exactly 250 (today's count with 100-200 more coming this week) Happily Error-Free App Installs Running Happily As Geoducks tilted back their snouts and Laughed at Roland and the other two Vendors So Hard, they fell off their bookshelf over by my office window here at MadGelloLandX, Purveyor of Super-Phine Military-Grade Zen 3-Only PCs

out & about now

Come On

GOG Galaxy 2 (Beta) says they're looking into it.

Haven't heard back from Opera Browser yet. today, most likely, though

somebody must know how to Debug an App Installer AV Crash in here, right?



#7
January 25, 2021 at 07:05:19
"Highest OCer, eh?"

YUGE BIGLY LAUGH RIOT ENSUES in 3...2."HEY! You started CHORTLING Way Too Early there, sport!"



#8
January 25, 2021 at 07:41:09
!analyze -v works great on the AV 05 ones, but not so much on Roland's Zenbeats_Installer.exe's AV 7B.

what next, to get deeper still?

THANKS

Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: E:\MadGello\DAW\Zenbeats_Installer.exe

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00000000`00010000 00000000`0018c000 image00000000`00010000
ModLoad: 00007ffd`0ced0000 00007ffd`0d0c6000 ntdll.dll
ModLoad: 00000000`77ad0000 00000000`77c73000 ntdll.dll
ModLoad: 00007ffd`0b700000 00007ffd`0b759000 C:\WINDOWS\System32\wow64.dll
ModLoad: 00007ffd`0b030000 00007ffd`0b0b3000 C:\WINDOWS\System32\wow64win.dll
(4460.1f3c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffd`0cfa06d0 cc int 3
0:000> !sympath
Symbol search path is: srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*e:\windows10_symbols*https://msdl.microsoft.com/download/symbols

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*E:\Windows10_Symbols*https://msdl.microsoft.com/download/symbols
0:000> lm
start end module name
00000000`00010000 00000000`0018c000 Zenbeats_Installer (deferred)
00000000`77ad0000 00000000`77c73000 ntdll_77ad0000 (deferred)
00007ffd`0b030000 00007ffd`0b0b3000 wow64win (deferred)
00007ffd`0b700000 00007ffd`0b759000 wow64 (deferred)
00007ffd`0ced0000 00007ffd`0d0c6000 ntdll (pdb symbols) e:\windows10_symbols\ntdll.pdb\1EB9FACB04C73C5DEA7160764CD333D01\ntdll.pdb
0:000> g
ModLoad: 00000000`77ac0000 00000000`77aca000 C:\WINDOWS\System32\wow64cpu.dll
wow64cpu!CpupSyscallStub+0xc:
00000000`77ac1cfc c3 ret
0:000> lm
start end module name
00000000`00010000 00000000`0018c000 Zenbeats_Installer (deferred)
00000000`77ac0000 00000000`77aca000 wow64cpu (pdb symbols) e:\windows10_symbols\wow64cpu.pdb\36500DC25D7F0C6D9A7F88A105763DCF1\wow64cpu.pdb
00000000`77ad0000 00000000`77c73000 ntdll_77ad0000 (deferred)
00007ffd`0b030000 00007ffd`0b0b3000 wow64win (deferred)
00007ffd`0b700000 00007ffd`0b759000 wow64 (deferred)
00007ffd`0ced0000 00007ffd`0d0c6000 ntdll (pdb symbols) e:\windows10_symbols\ntdll.pdb\1EB9FACB04C73C5DEA7160764CD333D01\ntdll.pdb
0:000> k
# Child-SP RetAddr Call Site
00 00000000`0043eed8 00000000`77ac1cbb wow64cpu!CpupSyscallStub+0xc
01 00000000`0043eee0 00000000`77ac11b9 wow64cpu!Thunk0Arg+0x5
02 00000000`0043ef90 00007ffd`0b7038c9 wow64cpu!BTCpuSimulate+0x9
03 00000000`0043efd0 00007ffd`0b7032bd wow64!RunCpuSimulation+0xd
04 00000000`0043f000 00007ffd`0cfa35b2 wow64!Wow64LdrpInitialize+0x12d
05 00000000`0043f2b0 00007ffd`0cf92239 ntdll!LdrpInitializeProcess+0x1932
06 00000000`0043f6e0 00007ffd`0cf449d3 ntdll!_LdrpInitialize+0x4d84d
07 00000000`0043f780 00007ffd`0cf4497e ntdll!LdrpInitialize+0x3b
08 00000000`0043f7b0 00000000`00000000 ntdll!LdrInitializeThunk+0xe
0:000> d
00000000`77ac1cfc c3 cd 2e c3 cc cc cc cc-cc cc 66 66 0f 1f 84 00 ..........ff....
00000000`77ac1d0c 00 00 00 00 ff e0 cc cc-cc cc cc cc cc cc cc cc ................
00000000`77ac1d1c cc cc cc cc 40 55 48 83-ec 20 48 8b ea 48 89 4d ....@UH.. H..H.M
00000000`77ac1d2c 28 48 89 4d 20 48 8b 4d-20 48 ff 15 74 24 00 00 (H.M H.M H..t$..
00000000`77ac1d3c 0f 1f 44 00 00 b8 01 00-00 00 48 83 c4 20 5d c3 ..D.......H.. ].
00000000`77ac1d4c cc cc 33 c0 e9 19 f3 ff-ff b8 0d 00 00 c0 e9 a2 ..3.............
00000000`77ac1d5c f3 ff ff b9 28 00 00 00-cd 29 b9 28 00 00 00 cd ....(....).(....
00000000`77ac1d6c 29 cc 8b 88 38 0e 00 00-e9 b2 f4 ff ff cc cc cc )...8...........
0:000> !analyze -v
Last event: 4460.1f3c: Exit process 0:4460, code c000007b
debugger time: Mon Jan 25 07:35:47.707 2021 (UTC - 8:00)

dart! carnsarn you, !analyze!!!!


Reply ↓  Report •
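
Added example, not part of any post in this thread: the trace in reply #3 faults inside ntdll's relocation path (LdrRelocateImageWithBias) with the image mapped at 00010000, and the trace in reply #8 ends with exit code c000007b (STATUS_INVALID_IMAGE_FORMAT), so a natural next check is what each installer's own PE header declares about machine type, preferred base and relocation data. The Python below reads those fields from a file's bytes. The function names and the header-only sample are constructed for illustration, and reading ffc10000 in the stack text as the relocation delta from a preferred base of 00400000 is an assumption.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001      # COFF Characteristics bit
DYNAMIC_BASE = 0x0040                    # DllCharacteristics bit: image opted in to ASLR
MACHINES = {0x014C: "x86", 0x8664: "x64"}

def pe_load_facts(data: bytes) -> dict:
    """Extract the header fields that matter when the loader relocates an image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, *_, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:                                   # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    # Data directory 5 is the base relocation table (RVA, size).
    reloc = struct.unpack_from("<II", data, dirs + 5 * 8) if n_dirs > 5 else (0, 0)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "image_base": image_base,
        "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "reloc_dir": reloc,
    }

def relocation_delta(loaded_at: int, preferred: int, bits: int = 32) -> int:
    """Value added to every fixup when the image is not at its preferred base."""
    return (loaded_at - preferred) & ((1 << bits) - 1)

def build_sample_pe32(image_base=0x400000, chars=0x0102, dll_chars=0x8140, reloc=(0x3F0000, 0x2000)):
    """Constructed, header-only PE32 used as sample input (not a real installer)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x014C, 0, 0, 0, 0, 0xE0, chars)
    opt = 0x98
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    struct.pack_into("<I", buf, opt + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 5 * 8, *reloc)
    return bytes(buf)
```

To inspect a real file, pass its bytes in: `pe_load_facts(open(path, "rb").read())`.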