Mikrotik Winbox crashes when starting

[drizo72]

When I start Mikrotik's Winbox application to control my router, the application crashes. It seems unable to maximize.

I have closed MaxTO 2 beta and it works fine. I have reinstalled MaxTo 1 and winbox works without any issues.

[vegardlarsen]

Thank you for writing. I will investigate this for 2.0 final and see if it can be fixed.

[vegardlarsen]

@drizo72 I have verified that this issue occurs when Winbox connects to a server. Preliminary findings:

Crashes with 0xC00001AD: The process has terminated because it could not allocate additional memory

Call stack

>	KernelBase.dll!_TerminateProcessOnMemoryExhaustion@4�()	Unknown
 	CoreMessaging.dll!Cn::Process::NotifyOutOfMemory(unsigned int)	Unknown
 	CoreMessaging.dll!Cn::Engine::Heap::_ProcessAllocate(struct Cn::Engine::AllocType,unsigned int,bool,bool)	Unknown
 	CoreMessaging.dll!HeapBuffer<struct AlpcBuffer>::Resize(unsigned int)	Unknown
 	CoreMessaging.dll!AlpcConnection::InitializeDefaultReceiveBuffers(unsigned short,class HeapBuffer<struct AlpcBuffer> *,class HeapBuffer<struct _ALPC_MESSAGE_ATTRIBUTES> *)	Unknown
 	CoreMessaging.dll!AlpcConnection::Callback_ProcessIncoming(struct IAlpcConnectionHost *,bool *)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Messaging::CrossProcessReceivePort__AlpcReceiveSource::OnReceive(void)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::OffThreadReceiver::Callback_OnDispatch(void)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::Dispatcher::Callback_DispatchLoop(struct Microsoft::CoreUI::Dispatch::RunnablePriorityMask)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::EventLoop::Callback_RunCoreLoop(struct Microsoft::CoreUI::Dispatch::RunMode,bool,bool &)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter::DrainCoreMessagingQueue(struct Microsoft::CoreUI::Dispatch::UserAdapter__UserPriority,bool,struct System::IntPtr &)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatch(bool,struct Microsoft::CoreUI::Dispatch::UserAdapter__UserPriority,struct System::IntPtr &)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatchRaw(struct System::IntPtr,struct Microsoft::CoreUI::Dispatch::UserAdapter__UserPriority,bool,struct System::IntPtr &)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter_DoWork(struct Microsoft::CoreUI::Dispatch::UserData *,struct Microsoft::CoreUI::Dispatch::UserAdapter__UserPriority,bool)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter_HandleDispatchNotifyMessage(struct HWND__ *,unsigned int)	Unknown
 	CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter_WindowProc(struct HWND__ *,unsigned int,unsigned int,long)	Unknown
 	user32.dll!__InternalCallWinProc@20�()	Unknown
 	user32.dll!UserCallWinProcCheckWow()	Unknown
 	user32.dll!DispatchClientMessage()	Unknown
 	user32.dll!___fnDWORD@4�()	Unknown
 	ntdll.dll!_KiUserCallbackDispatcher@12�()	Unknown
 	winbox.exe!0042b8d1()	Unknown
 	[Frames below may be incorrect and/or missing, no symbols loaded for winbox.exe]	Unknown
 	winbox.exe!004aaf8f()	Unknown
 	ntdll.dll!_NtProtectVirtualMemory@20�()	Unknown
 	ntdll.dll!LdrpWriteBackProtectedDelayLoad()	Unknown
 	ntdll.dll!_NtOpenKey@12�()	Unknown
 	ntdll.dll!_NtOpenKey@12�()	Unknown
 	KernelBase.dll!FindFirstFileA()	Unknown
 	kernel32.dll!@BaseThreadInitThunk@12�()	Unknown
 	ntdll.dll!__RtlUserThreadStart()	Unknown
 	ntdll.dll!__RtlUserThreadStart@8�()	Unknown

On the second walkthrough of this, I was able to get an access violation in DefSubclassProc when it tries to call _NtDeleteAtom:

