Annexes

1 - How to create a dump file when an error occurs in a flat WinPE?

https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
https://social.technet.microsoft.com/wiki/contents/articles/8103.windows-7-application-crash-dump-analysis.aspx
https://blogs.msdn.microsoft.com/chaun/2013/11/12/steps-to-catch-a-simple-crash-dump-of-a-crashing-process/

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
    DumpFolder  "X:\dumps"
    DumpCount   1
    DumpType    2
        0: Custom dump
        1: Mini dump
        2: Full dump

"These registry values represent the global settings. You can also provide per-application settings that override the global settings. To create a per-application setting, create a new key for your application under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\MyApplication.exe
Add your dump settings under the MyApplication.exe key. If your application crashes, WER will first read the global settings, and then will override any of the settings with your application-specific settings."

When the dump file is created, I use WinDbg to analyze it.

2 - Analysis with WinDbg

Here is a summary of the information obtained with "!analyze -v" that seems useful to me:

error = stack buffer overrun (BEX64)

The address of the error is ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x00000000000001c8.
This function of ism.dll raised a fatal error that bypasses exception handling and calls the function that starts the error processing: ism!wil::details::in1diag3::_FailFast_NtStatus
In the stack, we find the return address of this error function: 00007ffc`7b141da0
The code of ism!KernelInputConnection::Initialize, which is not very long, can be recovered.
(See that code further down in the text.)

A few instructions before the call to the error function, we read:

00007ffc`7b141d8c 448bc8 mov r9d,eax
00007ffc`7b141d8f 4c8d05ba1f1500 lea r8,[ism!`string' (00007ffc`7b293d50)]
00007ffc`7b141d96 ba48000000 mov edx,48h
00007ffc`7b141d9b e8e0400200 call ism!wil::details::in1diag3::_FailFast_NtStatus (00007ffc`7b165e80)
00007ffc`7b141da0 cc int 3

Register R8 contains the string "onecoreuap\windows\moderncore\inputv2\utilities\kernelinputconnection\kernelinputconnection.h".

If we walk through the code of the function, we find a single jump to this error code at "00007ffc`7b141d8c":

00007ffc`7b141d47 498d5718 lea rdx,[r15+18h]
00007ffc`7b141d4b b910000000 mov ecx,10h
00007ffc`7b141d50 ff15e2ad1400 call qword ptr [ism!_imp_NtMITCoreMsgKOpenConnectionTo (00007ffc`7b28cb38)]
00007ffc`7b141d56 488b8c24c8000000 mov rcx,qword ptr [rsp+0C8h]
00007ffc`7b141d5e 85c0 test eax,eax
00007ffc`7b141d60 782a js ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x1b4 (00007ffc`7b141d8c)   --> error

To find the address of _imp_NtMITCoreMsgKOpenConnectionTo:

0:005> dq 00007ffc`7b28cb38
00007ffc`7b28cb38  00007ffc`7fae7590

The code at the origin of the error:

0:005> u 00007ffc`7fae7590
win32u!NtMITCoreMsgKOpenConnectionTo:
00007ffc`7fae7590 4c8bd1 mov r10,rcx
00007ffc`7fae7593 b82b130000 mov eax,132Bh
00007ffc`7fae7598 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ffc`7fae75a0 7503 jne win32u!NtMITCoreMsgKOpenConnectionTo+0x15 (00007ffc`7fae75a5)
00007ffc`7fae75a2 0f05 syscall
00007ffc`7fae75a4 c3 ret
00007ffc`7fae75a5 cd2e int 2Eh
00007ffc`7fae75a7 c3 ret

There is a system call ("syscall") from win32u!NtMITCoreMsgKOpenConnectionTo.

3 - WinDbg with "!analyze -v"

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

DEBUG_FLR_EXCEPTION_CODE(80070057) and the ".exr -1" ExceptionCode(c0000409) don't match
GetUrlPageData2 (WinHttp) failed: 12002.

KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
    Name: 
    Time: 2019-12-14T15:23:56.526Z
    Diff: 1300526 mSec

Timeline: Dump.Current
    Name: 
    Time: 2019-12-14T15:02:16.0Z
    Diff: 0 mSec

Timeline: Process.Start
    Name: 
    Time: 2019-12-14T15:02:13.0Z
    Diff: 3000 mSec

Timeline: OS.Boot
    Name: 
    Time: 2019-12-14T15:00:53.0Z
    Diff: 83000 mSec

DUMP_CLASS: 2
DUMP_QUALIFIER: 400

CONTEXT:  (.ecxr)
rax=00000056ea97d740 rbx=00000056ea97dcb0 rcx=00000056ea97d740
rdx=0000000000000000 rsi=0000000000000000 rdi=00000056ea97d740
rip=00007ffc7f3ff3bf rsp=00000056ea97d660 rbp=00007ffc7b1409d0
 r8=0000000000000000  r9=0000000000000000 r10=00000fff8fe7fe63
r11=0000000800000800 r12=000001aa53046a38 r13=000001aa530405b0
r14=000001aa5327ef80 r15=000001aa53046a40
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000244
KERNELBASE!RaiseFailFastException+0xaf:
00007ffc`7f3ff3bf 0f1f440000 nop dword ptr [rax+rax]
Resetting default scope

FAULTING_IP: 
ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+1c8
00007ffc`7b141da0 cc int 3

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffc7b141da0 (ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x00000000000001c8)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 0000000000000007
   Parameter[1]: ffffffff80070057
   Parameter[2]: 0000000000000048
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT 

EXCEPTION_CODE: (HRESULT) 0x80070057 (2147942487) - Paramètre incorrect.
EXCEPTION_CODE_STR: 80070057

WATSON_BKT_PROCSTAMP: 8e064b77
WATSON_BKT_PROCVER: 10.0.18362.387
PROCESS_VER_PRODUCT: Microsoft® Windows® Operating System
WATSON_BKT_MODULE: ism.dll
WATSON_BKT_MODSTAMP: b0a921b7
WATSON_BKT_MODOFFSET: 31da0
WATSON_BKT_MODVER: 10.0.18362.387
MODULE_VER_PRODUCT: Microsoft® Windows® Operating System
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
MODLIST_WITH_TSCHKSUM_HASH: 21ed482b435233672e93ee94898b5fcc564ea225
MODLIST_SHA1_HASH: 4dcd0bc40e8ad8e9f4918b0cd8a5e2d4d6b143c1
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_FLAGS: 8000c07
DUMP_TYPE: 3
PROCESS_NAME: unknown
ANALYSIS_SESSION_HOST: PC-P702
ANALYSIS_SESSION_TIME: 12-14-2019 16:23:56.0526
ANALYSIS_VERSION: 10.0.17763.1 amd64fre
THREAD_ATTRIBUTES: 
OS_LOCALE: FRA
BUGCHECK_STR: FAIL_FAST_FATAL_APP_EXIT
DEFAULT_BUCKET_ID: FAIL_FAST_FATAL_APP_EXIT
PRIMARY_PROBLEM_CLASS: FAIL_FAST

PROBLEM_CLASSES: 

    ID:     [0n282]
    Type:   [FAIL_FAST]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [Unspecified]
    Frame:  [0]

    ID:     [0n271]
    Type:   [FATAL_APP_EXIT]
    Class:  Addendum
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [Unspecified]
    Frame:  [0]

LAST_CONTROL_TRANSFER:  from 00007ffc7b161fd9 to 00007ffc7f3ff3bf

STACK_TEXT:  
00000056`ea97d660 00007ffc`7b161fd9 : 00000000`00000000 00007ffc`7f3ff310 00000000`00000000 00000056`ea97dcb0 : KERNELBASE!RaiseFailFastException+0xaf
00000056`ea97dc30 00007ffc`7b1620a4 : 00000056`ea97dde0 00000000`00000048 00007ffc`7b2ee3a8 00000000`00000000 : ism!wil::details::WilDynamicLoadRaiseFailFastException+0x49
00000056`ea97dc60 00007ffc`7b162083 : 000001aa`53019890 00000000`00000000 00000056`ea97e270 00000000`00000001 : ism!wil::details::WilRaiseFailFastException+0x18
00000056`ea97dc90 00007ffc`7b12112c : 00007ffc`7b1409d0 00000000`00000003 00007ffc`7b1409d0 00000000`00000048 : ism!wil::details::WilFailFast+0x93
00000056`ea97dd60 00007ffc`7b1654d0 : ffffffff`00000000 000001aa`553d1380 0000c000`00000000 00000000`00000000 : ism!wil::details::ReportFailure+0xd4
00000056`ea97f2a0 00007ffc`7b165ea0 : 000001aa`553dd2e0 00000056`ea97f448 00007ffc`7c9424b0 4d6cd94b`0f82a7e0 : ism!wil::details::ReportFailure_NtStatus+0x68
00000056`ea97f300 00007ffc`7b141da0 : 000001aa`53047120 000001aa`553dd2e0 00007ffc`7c9424b0 000001aa`53034890 : ism!wil::details::in1diag3::_FailFast_NtStatus+0x20
00000056`ea97f350 00007ffc`7b1409d0 : 000001aa`530469e8 000001aa`53046900 000001aa`53046a38 000001aa`53046900 : ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x1c8
00000056`ea97f420 00007ffc`7b1327ad : 000001aa`53046970 000001aa`5302ce78 000001aa`00000000 000001aa`5302ce70 : ism!PenEventsDispatcherPrincipal::PenEventsDispatcherPrincipal+0x140
00000056`ea97f4c0 00007ffc`7b1321b3 : 000001aa`5302ce70 00007ffc`7c9056a0 000001aa`53046970 000001aa`5302d340 : ism!InputSystem::InputSystem+0x1a1
00000056`ea97f510 00007ffc`7b12b149 : 00000056`ea97f5d8 000001aa`53040718 000001aa`553dd2b0 000001aa`530288c0 : ism!InputSystemServerConnection::Create+0xdf
00000056`ea97f590 00007ffc`7b129dfb : 000001aa`5327ef80 000001aa`5302d340 000001aa`53040718 000001aa`01020080 : ism!ISMStatics::GetBamoServerConnection+0x55
00000056`ea97f5d0 00007ffc`7b12f915 : 00000000`01020080 000001aa`00000000 00000000`00000000 00000000`00000000 : ism!DWMInputRouter::Initialize+0x383
00000056`ea97f890 00007ffc`7b130f5f : 000001aa`530405b0 000001aa`52fea4f0 000001aa`53038408 000001aa`53040960 : ism!MPCInputRouter::Initialize+0x1d
00000056`ea97f920 00007ffc`7b120235 : 000001aa`530405b0 000001aa`530383e8 000001aa`53038408 000001aa`00000004 : ism!MPCInputRouter::Create+0xb7
00000056`ea97f980 00007ffc`7b120109 : 000001aa`5327ef80 000001aa`52fea4f0 00000000`00000000 00000000`00000001 : ism!OneCoreUAPInputHost::Initialize+0xd1
00000056`ea97f9c0 00007ffc`7bd72b9a : 00000000`00000000 000001aa`530383e0 00000000`00000001 00000000`7fffffff : ism!OneCoreUAPInputHost::Create+0x89
00000056`ea97f9f0 00007ffc`7fd97944 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : dwmcore!CMit::Run+0xde
00000056`ea97fa30 00007ffc`81b6ce71 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
00000056`ea97fa60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

THREAD_SHA1_HASH_MOD_FUNC: 2d89beed3316a4fbf030828080b4632848d6ab02
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ba198311a43566338a6986cfb7a77c558a40e12c
THREAD_SHA1_HASH_MOD: 34ce7c93f303a0823663be655b3efdbfdbc5a5df

FOLLOWUP_IP: 
ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+1c8
00007ffc`7b141da0 cc int 3

FAULT_INSTR_CODE: 58d4ccc
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+1c8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ism
IMAGE_NAME: ism.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ~5s ; .ecxr ; kb
BUCKET_ID: FAIL_FAST_FATAL_APP_EXIT_ism!KernelInputConnection__MIT_PEN_EVENT_MESSAGE_::Initialize+1c8
FAILURE_EXCEPTION_CODE: 80070057
FAILURE_IMAGE_NAME: ism.dll
BUCKET_ID_IMAGE_STR: ism.dll
FAILURE_MODULE_NAME: ism
BUCKET_ID_MODULE_STR: ism
FAILURE_FUNCTION_NAME: KernelInputConnection__MIT_PEN_EVENT_MESSAGE_::Initialize
BUCKET_ID_FUNCTION_STR: KernelInputConnection__MIT_PEN_EVENT_MESSAGE_::Initialize
BUCKET_ID_OFFSET: 1c8
BUCKET_ID_MODTIMEDATESTAMP: 0
BUCKET_ID_MODCHECKSUM: 1fe5bc
BUCKET_ID_MODVER_STR: 10.0.18362.387
BUCKET_ID_PREFIX_STR: FAIL_FAST_FATAL_APP_EXIT_
FAILURE_PROBLEM_CLASS: FAIL_FAST
FAILURE_SYMBOL_NAME: ism.dll!KernelInputConnection__MIT_PEN_EVENT_MESSAGE_::Initialize
FAILURE_BUCKET_ID: FAIL_FAST_FATAL_APP_EXIT_80070057_ism.dll!KernelInputConnection__MIT_PEN_EVENT_MESSAGE_::Initialize
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/unknown/10.0.18362.387/8e064b77/ism.dll/10.0.18362.387/b0a921b7/80070057/00031da0.htm?Retriage=1
TARGET_TIME: 2019-12-14T15:02:16.000Z
OSBUILD: 18362
OSSERVICEPACK: 1
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 84f1
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:fail_fast_fatal_app_exit_80070057_ism.dll!kernelinputconnection__mit_pen_event_message_::initialize
FAILURE_ID_HASH: {90280a54-8cbd-07d7-3c1c-3a2bf6ea8bc4}

Followup: MachineOwner
---------

Code of ism!KernelInputConnection::Initialize:

0:005> u 00007ffc`7b141bd8 l a0
ism!KernelInputConnection::Initialize:
00007ffc`7b141bd8 4053 push rbx
00007ffc`7b141bda 55 push rbp
00007ffc`7b141bdb 56 push rsi
00007ffc`7b141bdc 57 push rdi
00007ffc`7b141bdd 4154 push r12
00007ffc`7b141bdf 4156 push r14
00007ffc`7b141be1 4157 push r15
00007ffc`7b141be3 4881ec90000000 sub rsp,90h
00007ffc`7b141bea 48c7442430feffffff mov qword ptr [rsp+30h],0FFFFFFFFFFFFFFFEh
00007ffc`7b141bf3 488b05f6e11a00 mov rax,qword ptr [ism!_security_cookie (00007ffc`7b2efdf0)]
00007ffc`7b141bfa 4833c4 xor rax,rsp
00007ffc`7b141bfd 4889842480000000 mov qword ptr [rsp+80h],rax
00007ffc`7b141c05 498be9 mov rbp,r9
00007ffc`7b141c08 4c8be2 mov r12,rdx
00007ffc`7b141c0b 4c8bf9 mov r15,rcx
00007ffc`7b141c0e 4c894c2438 mov qword ptr [rsp+38h],r9
00007ffc`7b141c13 488364247800 and qword ptr [rsp+78h],0
00007ffc`7b141c19 498b4938 mov rcx,qword ptr [r9+38h]
00007ffc`7b141c1d 4885c9 test rcx,rcx
00007ffc`7b141c20 7416 je ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x60 (00007ffc`7b141c38)
00007ffc`7b141c22 488b01 mov rax,qword ptr [rcx]
00007ffc`7b141c25 488d542440 lea rdx,[rsp+40h]
00007ffc`7b141c2a 488b00 mov rax,qword ptr [rax]
00007ffc`7b141c2d ff1585af1400 call qword ptr [ism!_guard_dispatch_icall_fptr (00007ffc`7b28cbb8)]
00007ffc`7b141c33 4889442478 mov qword ptr [rsp+78h],rax
00007ffc`7b141c38 498d5740 lea rdx,[r15+40h]
00007ffc`7b141c3c 488d4c2440 lea rcx,[rsp+40h]
00007ffc`7b141c41 e8a2210000 call ism!std::_Func_class::_Swap (00007ffc`7b143de8)
00007ffc`7b141c46 488d4c2440 lea rcx,[rsp+40h]
00007ffc`7b141c4b e8a0220000 call ism!std::_Func_class::_Tidy (00007ffc`7b143ef0)
00007ffc`7b141c50 488b8c24c8000000 mov rcx,qword ptr [rsp+0C8h]
00007ffc`7b141c58 488b05b9f11a00 mov rax,qword ptr [ism!ISMTestMode::s_instance (00007ffc`7b2f0e18)]
00007ffc`7b141c5f 4885c0 test rax,rax
00007ffc`7b141c62 0f8439010000 je ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x1c9 (00007ffc`7b141da1)
00007ffc`7b141c68 803800 cmp byte ptr [rax],0
00007ffc`7b141c6b 0f85f1000000 jne ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x18a (00007ffc`7b141d62)
00007ffc`7b141c71 498b3c24 mov rdi,qword ptr [r12]
00007ffc`7b141c75 488b07 mov rax,qword ptr [rdi]
00007ffc`7b141c78 488b5840 mov rbx,qword ptr [rax+40h]
00007ffc`7b141c7c 498bcf mov rcx,r15
00007ffc`7b141c7f e8605dffff call ism!Microsoft::WRL::ComPtr::InternalRelease (00007ffc`7b1379e4)
00007ffc`7b141c84 4d8bc7 mov r8,r15
00007ffc`7b141c87 488d15b2021500 lea rdx,[ism!`string' (00007ffc`7b291f40)]
00007ffc`7b141c8e 488bcf mov rcx,rdi
00007ffc`7b141c91 488bc3 mov rax,rbx
00007ffc`7b141c94 ff151eaf1400 call qword ptr [ism!_guard_dispatch_icall_fptr (00007ffc`7b28cbb8)]
00007ffc`7b141c9a 488b8c24c8000000 mov rcx,qword ptr [rsp+0C8h]
00007ffc`7b141ca2 85c0 test eax,eax
00007ffc`7b141ca4 0f8809010000 js ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x1db (00007ffc`7b141db3)
00007ffc`7b141caa 498b0f mov rcx,qword ptr [r15]
00007ffc`7b141cad 488b01 mov rax,qword ptr [rcx]
00007ffc`7b141cb0 b201 mov dl,1
00007ffc`7b141cb2 488b4020 mov rax,qword ptr [rax+20h]
00007ffc`7b141cb6 ff15fcae1400 call qword ptr [ism!_guard_dispatch_icall_fptr (00007ffc`7b28cbb8)]
00007ffc`7b141cbc 488b8c24c8000000 mov rcx,qword ptr [rsp+0C8h]
00007ffc`7b141cc4 85c0 test eax,eax
00007ffc`7b141cc6 0f88fc000000 js ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x1f0 (00007ffc`7b141dc8)
00007ffc`7b141ccc 498b1424 mov rdx,qword ptr [r12]
00007ffc`7b141cd0 498d4f08 lea rcx,[r15+8]
00007ffc`7b141cd4 e84352ffff call ism!wil::unique_com_token::reset (00007ffc`7b136f1c)
00007ffc`7b141cd9 4d8b3424 mov r14,qword ptr [r12]
00007ffc`7b141cdd 498b06 mov rax,qword ptr [r14]
00007ffc`7b141ce0 488b7058 mov rsi,qword ptr [rax+58h]
00007ffc`7b141ce4 498b1f mov rbx,qword ptr [r15]
00007ffc`7b141ce7 498d4f08 lea rcx,[r15+8]
00007ffc`7b141ceb e8bc5d0300 call ism!wil::unique_com_token::operator& (00007ffc`7b177aac)
00007ffc`7b141cf0 4889442420 mov qword ptr [rsp+20h],rax
00007ffc`7b141cf5 4c8bcb mov r9,rbx
00007ffc`7b141cf8 4d8bc7 mov r8,r15
00007ffc`7b141cfb 488d156e260000 lea rdx,[ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::s_OnKernelInputEventStatic (00007ffc`7b144370)]
00007ffc`7b141d02 498bce mov rcx,r14
00007ffc`7b141d05 488bc6 mov rax,rsi
00007ffc`7b141d08 ff15aaae1400 call qword ptr [ism!_guard_dispatch_icall_fptr (00007ffc`7b28cbb8)]
00007ffc`7b141d0e 488b8c24c8000000 mov rcx,qword ptr [rsp+0C8h]
00007ffc`7b141d16 85c0 test eax,eax
00007ffc`7b141d18 0f88bf000000 js ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x205 (00007ffc`7b141ddd)
00007ffc`7b141d1e 498b0c24 mov rcx,qword ptr [r12]
00007ffc`7b141d22 488b01 mov rax,qword ptr [rcx]
00007ffc`7b141d25 4d8d4718 lea r8,[r15+18h]
00007ffc`7b141d29 498b5710 mov rdx,qword ptr [r15+10h]
00007ffc`7b141d2d 488b4078 mov rax,qword ptr [rax+78h]
00007ffc`7b141d31 ff1581ae1400 call qword ptr [ism!_guard_dispatch_icall_fptr (00007ffc`7b28cbb8)]
00007ffc`7b141d37 488b8c24c8000000 mov rcx,qword ptr [rsp+0C8h]
00007ffc`7b141d3f 85c0 test eax,eax
00007ffc`7b141d41 0f88ab000000 js ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x21a (00007ffc`7b141df2)
00007ffc`7b141d47 498d5718 lea rdx,[r15+18h]
00007ffc`7b141d4b b910000000 mov ecx,10h
00007ffc`7b141d50 ff15e2ad1400 call qword ptr [ism!_imp_NtMITCoreMsgKOpenConnectionTo (00007ffc`7b28cb38)]
00007ffc`7b141d56 488b8c24c8000000 mov rcx,qword ptr [rsp+0C8h]
00007ffc`7b141d5e 85c0 test eax,eax
00007ffc`7b141d60 782a js ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x1b4 (00007ffc`7b141d8c)
00007ffc`7b141d62 488bcd mov rcx,rbp
00007ffc`7b141d65 e886210000 call ism!std::_Func_class::_Tidy (00007ffc`7b143ef0)
00007ffc`7b141d6a 488b8c2480000000 mov rcx,qword ptr [rsp+80h]
00007ffc`7b141d72 4833cc xor rcx,rsp
00007ffc`7b141d75 e8b6a3ffff call ism!_security_check_cookie (00007ffc`7b13c130)
00007ffc`7b141d7a 4881c490000000 add rsp,90h
00007ffc`7b141d81 415f pop r15
00007ffc`7b141d83 415e pop r14
00007ffc`7b141d85 415c pop r12
00007ffc`7b141d87 5f pop rdi
00007ffc`7b141d88 5e pop rsi
00007ffc`7b141d89 5d pop rbp
00007ffc`7b141d8a 5b pop rbx
00007ffc`7b141d8b c3 ret
00007ffc`7b141d8c 448bc8 mov r9d,eax
00007ffc`7b141d8f 4c8d05ba1f1500 lea r8,[ism!`string' (00007ffc`7b293d50)]
00007ffc`7b141d96 ba48000000 mov edx,48h
00007ffc`7b141d9b e8e0400200 call ism!wil::details::in1diag3::_FailFast_NtStatus (00007ffc`7b165e80)
00007ffc`7b141da0 cc int 3
00007ffc`7b141da1 4c8d05781a1500 lea r8,[ism!`string' (00007ffc`7b293820)]
00007ffc`7b141da8 ba21000000 mov edx,21h
00007ffc`7b141dad e802d20100 call ism!wil::details::in1diag3::FailFast_Unexpected (00007ffc`7b15efb4)
00007ffc`7b141db2 cc int 3
00007ffc`7b141db3 448bc8 mov r9d,eax
00007ffc`7b141db6 4c8d05931f1500 lea r8,[ism!`string' (00007ffc`7b293d50)]
00007ffc`7b141dbd ba23000000 mov edx,23h
00007ffc`7b141dc2 e80dbfffff call ism!wil::details::in1diag3::FailFast_Hr (00007ffc`7b13dcd4)
00007ffc`7b141dc7 cc int 3
00007ffc`7b141dc8 448bc8 mov r9d,eax
00007ffc`7b141dcb 4c8d057e1f1500 lea r8,[ism!`string' (00007ffc`7b293d50)]
00007ffc`7b141dd2 ba37000000 mov edx,37h
00007ffc`7b141dd7 e8f8beffff call ism!wil::details::in1diag3::FailFast_Hr (00007ffc`7b13dcd4)
00007ffc`7b141ddc cc int 3
00007ffc`7b141ddd 448bc8 mov r9d,eax
00007ffc`7b141de0 4c8d05691f1500 lea r8,[ism!`string' (00007ffc`7b293d50)]
00007ffc`7b141de7 ba3f000000 mov edx,3Fh
00007ffc`7b141dec e8e3beffff call ism!wil::details::in1diag3::FailFast_Hr (00007ffc`7b13dcd4)
00007ffc`7b141df1 cc int 3
00007ffc`7b141df2 448bc8 mov r9d,eax
00007ffc`7b141df5 4c8d05541f1500 lea r8,[ism!`string' (00007ffc`7b293d50)]
00007ffc`7b141dfc ba43000000 mov edx,43h
00007ffc`7b141e01 e8cebeffff call ism!wil::details::in1diag3::FailFast_Hr (00007ffc`7b13dcd4)

0:005> db 00007ffc`7b293d50
00007ffc`7b293d50  6f 6e 65 63 6f 72 65 75-61 70 5c 77 69 6e 64 6f  onecoreuap\windo
00007ffc`7b293d60  77 73 5c 6d 6f 64 65 72-6e 63 6f 72 65 5c 69 6e  ws\moderncore\in
00007ffc`7b293d70  70 75 74 76 32 5c 75 74-69 6c 69 74 69 65 73 5c  putv2\utilities\
00007ffc`7b293d80  6b 65 72 6e 65 6c 69 6e-70 75 74 63 6f 6e 6e 65  kernelinputconne
00007ffc`7b293d90  63 74 69 6f 6e 5c 6b 65-72 6e 65 6c 69 6e 70 75  ction\kernelinpu
00007ffc`7b293da0  74 63 6f 6e 6e 65 63 74-69 6f 6e 2e 68 00 00 00  tconnection.h...

0:005> db 00007ffc`7b291f40
00007ffc`7b291f40  4b 00 65 00 72 00 6e 00-65 00 6c 00 5c 00 4d 00  K.e.r.n.e.l.\.M.
00007ffc`7b291f50  49 00 54 00 5c 00 49 00-6e 00 70 00 75 00 74 00  I.T.\.I.n.p.u.t.
00007ffc`7b291f60  50 00 6f 00 72 00 74 00-00 00 00 00 00 00 00 00  P.o.r.t

-------------------------------------------------------------------------------------------

From the procmon trace:

16:01:07,6081641 winlogon.exe 540 RegDeleteKey HKLM\System\CurrentControlSet\Control\MiniNT SUCCESS
(wait loop)
16:01:15,0308391 winlogon.exe 540 RegCreateKey HKLM\System\CurrentControlSet\Control\MiniNT SUCCESS Desired Access: Maximum Allowed, Granted Access: None 0x0, Disposition: REG_CREATED_NEW_KEY
16:01:18,5822660 winlogon.exe 540 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys    (thread 712)
16:01:18,5867099 winlogon.exe 540 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winpeshl.exe NAME NOT FOUND Desired Access: Query Value, Enumerate Sub Keys    (thread 544)
16:01:18,5880402 winlogon.exe 540 Process Create X:\windows\system32\winpeshl.exe SUCCESS PID: 472, Command line: winpeshl.exe
16:01:18,6902198 winlogon.exe 540 Process Create X:\windows\system32\dwm.exe SUCCESS PID: 768, Command line: "dwm.exe"
16:01:18,6902267 dwm.exe 768 Process Start SUCCESS Parent PID: 540, Command line: "dwm.exe", Current directory: X:\windows\system32\, Environment: 

------------------------

C:\WINDOWS\system32>dir "D:\Windows\WinSxS\amd64_microsoft-windows-win32k_31bf3856ad364e35_10.0.18362.1_none_8b50e9b617bf38a0"
 Le volume dans le lecteur D s’appelle winpe1909Fr-flat
 Le numéro de série du volume est A676-018F

 Répertoire de D:\Windows\WinSxS\amd64_microsoft-windows-win32k_31bf3856ad364e35_10.0.18362.1_none_8b50e9b617bf38a0

19/03/2019  04:50    .
19/03/2019  04:50    ..
19/03/2019  04:50           550 400 win32k.sys
19/03/2019  04:50         3 751 936 win32kfull.sys
19/03/2019  04:50           127 272 win32u.dll

C:\WINDOWS\system32>dir c:\Users\noelb\Desktop\enAttente\winreMount\Windows\WinSxS\amd64_microsoft-windows-win32k_31bf3856ad364e35_10.0.18362.387_none_0ea23bac2c3f3737
 Le volume dans le lecteur C n’a pas de nom.
 Le numéro de série du volume est 06C9-E5EE

 Répertoire de c:\Users\noelb\Desktop\enAttente\winreMount\Windows\WinSxS\amd64_microsoft-windows-win32k_31bf3856ad364e35_10.0.18362.387_none_0ea23bac2c3f3737

07/10/2019  03:24    .
07/10/2019  03:24    ..
07/10/2019  03:24    f
07/10/2019  03:24    r
07/10/2019  03:24           550 400 win32k.sys
07/10/2019  03:24         3 727 360 win32kfull.sys
07/10/2019  03:24           127 064 win32u.dll

takeown /F D:\Windows\system32\win32k.sys /A
icacls D:\Windows\system32\win32k.sys /grant:r Administrateurs:F
move D:\Windows\system32\win32k.sys D:\Windows\system32\win32k.sys.org

takeown /F D:\Windows\system32\win32kFull.sys /A
icacls D:\Windows\system32\win32kFull.sys /grant:r Administrateurs:F
move D:\Windows\system32\win32kFull.sys D:\Windows\system32\win32kFull.sys.org

takeown /F D:\Windows\system32\win32kBase.sys /A
icacls D:\Windows\system32\win32kBase.sys /grant:r Administrateurs:F
move D:\Windows\system32\win32kBase.sys D:\Windows\system32\win32kBase.sys.org

--------------------------

Notes:

https://channel9.msdn.com/Shows/Inside/C0000409
The Exception Code is 0xC0000409 STATUS_FAIL_FAST_EXCEPTION

----------
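To make the decoding done by hand in sections 2 and 3 repeatable, here is an added Python example; it is not part of the original notes. It embeds constructed copies of three outputs reproduced above (the ".exr -1" record, the five instructions before the call to _FailFast_NtStatus, and the "db" dump of the file-name string) and decodes them: exception code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN, the code the fail-fast mechanism reuses), subcode 7 = FAST_FAIL_FATAL_APP_EXIT, Parameter[1] = the sign-extended HRESULT 0x80070057 (E_INVALIDARG, Win32 error 87 ERROR_INVALID_PARAMETER), and Parameter[2] = 0x48 = line 72 of kernelinputconnection.h, the same immediate loaded into edx before the call. The register mapping used (edx = line, r8 = file name, r9d = status) is the x64 argument order of WIL's in1diag3 helpers as the disassembly shows; reading Parameter[1] as the failing status and Parameter[2] as the source line is the WIL convention, stated here as an assumption checked against that same record and disassembly.

```python
"""Decode a WIL fail-fast (exception code 0xC0000409) from WinDbg text output.
Added example, not part of the original notes; the samples are constructed copies
of the ".exr -1", "u" and "db" output reproduced on this page."""
import re

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # raised by __fastfail / RaiseFailFastException
FACILITY_WIN32 = 7                        # HRESULT_FROM_WIN32() facility
WIN32_ERROR_NAMES = {87: "ERROR_INVALID_PARAMETER"}  # the only Win32 code this dump needs
# First FAST_FAIL_* subcodes from winnt.h; Parameter[0] of the record selects one.
FAST_FAIL_CODES = {0: "FAST_FAIL_LEGACY_GS_VIOLATION", 1: "FAST_FAIL_VTGUARD_CHECK_FAILURE",
                   2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE", 3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
                   4: "FAST_FAIL_INCORRECT_STACK", 5: "FAST_FAIL_INVALID_ARG",
                   6: "FAST_FAIL_GS_COOKIE_INIT", 7: "FAST_FAIL_FATAL_APP_EXIT",
                   8: "FAST_FAIL_RANGE_CHECK_FAILURE", 9: "FAST_FAIL_UNSAFE_REGISTRY_ACCESS",
                   10: "FAST_FAIL_GUARD_ICALL_CHECK_FAILURE"}

EXR_SAMPLE = """\
ExceptionAddress: 00007ffc7b141da0 (ism!KernelInputConnection<_MIT_PEN_EVENT_MESSAGE>::Initialize+0x00000000000001c8)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 0000000000000007
   Parameter[1]: ffffffff80070057
   Parameter[2]: 0000000000000048
"""
DISASM_SAMPLE = """\
00007ffc`7b141d8c 448bc8          mov     r9d,eax
00007ffc`7b141d8f 4c8d05ba1f1500  lea     r8,[ism!`string' (00007ffc`7b293d50)]
00007ffc`7b141d96 ba48000000      mov     edx,48h
00007ffc`7b141d9b e8e0400200      call    ism!wil::details::in1diag3::_FailFast_NtStatus (00007ffc`7b165e80)
00007ffc`7b141da0 cc              int     3
"""
DB_SAMPLE = r"""
00007ffc`7b293d50  6f 6e 65 63 6f 72 65 75-61 70 5c 77 69 6e 64 6f  onecoreuap\windo
00007ffc`7b293d60  77 73 5c 6d 6f 64 65 72-6e 63 6f 72 65 5c 69 6e  ws\moderncore\in
00007ffc`7b293d70  70 75 74 76 32 5c 75 74-69 6c 69 74 69 65 73 5c  putv2\utilities\
00007ffc`7b293d80  6b 65 72 6e 65 6c 69 6e-70 75 74 63 6f 6e 6e 65  kernelinputconne
00007ffc`7b293d90  63 74 69 6f 6e 5c 6b 65-72 6e 65 6c 69 6e 70 75  ction\kernelinpu
00007ffc`7b293da0  74 63 6f 6e 6e 65 63 74-69 6f 6e 2e 68 00 00 00  tconnection.h...
"""


def parse_exr(text):
    """Parse the hex fields of a WinDbg ".exr -1" record into integers."""
    code = re.search(r"ExceptionCode:\s*([0-9a-fA-F]+)", text)
    addr = re.search(r"ExceptionAddress:\s*([0-9a-fA-F]+)\s*\(([^)]+)\)", text)
    params = re.findall(r"Parameter\[\d+\]:\s*([0-9a-fA-F]+)", text)
    if not (code and addr and params):
        raise ValueError("not a complete .exr record")
    return {"code": int(code.group(1), 16), "address": int(addr.group(1), 16),
            "symbol": addr.group(2), "params": [int(p, 16) for p in params]}


def decode_fail_fast(rec):
    """Interpret the parameters of a 0xC0000409 record. For FAST_FAIL_FATAL_APP_EXIT as
    raised by WIL (assumption checked against this page's dump), Parameter[1] is the
    failing HRESULT/NTSTATUS (sign-extended) and Parameter[2] the source line."""
    if rec["code"] != STATUS_STACK_BUFFER_OVERRUN or not rec["params"]:
        raise ValueError("not a fail-fast exception record")
    subcode = rec["params"][0]
    out = {"subcode": subcode, "subcode_name": FAST_FAIL_CODES.get(subcode, "FAST_FAIL_<unknown>")}
    if subcode == 7 and len(rec["params"]) == 3:
        hr = rec["params"][1] & 0xFFFFFFFF  # drop the sign extension to 64 bits
        facility, code = (hr >> 16) & 0x1FFF, hr & 0xFFFF
        out.update(hresult=hr, facility=facility, code=code, line=rec["params"][2],
                   win32_name=WIN32_ERROR_NAMES.get(code) if facility == FACILITY_WIN32 else None)
    return out


def wil_callsite_args(disasm):
    """Collect the arguments set up before a wil in1diag3 call from the x64
    argument registers: edx = line number, r8 = file name string, r9d = status."""
    args = {}
    for ln in disasm.splitlines():
        m = re.match(r"[0-9a-f`]+\s+[0-9a-f]+\s+(\w+)\s+(.*)", ln)
        if not m:
            continue
        mnem, ops = m.group(1), m.group(2).strip()
        if mnem == "mov" and ops.lower().startswith("edx,"):
            imm = re.fullmatch(r"edx,([0-9a-f]+)h?", ops, re.I)  # MASM-style immediate
            args["line"] = int(imm.group(1), 16) if imm else None
        elif mnem == "mov" and ops.lower().startswith("r9d,"):
            args["status_reg"] = ops.split(",", 1)[1]
        elif mnem == "lea" and ops.lower().startswith("r8,"):
            target = re.search(r"\(([0-9a-f`]+)\)", ops)
            args["file_addr"] = int(target.group(1).replace("`", ""), 16) if target else None
        elif mnem == "call" and "in1diag3" in ops:
            args["callee"] = ops.split()[0]
            return args
    return None  # no in1diag3 call in this listing


def db_ascii_string(db_text):
    """Reassemble the bytes of a WinDbg "db" dump and return the NUL-terminated ASCII string."""
    raw = bytearray()
    for ln in db_text.splitlines():
        m = re.match(r"[0-9a-f`]+\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})", ln)
        if m:
            raw += bytes.fromhex(m.group(1).replace("-", "").replace(" ", ""))
    return raw.split(b"\0", 1)[0].decode("ascii")


if __name__ == "__main__":
    ff = decode_fail_fast(parse_exr(EXR_SAMPLE))
    site = wil_callsite_args(DISASM_SAMPLE)
    print(f"{ff['subcode_name']}: 0x{ff['hresult']:08x} ({ff['win32_name']}) at "
          f"{db_ascii_string(DB_SAMPLE)}:{ff['line']} via {site['callee']}; "
          f"line matches call site: {site['line'] == ff['line']}")
```

The cross-check between Parameter[2] and the immediate in "mov edx,48h" is the useful part of this: the exception record carries the failing status and source line even when the stack cannot be walked back to the call site, and the file string addressed by r8 tells which WIL macro site those values belong to.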