RESOLVED - AV then try creat memory dump in Win7 after fix #355

[VictorVG]

Then I try create dump or minidimp then PH crashed and press MsRClick -> Create dump file... command I have AV (Access Violation) in if press Minidump have new AV in to circuit cycle before not press Restart or Close button:

:( I try send crashed process in to debugger, but he says whats process already close and send to OS return code is 0. Created files .dump or .minidumps have size 0 bytes and not included any data or hidden NTFS streams.

I say any users and all say whats this phenomena exists on Windows 7. Users use Win10 don't see it. I don't known whats find source for this phenomena. Also I see old problem #355 and only after recompile. I try clean all setting PH_config.zip - helps .... until the next update. I'm already completely confused in the search for the causes of the phenomenon. Obviously something simple, but slipping away ...

[VictorVG]

Additional information^ I download and tray test for 3.0.6633.2106 Git-0bfcb231 in to https://wj32.org/processhacker/nightly.php and also have AV then try make dump...

[VictorVG]

v3.0.6637.2110 Git-0fe27cbb - better

v3.0.6638.2111 Git-c0b2d23b again have AV.

[VictorVG]

v3.0.6651.2124 Git-b6564f3c - also crashed :(

[VictorVG]

I apologize for noticing the Issues label just now and responding ....

Well, I sort of came up with a way to bypass the lock - I took a dump through the Windows Task Manager and previously deciphered it:

ProcessHacker-v3.0.6654.2127-bin.tar.xz - this archive included my test-copy and have all .PDB for here.

ProcessHacker-v3.0.6654.2127-dump.tar.xz - ProcessHacker.DMP, unpacked size ~ 212 MB.

ProcessHacker-v3.0.6654.2127-debug-report.tar.xz - VS2015 dump decode screenshots.

[VictorVG]

Step for repro - in to Win7 SP1 x64:

RMsClick -> Create dump file... -> have AV

then click any Minidump button in to error dialog have secondary AV, Dump make after primary AV then try create dump for process Far.exe....

[VictorVG]

For users laid out such instructions for creating a dump:

1. in case of a failure in the PH, we don’t touch any buttons!
2. we call the Windows Task Manager, in it we search for the failed process, for example ProcessHacker.exe by the name of its task or image;
3. in the Windows Task Manager PCM (context menu, you can click the Apps button on KBD) -> Create a memory dump file. The dump is written for some time, has decent dimensions (I have ~ 212 MB), so he will tell us everything.
4. we pack a dump into the archive (here to choose from depending on the availability of archivers) and transfer to decryption.

I did my own for it, please look at it whenever possible - have I missed anything here? And nowhere was it wrong?

[dmex]

I checked the minidump and you should remove or disable these files that are installing hooks into Process Hacker:
'C:\Program Files (x86)\Dexpot\hooxpot64.dll'
'C:\Program Files\Far3\Far\plugins\dnd\drgndrop_x86_64.hook'

TortoiseGit, TortoiseSVN and LinkShellExtension have also injected (about 40) binaries into Process Hacker... You should disable/remove those programs then check if the crashing persists.

You also have lots of unofficial plugins that are known to cause crashes... You need to remove or disable:
plugins\AtomTablePlugin.dll
plugins\AvgCpuPlugin.dll
plugins\DbgViewPlugin.dll
plugins\DnsCachePlugin.dll
plugins\DpiAwarenessExtPlugin.dll
plugins\ExtendedNotifications.dll
plugins\FirewallMonitorPlugin.dll
plugins\FirmwarePlugin.dll
plugins\ForceShutdownPlugin.dll
plugins\LiveDumpPlugin.dll
plugins\MemoryExtPlugin.dll
plugins\NvGpuPlugin.dll
plugins\ObjectManagerPlugin.dll
plugins\PerfMonPlugin.dll
plugins\PoolMonPlugin.dll
plugins\ProductPolicyPlugin.dll
plugins\ROTViewerPlugin.dll
plugins\SecurityExplorer.dll
plugins\ServiceBackupRestorePlugin.dll
plugins\SetCriticalPlugin.dll
plugins\TaskbarExtPlugin.dll
plugins\TerminatorPlugin.dll
plugins\TrustedInstallerPlugin.dll
plugins\WaitChainPlugin.dll

I can't reproduce any crashes anywhere and I dont see anything in that minidump related to any crashes... This means either those injected binaries or those unofficial plugins caused the crash which is not something that can be fixed.

[VictorVG]

Ok, I to test computer I unload Tortoise*, Far Manager, Dexpot tree process, uninstall Link Shell Extension, antivirus is turn off, delete all Plugins Extra but if try Create dump file... command also have AV...

Test binary is - ProcessHacker-v3.0.6669.2142-bin.tar.xz and dump is ProcessHacker-v3.0.6669.2142-dump.tar.xz

But, I also try check old version 2.39.0.124 and see messages:

"The specified procedure could not be found". Is it possible that the reason is not in Process Hacker but in unknown to me OS changes? Something I'm completely confused with this ...

edit: fix typo

[dmex]

"The specified procedure could not be found"

dbghelp.dll has a dependency on dbgcore.dll which is probably missing?

[VictorVG]

For sure! How did I miss it?

[VictorVG]

@dmex

HUGE THANKS! Then I try copy dbghelp.dll and dbgcore.dll version 10.0.17763.1 form compiler this problems is resolved - dump is work w/o AV.

For some reason, it didn’t occur to me to have a hidden dependency on dbghelp.dll - in the ./imports section, the copy of the DLL I had had links only to kernel32.dll and msvcrt.dll and I was sure that all the dependencies it needed were in place , but just in it and there was AV. Well, on the network, I will replace it with a script in no time, and on the githaba I will now make an adjustment.

Once again, HUGE THANKS!