Call stack of second crash

 	winbox.exe!0042e79c()	Unknown
 	[Frames below may be incorrect and/or missing, no symbols loaded for winbox.exe]	Unknown
 	ntdll.dll!_NtDeleteAtom@4�()	Unknown
 	kernel32.dll!_InternalDeleteAtom@8�()	Unknown
 	user32.dll!__InternalCallWinProc@20�()	Unknown
 	user32.dll!UserCallWinProcCheckWow()	Unknown
 	user32.dll!CallWindowProcW()	Unknown
 	comctl32.dll!_CallOriginalWndProc@24�()	Unknown
 	comctl32.dll!_CallNextSubclassProc@20�()	Unknown
 	comctl32.dll!_DefSubclassProc@16�()	Unknown
>	MaxTo.Hook.x86.dll!SubClassFunc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam, unsigned int uIdSubclass, unsigned long dwRefData) Line 323	C++
 	comctl32.dll!_CallNextSubclassProc@20�()	Unknown
 	comctl32.dll!_MasterSubclassProc@16�()	Unknown
 	user32.dll!__InternalCallWinProc@20�()	Unknown
 	user32.dll!UserCallWinProcCheckWow()	Unknown
 	user32.dll!DispatchClientMessage()	Unknown
 	user32.dll!___fnNCDESTROY@4�()	Unknown
 	ntdll.dll!_KiUserCallbackDispatcher@12�()	Unknown
 	winbox.exe!004a3872()	Unknown
 	winbox.exe!0040344d()	Unknown
 	winbox.exe!00403b77()	Unknown
 	winbox.exe!0042bffe()	Unknown
 	winbox.exe!0042eb2c()	Unknown
 	user32.dll!__InternalCallWinProc@20�()	Unknown
 	user32.dll!UserCallWinProcCheckWow()	Unknown
 	user32.dll!DispatchMessageWorker()	Unknown
 	user32.dll!_DispatchMessageA@4�()	Unknown
 	winbox.exe!0042b94a()	Unknown
 	winbox.exe!004aaf8f()	Unknown
 	ntdll.dll!_NtProtectVirtualMemory@20�()	Unknown
 	ntdll.dll!LdrpWriteBackProtectedDelayLoad()	Unknown
 	ntdll.dll!_NtOpenKey@12�()	Unknown
 	ntdll.dll!_NtOpenKey@12�()	Unknown
 	KernelBase.dll!FindFirstFileA()	Unknown
 	kernel32.dll!@BaseThreadInitThunk@12�()	Unknown
 	ntdll.dll!__RtlUserThreadStart()	Unknown
 	ntdll.dll!__RtlUserThreadStart@8�()	Unknown

I have no idea why this occurs at the moment.

[ShutterQuick]

@vegardlarsen Any update on this issue? It is rather annoying to have to disable and reactivate MaxTo all the time.
As a workaround I attempted to add an entry to shims.json, but for some reason it isn't working.
MaxTo finds the shim, but it looks like it's not applied. I could not find the format for shims.json documented anywhere, so I've just tried to monkey-see-monkey-do with base in the other entries in the file.

Do you see any obvious reason why the following wouldn't work? Maybe I'm misunderstanding matching on process, or maybe my assumption about ignore making MaxTo not load itself into the process is wrong?

{
  "id": "winbox",
  "descriptions": {
    "en": {
      "title": "Mikrotik Winbox",
      "subtitle": "Prevent crashes",
      "description": "[Winbox](https://wiki.mikrotik.com/wiki/Manual:Winbox) is a tool for managing Mikrotik routers. It crashes if on connection when MaxTo is injected into it."
    }
  },
  "iconUrl": "https://publicdomainvectors.org/photos/winbox-mikrotik-icon.png",
  "url": null,
  "canDisable": true,
  "defaultEnabled": true,
  "ignore": true,
  "disableSubclassing": false,
  "disableSnapping": false,
  "disableTransparency": false,
  "useMoveWindow": false,
  "emulatesMaximize": false,
  "windowClasses": [],
  "processes": [
    "winbox"
  ]
}

[vegardlarsen]

This seems correct to me at a glance. This assumes that the WinBox process is called winbox.exe. I'd try to set disableSubclassing to true as well, but just using ignore should work.

[Gappa]

Tried disableSubclassing - but no luck.
Also tried both disableSnapping and disableTransparency, with the same result.

[Gappa]

Also, here's the crash log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<System>
		<Provider Name="Application Error" /> 
		<EventID Qualifiers="0">1000</EventID> 
		<Level>2</Level> 
		<Task>100</Task> 
		<Keywords>0x80000000000000</Keywords> 
		<TimeCreated SystemTime="2019-01-29T09:42:41.351552200Z" /> 
		<EventRecordID>4752</EventRecordID> 
		<Channel>Application</Channel> 
		<Computer>DESKTOP-Q6QJ7OC</Computer> 
		<Security /> 
	</System>
	<EventData>
		<Data>winbox.exe</Data> 
		<Data>0.0.0.0</Data> 
		<Data>382f3815</Data> 
		<Data>roteros.dll</Data> 
		<Data>0.0.0.0</Data> 
		<Data>4cee2c15</Data> 
		<Data>40000015</Data> 
		<Data>000b674d</Data> 
		<Data>99624</Data> 
		<Data>01d4b7b6e96af21f</Data> 
		<Data>G:\Software\winbox.exe</Data> 
		<Data>C:\Users\User\AppData\Roaming\Mikrotik\Winbox\5.0rc5-1475189138\roteros.dll</Data> 
		<Data>fa15f794-40c7-47c3-928f-555fe389bc19</Data> 
		<Data /> 
		<Data /> 
	</EventData>
</Event>

