Avast 7 crashing Sysinternals Process Explorer

Before installing Avast 7 free on multiple systems (a variety of 32 & 64-bit Windows XP, Vista, and 7 Home premium), I had the MS Sysinternals app - Process Explorer - installed on each system…
After installing Avast on each, Process Explorer crashes every time on every 64-bit system. (Might be because of something related to procexp.exe self-extracting procexp64.exe from itself)…
I tried shutting off each shield within Avast 1 by 1, tried adding exclusions to every shield, tried disabling AutoSandbox – all with no luck… Process explorer crashes every time…
After uninstalling Avast, it works again…
Avast is great, but I can’t do without Process Explorer…

Anyone else experiencing this? Looking for a workaround or anything to get these 2 apps to coexist.

Which version of Avast do you use? Avast 7.0.1426 is the latest version.

I’m using the latest… 7.0.1426

Sorry, my help ends here. All I can say is: “Update Process Explorer to the latest version, but I’m quite sure you already have the latest one, right?” :smiley:

PC: Did you get a BSOD when Process Explorer crashes?

Nope, no BSOD, just an application crash… “APPCRASH” is all I get under the details of the crash… Standard stuff, not many hints as to what it could be.

Thanks anyway…

Well you can send support pack to Avast via FTP server

Open Avast-Maintenance and select Support, now select FullDumps as well if you want and press Generate now. When Avast finishes, rename the Zip file with a unique name (your forum nick+problems Sysinternals Process Explorer) and send the file to Avast via FTP server.

Have you excluded procexp.exe from AutoSandbox and added it as a trusted process in the Behavior Shield?

Yes & Yes.

Windbg exe-attached output of the crash of procexp64.exe, if this helps…

0:000> g
ModLoad: 000007fe`fee00000 000007fe`fee2e000 C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`f5d70000 000007fe`f5d7f000 C:\Windows\system32\CSCAPI.dll
ModLoad: 000007fe`f4650000 000007fe`f46d0000 C:\Windows\system32\ntshrui.dll
ModLoad: 000007fe`fced0000 000007fe`fcef3000 C:\Windows\system32\srvcli.dll
ModLoad: 000007fe`faf60000 000007fe`faf6b000 C:\Windows\system32\slc.dll
ModLoad: 000007fe`fce40000 000007fe`fce57000 C:\Windows\system32\CRYPTSP.dll
ModLoad: 000007fe`fc950000 000007fe`fc997000 C:\Windows\system32\rsaenh.dll
ModLoad: 000007fe`fcd80000 000007fe`fcda2000 C:\Windows\system32\bcrypt.dll
ModLoad: 000007fe`fc890000 000007fe`fc8dc000 C:\Windows\system32\bcryptprimitives.dll
(10f4.aa4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0 ds:00000000`00082030=????????
*** ERROR: Module load completed but symbols could not be loaded for procexp.exe
0:042> g
(10f4.aa4): Access violation - code c0000005 (!!! second chance !!!)
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0 ds:00000000`00082030=????????
0:042> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/procexp_exe/15_13_0_0/4f39b794/unknown/0_0_0_0/bbbbbbb4/c0000005/0008000a.htm?Retriage=1

FAULTING_IP:
+41
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0

EXCEPTION_RECORD: ffffffffffffffff – (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000008000a
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000082030
Attempt to write to address 0000000000082030

FAULTING_THREAD: 0000000000000aa4

DEFAULT_BUCKET_ID: INVALID_POINTER_READ

PROCESS_NAME: procexp.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000001

EXCEPTION_PARAMETER2: 0000000000082030

WRITE_ADDRESS: 0000000000082030

FOLLOWUP_IP:
sechost!LsaLookupOpenLocalPolicy+41
000007fe`fdb3429d 89442440 mov dword ptr [rsp+40h],eax

FAILED_INSTRUCTION_ADDRESS:
+41
00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0

MOD_LIST:

NTGLOBALFLAG: 70

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 000000000008000a
The fault address in not in any loaded module, please check your build’s rebase
log at \bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER: from 000007feff04a776 to 000000000008000a

STACK_TEXT:
00000000083ce2e8 000007feff04a776 : 0000000000000000 00000000083ce5e0 00000000083cea18 000007feff0598b1 : 0x8000a
00000000083ce2f0 000007feff0ecc74 : 00000000083ce6a0 0000000000000000 00000000083ce6a0 00000000083ce6a0 : RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000083ce3b0 000007feff0ecf25 : 000007fefdb230a0 0000000000000000 0000000000000000 000000000ab84ae0 : RPCRT4!NdrpClientCall3+0x244
00000000083ce670 000007fefdb3429d : 0000000000000001 000000000000000c 0000000000000000 0000000000000000 : RPCRT4!NdrClientCall3+0xf2
00000000083cea00 000007fefdb33e17 : 0000000000000000 00000000083ceb90 00000000083ceac8 0000000000000000 : sechost!LsaLookupOpenLocalPolicy+0x41
00000000083cea60 000007fefdb3422d : 000000000ab84bc0 00000000083cec40 0000000000000000 000000000ab84bc0 : sechost!LookupAccountSidInternal+0x7f
00000000083ceb30 000007feff16b8ef : 0000000000000000 0000000000000000 0000000000000000 000007fe00000000 : sechost!LookupAccountSidLocalW+0x25
00000000083ceb80 000007fefd717ba2 : 0000000000000000 0000000000000000 0000000000000000 0000000000000158 : ADVAPI32!LookupAccountSidW+0x53
00000000083cebd0 000007fefd71b74f : 0000000000000000 00000000083cf368 00000000083cf0cc 0000000000000000 : Wintrust!_SSCatDBSetupRPCConnection+0x26f
00000000083cef20 000007fefd71b921 : 0000000000000000 00000000083cf0cc 00000000083cf778 0000000000000014 : Wintrust!Client_SSCatDBEnumCatalogs+0x3f
00000000083cefc0 000007fefd71cecc : 0000000000000000 00000000003d51b0 000000000040f470 0000000000000000 : Wintrust!_CatAdminAddCatalogsToCache+0x8c
00000000083cf070 000007fefd71b251 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : Wintrust!CryptCATAdminRemoveCatalog+0x37d
00000000083cf330 000000013fcd4b30 : 00000000003f2c70 000000000344efb0 0000000000000000 0000000000000000 : Wintrust!CryptCATAdminEnumCatalogFromHash+0x157
00000000083cf3e0 000000013fcc1a1e : 000000000344ee20 0000000000000000 0000000000000000 0000000000000000 : procexp+0x84b30
00000000083cf7d0 000000013fcc1bd5 : 000000000344e530 0000000000000001 0000000000000000 0000000000000000 : procexp+0x71a1e
00000000083cf990 000000013fce77ef : 000000000344e530 0000000000000000 0000000000000000 0000000000000000 : procexp+0x71bd5
00000000083cf9c0 000000013fce7899 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : procexp+0x977ef
00000000083cf9f0 0000000076b6652d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : procexp+0x97899
00000000083cfa20 0000000076f4c521 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
00000000083cfa50 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: sechost!LsaLookupOpenLocalPolicy+41

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: sechost

IMAGE_NAME: sechost.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5be05e

STACK_COMMAND: ~42s ; kb

FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_sechost.dll!LsaLookupOpenLocalPolicy

BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_BAD_IP_sechost!LsaLookupOpenLocalPolicy+41

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/procexp_exe/15_13_0_0/4f39b794/unknown/0_0_0_0/bbbbbbb4/c0000005/0008000a.htm?Retriage=1

Followup: MachineOwner
---------
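
A triage check for the debugger output in the post above, as an added example that is not part of the original thread: it tests whether the faulting address lies inside any loaded module and names the first symbolized caller on the stack. The sample text is built from lines of the post with the argument columns shortened, and the function names are this example's own.

```python
import re

# Constructed sample: lines taken from the post, stack argument columns shortened.
SAMPLE = r"""
ModLoad: 000007fe`fee00000 000007fe`fee2e000 C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`fcd80000 000007fe`fcda2000 C:\Windows\system32\bcrypt.dll
ExceptionAddress: 000000000008000a
STACK_TEXT:
00000000083ce2e8 000007feff04a776 : 0 0 0 0 : 0x8000a
00000000083ce2f0 000007feff0ecc74 : 0 0 0 0 : RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000083ce3b0 000007feff0ecf25 : 0 0 0 0 : RPCRT4!NdrpClientCall3+0x244
"""

MODLOAD = re.compile(r"ModLoad:\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S.*)", re.I)
EXC_ADDR = re.compile(r"ExceptionAddress:\s+([0-9a-f`]+)", re.I)
FRAME = re.compile(r"^([0-9a-f`]{8,})\s+([0-9a-f`]{8,})\s+:.*:\s+(\S+)\s*$", re.I)

def _hex(text):
    # WinDbg separates the high and low halves of a 64-bit address with a backtick.
    return int(text.replace("`", ""), 16)

def parse_modules(text):
    """Return (start, end, file name) for every ModLoad line."""
    return [(_hex(m[1]), _hex(m[2]), m[3].strip().rsplit("\\", 1)[-1])
            for m in MODLOAD.finditer(text)]

def owning_module(addr, modules):
    """Name of the module whose image range contains addr, or None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None

def parse_frames(text):
    """Symbol column of each STACK_TEXT frame, innermost first."""
    matches = (FRAME.match(line.strip()) for line in text.splitlines())
    return [m[3] for m in matches if m]

def triage(text):
    found = EXC_ADDR.search(text)
    if found is None:
        raise ValueError("no ExceptionAddress line in input")
    addr, frames = _hex(found[1]), parse_frames(text)
    return {
        "fault_addr": addr,
        "module": owning_module(addr, parse_modules(text)),  # None: not in an image
        "unbacked_frames": [f for f in frames if "!" not in f],
        "first_symbolized_caller": next((f for f in frames if "!" in f), None),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against a full log, a `module` of `None` together with a raw-address top frame matches the `IP_ON_HEAP` line in the analysis: the faulting code sits in dynamically allocated memory rather than in a loaded image.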

That’s weird, I certainly don’t have any problem with Process Explorer, and never had.
So even if you disable all avast! shields simultaneously (“avast! shields control” from the tray icon context menu) - still no change?

Interesting - Are you using the latest and greatest version of process explorer?
Yes, even with all shields disabled, AutoSandbox disabled … pretty much everything disable’able in Avast - set to disabled — procexp still crashes.
I can’t think of anything else these 5-6 systems have in common other than process explorer, firefox, and avast…

00000000`0008000a f0410fba6a7400 lock bts dword ptr [r10+74h],0

This is probably our fault – or a compatibility issue with other apps.
Can you please upload your dump to our ftp? Thanks!

You can generate App Crash Dump from Task Manager (in Process tab, click on procexp process and select Crash Dump).

Dear P.K.

The problem was not in Avast but the 15.21 build of process explorer. Avast in the crash dump was a smokescreen. Process Explorer build 15.22 fixes the problem …

Thanks for info, I used above mentioned instruction “lock bts dword ptr [r10+74h],0” in sandbox/autosandbox hooking engine – that’s why I thought there’s a compatibility issue between avast and other products.

I’m having exactly the same problem:

Avast Internet security version: 7.0.1474
Process explorer: v15.23
OS: win7 x64

I just installed avast IS today and it’s a very disappointing surprise :cry:

Exception at the same instruction:
lock bts dword ptr [r10+74h],0 ds:00000000`76f12008=???

I found the problem. How do you use process explorer that it leads to BSOD? Is it running for long time?
Thanks.

no BSOD, just process explorer crash.

I start process explorer and ~2 sec later it crashes. I’m not able to do anything in process explorer, it’s crashing so quickly.

Can you please generate a user dump and upload it somewhere? (our ftp: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=18)
When you receive the application error, run Task Manager, go to the Processes tab, find procexp64.exe, right-click and choose the generate dump option.
Thanks.

well, the problem is that the procexp64.DMP dump is 110MB, and my network connection is very slow at the moment, so unfortunately I won’t be able to do that at least today, maybe tomorrow

never mind, you can compress it (7z/rar), thanks.