[vegardlarsen]

@Gappa Can you go into MaxTo settings, under Compatibility, and hit Check for updates? Then after restarting MaxTo and WinBox, check to see if the issue is still present?

It took me quite a while to figure this out, but apparently some intermediary windows are shown. They have a window class of routeros_null, so targetting them is easy.

The JSON for this update looks like this:

  {
    "id": "winbox",
    "descriptions": {
      "en": {
        "title": "Mikrotik WinBox",
        "subtitle": "Prevent crash",
        "description": "Microtik WinBox presents some intermediary windows that MaxTo should not subclass, to prevent crashes."
      }
    },
    "iconUrl": null,
    "url": null,
    "canDisable": true,
    "defaultEnabled": true,
    "ignore": false,
    "disableSubclassing": true,
    "disableSnapping": false,
    "disableTransparency": false,
    "useMoveWindow": false,
    "emulatesMaximize": false,
    "windowClasses": [
      "routeros_null"
    ],
    "processes": []
  }

[Gappa]

Version 2.0.0-beta9, updated compatibility list, restarted MaxTo.

Sadly, it still crashes, outputting the same log as above.

How can I determine the window class? Because after successful log-in the whole window/GUI changes so drastically that it might be completely something new.

[vegardlarsen]

@Gappa Did Mikrotik WinBox show up on the compatibility list?

Your assumption is correct; WinBox opens and closes a bunch of windows when you connect, and it is one of the intermediary ones that caused issues on my machine at least. The other main candidate was routeros_main, but the crashes only stopped on my machine after adding routeros_null.

[ShutterQuick]

@vegardlarsen Thanks for looking into this.

I put in place my backup-copy of shims.json and tried to update.
Your shim shows up now, but winbox still crashes when connecting to the router.

I'm running MaxTo 2.0.0-beta9.

[Gappa]

Yup, WinBox is present in the compatibility list.

One thing to add - I have to use an older version to connect to the device, newer versions aren't compatible, that might mean something as well.

Tried all of these, no change:

"windowClasses": [
	"routeros_connect",
	"routeros_mbox",
	"routeros_null",
	"routeros_main"
],

The mbox is just a guess, spotted that one once during login and I'm not even sure :)

[vegardlarsen]

After a reboot here, the problem started re-appearing. I am looking into it.

[vegardlarsen]

I have found that checking WinBox' "Open in new window" stops the crash from happening. Still investigating.

[vegardlarsen]

I found the reason this wouldn't work; and it is a bug in MaxTo itself. For 32-bit programs, MaxTo won't be able to read the list of compatibility shims from the hook DLL, due to a misunderstanding about how types change sizes in C/C++ when compiling for different architectures.

This means that until I get a new version released (hopefully tomorrow), you won't be able to get this to work.

[ShutterQuick]

Still not working on 2.0.0-beta10 for me. Shim enabled, but winbox still crashes.

Can confirm the open in new window workaround works, though, so it's not all bad 👍

[Gappa]

Still not working on 2.0.0-beta10 for me. Shim enabled, but winbox still crashes.

Confirmed still crashing.

However, there is a typo in the shim:

    "windowClasses": [
      "routeros_null",
      "routeros_connet"
    ],

...which is the reason why it doesn't work :)

After correcting it to routeros_connect (and restarting MaxTo) it works now - cool, thanks!

Edit: my own typos, some claficiations.

[vegardlarsen]

@Gappa Thanks. I have corrected this typo this server-side, so the next time you update your shims the correct one will be pulled down.

cc: @ShutterQuick

[ShutterQuick]

Thanks for fixing this issue, it's working correctly now!

Just one pedantic little thing; you have a spelling error in the description: "description": "Microtik. Should be Mikrotik. :)

[Gappa]

Thanks for fixing this issue, it's working correctly now!

Just one pedantic little thing; you have a spelling error in the description: "description": "Microtik. Should be Mikrotik. :)

Well... MikroTik :)

https://mikrotik.com/aboutus

[vegardlarsen]